I'm in DIRE need of ABOUT: BLANK guidance!

Discussion in 'adware, spyware & hijack cleaning' started by caltuga, May 23, 2004.

Thread Status:
Not open for further replies.
  1. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi,
    I am hoping someone will be kind enough and have the time to guide me through what seems to be a rather complicated procedure to get rid of some viruses! I have been browsing the internet for the past couple of days for solutions to my problems and have come to the conclusion that not only am I not computer savvy, I am completely computer illiterate! I have been looking at solutions to problems that other people have had and was considering following the same steps, but then I reconsidered as I'm sure each problem may require a different solution.

    I have run Spybot SD many times and have "fixed" the problems, yet they seem to return each time.

    DSO Exploit 4 entries
    Webdialer 1 entry

    I have also run Hijack This, and here is the log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:31:36 PM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\miguel\Desktop\HijackThis.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\miguel\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {299EC41F-29C8-44CB-A931-6A082B8FF929} - C:\WINDOWS\System32\egkpml.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\System32\ipxrip.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I truly hope someone can help me resolve this problem and I thank you in advance. Cheers!

    MH.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi MH,

    Can you download :

    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install it in a folder of your choice, but on the root drive, most likely C:\

    1. Run start.bat and press option 1. A search will start; let it finish.

    'output.txt' will be created in the folder

    Copy and paste the complete contents of output.txt here please.

    Thnx!

    Cheers,
     
  3. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi! Thank you very much for your help! I've run the dllfix and here is the result!
    MH.

    --==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

    Sun 05/23/2004
    11:11 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "Boot Disk" (F457:E334) - FS:NTFS clusters:4k
    Total: 20 406 886 400 [19G] - Free: 13 692 301 312 [13G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q837009;Q832894;

    *Google Toolbar version and Attributes:
    Defaults: "A" ;"R"
    Path not found - C:\Program Files\google
    Path not found - C:\Program Files\google

    *UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    *Wmplayer version:
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

    *M$Java version:


    *PC uptime:
    11:11am up 0 days, 0:12
    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error
    \\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error


    *List of top level windows:
    HWND PID PRIO TITLE
    100da 1936 norm TF_FloatingLangBar_WndTitle
    100de 1936 norm CiceroUIWndFrame
    7024c 1464 norm SysFader
    1007c 1464 norm Start Menu
    3003e 1464 norm _Shell_TrayWnd
    10026 720 high NetDDE Agent
    101ca 2568 norm CiceroUIWndFrame
    101c8 2568 norm CiceroUIWndFrame
    501ec 2064 norm C:\WINDOWS\System32\cmd.exe
    80252 1464 norm dllfix
    20172 2568 norm Wilders Security Forums - I'm in DIRE need of ABOUT: BLANK guidance! - Microsof
    701ea 1464 norm Acrobat IEHelper
    10102 1924 norm Yahoo! Messenger
    2017e 1464 norm MCI command handling window
    40292 2568 norm MCI command handling window
    4027e 3176 norm Auto Update Client Window
    101d0 2568 norm IMMIF UI
    101c2 2568 norm DDE Server Window
    101b6 2568 norm Acrobat IEHelper
    200ba 1872 norm ActiveMovie Window
    200c2 1872 norm ActiveMovie Window
    20142 1872 norm MSP PNP Notification Window
    10160 1924 norm Peer Listen Window
    1015c 1872 norm CRTCClient
    1015a 1872 norm CRTCIMService
    10150 1464 norm Connections Tray
    1014c 616 norm Scan
    1014a 616 norm ACTION
    10148 616 norm VPIPCLINK
    10146 1016 norm NVSVCPMMWindowClass
    10144 1924 norm HIDDEN WINDOW
    10138 1924 norm NET WINDOW
    2012a 1924 norm AXWIN Frame Window
    200e0 1924 norm AXWIN Frame Window
    10104 1924 norm Y!TrayWnd
    10100 1924 norm DDE Server Window
    100be 1992 norm About WinZip Quick Pick
    100c4 1860 norm DirectCD
    100cc 1872 norm DDE Server Window
    100b6 1764 norm Symantec AntiVirus Corporate Edition
    100a6 1464 norm Power Meter
    100a4 1464 norm MS_WebcheckMonitor
    2018a 2568 norm SysFader
    1007a 1464 norm Program Manager
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299EC41F-29C8-44CB-A931-6A082B8FF929}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{E9B8DCD4-CA90-4677-942B-857A1A8B2031}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{E9B8DCD4-CA90-4677-942B-857A1A8B2031}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  5. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi Pieter, thanks for trying to help me!
    I tried to delete the C:\WINDOWS\System32\SQLEEMC.DLL from the Recovery Console but when I did it I was told "Access Denied." I don't know if it's related, but I don't have the administrator's password...

    Also, I've just noticed that my Symantec File System RealTime Protection has been disabled just now... Is that normal?

    I don't really understand computers very much, and I now sure wish I did!
    I don't know what to do!

    MH.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  7. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi Pieter. I don't think I have a password, because I just press enter when the password is asked and I'm cleared. But unfortunately I keep getting "access denied" when I try to delete the file. Is there any other way around this? I also looked at the link you gave me to set a password and when I do Control/Alt/Delete I don't get a Windows security dialog, I get the Windows Task Manager and it doesn't show an option to change the password....

    Thanks again...
    MH.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Download KillBox from:
    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip and run the program
    Hit the Action Menu and choose "Delete on Reboot"
    In the resulting dialog box, hit the File menu and select Add File.
    Copy and paste the full path to the file ( C:\WINDOWS\System32\SQLEEMC.DLL )
    The file should show now in the list of files to be deleted.
    In the same dialog box, Hit the Action menu and select Process and Reboot.
    Hit OK on the reboot prompt.

    Hope this still works,

    Pieter
     
  9. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi Pieter,

    I'm sorry to say that I did all you asked me to do and unfortunately the problem persists. I downloaded KillBox, I did the delete and reboot and then I ran Ad-Aware; it cleaned up some stuff but my Internet Explorer is still blocked on About: Blank. Nothing has changed.

    Here is the new dllfix log... It seems the SQLEEMC.DLL file is still around....

    Thanks for helping me. I really appreciate it.
    MH.

    --==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

    Tue 05/25/2004
    04:28 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "Boot Disk" (F457:E334) - FS:NTFS clusters:4k
    Total: 20 406 886 400 [19G] - Free: 13 820 829 696 [13G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q837009;Q832894;

    *Google Toolbar version and Attributes:
    Defaults: "A" ;"R"
    Path not found - C:\Program Files\google
    Path not found - C:\Program Files\google

    *UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    *Wmplayer version:
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

    *M$Java version:


    *PC uptime:
    4:28pm up 0 days, 0:57
    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error
    \\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error


    *List of top level windows:
    HWND PID PRIO TITLE
    10110 2020 norm TF_FloatingLangBar_WndTitle
    1011a 2020 norm CiceroUIWndFrame
    a01b2 1616 norm SysFader
    20082 1616 norm Start Menu
    30042 1616 norm _Shell_TrayWnd
    10026 720 high NetDDE Agent
    1d021e 2760 norm CiceroUIWndFrame
    5026c 2760 norm CiceroUIWndFrame
    6024e 2060 norm C:\WINDOWS\System32\cmd.exe
    d0186 1616 norm dllfix
    13027a 1616 norm Acrobat IEHelper
    100e6 2000 norm Yahoo! Messenger
    6029a 2760 norm MCI command handling window
    502a6 2760 norm IMMIF UI
    1101ee 2760 norm DDE Server Window
    100238 2760 norm Acrobat IEHelper
    500b6 1616 norm MCI command handling window
    1019e 2728 norm Auto Update Client Window
    20166 1616 norm Connections Tray
    10160 744 norm Scan
    1015e 744 norm ACTION
    1015c 744 norm VPIPCLINK
    10154 2000 norm Peer Listen Window
    10152 1212 norm NVSVCPMMWindowClass
    1014e 1992 norm ActiveMovie Window
    1014c 1992 norm ActiveMovie Window
    1014a 2000 norm HIDDEN WINDOW
    2011c 1992 norm MSP PNP Notification Window
    2011e 2000 norm NET WINDOW
    10138 1992 norm CRTCClient
    10136 2000 norm AXWIN Frame Window
    3009e 2000 norm AXWIN Frame Window
    10130 1992 norm CRTCIMService
    10106 1968 norm DirectCD
    100e8 2000 norm Y!TrayWnd
    100c0 200 norm About WinZip Quick Pick
    100dc 2000 norm DDE Server Window
    100da 1992 norm DDE Server Window
    100b4 1892 norm Symantec AntiVirus Corporate Edition
    100a6 1616 norm Power Meter
    100a4 1616 norm MS_WebcheckMonitor
    601ae 2760 norm SysFader
    5017e 2760 norm Wilders Security Forums - I'm in DIRE need of ABOUT: BLANK guidance! - Microsof
    1007a 1616 norm Program Manager
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299EC41F-29C8-44CB-A931-6A082B8FF929}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{59060D73-C596-4C03-8E25-3E513BA0575F}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{59060D73-C596-4C03-8E25-3E513BA0575F}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  11. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi Pieter,

    I've downloaded the file. I've gone to the recovery console to try and delete SQLEEMC.DLL but it still said access denied.
    What do I do now?

    Thanks,
    Caltuga.
     
  12. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi Pieter,
    I really don't know what to do. If there is anything else I would really appreciate it! Thanks!
    Caltuga.
     
  13. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi caltuga,

    Can you try this method :

    Remember you downloaded dllfix?

    Open it

    run start.bat again and choose option 2.

    Then hit '1' and enter dll name manually :

    C:\WINDOWS\System32\SQLEEMC.DLL

    and hit enter

    restart PC after doing so and fix entries again in HijackThis if still present :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Restart PC after doing so

    Also, it's important you update XP and IE asap at windowsupdate.com after doing these fixes.

    Let us know after you've done all of this!

    Cheers,
     
  14. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Please download a fresh version of dllfix first before running it. It has been updated a lot in the past few days.

    Also, I seem to be having better luck with letting it find it, so I would recommend option 2 rather than option 2 again.

    Cheers
     
  15. caltuga

    caltuga Registered Member

    Joined:
    May 23, 2004
    Posts:
    10
    Hi, thanks very much to both of you. I'm sure you're very busy and I appreciate your taking the time to help me out.
    I did all you have asked, except fix the entries on the HijackThis log because the exact files you mentioned are not there; but it seems that they have changed name because the new ones are very similar. I wasn't sure if I should fix the new entries and I thought it would be best to ask you. Here is the new HijackThis log:

    Thanks again,
    Caltuga.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:58:19 AM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\miguel\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2352D365-62E8-49A5-B31D-D89D871995BA} - C:\WINDOWS\System32\aomklha.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\System32\ipxrip.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
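As an added example (not from this thread, nor part of HijackThis, dllfix or KillBox), here is a small Python triage script that applies the pattern the helpers are reading off the two HijackThis logs above: every IE search/start URL rewritten to a res:// resource inside one DLL under System32, a nameless O2 BHO loading that same DLL, and, between the 22 May and 28 May logs, the same pattern coming back under a new DLL name and CLSID. The sample lines are copied from the logs posted in this thread; the function names are my own.

```python
"""Flag the about:blank hijack pattern in HijackThis logs and compare two logs."""
import re

# Constructed sample input: the relevant lines copied from the two logs in this thread.
LOG_MAY22 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {299EC41F-29C8-44CB-A931-6A082B8FF929} - C:\WINDOWS\System32\egkpml.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

LOG_MAY28 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2352D365-62E8-49A5-B31D-D89D871995BA} - C:\WINDOWS\System32\aomklha.dll
"""

# R0/R1 lines: "<kind> - <hive>\<key>,<name> = <value> [(obfuscated)]"
R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.+?)( \(obfuscated\))?$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# res:// URL that serves an HTML resource out of a DLL
RES_RE = re.compile(r"^res://(.+?\.dll)/(.+)$", re.IGNORECASE)


def parse(log_text):
    """Keep only the R (IE URL) and O2 (BHO) records of a HijackThis log."""
    r_items, bhos = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_RE.match(line)
        if m:
            r_items.append({"hive": m[2], "name": m[4], "value": m[5]})
            continue
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m[1], "clsid": m[2], "path": m[3]})
    return r_items, bhos


def triage(log_text):
    """Report the about:blank indicators in one log: IE URLs pointing into a
    res:// resource of a DLL under System32, plus the nameless BHO that loads
    the same DLL (the pair the helpers in the thread fix together)."""
    r_items, bhos = parse(log_text)
    by_dll = {}
    for it in r_items:
        m = RES_RE.match(it["value"])
        if m and "\\system32\\" in m[1].lower():
            by_dll.setdefault(m[1], []).append(it)
    if not by_dll:
        return {"hijacked": False}
    dll, hits = max(by_dll.items(), key=lambda kv: len(kv[1]))
    linked = [b for b in bhos if b["path"].lower() == dll.lower()]
    return {
        "hijacked": True,
        "dll": dll,
        "res_entries": len(hits),
        "both_hives": {it["hive"] for it in hits} == {"HKCU", "HKLM"},
        "home_old_sp_blank": any(it["name"] == "HomeOldSP" and it["value"] == "about:blank" for it in r_items),
        "bho_clsid": linked[0]["clsid"] if linked else None,
    }


def compare(old_log, new_log):
    """Same pattern in both logs but a new DLL name and CLSID: the visible copy
    was removed, but whatever rewrites the settings is still on the machine."""
    a, b = triage(old_log), triage(new_log)
    if not (a["hijacked"] and b["hijacked"]):
        return {"persisted": False, "renamed": False, "new_bho_clsid": False}
    return {"persisted": True,
            "renamed": a["dll"].lower() != b["dll"].lower(),
            "new_bho_clsid": a["bho_clsid"] != b["bho_clsid"]}


if __name__ == "__main__":
    for label, log in (("22 May", LOG_MAY22), ("28 May", LOG_MAY28)):
        print(label, triage(log))
    print("between logs:", compare(LOG_MAY22, LOG_MAY28))
```

Run on a log saved by HijackThis, a "renamed" result after a reboot is the cue to look for the loader (here the locked SQLEEMC.DLL and the ipxrip.exe Run entry) rather than to keep fixing the R1/O2 lines.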
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi caltuga,

    Could you mail me a copy of: C:\WINDOWS\System32\ipxrip.exe

    Use the address in my profile

    Regards,

    Pieter
     