I'm in DIRE need of ABOUT: BLANK guidance!

Hi,
I am hoping someone will be kind enough and have the time to guide me through what seems to be a rather complicated procedure to get rid of some viruses! I have been for the past couple of days browsing the internet for solutions to my problems and have come to the conclusion that not only I am not computer savvy, I am completely computer illiterate! I have been looking at solutions to problems that other people have had and was considering following the same steps, but then I reconsidered as I'm sure each problem may require a different solution.

I have run Spybot SD many times and have "fixed" the problems, yet they seems to return each time.

DSO Exploit 4 entries
Webdialer 1 entry

I have also run Hijack This, and here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:36 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\miguel\Desktop\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\miguel\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {299EC41F-29C8-44CB-A931-6A082B8FF929} - C:\WINDOWS\System32\egkpml.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\System32\ipxrip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I truly hope someone can help me resolve this problem and I thank you in advance. Cheers!

MH.

 

Hi MH,

Can you download :

http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice but on the root drive, most likely C:\

1.Run start.bat and press option 1. A search will start, let it finish

'output.txt' will be created in the folder

Copypaste the complete contents of output.txt here pelase

Thnx!

Cheers,

 

Hi! Thank you very much for your help! I've run the dllfix and here is the result!
MH.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Sun 05/23/2004
11:11 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "Boot Disk" (F457:E334) - FS:NTFS clusters:4k
Total: 20 406 886 400 [19G] - Free: 13 692 301 312 [13G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
11:11am up 0 days, 0:12
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
100da 1936 norm TF_FloatingLangBar_WndTitle
100de 1936 norm CiceroUIWndFrame
7024c 1464 norm SysFader
1007c 1464 norm Start Menu
3003e 1464 norm _Shell_TrayWnd
10026 720 high NetDDE Agent
101ca 2568 norm CiceroUIWndFrame
101c8 2568 norm CiceroUIWndFrame
501ec 2064 norm C:\WINDOWS\System32\cmd.exe
80252 1464 norm dllfix
20172 2568 norm Wilders Security Forums - I'm in DIRE need of ABOUT: BLANK guidance! - Microsof
701ea 1464 norm Acrobat IEHelper
10102 1924 norm Yahoo! Messenger
2017e 1464 norm MCI command handling window
40292 2568 norm MCI command handling window
4027e 3176 norm Auto Update Client Window
101d0 2568 norm IMMIF UI
101c2 2568 norm DDE Server Window
101b6 2568 norm Acrobat IEHelper
200ba 1872 norm ActiveMovie Window
200c2 1872 norm ActiveMovie Window
20142 1872 norm MSP PNP Notification Window
10160 1924 norm Peer Listen Window
1015c 1872 norm CRTCClient
1015a 1872 norm CRTCIMService
10150 1464 norm Connections Tray
1014c 616 norm Scan
1014a 616 norm ACTION
10148 616 norm VPIPCLINK
10146 1016 norm NVSVCPMMWindowClass
10144 1924 norm HIDDEN WINDOW
10138 1924 norm NET WINDOW
2012a 1924 norm AXWIN Frame Window
200e0 1924 norm AXWIN Frame Window
10104 1924 norm Y!TrayWnd
10100 1924 norm DDE Server Window
100be 1992 norm About WinZip Quick Pick
100c4 1860 norm DirectCD
100cc 1872 norm DDE Server Window
100b6 1764 norm Symantec AntiVirus Corporate Edition
100a6 1464 norm Power Meter
100a4 1464 norm MS_WebcheckMonitor
2018a 2568 norm SysFader
1007a 1464 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299EC41F-29C8-44CB-A931-6A082B8FF929}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E9B8DCD4-CA90-4677-942B-857A1A8B2031}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E9B8DCD4-CA90-4677-942B-857A1A8B2031}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

 

Hi Caltuga,

Delete C:\WINDOWS\System32\SQLEEMC.DLL from the Recovery Console

How to install and use the Recovery Console in Windows XP

Then boot normally and use AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913
to clean out the rest.

Regards,

Pieter

 

Hi Pieter, thanks for trying to help me!
I tried to delete the C:\WINDOWS\System32\SQLEEMC.DLL from the Recovery Console but when I did it I was told "Access Denied." I don't know if its related, but I don't have the administrator's password...

Also, I've just noticed that my Symantec File System RealTime Protection has been disabled just now... Is that normal?

I don't really understand computers very much, and I now sure wish I did!
I don't know what to do!

MH.

 

Hi caltuga,

Nothing should be in use when you boot from the Windows CD.
Then follow the instructions here on how to delete one file:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;307654#4
As you will see, you will indeed need the Administrator password.
Did you ever set one?
http://www.fas.harvard.edu/computing/kb/kb0824.html

Can you re-enable the Symantec tool for now?
We will have a look at that later if it continues to give you problems.

Regards,

Pieter

 

Hi Pieter. I don't think I have a password, because I just press enter when the password is asked and I'm cleared. But unfortunately I keep getting "access denied" when I try to delete the file. I there any other way around this? I also looked at the link you gave me to set a password and when I do Control/Alt/delete I don't get a windows security dialog, I get a windows task manager and it doesn't show an option to change the password....

Thanks again...
MH.

 

Download KillBox from:
http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip and run the program
Hit the Action Menu and choose "Delete on Reboot"
In the resulting dialog box, hit the File menu and select Add File.
Copy and paste the full path to the file ( C:\WINDOWS\System32\SQLEEMC.DLL )
The file should show now in the list of files to be deleted.
In the same dialog box, Hit the Action menu and select Process and Reboot.
Hit OK on the reboot prompt.

Hope this still works,

Pieter

 

Hi Pieter,

I'm sorry to say that I did all you asked me to do and unfortunately the problem persists. I downloaded Killbox, I did the delete and reboot and then I ran AdAware, it cleaned up some stuff but the my internet explorer is still blocked on About: Blank. Nothing has changed.

Here is the new dllfix log... It seems the SQLEEMC.DLL file is still around....

Thanks for helping me. I really appreciate it.
MH.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
04:28 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "Boot Disk" (F457:E334) - FS:NTFS clusters:4k
Total: 20 406 886 400 [19G] - Free: 13 820 829 696 [13G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
4:28pm up 0 days, 0:57
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLEEMC.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
10110 2020 norm TF_FloatingLangBar_WndTitle
1011a 2020 norm CiceroUIWndFrame
a01b2 1616 norm SysFader
20082 1616 norm Start Menu
30042 1616 norm _Shell_TrayWnd
10026 720 high NetDDE Agent
1d021e 2760 norm CiceroUIWndFrame
5026c 2760 norm CiceroUIWndFrame
6024e 2060 norm C:\WINDOWS\System32\cmd.exe
d0186 1616 norm dllfix
13027a 1616 norm Acrobat IEHelper
100e6 2000 norm Yahoo! Messenger
6029a 2760 norm MCI command handling window
502a6 2760 norm IMMIF UI
1101ee 2760 norm DDE Server Window
100238 2760 norm Acrobat IEHelper
500b6 1616 norm MCI command handling window
1019e 2728 norm Auto Update Client Window
20166 1616 norm Connections Tray
10160 744 norm Scan
1015e 744 norm ACTION
1015c 744 norm VPIPCLINK
10154 2000 norm Peer Listen Window
10152 1212 norm NVSVCPMMWindowClass
1014e 1992 norm ActiveMovie Window
1014c 1992 norm ActiveMovie Window
1014a 2000 norm HIDDEN WINDOW
2011c 1992 norm MSP PNP Notification Window
2011e 2000 norm NET WINDOW
10138 1992 norm CRTCClient
10136 2000 norm AXWIN Frame Window
3009e 2000 norm AXWIN Frame Window
10130 1992 norm CRTCIMService
10106 1968 norm DirectCD
100e8 2000 norm Y!TrayWnd
100c0 200 norm About WinZip Quick Pick
100dc 2000 norm DDE Server Window
100da 1992 norm DDE Server Window
100b4 1892 norm Symantec AntiVirus Corporate Edition
100a6 1616 norm Power Meter
100a4 1616 norm MS_WebcheckMonitor
601ae 2760 norm SysFader
5017e 2760 norm Wilders Security Forums - I'm in DIRE need of ABOUT: BLANK guidance! - Microsof
1007a 1616 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299EC41F-29C8-44CB-A931-6A082B8FF929}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{59060D73-C596-4C03-8E25-3E513BA0575F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{59060D73-C596-4C03-8E25-3E513BA0575F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

 

At the same site where you downloaded The Killbox:
http://download.broadbandmedic.com/

Download the file at the bottom.

Regards,

Pieter

 

Hi Pieter,

I've downloaded the file. I've gone to the recovery console to try and delete SQLEEMC.DLL but it still said access denied.
What do I do now?

Thanks,
Caltuga.

 

Hi Pieter,
I really don't know what to do. If there is anything else I would really appreciate it! Thanks!
Caltuga.

 

Hi caltuga,

Can you try this method :

Remember you downloaded dllfix?

Open it

run start.bat again and choose option 2.

Then hit '1' and enter dll name manually :

C:\WINDOWS\System32\SQLEEMC.DLL

and hit enter

restart PC after doing so and fix entries again in HijackThis if still present :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egkpml.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Restart PC after doing so

Also it's important you update XP and IE asap at windowsupdate.com after doing this fixes

Let us know after you've done all of this!

Cheers,

 

please download a fresh version of dllfix first before running it. It has been updated a lot in the past few days.

Also seem to be having better luck with letting it find it. so i would recommend option 2 than option 2 again.

Cheers

 

Hi, Thanks very much to both of you. I'm sure your very busy and I appreciate your taking the time to help me out.
I did all you have asked, except fix the entries on the HijackThis log because the exact files you mentioned are not there; but it seems that they have changed name because the new ones are very similar. I wasn't sure if I should fix the new entries and I thought it would be best to ask you. Here is the new HijackThis log:

Thanks again,
Caltuga.

Logfile of HijackThis v1.97.7
Scan saved at 11:58:19 AM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\miguel\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aomklha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2352D365-62E8-49A5-B31D-D89D871995BA} - C:\WINDOWS\System32\aomklha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\System32\ipxrip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi caltuga,

Could you mail me a copy of: C:\WINDOWS\System32\ipxrip.exe

Use the address in my profile

Regards,

Pieter