Viruses, Spyware and...

Crunchie...need your help with sqlo.dll (about blank)

Thread Solved

•

Join Date: Jun 2004

Posts: 6

Reputation: mochastaat is an unknown quantity at this point

Solved Threads: 0

mochastaat mochastaat is offline

Offline

Newbie Poster

Crunchie...need your help with sqlo.dll (about blank)

Jun 15th, 2004

Crunchie,

I have the same problem with trying to delete sqlo.dll, but with no success.
My symptoms are my IE homepage keeps being changed to a smartsearch page...'about blank' URL.

Please help!!!

•

Join Date: Feb 2004

Posts: 10,100

Reputation: crunchie is a splendid one to behold

Solved Threads: 767

crunchie

Offline

Spyware Killer

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 16th, 2004

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

•

Join Date: Jun 2004

Posts: 6

Reputation: mochastaat is an unknown quantity at this point

Solved Threads: 0

mochastaat mochastaat is offline

Offline

Newbie Poster

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 17th, 2004

•

Originally Posted by crunchie

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

Here id hjt log:
Logfile of HijackThis v1.97.7
Scan saved at 10:19:34 AM, on 18/06/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Palm\palm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Documents and Settings\Mick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.3:81
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://server3/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://pcworld.idg.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Palm Desktop.lnk = C:\Program Files\Palm\palm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28177.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

Here is other log:
--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Fri 18/06/2004
10:23a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "C" (3EDC:B343) - FS:NTFS clusters:512
Total: 6 366 333 952 [5.9G] - Free: 3 219 309 056 [3.0G]

*IE version and Service packs:
5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINDOWS\system32\notepad.exe
5.0.2140.1 C:\WINDOWS\notepad.exe
*Media Player version :

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP2;Q324929;

Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
\\?\C:\WINDOWS\System32\SQLO.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLO.DLL +++ File read error

Scanning for main Hijacker:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

2 - The system cannot find the file specified.

•

Join Date: Feb 2004

Posts: 10,100

Reputation: crunchie is a splendid one to behold

Solved Threads: 767

crunchie

Offline

Spyware Killer

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 18th, 2004

Run start.bat again & select option 2. Then select 1 & enter C:\WINDOWS\System32\SQLO.DLL & reboot. There will be another scan, when done, reboot again.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,

O1 - Hosts: 213.159.117.235 auto.search.msn.com

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\realtime.exe

Reboot normally after doing the above then post a fresh log plz.

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

•

Join Date: Jun 2004

Posts: 6

Reputation: mochastaat is an unknown quantity at this point

Solved Threads: 0

mochastaat mochastaat is offline

Offline

Newbie Poster

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 20th, 2004

crunchie,

the dll fix program seems to have an error or it is not working. here is what i get when i do what you asked:

Error: The system was unable to find the specified registry key or value.

it also doesnt reboot or rescan which u said it would...so clearly it isnt operating as it should.

i fixed the files from the scan i did. here is the new log from a new scan:

Logfile of HijackThis v1.97.7
Scan saved at 10:15:12 AM, on 21/06/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Palm\palm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Documents and Settings\Mick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.3:81
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://server3/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://pcworld.idg.com.au/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Palm Desktop.lnk = C:\Program Files\Palm\palm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28177.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab

•

Join Date: Feb 2004

Posts: 10,100

Reputation: crunchie is a splendid one to behold

Solved Threads: 767

crunchie

Offline

Spyware Killer

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 21st, 2004

Do you still have the problem? You really should upgrade to IE6 as well.
dllfix has been removed from that site now because it had a few bugs, which you have obviously found. Shadowwar is in the process of creating a new version.

Please download & install
Regalyzer.

Copy and Paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address bar and press enter

double click on the AppInit_DLLs sub key and the value box will open.

check the contents -- should be the path to the dll.

Post your result Back here.

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster

•

Join Date: Jun 2004

Posts: 6

Reputation: mochastaat is an unknown quantity at this point

Solved Threads: 0

mochastaat mochastaat is offline

Offline

Newbie Poster

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 21st, 2004

•

Originally Posted by crunchie

Do you still have the problem? You really should upgrade to IE6 as well.
dllfix has been removed from that site now because it had a few bugs, which you have obviously found. Shadowwar is in the process of creating a new version.

Please download & install
Regalyzer.

Copy and Paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address bar and press enter

double click on the AppInit_DLLs sub key and the value box will open.

check the contents -- should be the path to the dll.

Post your result Back here.

Yes it is still happening in earnest!!!

That link that you have provided...when i go there, there is nowhere or nothing to download (that i can read anyway). So i searched for regalyzer on Google and dowloaded version 1e from softpedia.

Once dowmloaded and copy and pasted the above address as u asked but it came back with no results. I checked that location in the registry and there is no windows folder under current version!!!
Also i couldnt see any 'AppInit_DLLs sub key' in the regalyzer program either!

•

Join Date: Jun 2004

Posts: 6

Reputation: mochastaat is an unknown quantity at this point

Solved Threads: 0

mochastaat mochastaat is offline

Offline

Newbie Poster

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 22nd, 2004

•

Originally Posted by mochastaat

Yes it is still happening in earnest!!!

That link that you have provided...when i go there, there is nowhere or nothing to download (that i can read anyway). So i searched for regalyzer on Google and dowloaded version 1e from softpedia.

Once dowmloaded and copy and pasted the above address as u asked but it came back with no results. I checked that location in the registry and there is no windows folder under current version!!!
Also i couldnt see any 'AppInit_DLLs sub key' in the regalyzer program either!

crunchie,

i have fixed the problem. found the file in the system32 folder and changed the security properties to full access. i was then able to delete it!!!!!

•

Join Date: Dec 2003

Posts: 6,439

Reputation: DMR will become famous soon enough

Solved Threads: 363

DMR

Offline

Wombat At Large

Re: Crunchie...need your help with sqlo.dll (about blank)

Jun 22nd, 2004

Marking this thread as solved. The thread is essentially closed unless the original poster has further questions.

Members with similar problems should post their questions in their own thread.

Thanks.

"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.