
sql.dll a PITA to get rid of


Fightingpiper (Member, joined Oct 29, 2001, St. Paul, MN)
I went to see my brother this weekend and he had me check out his fiancée's (and her two kids') computer because it's running really slow. It's an eMachines XP2200 with 512 MB RAM, so it shouldn't be slow for what they use it for. Well, they were running some antivirus that kept popping up but not being able to fix the problem. They are on dialup, but I downloaded Spybot, Ad-Aware, and CWShredder.

Well, I ran Spybot first and it came up with 'only' 459 hits. I fixed them and ran Ad-Aware and it came up with another 200 or so. CWShredder found a couple of values also that it fixed. Well, all this didn't totally fix the problem. The homepage still kept on getting hijacked and that damn CoolWWWSearch kept on coming back and killing the performance of the computer. I told them I'd take it home so I could do some research and download much faster. Well, I ran all those programs again and it found CoolWWWSearch and supposedly took care of it, but it didn't. I downloaded AVG and its initial protection screen kept on popping up sql.dll (trojan) but couldn't do anything with it. It wouldn't detect it in a full virus scan, though. Well, I couldn't delete it and Killbox couldn't either. I finally found a registry hack that took care of the registry string and also had to use a program called WinFile to be able to move the file and then be able to change permissions and finally delete it. It was the biggest PITA I have ever had with spyware.

When they get this back I am going to tell those kids if they get it infected again with anything I will cut off their fingers :mad: :) Hopefully this will take care of it....
 
@#$&*^@&I($*#^ thing came back... I am now really starting to get pissed off. I can't seem to get rid of this damn CoolWebSearch crap. What else can I run? Used Ad-Aware, Spybot, CWShredder, AVG... any others that will help get rid of this about:blank, CoolWeb crap? I am so P.O.'d right now I am tempted to reformat the damn thing, but I don't know what files they wanna keep... I can't believe the hours I have spent on this crap...
 
On Windows XP, you often have to turn off System Restore. The hijacker is acting more like a virus than adware. Turn off System Restore, then remove it. Free AVG may help too if you do not have another AV on the system already.
 
Fightingpiper said:
@#$&*^@&I($*#^ thing came back... I am now really starting to get pissed off. I can't seem to get rid of this damn CoolWebSearch crap. What else can I run? Used Ad-Aware, Spybot, CWShredder, AVG... any others that will help get rid of this about:blank, CoolWeb crap? I am so P.O.'d right now I am tempted to reformat the damn thing, but I don't know what files they wanna keep... I can't believe the hours I have spent on this crap...

Try running HijackThis and look for evidence in the logs it generates. If you're unsure of log entries displayed by the program, post them here and we'll help you out.
 
If you are really frustrated, you can use a program like Partition Magic to create a secondary partition, store any data they have there, and wipe out the system partition and reinstall Windows fresh.

Otherwise, post a log of HJT and we can fix this from safe mode...

You can use it to remove the registry entries which are causing this process to start, and we should be able to kill the process if it is running in safe mode, and delete its source files. If you cannot kill the process, use this http://download.broadbandmedic.com/Killbox.exe, set the path to C:\WINDOWS\System32\sql.dll, select Delete on reboot, select End Explorer shell, then press the red cross.

We will also make sure any reg entries causing the infection to be redownloaded are removed.

Also download Hoster and tell it to restore the original hosts file.

Once we are finished, we can install SpywareBlaster, which will hopefully prevent this in the future.

You can also take a look through this thread to see if anything there is helpful to you:

http://forums.techguy.org/showthread.php?t=269293
 
OK, will run HJT, but yeah, I turned off System Restore and was in safe mode. The sad thing is when I first started I forgot to turn off System Restore, so every time I would run Spybot the darn thing would create a System Restore point on its own while Spybot was running... will post back with the HJT log... also, I already had tried Killbox on the sql.dll file and it wouldn't get rid of it...
 
This one sounds familiar; think I had one in the shop a week or two ago with it. If you follow one or both of the stickies on malware removal to the T, you shouldn't have any problems - you may have to post a HijackThis .log too though.

To rehash what the stickies say:

-reboot in safe mode
-turn off System Restore
-delete ALL temp system/internet files
-delete index.dat files for all users
-full scan with Ad-Aware with latest defs
-full scan with Spybot with latest defs
-full scan with Spy Sweeper with latest defs
-full scan with XBlock (usually can repair broken hosts/Winsock files)
-full scan with CWShredder
-post HijackThis log file

Here are the stickies:
http://www.ocforums.com/showthread.php?t=307720
http://www.ocforums.com/showthread.php?t=319615

IMOG is on top of things with a link for manual removal too.
 
Have done all of that... except post my HJT file (here it is), and yes, I read the stickies last night and followed them...

I've gotten rid of the sql.dll trojan; now I just can't get rid of the CoolWWWSearch crap.

Logfile of HijackThis v1.98.2
Scan saved at 1:43:10 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Mary Jo\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.tds.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {42394113-C757-4FD0-A5DC-DF48DE0A8B00} - C:\WINDOWS\System32\ohkbkba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4E4153202020} - C:\WINDOWS\System32\NAS.dll (file missing)
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [load support four warn] C:\Documents and Settings\All Users\Application Data\meal city load support\sixthiso.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [THUNK VGA] C:\DOCUME~1\MARYJO~1\APPLIC~1\SPAMHT~1\pure ford kind.exe
O4 - Startup: Forget Me Not.lnk = C:\Program Files\Mindscape\AGCraft\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093056549668
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
O18 - Filter: text/plain - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
 
Boot into safe mode and delete the following files if present:

C:\WINNT\wincmd\svchost.exe
C:\WINNT\System32\ochlp30t.exe

Ensure that all browser windows are closed, start HijackThis and delete the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.tds.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {42394113-C757-4FD0-A5DC-DF48DE0A8B00} - C:\WINDOWS\System32\ohkbkba.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4E4153202020} - C:\WINDOWS\System32\NAS.dll (file missing)
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yah...ebio5_0_2_7.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
O18 - Filter: text/plain - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
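
The triage hafa did by eye above can be scripted. The following is an added example, not part of hafa's post and not HijackThis's own logic: it parses HJT log lines with a handful of heuristics (IE start/search pages pointed at about: URLs, anonymous or orphaned O2/O3 COM objects, O16 Download Program Files served from file:// or ms-its:, any O18 protocol or MIME-filter hook, autoruns living under Application Data), then correlates across lines so that a DLL registered as both a BHO and a text/html filter, as ohkbkba.dll is here, outranks every single-line rule, and so that O2/O3 CLSIDs differing only in their last group are flagged together. The rules, the severity levels and the allowlist (SDHelper.dll) are assumptions; the sample input is a constructed subset of the log posted above.

```python
"""Triage a HijackThis (HJT) log with simple heuristics.

Added example; not from the thread above and not HijackThis's own code.
Every rule below is an assumption drawn from what this log shows, and the
output is a review list for 'Fix checked', not a verdict.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "severity kind reason line")

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
HIJACK_TARGETS = ("about:navigationfailure", "about:blank")   # R0/R1 values that are not real URLs
LOCAL_DPF_SCHEMES = ("file://", "ms-its:")                     # O16 objects served from the local disk/CHM
DATA_DIRS = ("application data", "applic~1")                   # O4 autoruns living in data directories
SEVERITY = {"critical": 0, "high": 1, "medium": 2}
# Assumption: a local allowlist for helper DLLs that legitimately show "(no name)".
KNOWN_GOOD_DLLS = {"sdhelper.dll"}  # Spybot S&D's own BHO, present in the log above

# Constructed sample: a subset of the HijackThis 1.98.2 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {42394113-C757-4FD0-A5DC-DF48DE0A8B00} - C:\WINDOWS\System32\ohkbkba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4E4153202020} - C:\WINDOWS\System32\NAS.dll (file missing)
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [load support four warn] C:\Documents and Settings\All Users\Application Data\meal city load support\sixthiso.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [THUNK VGA] C:\DOCUME~1\MARYJO~1\APPLIC~1\SPAMHT~1\pure ford kind.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
O18 - Filter: text/plain - {9F4E192A-7F96-4509-841C-6D22EA0B0992} - C:\WINDOWS\System32\ohkbkba.dll
"""


def extract_path(body):
    """First Windows path in an HJT body, quoted or bare; a trailing ',Export' is dropped."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', body) or re.search(r"[A-Za-z]:\\\S+", body)
    return m.group(m.lastindex or 0).split(",")[0] if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else None


def classify(kind, body):
    """Per-line rule: return (severity, reason) or None."""
    low, name = body.lower(), basename(extract_path(body))
    if kind in ("R0", "R1") and any(t in low for t in HIJACK_TARGETS):
        return "high", "IE start/search page redirected to a non-URL"
    if kind in ("O2", "O3") and name not in KNOWN_GOOD_DLLS:
        if any(tag in low for tag in ("(no name)", "(no file)", "(file missing)")):
            return "high", "anonymous or orphaned IE COM object"
    if kind == "O4" and any(d in low for d in DATA_DIRS):
        return "medium", "autorun launched from a data directory"
    if kind == "O16" and any(s in low for s in LOCAL_DPF_SCHEMES):
        return "high", "Download Program File served from a local file or CHM"
    if kind == "O18":
        return "high", "protocol or MIME filter hook"
    return None


def triage(log_text):
    """Run the per-line rules, then the correlations no single line shows."""
    findings, dll_refs, clsid_families = [], defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # header, process list, blank line
        kind, body, line = m.group("kind"), m.group("body"), raw.strip()
        hit = classify(kind, body)
        if hit:
            findings.append(Finding(hit[0], kind, hit[1], line))
        name = basename(extract_path(body))
        if name and name.endswith(".dll"):
            dll_refs[name].append((kind, line))
        c = CLSID_RE.search(body)
        if c and kind in ("O2", "O3"):
            clsid_families[c.group(1).upper().rsplit("-", 1)[0]].append((kind, line))
    # A DLL loaded as a BHO (O2) and registered as a MIME filter (O18) sits in the
    # HTML stream of every page; that combination outranks any single-line rule.
    for name, refs in dll_refs.items():
        if {"O2", "O18"} <= {k for k, _ in refs}:
            for kind, line in refs:
                findings.append(Finding("critical", kind, f"{name} is both a BHO and a MIME filter", line))
    # Several COM objects whose CLSIDs differ only in the last group look templated.
    for family, refs in clsid_families.items():
        if len(refs) > 1:
            for kind, line in refs:
                findings.append(Finding("medium", kind, f"CLSID family {family}-* reused", line))
    return findings


def best_by_line(findings):
    """Highest severity per log line."""
    best = {}
    for f in findings:
        if f.line not in best or SEVERITY[f.severity] < SEVERITY[best[f.line].severity]:
            best[f.line] = f
    return best


def fix_list(findings):
    """De-duplicated lines to tick in HJT's 'Fix checked', worst first."""
    ranked = sorted(best_by_line(findings).values(), key=lambda f: (SEVERITY[f.severity], f.line))
    return [f.line for f in ranked]


if __name__ == "__main__":
    for f in sorted(best_by_line(triage(SAMPLE_LOG)).values(), key=lambda f: SEVERITY[f.severity]):
        print(f"[{f.severity:8}] {f.reason}\n           {f.line}")
```

On the sample it returns 14 of the 18 lines, with the three ohkbkba.dll entries first, and it skips SDHelper.dll, the Works updater, AVG and the MSN upload control. It also flags the two O4 autoruns under Application Data, which hafa's list leaves alone; the thread does not say what they are, so treat them as review items, not fix items. In either case, HJT's Fix checked only removes the registry pointers: the files still have to be deleted from safe mode, as the posts above say, and an entry that returns after a reboot points at a loader the log did not show.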
 
Thanks for all your help, guys. I think I may have got it... at least Google is staying the home page for now... That was way too much work for what it was worth. It would have been faster to reformat, but I don't know what they want kept. Again, thanks a bunch.
 
hafa said:
Boot into safe mode and delete the following files if present:

C:\WINNT\wincmd\svchost.exe
C:\WINNT\System32\ochlp30t.exe

Ensure that all browser windows are closed, start HijackThis and delete the following:

pwn3d

Nice job. :thup:
 