RUNDLL Error Loading: ... ACCESS DENIED

Abigail

Under Win XP Pro SP3
Spyware and virus associated with it was recently removed from System and
now every time someone logs in to any profile other than the Administrator
the following errors will pop:

Loading: c/winnt/system32/ojncembx.dll Access Denied (OK Button only)
Loading: c/winnt/system32/mhpfbmxu.dll Access Denied (OK Button only)

However if logged as the administrator there are no error pops and the
processes described above are running in the background under explorer.

Please Advise
Thanks
 
Elmo

Abigail said:
Under Win XP Pro SP3
Spyware and virus associated with it was recently removed from System and
now every time someone logs in to any profile other than the Administrator
the following errors will pop:

Loading: C:\Winnt\System32\ojncembx.dll Access Denied (OK Button only)
Loading: C:\Winnt\System32\mhpfbmxu.dll Access Denied (OK Button only)

However if logged as the administrator there are no error pops and the
processes described above are running in the background under Explorer.

Please Advise,
Thanks

It reads as though the virus is still alive and well in the
administrator account. You might run your a/v software from that
account. Also try one of these free online virus scans:

This one has a choice of a Quick or a Complete check
http://www.pcpitstop.com/

Symantec
http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym

<url:http://security2.norton.com/us/home.asp?j=1&venid=sym&langid=us&plfid=20&pkj=IHBEXIBVEMBQAUWZKTK>
then click the Security check link.

http://housecall.antivirus.com/ free online virus scan

http://www.ewido.net/en/

http://www.pandasoftware.com/products/activescan.htm

When the malware was deleted by your a/v software, the reference to the
file was not removed from the registry.

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.
 
Abigail

Just ran Symantec Antivirus with the latest definitions all night (last
night), results are clean.

The items previously described were removed with SUPERAntiSpyware; I will
run it again tonight selecting full system scan and post results tomorrow.
Thanks for your answer.
Abigail
 
Abigail

Elmo,

As said in my previous post I just finished performing the additional SpyW
scan and cleared some cookies and a couple variants of the same items deleted
before, additionally I did the registry corrections that you are recommending
there was two references for (ojncembx.dll) and one for (mhpfbmxu.dll) but it
did not delete one of the former, though I did a backup of these reg.
files anyway and everything seems like is working properly but down to only
one Rundll error now:

Error Loading: C:\Winnt\System32\ojncembx.dll Access Denied

What should I do next?
 
jimbo571

Elmo,

As said in my previous post I just finished performing the additional SpyW
scan and cleared some cookies and a couple variants of the same items deleted
before, additionally I did the registry corrections that you are recommending
there was two references for (ojncembx.dll) and one for (mhpfbmxu.dll) but it
did not delete one of the former, though I did a backup of these reg.
files anyway and everything seems like is working properly but down to only
one Rundll error now:

Error Loading: C:\Winnt\System32\ojncembx.dll Access Denied

What should I do next?

Google and d/l Unlocker and see if that helps .
 
Abigail

Google and d/l Unlocker and see if that helps .

Would you please elaborate some more? What exactly am I looking for? What is
it for and what does it do?

After searching for the name you are recommending I get zillions of
different things.

Thanks in Advance
 
Abigail

Elmo said:

Thanks for the link but the tool does not work under registry or the
registry hierarchy entry lists,

I even attempted to edit the exported key by removing the entry of the path
to the file in question but that only merges back the contents, it does not
replace it.
This is getting frustrating.
Any more suggestions will be appreciated

Thanks in advance
 
Elmo

Abigail said:
Thanks for the link but the tool does not work under registry or the
registry hierarchy entry lists,

I even attempted to edit the exported key by removing the entry of the path
to the file in question but that only merges back the contents, it does not
replace it.
This is getting frustrating.
Any more suggestions will be appreciated

Thanks in advance

Run Msconfig, open the Startup folder and see if the entries are there.
If so, try deselecting them there. When you restart the computer, you
will be asked if you want to run in Diagnostic Mode. Answer yes, and
check the box so you aren't asked at each boot.

Autoruns might do something for you too, though I've never tried it.

39. AutoRuns - All Programs Running Boot/Login
http://www.kellys-korner-xp.com/xp_tweaks.htm
 
Abigail

Elmo said:
Run Msconfig, open the Startup folder and see if the entries are there.
If so, try deselecting them there. When you restart the computer, you
will be asked if you want to run in Diagnostic Mode. Answer yes, and
check the box so you aren't asked at each boot.

Autoruns might do something for you too, though I've never tried it.

39. AutoRuns - All Programs Running Boot/Login
http://www.kellys-korner-xp.com/xp_tweaks.htm

I will need more directions, sorry I'm unfamiliar with it but if I do the
Msconfig thing and once I enter the Diagnostic mode, where do I go from there?

By reading at similar threads I found and tried something called
(StartupTracker3) I think is similar to what you are suggesting (Autoruns).

After running StartupTracker3 in the resulting startuplog under Registry
Items you will notice there is a:
BMaac9df33 Rundll32.exe "C:\WINNT\system32\ojncembx.dll",s

And under running processes:
rundll32.exe "C:\WINNT\system32\Rundll32.exe"
"C:\WINNT\system32\ojncembx.dll",s

Under running Services:
None

Here is the complete part of the log report:

##############################################
8/24/2008 6:37:34 PM

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager mobsync.exe /logon
NvCplDaemon RUNDLL32.EXE
C:\WINNT\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
NeroFilterCheck C:\WINNT\system32\NeroCheck.exe
Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader
8.0\Reader\Reader_sl.exe"
zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
InCD C:\Program Files\Ahead\InCD\InCD.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe"
-atboottime
NvMediaCenter RUNDLL32.EXE
C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
SystemTray SysTray.Exe
BMaac9df33 Rundll32.exe "C:\WINNT\system32\ojncembx.dll",s
TraySantaCruz C:\WINNT\system32\tbctray.exe

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
ctfmon.exe C:\WINNT\system32\ctfmon.exe

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

^SetupICWDesktop C:\Program Files\Internet Explorer\Connection
Wizard\icwconn1.exe /desktop

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
Adobe Gamma Loader.lnk
Microsoft Office.lnk

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINNT\system32\services.exe
lsass.exe C:\WINNT\system32\lsass.exe
svchost.exe C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
spoolsv.exe C:\WINNT\system32\spoolsv.exe
DefWatch.exe "C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\DefWatch.exe"
InCDsrv.exe "C:\Program Files\Ahead\InCD\InCDsrv.exe"
Rtvscan.exe "C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\Rtvscan.exe"
nvsvc32.exe C:\WINNT\system32\nvsvc32.exe
svchost.exe C:\WINNT\system32\svchost.exe -k imgsvc
alg.exe
explorer.exe C:\WINNT\Explorer.EXE
VPTray.exe "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
reader_sl.exe "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
iTouch.exe "C:\Program Files\Logitech\iTouch\iTouch.exe"
InCD.exe "C:\Program Files\Ahead\InCD\InCD.exe"
rundll32.exe "C:\WINNT\system32\RUNDLL32.EXE"
C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
rundll32.exe "C:\WINNT\system32\Rundll32.exe"
"C:\WINNT\system32\ojncembx.dll",s
tbctray.exe "C:\WINNT\system32\tbctray.exe"
ctfmon.exe "C:\WINNT\system32\ctfmon.exe"
StartupTracker3.exe "C:\StartupTracker3\StartupTracker3.exe"
wmiprvse.exe

##############################################
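
The startup log above still carries the leftover reference; as an added example (not part of the thread and not StartupTracker3's own code), this Python script scans a log in that layout for rundll32 launches and reports which key or section still references the DLLs named in the error dialogs. The sample log is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the startup log quoted in the thread
# (entries copied from that log and shortened; wrapped lines kept wrapped).
SAMPLE_LOG = r'''
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon RUNDLL32.EXE
C:\WINNT\system32\NvCpl.dll,NvStartup
SystemTray SysTray.Exe
BMaac9df33 Rundll32.exe "C:\WINNT\system32\ojncembx.dll",s

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe C:\WINNT\system32\ctfmon.exe

-- Running Processes --
rundll32.exe "C:\WINNT\system32\Rundll32.exe"
"C:\WINNT\system32\ojncembx.dll",s
'''

SECTION = re.compile(r'^-- (.+?) --[ \t]*$', re.M)
# rundll32 <dll>,<export>; \s+ also spans the line wraps seen in the log.
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\r\n]+?\.dll)"?,(\S+)', re.I)

def rundll_autoruns(log_text):
    """Return (location, dll_path, export) for each rundll32 launch in the log."""
    parts = SECTION.split(log_text)  # [preamble, name1, body1, name2, body2, ...]
    found = []
    for name, body in zip(parts[1::2], parts[2::2]):
        location = name
        if name == 'Registry':  # the key path is the first non-blank body line
            lines = body.strip().splitlines()
            location = lines[0].strip() if lines else name
        found += [(location, m.group(1), m.group(2)) for m in RUNDLL.finditer(body)]
    return found

def references_to(found, dll_names):
    """Keep hits whose DLL file name is in dll_names (case-insensitive)."""
    wanted = {n.lower() for n in dll_names}
    return [h for h in found if h[1].rsplit('\\', 1)[-1].lower() in wanted]

if __name__ == '__main__':
    # DLL names taken from the error dialogs reported in the thread.
    for loc, dll, export in references_to(rundll_autoruns(SAMPLE_LOG),
                                          ['ojncembx.dll', 'mhpfbmxu.dll']):
        print(f'{loc}: {dll} (export {export})')
```

A hit under HKEY_LOCAL_MACHINE\...\Run is processed at logon for every profile, which is consistent with the error appearing on each account rather than only one.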
 
Elmo

Abigail said:
I will need more directions, sorry I'm unfamiliar with it but if I do the
Msconfig thing and once I enter the Diagnostic mode, where do I go from there?

Once you edit the Startup tab, and restart, you're in "Diagnostic" mode.
You simply remain in that mode so you won't be prompted for it each
time. If, upon a restart, you no longer get the error message, you then
work on removing the entry from the registry, then reenter msconfig and
leave "diagnostic" mode.
By reading at similar threads I found and tried something called
(StartupTracker3) I think is similar to what you are suggesting (Autoruns).

After running StartupTracker3 in the resulting startuplog under Registry
Items you will notice there is a:
BMaac9df33 Rundll32.exe "C:\WINNT\system32\ojncembx.dll",s

And under running processes:
rundll32.exe "C:\WINNT\system32\Rundll32.exe"
"C:\WINNT\system32\ojncembx.dll",s

Autoruns, which I haven't used, allows you to remove entries. If
"StartupTracker3" also allows that, it may be an option on its toolbar.
 
Abigail

Elmo said:
Once you edit the Startup tab, and restart, you're in "Diagnostic" mode.
You simply remain in that mode so you won't be prompted for it each
time. If, upon a restart, you no longer get the error message, you then
work on removing the entry from the registry, then reenter msconfig and
leave "diagnostic" mode.


Autoruns, which I haven't used, allows you to remove entries. If
"StartupTracker3" also allows that, it may be an option on its toolbar.

The free version of Autoruns does not allow me to remove entries, with the
licensed version maybe?

At running msconfig and deselecting the entry in the startup tab and
rebooting I still get the same error when switching to other user than the
administrator, when I go back to msconfig again I found two instances of the
same entry this time one is checked and the other don't and in the general
tab the selective startup has been automatically selected rather than the
diagnostic mode I believe you told me I should be under?

At trying to unlock the "ojncembx.dll" directly from the system32 directory
I see that all the taskbar programs point to this file and if I try to unlock
only the C:\WINNT\system32\ojncembx.dll I get a Microsoft send report error
warning.

Same thing at trying to delete the string either with regedit or with
Windows Registry Pro it will show as deleted or errors corrected in the case
of the former one but then I check in ProcessExplorer and still be running
and receiving the same error when login in as another user.

As you can see I'm really having a horrible time with this and starting to
suspect it may be a system file that got corrupted in the process of getting
rid of the spyware maybe?
 
Elmo

Abigail said:
The free version of Autoruns does not allow me to remove entries, with the
licensed version maybe?

At running msconfig and deselecting the entry in the startup tab and
rebooting I still get the same error when switching to other user than the
administrator, when I go back to msconfig again I found two instances of the
same entry this time one is checked and the other don't and in the general
tab the selective startup has been automatically selected rather than the
diagnostic mode I believe you told me I should be under?

At trying to unlock the "ojncembx.dll" directly from the system32 directory
I see that all the taskbar programs point to this file and if I try to unlock
only the C:\WINNT\system32\ojncembx.dll I get a Microsoft send report error
warning.

Same thing at trying to delete the string either with regedit or with
Windows Registry Pro it will show as deleted or errors corrected in the case
of the former one but then I check in ProcessExplorer and still be running
and receiving the same error when login in as another user.

As you can see I'm really having a horrible time with this and starting to
suspect it may be a system file that got corrupted in the process of getting
rid of the spyware maybe?

Will Autoruns let you stop the process? Do so if you can. Then, remove
it from the registry, reboot. If you can get Windows to start without
it, you can then delete it.

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when you've located ojncembx.dll, delete the line. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.
 
Abigail

Actually somebody pointed me to an article from the Symantec Security Response
website about hard to remove viruses for Trojan type and as described I did a
full scan updating to the latest virus definitions with System Restore
disabled and in safe mode and that found "ojncembx.dll" among many other
"Trojans and Vundo" viruses then I cleaned the registry to eliminate the
strings and restarted in normal mode again and seems like that corrected the
problem.

Symantec claims that some of these viruses can be hiding or left dormant in
the System and reappear when triggered by starting an application or visiting
a particular website.

Abigail
 
