DLMal

Is ole.dll being blocked by OLA a false positive?


Hi guys and gals, I'm new to the forum but have been using OLA close to a year. I love the product except for a conflict with my anti-virus program that I will research your knowledge base for answers before I post my issue on that subject.

 

Here is my present issue:

 

Is this a false positive, autorun, being blocked on boot?

Autorun detected: ole32.dll Blocked
This autorun is blocked every time I cold boot
Here is the file path: C:WINDOWS\system32\ole32.dll

The file exists under the listed file path above and it identifies itself as:

ole32.dll
5.1.2600.6168
Microsoft OLE for Windows

Once I click on the link, C:WINDOWS\system32\ole32.dll, I can't find the file, ole.dll, in the OLA Autoruns list.

 

:)


Thanks Arief,

 

All attempts to upload the file have failed: basic and advanced uploader. This would include trying to upload to dropbox. This is not the only site that I have issues uploading files. Seems as though I can't upload anything close to 1mb. I have dial-up here. I will have to go to a WiFi cafe tomorrow and upload. This is not a file extension issue, or at least it is usually not a file extension issue. However, this is the first time I've tried to upload a dll file.


Within the history section of OLA, the file is blocked on boot. However, it does not give the file--at least the same file name--when I click on the filepath/link. It takes me to autoruns' window where there is not a clear corresponding file. The file at the top of the list in pink but allowed is ACPI.sys.

 


Let's get some more information about loadpoints on your system, and see if we can find the cause of this notification in Online Armor. Please run OTL by following the instructions below:

  • Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  • Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  • Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.


Please open Online Armor, go to your History, and click the Export button to export your history. It will save it as a CSV file, which you can then ZIP and attach to a private message to me (I don't recommend posting it in a reply to this topic).

Note that if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.


I can clearly see the line in the history showing the DLL file being blocked, so I will forward this on to our developers to see if they can shed any light on why this might be happening.

While we wait for that, let's get a more detailed log showing loadpoints. Please run RSIT by following the steps below:

  • Download Random's System Information Tool (RSIT) from this link and save it on your desktop.
  • Double click on the icon on your desktop for RSIT to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open in separate Notepad windows. Please make sure that those are saved on your desktop, and then attach them to a reply by using the More Reply Options button.


I couldn't run the program. I have included the error messages as an attachment as a zip and .doc file. I have upgraded Hijack This (Downloaded latest Version), unblocked it (RSIT) from OLA (It blocked it initially), and given it all permissions except "system shutdown," along with adding it to my "Global exclusion" list with Avast. Yep, I tried anything and everything and even re-downloaded the program.

 

:( 


Could you use Microsoft Paint to save the screenshot as a PNG (Portable Network Graphics) image, and then attach that? No need for a ZIP archive that way. ;)

You can open Microsoft Paint by clicking on the Start button, going to All Programs, going to Accessories, and clicking on Paint. Alternately you can hold down the Windows key on your keyboard (the one with the Windows logo on it, usually between the Ctrl and Alt keys) and tap R to open the Run dialog, then type mspaint into the field, and click the OK button.


I'm not really sure what would cause that error, so let's try DDS instead. Please download DDS from this link, and save it on your desktop, then follow the instructions below:

  • Please disable any script blocking protection or anti-virus software before running it.
  • Double click the dds icon you saved on your desktop to run the tool.
  • When done, two logs will open in Notepad.
  • Save both of these logs on your desktop as Text Documents.
  • Please attach both of those logs to a reply.


That log doesn't show it either. I'm going to get some input from our developers, and then we'll go from there.


I should mention here that I have disc errors. I had forgotten, but remembered when I ran AVG Rescue Disc and that notice came up. I ran AVG yesterday and the only issues that I had were three un-scannable files. I have had disc issues long before adding OLA as my firewall and Avast as my virus protection. My hard-drive is at least 4 years old and the unit was purchased as a refurbished computer. Perhaps that is the cause.

 

Again, thanks for all your help.

 

:)


Have you run a disk check to see if it can repair the issues? Here are instructions on how to do it:

  • Open My Computer.
  • Right-click on your C: drive (or any other drive you want to check for errors), and select Properties.
  • Click on the Tools tab.
  • Click Check Now.
  • Make sure it's set to automatically fix errors.
  • If you suspect that there might be physical damage to the hard drive, then you can also select Scan for and attempt to recover bad sectors.
  • Click the button to start the check.
  • Normally it will ask you if you want to schedule the check disk to run the next time you restart your computer, tell it Yes. (note that this only happens when a hard drive is in use and cannot be unmounted, so it will always happen for the hard drive that Windows is installed on)
  • Restart your computer, and do not interrupt your computer when the light-blue screen comes up that says it will check your hard drive for errors. It must be allowed to complete its process (usually only takes a few minutes).


Just for the sake of argument, let's get a log from TDSSKiller. Here are the instructions:

  • Download TDSSKiller from this link and save it on your desktop.

  • Run the TDSSKiller download that you saved.

  • Click on Change parameters as it shows in the following screenshot:

    tdsskiller_report_001.png

  • Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:

    tdsskiller_report_002.png

  • Click the Start scan button as in the following screenshot:

    tdsskiller_report_003.png

  • You will see the following as the scan runs:

    tdsskiller_report_004.png

  • If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:

    tdsskiller_report_005.png

  • Click on Report in the upper-right corner, as in the following screenshot:

    tdsskiller_report_006.png

  • You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.

    tdsskiller_report_007.png

  • Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.

    tdsskiller_report_008.png

  • Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.

  • Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:

    tdsskiller_report_009.png

  • Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

    tdsskiller_report_010.png


As far as I can tell, there's no indication that there is a loadpoint for that file. Are you still seeing the file being blocked?


Yes, that is correct.

In addition, since I ran the last scan, OLA has blocked several more files that I have unblocked and allowed. I also receive a non-notification dll error relating to wireless. I did not receive that error this time in my admin account so maybe it has corrected itself. The error message was seen in my standard user account and (I believe) my admin account before the last restart.


Let's try ComboFix, and see if it can tell us anything new about this issue. Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix, so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to.

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus, AntiSpyware, and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    See HERE for help

  • Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not click in ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Arthur,

 

Why exactly are we running ComboFix? I no longer have a dll error. The original issue is still present, OLE.Dll is still being blocked on start-up. I will need more info before I run ComboFix since we have been unable to identify my original issue. In addition, we have run many scans. Have you found any indication from those scans that I may have a malware issue?


No, everything looks fine in the logs. I just wanted to see if any System Files had been modified. There are other ways of finding out, but ComboFix is the one I am most familiar with.


According to that ComboFix log, there are more than 500 system files (that includes backups of those files) that are failing a signature check. It is also not showing any backups of those files that are passing the signature check, which means that you will need your Windows XP disk to restore the files. Do you have a Windows XP disk (note that it should be the same edition that you have installed, which OTL says is Professional Edition)?


Since running Combofix, I have had two crashes of my browsers, 1 each: Opera and Firefox. In addition, Avast took a lot longer to update virus definitions. However, my computer runs a lot more stable on a WiFi connection than a dial-up one. That has been the case for some time. I was working on my computer yesterday and had access to WiFi with no issues. I will watch both occurrences much closer. Have I had situations in which my browser crashed? Yes. But I have never had a situation in which one crashed after the other within say, 5-10 minutes.

I found ole32.DLL in "Programs" rather than "Autoruns" as OLA pointed to (link) when I clicked on the link provided in "history." Found it while I was looking for "STI.DLL." OLA blocked this DLL as well. This seemed to be a block of another legitimate file. I chose "trust" and it no longer blocks the file. I have included a picture below.

Would those signature issues that you are speaking of cause this issue of blocking legitimate files?

My computer is loading much cleaner. On boot, my background picture loads right before my desk icons which before it would be almost a minute before my icons would show up. I am going to work on removing some of the start-up programs in the near future. Right now it takes about 8 minutes before my computer is stable enough to use even with adding the recent memory that I have added. I have maxed out with the latest amount. I could probably save some time if I were not running CCleaner at start-up but I feel better with it cleaning at boot.

In regards to an XP disk. My computer came with a partition and not the disk.

 


Hi,

 

I had this pop-up notification from OLA today.

clbcatq.DLL is located in file path that it is supposed to be located in on my computer.
I was printing a document with Bullzip printer. It also caused a notice from Adobe as well. I'm pretty sure that it caused the notice with Adobe because Bullzip prints it as a PDF. I have not had any issues with Bullzip at all. I'm assuming that this is what triggered the popup from OLA.

http://www.file.net/process/clbcatq.dll.html
http://www.processlibrary.com/directory/files/clbcatq/28573/

 

:)

 

 


In regards to an XP disk. My computer came with a partition and not the disk.

With no Windows XP disk, it will not be possible to use the System File Checker to verify if System Files have been modified or corrupted.

It is still possible to replace those System Files (or at least most of them) by reinstalling Service Pack 3 for Windows XP. Please try the following:

  • Download the Service Pack 3 for Windows XP installer from Microsoft at this link.
  • Once that's done, restart your computer in Safe Mode by following the instructions at this link.
  • Run the installer for Service Pack 3.
  • Once it is done, restart your computer normally.
Let me know if that helps at all.


I completed the re-installation of SP3 only after disabling OLA in Windows services. It worked fine in safe mode but at restart OLA would not let Windows complete whatever cleaning that had to be done from the command line: OLA blocked it every time. Windows would not complete the installation with a restart to safe mode. However, I believe that re-installation was worth the time and effort. In addition, I have even more respect for OLA after these exercises: It seems to be just as paranoid as I am.

The unit seems to have only one new issue as stated before: Firefox and Opera are crashing while using dial-up. OLE.DLL is no longer being blocked. Windows is loading a bit smoother. Therefore, I will probably rate the browser crash issue lower-major. That is, if I do not begin to see the same issue while using a broadband connection. So far, I have been unable to place what is causing the crash.

System is about 4 years old. It was a refurbished purchase from one of my suppliers, IBM. I am surprised that the unit is not working even worse based on the experimentation that has been performed on it. Installing and uninstalling software, installing and uninstalling hardware and drivers. When Microsoft's XP is no longer supported in April of next year, I will switch her over to Ubuntu. I knew of IBM's reputation in regards to quality of product; at least in this case it is well deserved. It is a shame that they are no longer in the PC business.

Thanks for your time and patience in helping me to resolve these issues. Much appreciated. She will be used from this day forward for light surfing. She deserves a break, with no more major surprises. We'll keep her out of the landfill for awhile longer.

 

:)


I'm sorry, I should have told you to put Online Armor in Learning Mode after restarting. Online Armor really should be in Learning Mode whenever Windows Updates are installed, that way it learns the modifications to the System Files and doesn't ask you about them.

Have you checked to see if both Opera and Firefox are Trusted and Allowed in the Programs list in Online Armor? It's possible that the crashes are just being caused by Adobe Flash (that plugin is horrible when it comes to stability), but we can do some checking to verify.


I have checked and both are trusted and allowed. The browser crashes are intermittent and have occurred less and less since first reported. Therefore, I am hoping that the issue is resolved. I do not have any other noticeable issues. Consequently, I think we are done and you have assisted me very well in resolving those previous issues.

 

Thanks,

 

:)

 

I guess the only thing left is to remove those tools used to evaluate & clean my system.


I guess the only thing left is to remove those tools used to evaluate & clean my system.

Yep. ;)


Arthur,

 

Do you have an organized way to remove these tools step by step or do I just delete them from my system?

 

Best regards,

 

David


Here are instructions to uninstall ComboFix.

  • Hold down the Windows key on your keyboard (it has the little Windows logo on it, next to the Ctrl key) and press R to open the Run dialog.
  • Type ComboFix /Uninstall in the field (make sure to leave a space just before the /) and then click OK
  • ComboFix should take care of the rest.
Everything else you can just delete from your desktop. ;)


No Windows key on my computer, however I know how to get to the Run dialog box.

 

Much appreciated, thanks again for all your help.

 

:)
