This program has been damaged

Discussion in 'SpywareBlaster & Other Forum' started by mezard, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. Buckshot359
    Offline

    Buckshot359 Guest

    I have WinXP Pro and got this same error trying to run SB3.1 I also had the CWS hijack and finally cleaned it but since then I still can't get SB to run.
    I tried to find the logk.dll file but I don't even have one of those. I have also never had the Netski virus and I'm sure that has nothing to do with it (that poster can be 100% sure it!) Since like 5 other people have all had CWS hijack and now SB doesn't work I'm sure it's because of CWS. Any for sure fix to this problem yet?

    Thanks,
    SCOTT
  2. Mihai
    Offline

    Mihai Guest

    Ok, here is how I fixed it:
    It was because of CWS, but I couldn't believe it as I saw nothing in hijackthis scans.

    1. use Find-All and just note the name of the .dll that says something like:
    "Locked file(s) found...
    \\?\C:\WINDOWS\System32\xxxxxxxxx.DLL +++ File read error"
    -where xxxxxxx is a random name, depends on your system.

    2. If your boot partition is NTFS use PEbuilder to make a boot CD, boot from that one and delete that .dll (you might know how to use different methods here - Knoppix, NTFS-DOS drivers, etc... - I didn't use those as I knew I don't know how to make Knoppix write on NTFS and I couldn't find any DOS freewares to write on NTFS)

    If your boot drive is FAT32 it is easier - just make o dos boot floppy and go to %system%/system32/xxxxxxxx.dll and delete it.

    DONE

    3. boot again and do some registry cleaning.

    --------
    Note: I really think you should make a boot cd with PE builder and install MCAfee and AdAware plugins, no matter what filesystem you have - scanning from that I found lots of other 'malwares' that were not found scanning from my normal system.

    good luck
  3. Mihai
    Offline

    Mihai Guest

    BTW: I have used and I suggest using the '2.' point because no other method found on this site worked for me to delete the culprit dll
  4. LowWaterMark
    Offline

    LowWaterMark Administrator

    Just some quick advice to people about the above recommendation... At this point, we can't confirm that this is the fix, but for those who know their way around the internals of their systems, it may be worth trying. However, for the majority of users - be very careful what you are deleting. If you are unsure, then post your observations here and ask advice before trying anything that might cause even more trouble.

    In time, we'd hope for a 100% solution. When we have it, be assured it'll be posted about.
  5. Tiv1960
    Offline

    Tiv1960 Registered Member

    I'm glad to hear you say that low watermark because I didn't understand what Mihai was saying. I hope there will be an easy fix for those of us that are infected with "home page hijacks" and "program is damaged" errors. I am confident someone will figure it out. I'll keep watching. I am so tired of everytime I boot my computer I'm hijacked. The shredder takes care of it but only temporarily. I still have programs that won't load tho. I'm keeping my fingers crossed.
  6. Mihai
    Offline

    Mihai Guest

    Oops, yes, LowWaterMark is right.
    Do these only if you know what I am talking about.
    I forgot to add this earlier, it's just that I was too happy I managed to clean my system.

    I am grateful to SpywareBlaster, not only because is a great program but it made me, indirectly, aware of this problem... and, maybe, if I had Spyware Guard installed before the infection I wouldn't had the problem in the first place.

    Thanks guys
    Mihai
  7. Buckshot359
    Offline

    Buckshot359 Guest

    If all you need to do is get rid of the .dll file(s) there is an easier way. But this hasn't fixed my issue of keeping SB from running but it does clean the system. All you have to do is find the .dll file in system32 directory and rename it from efoc.dll (or whatever the latest .dll name is, I found at least 8 different ones) to something like efoc.bak then reboot the system. You can't delete the file because it's in use but you can rename it. Then once you reboot find your .bak file in system32 and delete it.
    I kept using HiJackThis to discover the .dll's and this method to clean them.

    But the problem seems to be that CWS damages something that SB needs to run and cleaning it off the system isn't enough.

    Thanks for all the post for people trying to fix the issue.

    SCOTT
  8. Mihai
    Offline

    Mihai Registered Member

    No, it won't work if you have what I had (and the chances are quite good).

    I couldn't see the dll without Find-All, any type of listing of the system32 folder showed nothing. It wasn't in HJT logs, in SpyGuard alerts, anywhere. The dlls that kept appearing where quite easy to delete from system folder and to remove using HJT. The problem was that they kept reapearing every now and then, without any 'dangerous surfing'... and even when I thought I was clean SpywareBlaster still didn't work. I suppose the invisible dll was in charge of creating those 'visible' infections.

    So, if your SpywareBlaster does not work you are still infected.
  9. Buckshot359
    Offline

    Buckshot359 Guest

    I found an alternative to Mihai's method in case anyone else needs it.

    1. Download reglite http://www.resplendence.com/reglite
    2. install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.
    3. Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
    4. You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
    5. Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
    6. Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
    7. Rename the windows folder back to its original name "Windows".
    8. Run SpyBot, Ad-Aware and CWShredder etc.
    9. Next step will be to remove this dll file so make sure you have it noted down.
    Step 1
    Download KillBox http://download.broadbandmedic.com/
    Unzip and start the application
    Paste in the dir <path and name of dll as found in the appinit value box> i.e C:\Windows\System32\nameofdll.dll
    Menu Select Action -> Delete on Reboot
    Select File -> Add file <It should add the path automatically>
    <Same Window> Select Action -> Process and Reboot
    If Step 1 didn't work
    Step 2
    Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
    This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
    Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
    Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
    Carry out Step 1 again
    Restart your computer in safemode
    Open cmd window again as before
    Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.
    While in safe mode How to Start In Safe Mode run the 3 ad-removal programs again, just to make sure all traces are gone.
    Boot up pc as normal and you should be trouble free.

    After this no more CWS and my SB runs fine.
    SCOTT
  10. reppy
    Offline

    reppy Guest

    Thank you BuckShot. That worked for me! :)
  11. VampireWolf
    Offline

    VampireWolf Guest

    It worked fine for me too! Thanks a lot and now I can use SpywareBlaster, Spybot and some trojan cleaners CWS was affecting.
  12. 3bentarrows
    Offline

    3bentarrows Registered Member

    CWW.Searchx caused me grief for a week. Used HijackThis; CWShreddar; Spybot & AdAware--to no avail. Then I found this:
    1)Rename the HLM\Software\Microsoft\WindowsNT\Current Version\Windows foder to <Windows2>.
    2) Now, delete the AppInit_DLLs key under the Windows2 folder.
    3) Hit F5. Notice that AppInit_DLLs doesn't come back. It will if you try this before re-naming the folder.
    4) Rename the <Windows2> folder back to <Windows>

    Now SpyWareBlaster will load.
  13. javacool
    Offline

    javacool BrightFort Moderator

    Hi everyone,

    There should be a fix for this in SpywareBlaster 3.2, which I'm currently working on. Until then, it appears that completely ridding your computer of this particular CWS variant may fix the issue.

    Best regards,

    -Javacool
  14. 3bentarrows
    Offline

    3bentarrows Registered Member

    Javacool:
    Thanx for the post. You're right! Removing this pestilence from one's system will indeed allow SpywareBlaster to load. That was my issue.
    After many hours of hard work, I finally figured out how to remove it for good. The key to removing this is the registry key called

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

    The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

    1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
    2. Now delete the AppInit_DLLs key under the Windows2 folder.
    3. Hit F5 and notice that AppInit_DLLs doesn't come back.
    4. Rename the Windows2 folder back to Windows.

    Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
  15. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A small warning. The above mentioned registry key itself is there by design and it may be in use by legitimate programs.
    Only if you find a value there that is hidden you will have to worry about this trojan/hijacker.

    Regards,

    Pieter
  16. reghakr
    Offline

    reghakr Registered Member

    For anyone experiencing the "The program has been damaged, possibly by a bad sector of the hard drive or a virus" who does NOT have a spyware/adware issue, this seems to work fine:

    Update your Visual Basic Run Time components to Service Pack 6.0

    1. Visit Microsoft's site below.

    http://www.microsoft.com/downloads/...61-7A9C-43E7-9117-F673077FFB3C&displaylang=en

    2. Click the Download button, save the file to your computer's Desktop close all programs on your system.
    3. Double click the downloaded file, VB6.0-KB290887-X86.exe to extract the vbrun60sp6.exe to the Desktop. Double-click on this to install the update.
    4. Restart your computer

    reghakr
  17. jacquot
    Offline

    jacquot Guest

    thanks a lot to Buckshot
    After 3 weeks I was desesperate !
    And now it works, the bad.dll is gone and spywareblaster works again.
  18. onemore
    Offline

    onemore Guest

    i also have this problem with trojan remover and video edit magic.
  19. mezard
    Offline

    mezard Registered Member

    No "AppInit_DLLs" key in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" on win98 systems. :(

    Update of the Visual Basic doesn't help... pity, pity... :(
    Let's hope that someone finds another solution...
  20. EZE
    Offline

    EZE Guest

    Buckshot, you absolutely rule. I am now running the program (SB) and your directions were a piece of cake to follow.

    Thanks again.

    Ez
  21. swat8
    Offline

    swat8 Guest


    Worked for me too on two pcs. i did have to delete the key and update VB.
    thanks!
  22. computermom
    Offline

    computermom Guest

    Okay, I have the same problem
    I read Buckshot's post
    Now, which one of you guys will come over and try to fix this for me. I really really don't know even 1/99th of the stuff you guys know. I will try to follow your directions, but my main question is, can I really screw something up by trying to do this. Or should I just wait until V3.2 is out?

    I really liked this program and felt safer with it.

    Thanks.
  23. snowbound
    Offline

    snowbound Retired Moderator

    Javacool is working very hard on this and i'm sure V3.2 isn't far off.

    If u are unsure, It is best to heed Pieter and LWM's warnings on this.

    Waiting, IMHO in the best way to go.


    snowbound
  24. Ankou
    Offline

    Ankou Guest

    Hi!

    Thanx a lot to 3bentarrows! I've been working for more than 2 weeks to find a logj.dll hidden file and nobody in France can tell me how to do.

    Very easy to use process for a nonexpert guy.

    Spywareblaster works again.
    Bravo!
  25. Iliad
    Offline

    Iliad Registered Member

    Mezard, I have the solution for Win98!

    I think this bug has kept me from posting to this forum, this message just a quick test
Thread Status:
Not open for further replies.