This program has been damaged

Discussion in 'SpywareBlaster & Other Forum' started by mezard, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. 1243DAVE5

    1243DAVE5 Guest

    EVERYONE!!! FOLLOW 2BENTARROWS' ADVICE!!! IT WORKS AND IS EASY!!!
    THANK YOU SO MUCH 2BENTARROWS!!!
     
  2. GreenGoo

    GreenGoo Guest

    I have admin rights (at least that's what my user profile says) and I can't remove the read-only attribute from my .dll, either through explorer or cmd.

    Any clue where to go next?
     
  3. GreenGoo

    GreenGoo Guest

    Ok, I booted into safe mode, logged in under the Administrator account that appears, and tried to change the attribute of the dll in question. Access is still denied.

    If I can't modify the file as administrator, how the heck can I remove the read-only attrib?

    Sigh.
     
  4. GreenGoo

    GreenGoo Guest

    I can rename the file, but still can't delete it, either from explorer or from cmd. Even if I log on in safe mode, as an administrator.

    Since I've removed the registry entries (they haven't come back so far) I'm hoping the .dll is orphaned, but I would still like to nuke it if possible.

    Advice?
     
  5. Thanks 2Bent Arrows...seems all good...I wonder if I ever dare putting that file back in...lol.
     
  6. jsura

    jsura Guest

    yep same problem ran ok with sp1 for a long time on winxp sp1, then got same message as you about bad sector etc
    Logfile of HijackThis v1.98.0
    Scan saved at 9:36:59 PM, on 7/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\Speed Disk\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINNT\regedit.exe
    C:\Documents and Settings\Administrator\Desktop\Briefcase\CWShredder.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\My Documents\My eBooks\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll

    have run adaware, cwshredder, spybot, have spyguard running, ran NAV latest, ran spysweeper... still same error msg after reinstalling... from fresh download to different directory..
     
  7. Jalampies

    Jalampies Guest

    Ok guys, I was having the same problem with SpywareBlaster, and I had tried every fix or possible solution or scan that I could think of or that was posted. No matter what, it wouldn't let me run the program, and I had the infamous reinstalling CWS problem: no matter how many times I would remove it, it would find a way to reinstall itself. In my search I stumbled across a fix and IT FINALLY WORKED. Apparently this variant creates a registry key that actually redownloads the dll file needed to reinstall itself. I am going to paste the fix that I found, and lo and behold, problem solved. It is from http://www.computing.net/security/wwwboard/forum/11527.html

    I've pasted the fix below:


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

    The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

    1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
    2. Now delete the AppInit_DLLs key under the Windows2 folder.
    3. Hit F5 and notice that AppInit_DLLs doesn't come back.
    4. Rename the Windows2 folder back to Windows.

    Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."


    Hope this has the same results as it did for me, removal of that pain in the ass reinstalling CWS variant!!! Good Luck
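
The check the quoted fix ends on ("make sure AppInit_DLLs is still gone"), as an added example that is not part of the original post or of the fix it quotes. The page does not say how the value is hidden, so this script assumes padding with spaces or non-printing characters; `example_hook.dll` is a made-up name.

```python
import sys
import unicodedata
from itertools import takewhile

KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE = "AppInit_DLLs"

def _blankish(ch):
    # Whitespace, control (Cc) and format (Cf) characters draw nothing on screen.
    return ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")

def split_entries(raw):
    """AppInit_DLLs lists DLLs separated by spaces or commas."""
    cleaned = "".join(" " if ch == "," or _blankish(ch) else ch for ch in raw)
    return cleaned.split()

def audit(raw):
    """Classify the value data; raw is None when the value does not exist."""
    if raw is None:
        return {"status": "absent", "entries": [], "escaped": None}
    entries = split_entries(raw)
    leading = sum(1 for _ in takewhile(_blankish, raw))
    odd = sum(1 for ch in raw if _blankish(ch) and ch != " ")
    if not entries:
        status = "empty"
    elif leading or odd:
        status = "padded"      # data is there but an editor may show it as blank
    else:
        status = "populated"
    # ascii() escapes control and non-ASCII characters so they cannot stay invisible.
    return {"status": status, "entries": entries, "escaped": ascii(raw)}

def read_appinit():
    """Windows only: return the value data, or None if the value is absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
            data, _kind = winreg.QueryValueEx(key, VALUE)
            return data if isinstance(data, str) else str(data)
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    # Off Windows, audit a constructed sample: 300 spaces, then a made-up name.
    sample = " " * 300 + "example_hook.dll"
    raw = read_appinit() if sys.platform == "win32" else sample
    print(audit(raw))
```

A status of `absent` or `empty` means no DLL is listed; `populated` or `padded` means every name in `entries` needs to be accounted for. On 64-bit Windows the same value also exists under `SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` for 32-bit processes.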
     
  8. Jalampies

    Jalampies Guest

    My bad I just noticed that this fix was already listed, hope it works for everyone tho.
     
  9. noname

    noname Guest

    I downloaded SpywareBlaster and my McAfee antivirus discovered the W32/Gaobot.worm.gen.e virus on install. What a bonus..
     
  10. LowWaterMark

    LowWaterMark Administrator

    What version of virus definitions do you have currently in your McAfee? See this thread for a false positive that did occur a little while back, but which was quickly resolved by the folks at McAfee:

    https://www.wilderssecurity.com/showthread.php?t=37735

    Also note that the issue you mention is not related to the CWS infection that is causing the above problem.
     
  11. paulus

    paulus Guest

    test (last reply got lost ) :(
     
  12. paulus

    paulus Guest

    ok it's working now -

    I'm on win98, and I also get that "Program has been damaged" error.
    I also get it on Registry Mechanic, Spydoctor, as well as Spyware Blaster.

    I'm curious if anyone else having this message with SBlaster also has it for Regmechanic etc?

    I am guessing that the trojan files know that they can be fixed with these products, so maybe they are intercepting their starting routines, OR maybe these 3 programs all have something in common, such as a shared windows dll which is actually infected?

    I am going to try and run Wingrep from www.Wingrep.com to search for that message string - maybe it will show the dodgy file :)

    I also noticed lots of processes in ZoneAlarm Pro having access to the net, one of which was a HOOKED file called Glidejx.ovl

    Windows system information shows this in HOOKED dlls, but I can't find that file AT ALL in dos or windows folder. (it's being used though because "del Glidejx.ovc" in dos brings up access denied. - then again I DO have a 3dfx card - but why is it super hidden? :)

    I'm guessing maybe if Spyware Blaster and other programs can be converted by the authors into a STANDALONE program, (eg not one that gets installed), maybe that will let them run without being intercepted?

    Additionally, does anyone know if that ROKOP security site is for real? Whenever I go there, (even after reboots), that damn cws search page appears!!! I can go to www.grc.com and do a shields up, or yahoo etc, but as soon as I go there, BAM :(

    If it is for real, can someone with high standing at this forum (non guest etc) please confirm this, and also maybe put a direct dl at wilderssecurity.com itself at all? (I can't find the link on that site either) :)


    btw I can't seem to find a reg folder called APPinit_Dlls - eg I can't find this path (it doesn't seem to exist).

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    many thanks for reading this.
    paulus
    (I hope this doesn't crash and I lose this message :)
     
  13. snowbound

    snowbound Retired Moderator
