This program has been damaged

Discussion in 'SpywareBlaster & Other Forum' started by mezard, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    Hm...I am still having problems with the forum here. My last attempt shut down Explorer again. I'll excise the detail and make this a quicker one. The answer to your problems may well be here:

    http://www.lavasoftsupport.com/index.php?showtopic=28039

    I did what he did and my SB is working again.
     
  2. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    I found the hidden dll listed in System Information just as he said, hooked into Rundll32. I searched for it in Explorer and sure enough, it is super hidden but it resided in C:\Windows\System.

    If you use PV you will also see it listed in the Rundll32 and Explorer modules. It also appears in the registry if you search for it in RegLite, along with a few other interesting dlls, one of which might be even more hidden. I haven't done anything more with these other dlls yet but I will run CWShredder and see if it finds anything.

    If you do what the guy in the Lavasoft forum did, adaware will then find it and identify it as CWS-related malware. Your SB will work again.

    Good luck
     
  3. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    OK the forum seems to work if I keep my posts short. The Registry key where I found the dll listed was this one:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\\d

    Most of the other five values in this key looked suspicious too. Is this THE registry key that loads the bug every time you start up? Or is it likely lurking somewhere else in the registry as well? I suspect I have not yet completely cleaned up this bug and I would like some advice.
     
  4. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    In case my earlier post wasn't clear, you will NOT actually find the culprit dll in Explorer. It is too hidden. But you will see it, and the path to it (probably in C:\Windows\System\, as in my case) if you go from the start menu to Programs - Accessories - System Tools - System Information - Software Environment - System Hooks. It is actually kind of hiding in plain view there!

    BTW CWShredder shows my system clean, I guess the remaining evil dlls are orphaned for now. I hope so. But I would still like to get rid of them somehow.
     
  5. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    culprit dll in Win98

    ps. There may be "good" dlls listed in System Hooks as well. But if you find a dll hooked to Rundll32 that is super-invisible in Explorer that is probably the bad guy in Win98. You might want to look first then post here with what you find before you rush into DOS and start deleting or renaming things.
     
  6. Tech2

    Tech2 Registered Member

    Joined:
    Nov 12, 2003
    Posts:
    3
    Buckshot is the man.

    I, too, was having the about:blank problem, and couldn't get Spyware Blaster to run. I deleted the malicious dll using reglite, ran AdAware, SpyBot S&D, CWShredder, and HijackThis. Re-installed Spyware Blaster and it works.

    All is well (fingers crossed)

    Thanks guys, for your time and expertise.
     
  7. John.Whorfin

    John.Whorfin Guest

    I have two machines running Win98se. One would run SB 3.1 fine, the other would give the 'damaged' error. After reading the last few posts in this thread, I decided to check out the 'system hooks' section of each machine's system information.

    The one with no problems had no hooks defined.

    The other one had one hook defined - grxp4dll.dll was hooked into grxp4exe.exe. With a bit of poking around, I determined that those files were part of the drivers for my joystick.

    After disconnecting the joystick, uninstalling the drivers, rebooting and verifying that there were no longer any defined hooks, I tried starting SB again... Success! :)

    Hope this info can help someone else out. :)
     
  8. Iliad

    Iliad Registered Member

    Joined:
    May 25, 2004
    Posts:
    8
    That bit about the joystick drivers is interesting. I wonder if the driver dll in question was infected with something. Have you tried reinstalling your joystick and drivers and seeing if SB still works?

    Having fixed my SB error message problem, I do still have one system hook left in place, a dll for my optical mouse. I didn't want to tinker with it and lose my mouse, but I still have nagging suspicions about it. It's not a super-hidden file, and it is in the right directory for the mouse driver files, but my reglite search found it listed as a value in the Doc Find Spec MRU key, along with the evil dll. Moreover, there was another suspicious value there, a dll with almost the same filename as the mouse driver dll (one character different) but super-hidden and possibly evil. One of the cleanup things I did, possibly adaware, removed the entire key from my registry, not just the values, so I figured I didn't have anything nasty left but still I wonder. Should a mouse driver dll show up as a value in a Doc Find Spec MRU key at all? And is CWS capable of infecting "good" dlls?
     
  9. John.Whorfin

    John.Whorfin Guest

    I have not tried reinstalling the joystick drivers, and don't plan to. The install process is prone to problems, and I never used the stick anyway, so it's gone for good.

    I doubt that the dll was infected with anything. Besides running AdAware, SpyBot and Kaspersky anti-virus, I also check for open/listening network ports. The joystick dll has never been flagged as suspicious/infected.
     
  10. JackAttack

    JackAttack Guest

  11. poldi

    poldi Guest

    @JackAttack

    IT WORKED !!! Thank you so much !!!

    maple
     
  12. JemW

    JemW Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    32
    Hmm...I'm struggling here because the same thing happened to me a while ago, but I think it went something like this:

    CWS kept resurrecting itself and in the end I made a note of the Reg keys that Spybot S&D found, cleaned with S&D but BEFORE logging off (XP Home), or restarting, I used Regedit to look for the offending keys and found....that they had mutated (apparently). I'm sorry guys but I can't remember exactly what the change was but once I found the CWS keys in the registry I deleted them again manually and it seemed to clear. S&D plus AdAware scans since show a clean result. Does this seem completely bizarre?...but it seemed to me at the time that the process of finding and attempting to remove CWS with S&D was actually CAUSING it to reproduce itself but named differently....

    Don't know if my half forgotten experiences will help... :doubt:

    JemW
     
  13. Foo KY

    Foo KY Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    2
    Thanks for your advice. Your solution is 100% SIMPLE AND EFFECTIVE.

    REGARDS FOO KY.
     
  14. octopus54

    octopus54 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    1
    This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.o_Oo_O??

    Help
     
  15. Kimberly0527

    Kimberly0527 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    4
    I just wanted to mention that cleaner which Jackattack posted worked! My Spyware blaster is working fine!! Thanks folks, everyone is so nice here.....

    :)
     
  16. I just wanted to chime in that the clean from
    http://www.rokop-security.de/main/article.php?sid=746
    also worked for me in cleaning out the CWS Coolsearch.cc variant from my 'puter. And also that Spywareblaster3.1 is now working again.

    Anyone know anything about rokop security and their cleaner? Every website that I found about them was in German but the cleaner is in English?!?
     
  17. 2samiam

    2samiam Guest

    I would like to say the file post from jackattack did work for me on win xp. I was having problems with cws searchx. I couldn't get it to go away.
    I tried the registry trick and that didn't work. I tried finding strange .dll's
    shredder was even coming up that it didn't find anything but sb would not install. I'll let you know if this is a good fix.
     
  18. Ken_Goding

    Ken_Goding Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    1
    I was having the same problems with a computer I had installed Spywareblaster on about 2 months ago for a client. I got it back last Friday all messed up and with the error message... It finally took AVG antivirus to allow it to start running again, it found about 9 trojans and downloaders that Norton 2004 didn't see. For spyware I use a combination of Hijackthis, Ad-Aware, Spybot, and Webroot Spysweeper (one update on the free version, but that's all you need for this). Just my 2 cents.
     
  19. rembokiller

    rembokiller Guest

  20. rembokiller

    rembokiller Guest

  21. bigfree54321

    bigfree54321 Guest

    I've tried all of the above and still I can't download any of the programs and I still have the virus. Anyone have any more newer solutions? It seems as if the virus has updated itself. Thanks
     
  22. rob7278

    rob7278 Guest

    Buckshot is the man!!!
    I have been working on this CWS problem for weeks; I would run HijackThis delete CWS files, run spybot- came back clean, run ad-aware- came back clean, run CWS Shredder- came back clean and then inevitably after some time would pass my spyware guard would pop-up IE change- home page was changed to about:blank and a document called C:DOCUME~1\Rob\LOCALS~1\TEMP\sp.html was changed, also spyblaster would not run- received same message everyone else received. I followed Buckshot's directions, ran all the tests(spybot, ad-aware, etc)- everything was clean and now my SpyBlaster works fine. Therefore I would have to conclude that if you cannot get this version of SpyBlaster to work, you probably have CWS in your system. Those jacka$$es at CWS have gotten really tricky, but thanks to all these forums on the internet hopefully we all can keep them away. Also those of you waiting for the updated version- You are still going to want to remove the CWS hijacker; the new version of SpyBlaster will probably just find a way to allow the program to run, but I don't believe it will clean out the existing CWS; I could be wrong, but I doubt it will and trust me you definitely do not want to keep this hijacker in your computer.
    Thanks again Buckshot
     
  23. satori

    satori Guest

    You think CWS is bad now, it's about to get a LOT worse. In fact it is downright depressing and scary. The awesome author of CWShredder is throwing in the towel. We are about to lose the only effective tool against the insidious malware.

    Check out this article for more details:

    http://www.theregister.co.uk/2004/06/29/cws_shredder/



    Hopefully something will come along soon to fill its shoes.
     
  24. Scubapro

    Scubapro Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    1
    Hey BuckShot

    When I try to execute the attrib -r command it tells me access denied. Please excuse my ignorance but how do I get around this?

    Thanks in advance


    Scubapro
     
  25. Buckshot

    Buckshot Guest

    Need to have administrator rights (Be signed in as an Admin) to change attributes, you can do it through the GUI too if you don't want to use the command line.

    SCOTT
     