Spyware Doctor Problems, etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by BamBam, May 17, 2005.

  1. BamBam

    BamBam Private E-2

    Hey all!

    HEEELLLPPP!!!! Ok, here's the scoop. Yesterday, I experienced a Home Page Hijack which resulted in my Home Page being automatically reset to "about:blank" every time I would open IE. Not only that, but when I attempted to download and install "Spyware Doctor" (I had had success with that tool before) I got the following message: "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

    Ugh.

    I searched the catacombs of the Internet and found some other sorry sacks who had the same problem. I followed the dotted line, and now I do not have "about: blank" as my homepage, BUT Spyware Doctor will still not run (same error). This leads me to believe that there are remnants still lurking, and I have ZERO idea what to do now. The HKLM/Software/Microsoft/Windows/CurrentVersion/WindowsNT/Windows key that is supposed to have an AppIni.dll (or similar) thingy in it does NOT have that thingy. It only has a "default" key. Curiouser and curiouser...

    Any help would be appreciated. I have Windows 98 as my OS and do not (yet) have Hijack This. I do have Spybot S & D, but that (so far) has done me no good.

    Thanks for your time!

    Bam
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Win98 does not have an AppInit_DLLs key?

    Why are you trying to use Spyware Doctor? The trial version of this will not fix anything anyway so it is not really that useful. In fact quite often it will just drive you crazy by reporting left over trivial aspects of some malware item that is not really a problem. Since it does not fix the problems unless you purchase the program, you have to remove items manually.

    If you think you have malware issues that need to be fixed, follow our full cleanup procedures given below:


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. BamBam

    BamBam Private E-2

    Hey chaslang!

    Aight, I tried to follow the steps outlined in the thread you posted. I ran into some difficulty. Oh, by the way, since I last posted last night, "about: blank" has returned in all its evil glory. So the AppIni.dll may well have re-appeared. But, I digress. On to the saga.

    First, Spyware Blaster gave me the well-known "This program has been damaged..." error message, so I could not download any protection updates or enable any protection. I did, however, download and install (when instructed) the remaining cleaner programs.

    Second, when I attempted to run the two online virus scans (Trend and Symantec), right after the site asked me whether I trust Trend/Symantec, I received a shut-down error ("This program has performed an illegal operation and will be shut down.") for Internet Explorer. Given that both scans are necessary to continue, I stopped there. Here is the cut and pasted error detail:

    EXPLORER caused an invalid page fault in
    module NAVENG32.DLL at 018f:07e010e0.
    Registers:
    EAX=02bb9118 CS=018f EIP=07e010e0 EFLGS=00010212
    EBX=0318d548 SS=0197 ESP=0318d314 EBP=0318d334
    ECX=00000004 DS=0197 ESI=04a89118 FS=3bd7
    EDX=0652bee4 ES=0197 EDI=00000498 GS=0000
    Bytes at CS:EIP:
    ff 50 4c c3 a1 24 29 e2 07 ff 74 24 04 ff 50 50

    Is this virus-related? I know the new versions can block programs designed to hunt them. Anyhoo, any guidance is highly welcome.

    Thanks!

    Bam
     
  4. BamBam

    BamBam Private E-2

    Chaslang:

    Ok, quick update. Without running either the Trend or the Symantec online scan, I went ahead and rebooted in Safe Mode and ran the programs listed in Steps 2-4.

    As my luck would have it, "about: blank" is still blanking showing up on my Homepage. Of course, this may have something to do with not running the two online scans you mentioned, but my computer did not prompt me to run them before running the other scans (as it was indicated would happen in a parenthetical accompanying the instructions for Step 1), so it may be no harm, no foul.

    Well I had no luck, so I went and downloaded Hijack This as instructed. I ran it and got a log. It's attached hereto.

    In closing, if I EVER get my hands on someone responsible for putting ANY type of Spyware on the Internet, they will RUE the day they were born!

    Happy place...happy place...

    Bam
     

    Attached Files:

  5. BamBam

    BamBam Private E-2

    Chaslang:

    Ok, here's what's up. I went through the steps indicated in your "When all else fails..." post. The only thing I couldn't do is delete the lines in the "se.dll" file which came up under my HijackThis log (you'll find that log attached to my previous post). Everything else went Ok.

    For now, "about: blank" isn't showing up. Yay rah. I'll post my most recent HJT log for your viewing pleasure. I haven't tried to download Spyware Doctor or SpyBlaster yet, so I don't know if I'll get that infernal "This program has been damaged..." error message. If I do, you won't have to worry about trying to help me get rid of the virus, because my computer is going out the window.

    Let me know what (if anything) I still need to do. Thanks a googleplex for your help! Later!

    Bam
     

    Attached Files:

  6. BamBam

    BamBam Private E-2

    Chaslang:

    Tried to download Spyware Blaster. No joy. Got the "This program has been damaged..." message. Still no "about: blank" homepage, but I expect that to change.

    What am I missing???

    Bam
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on the last HJT log you posted you only have two items remaining to fix.

    Make sure viewing of hidden files is enabled (per the tutorial)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O18 - Filter: text/html - {956EF2A3-C78E-11D9-8FD6-0080F2EEDB71} - C:\WINDOWS\SYSTEM\MAL.DLL
    O18 - Filter: text/plain - {956EF2A3-C78E-11D9-8FD6-0080F2EEDB71} - C:\WINDOWS\SYSTEM\MAL.DLL

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\MAL.DLL

    Now empty your Recycle Bin

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    For your SpywareBlaster problem, do you already have a previous version installed? If so, uninstall it, reboot into safe mode, and then install the new version while in safe mode.
     
  8. BamBam

    BamBam Private E-2

    Chaslang:

    Ok, I followed the steps you sent. Only hitch was that MAL.DLL did not appear in the folder you pointed out (and I DO have my hidden files visible). Other than that, it went fine. No "about: blank"...yet.

    Log is posted. I'll fill you in on the Blaster issue.

    Thanks again!

    Bam
     

    Attached Files:

  9. BamBam

    BamBam Private E-2

    Chas:

    Still no love on the Blaster issue. All else seems normal. I await your wisdom.

    An aside to all: I have to wonder exactly how much time is spent per year trying to remove Spyware, Adware and other Internasties. In the business and professional worlds, time is money. Let's say, for example, an attorney who bills out at $150 per hour has to spend three hours removing garbage from their computer. That's a loss of $450. Now let's say there were 10,000 attorneys who went through this. Now we're talking $4.5 Million in lost revenue. Extend that to ALL business and professional entities who had to remove these programs, and then include those who had to contract out for tech-support services or, in extreme cases, had to replace computers, servers, etc...you could EASILY get into the billions.

    My question is simple. Build a better mousetrap and nature will build a better mouse. Spyware/Adware/Internasty Removal Programs can be beaten (witness my difficulties with SpyBlaster in previous posts), and thus will have limited effectiveness in dealing with the problem (or at the very least will result in an endless cycle of leapfrog between Spyware producers and Spyware removers). BUT...if it was too risky from a monetary standpoint for the person or persons or entities to continue to infect our computers - even if they knew they COULD - THAT might have a real impact.

    I'm sure these SOBs can be traced and it can be discovered exactly who they are. Anyone ever consider launching a class-action lawsuit against one or all of these guys? Just a thought.

    Bam
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now.

    As far as your other message about malware.... some efforts are being made by USA government officials to help but the problem is that many of the people creating this malware are not within the USA. Let me see you start a class action suit against some jerk who lives in Russia. ;)
     
  11. BamBam

    BamBam Private E-2

    Chas:

    Ok, this "about:blank" thing is really starting to give me the red ass! Here's the story...

    I performed your "Generic Solution" and posted my HJT log here, as you saw. Everything was Ok for a day or so, but then "about:blank" popped up again. So, I performed the Generic Solution again. The offending .dll file was a different name this time, but I was able to clear its contents (in safe mode, because it wouldn't save the empty file in normal mode) and delete it, along with all the other "about:blank" related garbage the HJT log found. Again, all seemed fine.

    Just when you thought it was safe to go in the Interwater...

    It's back. It's the damndest thing too. I wasn't even actively on the web, and a "Best Offer" pop-up appeared. Yes, my DSL cable was hooked up so I guess I was connected, but IE was not running. Sure enough, however, the next time I opened up IE, my homepage was "about:blank."

    Have you ever heard a computer virus actually LAUGH at you? Kinda creepy. Anyway...

    Obviously I've been missing some remnant of "about:blank" that is allowing it to re-install itself after a time interval. Any help in getting rid of this thing ad infinitum would be GREATLY appreciated. Thanks!

    Bam
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of your problems are due to running an outdated version of IE. Also, do you have ALL the patches for Win98 (which is obviously old) installed? You also need a firewall and some other blocking tools (all covered in How to Protect yourself from malware!)

    The Generic Procedure was not written with the SE.DLL version of the hijacker in mind. In fact it was written way before that form had ever occurred. It will not fix the SE.DLL form if that is what you have. The only way I will know is for you to post a new HJT log. So go ahead and attach a current log and do not reboot or power down afterwards (unplug your cable to the internet for security while waiting to come back to look for my response).

    Also do the following:

    Download: "StartDreck", from here: http://www.niksoft.at/download/startdreck.htm
    Look to the bottom of that page and click the Download link. It should give you StartDreck217.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  13. BamBam

    BamBam Private E-2

    Chas:

    Sup?

    I'm pretty sure I have that SE.DLL version of which you speak. I've posted the log so you can check it out for yourself.

    I've tried to clear and delete the SE.DLL file in the Temp folder (that's where it always is by the way) while in safe mode, while running HJT to fix the rest. Same results: Ok for a day or so, then "about:blank" reappears.

    To my woefully untrained eye, nothing in my HJT log seems out of the ordinary, except for the items you pointed out in the Generic Solution. Still, I HAVE to be missing something: Either a file that allows "about: blank" to reinstall, or a "Homing Device" type file that allows the Spyware to re-find my computer with ease. The sites I visit are all mainstream (cnn, espn, etc.), so it's not like I'm wandering down any Internet back-alleys where these hijackers are more prone to lurk. I'll download the firewall and any other preventative measure, but I'd like to make sure that the file gets kicked OUT before I lock the door. Otherwise the firewall is useless.

    Thanks for the help!

    Bam
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to post the StartDreck log I requested. Do not waste your time trying to remove the files or fixing lines with HJT. That will not work until we find the hidden file that is respawning the problem.
    After you post the StartDreck log, do not power down or reboot your PC or the problem could mutate, making any fix I suggest useless.
     
  15. BamBam

    BamBam Private E-2

    Chas:

    Ok, here's the log you requested. I'll leave the computer up and running as requested.

    Give it hell.

    Bam
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First open Control Panel and run Add/Remove programs and uninstall: PRECISIONTIME

    Now we are going to have to boot to an MS DOS prompt to work on fixing this problem.
    You should print or write these instructions down because you will be offline and not running Windows while doing this. Please read through all of the steps first and ask any questions you may have before beginning. Make sure you understand all steps before starting.

    Click Start and select Shutdown and in the window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Enter the commands below, each followed by the Enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:
    cd C:\WINDOWS\SYSTEM
    attrib -s -h -r MIHI.CAB
    del MIHI.CAB

    attrib -s -h -r spoolsrv32.exe
    del spoolsrv32.exe

    attrib -s -h -r JHFH.DLL
    del JHFH.DLL

    cd C:\WINDOWS\TEMP
    attrib -s -h -r se.dll
    del se.dll

    win

    After typing win and hitting enter your system will boot back to Windows. The very first thing you need to do after booting Windows is the following (make sure you do not run anything else):

    Run HijackThis and select the following lines and then click FIX

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9F64BA61-CEC8-11D9-8FD6-008039C4A959} - C:\WINDOWS\SYSTEM\JHFH.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Microsoft AntiSpyware helper - {BE1ECA40-CD10-11D9-8FD6-0080C6F96394} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BE1ECA40-CD10-11D9-8FD6-0080C6F96394} - (no file) (HKCU)
    O18 - Filter: text/html - {9F64BA60-CEC8-11D9-8FD6-008056880CC2} - C:\WINDOWS\SYSTEM\JHFH.DLL
    O18 - Filter: text/plain - {9F64BA60-CEC8-11D9-8FD6-008056880CC2} - C:\WINDOWS\SYSTEM\JHFH.DLL


    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot your PC again into normal mode and post a new HJT log. And tell us how things are working. And how all the steps went too.
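As an added defender's example (not code from HijackThis, StartDreck or this thread), the Python below scans HijackThis-style log lines for the about:blank / se.dll hijack pattern chaslang points out in posts 7 and 16: R0/R1 entries reset to about:blank, res:// pages served from a DLL in TEMP, the nameless BHO, the rundll32 ...,DllInstall Run entry, text/html and text/plain O18 filters, and O9 buttons whose file is gone. It then lists the files those lines reference so they can be removed in safe mode or DOS before the registry lines are fixed. The sample log is constructed from the thread's entries plus two benign lines; the rule names and regexes are my own assumptions.

```python
"""Flag HijackThis log lines matching the about:blank / se.dll hijack pattern.
Added example for this thread; not HijackThis's own code."""
import re

# Constructed sample log: entries quoted in the thread plus two benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {9F64BA61-CEC8-11D9-8FD6-008039C4A959} - C:\WINDOWS\SYSTEM\JHFH.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O18 - Filter: text/html - {9F64BA60-CEC8-11D9-8FD6-008056880CC2} - C:\WINDOWS\SYSTEM\JHFH.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {BE1ECA40-CD10-11D9-8FD6-0080C6F96394} - (no file) (HKCU)
"""

# (reason, regex) pairs; each regex is matched against one stripped log line.
RULES = [
    ("IE search/home page reset to about:blank",
     re.compile(r"^R[01] .*= about:blank$", re.I)),
    ("IE page served from a DLL in the TEMP folder (res://...se.dll)",
     re.compile(r"^R[01] .*= res://.*\\temp\\.*\.dll", re.I)),
    ("nameless BHO loaded from SYSTEM or TEMP",
     re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]{36}\} - .*\\(SYSTEM|TEMP)\\", re.I)),
    ("Run entry re-registering the hijacker via rundll32 ...,DllInstall",
     re.compile(r"^O4 .*rundll32 .*\.dll,DllInstall", re.I)),
    ("MIME filter on text/html or text/plain (hijacker rewriting every page)",
     re.compile(r"^O18 - Filter: text/(html|plain) ", re.I)),
    ("IE extra button whose backing file is missing",
     re.compile(r"^O9 .*\(no file\)", re.I)),
]

# Matches a drive-letter path ending in a DLL/EXE/CAB, stopping at whitespace or a comma.
PATH_RX = re.compile(r"[A-Za-z]:\\[^\s,]+\.(?:dll|exe|cab)", re.I)


def flag_hjt_lines(log_text):
    """Return [(line, reason)] for every log line that matches one of RULES."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for reason, rx in RULES:
            if rx.search(line):
                hits.append((line, reason))
                break  # first matching rule is enough; one hit per line
    return hits


def files_to_remove(hits):
    """Collect the on-disk files referenced by flagged lines (lower-cased, de-duplicated)."""
    paths = {m.group(0).lower() for line, _ in hits for m in PATH_RX.finditer(line)}
    return sorted(paths)


if __name__ == "__main__":
    found = flag_hjt_lines(SAMPLE_LOG)
    for line, reason in found:
        print(f"[{reason}]\n    {line}")
    print("Files to delete before fixing the lines:", *files_to_remove(found), sep="\n    ")
```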
     
  17. BamBam

    BamBam Private E-2

    Chas:

    All went well, with the following exceptions:

    Precision Time could not be uninstalled in the conventional way, so I deleted the file and will remove all remnants with Spybot.

    More importantly (perhaps) is that in DOS mode, spoolsrv32.exe could not be found and deleted. I did, however, locate the file in Windows (C:\windows\system to be exact) and I was able to delete it (and overwrite it) from there. Upon reboot, the file no longer appears.

    Here's the HJT log. Enjoy!

    Bam
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
