World Antispy causing Spy Sweeper lockout problem?

Help! My Webroot Spy Sweeper found and removed World Antispy spyware but was unable to reboot as required. I had to do a hard shut down and in the process, Spy Sweeper is disabled so that it can't run and can't be reinstalled correctly. The error is: "Error starting program. C:\Windows\System\Imagehlp.DLL not found". I then get a message saying that Spy Sweeper needs to be reinstalled but when I download and reinstall, the same error message comes up. The Spy Sweeper opens but cannot run or scan (those buttons are now grayed out). The computer was scanned everyday by AVG and Spy Sweeper so this is a recent development. I've submitted a ticket to Webroot but have not heard back from them.

I don't know if this is a Malware issue or a computer issue but am guessing that is Malware because of the association of the events. Up until this point, the computer and all of it's programs hae been running without any issues.

I've run all of your suggested scans except for Panda Online which I was unable to successfully download. Attached are the requested log files from CounterSpy, BitDefender and Hijack This.

Here are the system specs:

Dell Dimension XPS T500
Windows 98SE
256 MB RAM
AVG Anti Virus
Zone Alarm firewall
Spy Sweeper (not working)
AdAware (run manually)
SpyBot (run manually)
Firefox browser
Thunderbird email

Thanks in advance,

Mathey1

 

The files didn't attach.

 

Here are the files. Sorry about that.

Mathey1

 

The previous Hijack This log was performed with startup items disabled. Attached is the new Hijack This log with startup items normalized (all programs start up).

Thanks,

Mathey1

 

Your BitDefender log is teh Scan Summary not the Scan Report; and is not very informative.

The CounterSpy report indicates that CWS has left behind a registry entry.

Download
- about:Buster

Run about:Buster twice and atttach the log.

Your HijackThis log shows no signs of an infection.

 

I ran about:buster twice in the safe mode and it came up clean. Attached is the generated log.

Sorry about the Bit Defender scan report but the scan summary was the only one that came up. I ran it again today and it found nothing this time.

Thanks for taking the time to look at this issue. While I'm pleased that no infections were found in the HJT log, it makes me wonder what is wrong. Where did the missing file go (that prevents Spy Sweeper from correctly installing/running), and how do I get it back?

Looking forward to the next step.

Mathey1

 

Hey Shadow_Puter_Dude,

Your last analysis mentioned still being infected with CWS so I ran CounterSpy twice in the safe mode and was able to fix CWS along with 3 other items. Attached are both logs.

Spy Sweeper is still not operational due to the missing IMAGEHLP.DLL file. What is my next step?

Thanks again for reviewing this problem.

Mathey1

 

Follow up to previous post:

CounterSpy ran automatically overnight in the normal mode and found more Malware which I quarantined. I ran the CS scan again and it came up clean. I hope this was just overlooked during the previous 2 safe mode scans and is not generating new Malware.

Attached is the 2:00AM CounterSpy scan.

Thanks again for all your help!

Mathey1

 

Uninstall SPySweeper completely.

Run CounterSpy in Safe Mode, then run it in Normal Mode.

Post the CounterSpy log and a Fresh HijackThis log.

Do not turn your computer off, let me look at those 2 logs before you do anything else.

 

I uninstalled Spy Sweeper, I got the same error message about the missing file but the uninstall seems to have worked anyway. I ran CounterSpy according to your instructions and no malware came up. Perhaps the malware that was missed earlier was due to the new installation of CounterSpy and it didn't have a chance to update it's definitions yet.

Attached are the logs you requested.

FYI, I received a reply from Webroot today which includes a download link for the missing file. I am holding off that installation until you say so.

I am keeping the computer on until I hear from you.

Many thanks,

Mathey1

 

FYI, the SYSTRAY locked up so I had to do a hard shutdown and reboot. Attached is a new HJT log. Computer will remain on until I hear from you.

Hope this helps.

Mathey1

 

O4 - HKLM\..\Run: [Cleanup] c:\windows\TEMP\2005825154148_mcappins.exe /v=3 /cleanup
This appears to be the McAfee Installation Cleanup tool. Is there a reason for this to run at system start?

Other than that your system appears to be malware free.

 

McAfee is not needed as I no longer use their products on this machine. It is probably left over from a previous uninstall and it would be good to get rid of these extraneous items. How would I do that? Is that something that HJT can fix?

FYI, the link Webroot sent to add the file was for an NT machine and therefore incorrect for my Windows 98SE computer. Do you have any ideas on where to get that file? What is my next step in getting this Spy Sweeper issue resolved?

I'm glad to hear that my computer is malware free, thanks to all of the help from Major Geeks. I really appreciate all that you've done. I've learned a lot in the process and hopefully will be better protected in the future.

Thankfully,

Mathey1

 

IMAGEHLP.DLL is a Windows file that aparently isn't installed on your computer. To install it, you must copy it from the Windows 98 CD to the \WINDOWS\SYSTEM\ folder.

1. Insert the Windows 98 CD.
2. In Windows Explorer, double-click the win98 folder on the Windows 98 CD.
3. Expand the *.cab file containing the imagehlp.dll file:
   • If you use Windows 98 First Edition, double-click the Win98_32.cab file.
   • If you use Windows 98 Second Edition, double-click the Win98_30.cab file.
4. Copy IMAGEHLP.DLL to C:\WINDOWS\SYSTEM\.
5. Restart Windows.

Fix the O4 line with HijackThis and then delete c:\windows\TEMP\2005825154148_mcappins.exe

Reboot

 

Hey Shadow,

It worked! I was able to use the .DLL file for NT which is the same for 98SE. The IMAGEHLP.DLL is installed and so is Spy Sweeper which is working perfectly.

I also had HJT Fix the O4 line c:\windows\TEMP\2005825154148_mcappins.exe. There are two other Mcafee 016 entries which I no longer use. Can I use HJT to fix them also?

Now that I have Spy Sweeper back up and running, which anti-spyware would you recommend for my 98SE machine? I'm impressed with what CounterSpy was able to do while SS was being resusitated.

Thanks so much for all your excellent help and troubleshooting. You've performed a miracle! I've learned a lot from you and hope to continue to do so using the Major Geeks Website.

Many, many thanks!

Mathey1

 

You are welcome.

You can remove those 016 entries for McAfee. CounterSpy is a pretty decent program, SpySweeper is better.

Safe Surfing.