SProtector.dll and why you shouldn't have it.
[Sep. 28th, 2012|03:39 am]
Just typing this up for the benefit of others who have the same problem and have to resort to a Google search. (The next-best thing to knowing stuff!)
Here's the problem I encountered on a relative's computer:
Several programs would not start at all, instead giving the typical "This program died" error message right off the bat. In most (but not all) cases, rundll32.exe crashes in ntdll.dll with exception code 0xC0000374 (this is the "STATUS_HEAP_CORRUPTION" error), yada-yada-yada...
Here's a partial list of the programs that were affected:
• Internet Explorer (and it probably would've affected Firefox and Chrome too if they had been installed)
• Security Center in Control Panel
• Windows Firewall in Control Panel
• Internet Settings in Control Panel
• Various other components...
Even GMER, the experts-only use-at-your-own-risk tool for digging out all evidence of rootkit-like virus activity, gets partway through the scan and then crashes. (UPDATE: Turns out that was an unrelated issue.)
This one had me stumped for a few days. (Plus the time it took to run the virus scans; several different programs, each taking a full day because it was a Windows Vista system. Damn, I hate Vista!)
The culprit turned out to be this file:
Neither AVG, Microsoft Security "let's look like we're trying" Essentials, Windows Malicious Software Removal Tickler, Spybot S&D, nor Malwarebytes' Anti-Malware identifies this file as dangerous. Even some determined Google searching yielded no useful clues as to what this file actually is, or what it does... aside from one report, just one, that it might, just might, be a trojan of some sort.
I didn't even suspect that file until I noticed some interesting things about it: the file loads automatically via the "AppInit_DLLs" registry value (easy to notice because HijackThis scans there), it contains no version information, it has no other files aside from an "uninstall.exe" in its directory, and there's a "SProtector" key in the registry that contains some sort of encrypted data. Put together, these are enough warning signs to be called "warning signs". (UPDATE: Later investigation showed that the DLL file was compressed with UPX as well, just to make its contents slightly harder to examine!)
Deleting the file, and the reference to it in AppInit_DLLs, fixed the problem.
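A quick way to check a machine for the same warning signs (AppInit_DLLs entries with no version resource, a lone uninstall.exe beside them, or UPX section names in the header), as an added PowerShell example that is not part of the original post. It assumes an elevated session on the affected machine and, for bare DLL names, that the loader finds them in System32.

```powershell
# Added example, not from the original post: triage every DLL listed in AppInit_DLLs.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Test-AppInitDll {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) { return @('file missing') }
    # Warning sign 1: no version resource at all.
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    if (-not $ver.FileVersion -and -not $ver.CompanyName) { $findings += 'no version info' }
    # Warning sign 2: the only neighbour in the directory is an uninstall.exe.
    $siblings = @(Get-ChildItem -LiteralPath (Split-Path $Path) -File |
                  Where-Object { $_.FullName -ne $Path })
    if ($siblings.Count -eq 1 -and $siblings[0].Name -ieq 'uninstall.exe') {
        $findings += 'only uninstall.exe alongside'
    }
    # Warning sign 3: UPX leaves its section names (UPX0, UPX1) in the PE header,
    # so a plain ASCII search of the first 4 KB is enough for an unmodified packer.
    $fs = [System.IO.File]::OpenRead($Path)
    $buf = New-Object byte[] 4096
    $n = $fs.Read($buf, 0, $buf.Length)
    $fs.Close()
    if ([System.Text.Encoding]::ASCII.GetString($buf, 0, $n) -match 'UPX[01!]') { $findings += 'UPX-packed' }
    return $findings
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    "{0}`n  LoadAppInit_DLLs = {1}`n  AppInit_DLLs     = '{2}'" -f $key, $props.LoadAppInit_DLLs, $props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) { continue }
    # Entries are separated by spaces or commas and may use %SystemRoot%-style variables.
    foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        $dll = [Environment]::ExpandEnvironmentVariables($entry)
        # Assumption: a bare file name is resolved from System32 (the loader's usual first hit).
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
        $flags = Test-AppInitDll -Path $dll
        $verdict = if ($flags) { 'SUSPICIOUS: ' + ($flags -join ', ') } else { 'no obvious warning signs' }
        "  -> {0}: {1}" -f $dll, $verdict
    }
}
```

On a clean system both keys normally show an empty AppInit_DLLs value; any entry that prints as SUSPICIOUS deserves the same look the post describes before it is removed from the value.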
Now that all doubt's been removed, all that's missing is a way to report my findings to the makers of AVG, MBAM, Spybot S&D, Microsoft's MRT team, et cetera, et cetera, et cetera...