This topic is locked
Attached Files
-
clsid2.zip 152.92KB
69 downloads
Unknown adware [RESOLVED]
Started by
ewisniew
, Aug 07 2005 06:33 PM
#32
Posted 18 August 2005 - 10:07 AM
Excal
-
- Retired Staff
-
- 12,739 posts
Malware Slayer Extraordinaire!
copy the following text into a new Notepad file, and save it (Save as Type: All files (*.*) ) as newbatch.bat in the SAME folder as the rest of the L2m9xfix files:
now run this batch and post the results.txt, zipped, for us.
From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
@echo off
echo Here are the bad files: > results.txt
echo. >> results.txt
strings -a -f %windir%\system\*.dll | grep -E -e "nictech|UMonitor|Umonitor|IsProcessorFeaX|icannnews" >> files.txt
type files.txt >> results.txt
echo. >> results.txt
echo ************ >> results.txt
echo Here they are in short form: >> results.txt
sed -e "s/^.*system\\//g" -e "s/: .*$//g" files.txt >> results.txt
echo ************ >> results.txt
echo Here is the CLSID export: >> results.txt
regedit /e clsid.txt "HKEY_CLASSES_ROOT\CLSID"
type clsid.txt >>results.txt
echo ************ >> results.txt
echo END >> results.txt
now run this batch and post the results.txt, zipped, for us.
From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
#33
Posted 18 August 2005 - 06:51 PM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
Hello,
Ran the batch file and it reported that it could not find CLSID.TXT. That was my fault. I forgot to name it back from CLSID2.TXT last night (he has no compression software so I am transferring any thing larger than a floppy with a multi-session cd to my box for net access.)
It created one so I reran the batch program. This time it reported a sharing violation on CLSID.TXT. Since ther was no CLSID export in the results file, I included the CLSID3.TXT. It is the one modified during the last run of the batch.
Thanks,
Gino
Ran the batch file and it reported that it could not find CLSID.TXT. That was my fault. I forgot to name it back from CLSID2.TXT last night (he has no compression software so I am transferring any thing larger than a floppy with a multi-session cd to my box for net access.)
It created one so I reran the batch program. This time it reported a sharing violation on CLSID.TXT. Since ther was no CLSID export in the results file, I included the CLSID3.TXT. It is the one modified during the last run of the batch.
Thanks,
Gino
Attached Files
-
clsid3.zip 152.92KB
198 downloads
-
results.zip 1.23KB
74 downloads
#34
Posted 19 August 2005 - 07:52 AM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
Hi ewisniew 
First of all, I apologize to Excal for jumping in on this thread. I have been following this case because I wrote the tool that seems to be failing to remove the infection on your system, and I am trying to understand what went wrong.
Furthermore, this second batch we had you run also didn't seem to export the CLSIDs correctly, so I wonder if there might be a corruption problem with your regedit.exe or something like that.
Let's try this:
1) Please go to Start -> Run -> regedit and press Enter.
2) Use the left-hand panel to navigate to the following key:
HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}
Right click on the entire {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} key and choose Delete. Click Yes to any prompts.
Then back up in the left-hand panel to the key:
HKEY_CLASSES_ROOT\CLSID
Right-click on the CLSID key and choose Export. Change the "Save as Type" field to "Text file (.txt)", and save it to your desktop as clsid.txt.
Then please post this new clsid.txt for me to see. Please also run the second batch, the newbatch.bat, and post the results.txt.
Please also do not shut down or restart your computer until we are done with this whole process --- if you do, the files will change names and we'll have to start all over. We've been having enough trouble already that I'd rather avoid that if possible.
Please also disconnect your computer from the internet for the time being to avoid any additional malware being downloaded or regenerated.
Don't worry --- we'll get this thing.
First of all, I apologize to Excal for jumping in on this thread. I have been following this case because I wrote the tool that seems to be failing to remove the infection on your system, and I am trying to understand what went wrong.
Furthermore, this second batch we had you run also didn't seem to export the CLSIDs correctly, so I wonder if there might be a corruption problem with your regedit.exe or something like that.
Let's try this:
1) Please go to Start -> Run -> regedit and press Enter.
2) Use the left-hand panel to navigate to the following key:
HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}
Right click on the entire {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} key and choose Delete. Click Yes to any prompts.
Then back up in the left-hand panel to the key:
HKEY_CLASSES_ROOT\CLSID
Right-click on the CLSID key and choose Export. Change the "Save as Type" field to "Text file (.txt)", and save it to your desktop as clsid.txt.
Then please post this new clsid.txt for me to see. Please also run the second batch, the newbatch.bat, and post the results.txt.
Please also do not shut down or restart your computer until we are done with this whole process --- if you do, the files will change names and we'll have to start all over. We've been having enough trouble already that I'd rather avoid that if possible.
Please also disconnect your computer from the internet for the time being to avoid any additional malware being downloaded or regenerated.
Don't worry --- we'll get this thing.
#35
Posted 19 August 2005 - 08:08 AM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
Will do this pm when I get in from work. Have not restarted and have my fingers crossed about a lockup or power failure. He does not have a NIC and I have been keeping it off of my phone line since I did his updates and we finished with the online scans. (Dial-up is all he has available where he lives.)
I sincerly appreciate the help the both of you are doing for us. I will be having a long discussion/teaching session on safe computing with him when I give it back.
Thanks,
Gino
I sincerly appreciate the help the both of you are doing for us. I will be having a long discussion/teaching session on safe computing with him when I give it back.
Thanks,
Gino
#36
Posted 19 August 2005 - 11:53 AM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
No problem. Thanks for your help and diagnostics as well. This is the first time the newest version of the fix has failed, so I'd like to learn as much as I can about what's going on.
#37
Posted 19 August 2005 - 05:15 PM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
Deleted the key and exported the CLSID branch. Saved a backup, "CLSID from reg.txt' before running the batch. "CLSID after fix.txt"is after the batch ran. Icluding both along with the results since I got a sharing violation on CLSID.txt at the end of the batch again.
Thanks
Gino
Thanks
Gino
Attached Files
-
clsid_after_fix.zip 152.94KB
136 downloads
-
clsid_from_reg.zip 152.94KB
445 downloads
-
results_after_fix.zip 1.32KB
72 downloads
#38
Posted 20 August 2005 - 07:56 AM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
Hi ewisniew
Sorry for the delay --- I think we are likely operating on slightly different time zone schedules.
All of your logs are the same. Even though you tried to delete that CLSID, it doesn't seem to have worked. And actually, that makes a lot of sense to me, since I already had you try to delete it with that REG file earlier, and every time you ran my original batch, that also should have tried to delete the CLSID. So it's not working under any circumstances --- and I think it might be a registry permissions problem.
Let's try this:
Download and install Registrar Lite
Sorry for the delay --- I think we are likely operating on slightly different time zone schedules.
All of your logs are the same. Even though you tried to delete that CLSID, it doesn't seem to have worked. And actually, that makes a lot of sense to me, since I already had you try to delete it with that REG file earlier, and every time you ran my original batch, that also should have tried to delete the CLSID. So it's not working under any circumstances --- and I think it might be a registry permissions problem.
Let's try this:
Download and install Registrar Lite
- Double click the purple Registrar Lite icon on your desktop.
- Copy the line below and paste it into the "Address" field (located at the top) of the program:
HKEY_CLASSES_ROOT\CLSID
- Click the "Go" button.
- On the right-hand side it will load all of your CLSIDs (a huge list of letters and numbers)
- Locate {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}
- Right click on it and select Properties
- Click the Permissions Button and a new window will open.
- Click the Advanced button
- Place a checkmark next to the following:
'Inherit from parent the permission entries that apply to child objects...' - Click OK, Ok again and rightclick on {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} again.
- Choose delete.
- Exit Registrar Lite.
#39
Posted 20 August 2005 - 08:34 AM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
When the "Key Properties window" opens there is no center section that would contain the permissions button. Help says the permissions and auditing features are only available in in NT, 2K and XP. His box is on ME.
Awaiting further instruciton.
Thanks
Awaiting further instruciton.
Thanks
#40
Posted 20 August 2005 - 12:06 PM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
OK. Can you just try deleting the key in Registrar Lite, and then posting the CLSID export from regedit? Maybe that will work...
#41
Posted 20 August 2005 - 12:38 PM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
Key does not delete.
Tried deleting the key in question. Hard drive activity like it was deleting but as soon as the screen refreshed it was back.
Tried deleting in regedit and it acted like it deleted, but if you refresh the view or restart regedit it is back.
Tried deleting the key in question. Hard drive activity like it was deleting but as soon as the screen refreshed it was back.
Tried deleting in regedit and it acted like it deleted, but if you refresh the view or restart regedit it is back.
#42
Posted 20 August 2005 - 02:15 PM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
This is getting seriously messed up. I don't believe Windows ME has registry permissions. So what is going on??
I'm going to ask for some suggestions from the other helpers --- while I do that, can I ask you to try something ---
1) Go back into regedit, and navigate to HKEY_CLASSES_ROOT\CLSID.
2) Right click on CLSID and choose New -> Key. Name the key Test or something like that. Refresh the window to make sure it has permitted you to create Test OK.
3) Try to delete Test. Let me know if you can. I want to see what you are and are not permitted to do here. I've never seen anything like this before.
Thank you...
I'm going to ask for some suggestions from the other helpers --- while I do that, can I ask you to try something ---
1) Go back into regedit, and navigate to HKEY_CLASSES_ROOT\CLSID.
2) Right click on CLSID and choose New -> Key. Name the key Test or something like that. Refresh the window to make sure it has permitted you to create Test OK.
3) Try to delete Test. Let me know if you can. I want to see what you are and are not permitted to do here. I've never seen anything like this before.
Thank you...
#43
Posted 20 August 2005 - 02:59 PM
ewisniew
- Topic Starter
-
- Member
-
- 31 posts
Member
Added the test key ok. Exited and restarted regedit. New Key was there. Deleted it. closed and restarted Regedit. New key was gone.
Also noticed that there is a key named CLSID in HKEY_CLASSES_ROOT\CLSID\ .
NAme is Default, data value is {0000031A-0000-0000-C000-000000000046}.
Is this normal?
Thanks again.
Also noticed that there is a key named CLSID in HKEY_CLASSES_ROOT\CLSID\ .
NAme is Default, data value is {0000031A-0000-0000-C000-000000000046}.
Is this normal?
Thanks again.
#44
Posted 20 August 2005 - 04:41 PM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
Yes, that's normal, don't worry. So your registry IS editable. OK. I'll be back to you ASAP.
#45
Posted 20 August 2005 - 08:28 PM
Swandog46
-
- Member
-
- 1,026 posts
Malware Expert
Hi ewisniew,
I'm going to take a chance and have you do something involving a reboot. I really hope this works, because if it doesn't, the filenames and bad CLSID might change --- I'd been hoping to do this all without a reboot, but yours is by far the most persistent case I've ever encountered. But I'm not giving up yet....!
Please run Notepad and copy the following text into a new file:
Now we're going to run this batch three times in hopes that one of them will kill the bad CLSID.
Run it first just by going to My Computer, navigating to C:\, and double-clicking on fix.bat.
Then please run Notepad, and open the file c:\windows\system.ini. Look for a line in this file beginning with the letters shell=
It will probably say:
shell=explorer.exe
or
shell=explorer
Change that line to say:
shell=command.com
Save the changes and exit Notepad.
Then please run Notepad again and copy the following text into a new file:
Restart your computer. When it starts up, you should NOT get your normal desktop. You should get a black command prompt window instead.
At the command prompt type the following commands, pressing Enter after each one:
cd c:\
fix
A window may appear and disappear quickly --- this is normal.
Then type the command:
notepad
Notepad will open. Again open the file C:\windows\system.ini, and change the shell= line back to what it was before; probably:
shell=explorer.exe
Save the file and exit Notepad. Restart your computer again. You should get a normal desktop this time.
Finally, run regedit, and export the HKEY_CLASSES_ROOT\CLSID branch again. Also run my second batch newbatch.bat from before, and post the results from both here for me.
Cross your fingers....
I'm going to take a chance and have you do something involving a reboot. I really hope this works, because if it doesn't, the filenames and bad CLSID might change --- I'd been hoping to do this all without a reboot, but yours is by far the most persistent case I've ever encountered. But I'm not giving up yet....!
Please run Notepad and copy the following text into a new file:
Save the file as C:\fix.bat and make sure the "Save as type" field says "All files".@ECHO OFF
echo REGEDIT4 >> fix.reg
echo. >> fix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}] >> fix.reg
regedit /s fix.reg
del fix.reg
exit
Now we're going to run this batch three times in hopes that one of them will kill the bad CLSID.
Run it first just by going to My Computer, navigating to C:\, and double-clicking on fix.bat.
Then please run Notepad, and open the file c:\windows\system.ini. Look for a line in this file beginning with the letters shell=
It will probably say:
shell=explorer.exe
or
shell=explorer
Change that line to say:
shell=command.com
Save the changes and exit Notepad.
Then please run Notepad again and copy the following text into a new file:
Save the file to the desktop as fix.reg and make sure the "Save as type" field says "All files". Then double-click on fix.reg, and click Yes to merge it with the registry.REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Batch"="C:\\fix.bat"
Restart your computer. When it starts up, you should NOT get your normal desktop. You should get a black command prompt window instead.
At the command prompt type the following commands, pressing Enter after each one:
cd c:\
fix
A window may appear and disappear quickly --- this is normal.
Then type the command:
notepad
Notepad will open. Again open the file C:\windows\system.ini, and change the shell= line back to what it was before; probably:
shell=explorer.exe
Save the file and exit Notepad. Restart your computer again. You should get a normal desktop this time.
Finally, run regedit, and export the HKEY_CLASSES_ROOT\CLSID branch again. Also run my second batch newbatch.bat from before, and post the results from both here for me.
Cross your fingers....
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
