Unknown adware [RESOLVED]



#31 ewisniew (Member, Topic Starter, 31 posts)

Pretty elusive. I'm really glad for the help. :tazz:


#32 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Copy the following text into a new Notepad file, and save it (Save as Type: All files (*.*) ) as newbatch.bat in the SAME folder as the rest of the L2m9xfix files:

@echo off
rem Start a fresh results.txt and collect the evidence into it step by step.
echo Here are the bad files: > results.txt
echo. >> results.txt
rem Dump the printable strings of every DLL in the System folder (-f prefixes each line with
rem its file name) and keep only the lines containing one of the known adware markers.
rem ">" rather than ">>" so a files.txt left over from an earlier run is not appended to.
strings -a -f %windir%\system\*.dll | grep -E -e "nictech|UMonitor|Umonitor|IsProcessorFeaX|icannnews" > files.txt
type files.txt >> results.txt
echo. >> results.txt
echo ************ >> results.txt
echo Here they are in short form: >> results.txt
rem Strip the path prefix and the matched text, leaving just the DLL names.
sed -e "s/^.*system\\//g" -e "s/: .*$//g" files.txt >> results.txt
echo ************ >> results.txt
echo Here is the CLSID export: >> results.txt
rem start /w makes the batch wait until regedit has finished writing clsid.txt. Without it,
rem Windows 9x/ME carries on immediately and "type" hits a sharing violation on the file.
start /w regedit /e clsid.txt "HKEY_CLASSES_ROOT\CLSID"
type clsid.txt >> results.txt
echo ************ >> results.txt
echo END >> results.txt



Now run this batch and post the results.txt, zipped, for us.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
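The detection step in that batch (dump printable strings from each DLL, keep the ones carrying a known marker, then reduce to bare file names) is easier to reason about when it is not tied to the bundled strings/grep/sed binaries. The following is an added example, not Excal's batch and not part of the L2m9xfix tool: the same logic in Python, run over a constructed folder of fake DLL bytes so it can be checked offline. All function names and the sample files are my own; the marker strings are the ones from the grep expression above.

```python
"""Added example (not from the thread or the L2m9xfix tool): a Python
re-implementation of the detection step in the newbatch.bat above."""
import os
import re
import tempfile

# Marker strings from the batch file's grep expression (case-sensitive, as grep -E was used).
INDICATORS = ("nictech", "UMonitor", "Umonitor", "IsProcessorFeaX", "icannnews")

# Minimum printable-run length, matching the default of the 'strings' tool.
MIN_RUN = 4
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)


def extract_strings(data: bytes):
    """Yield printable ASCII runs of at least MIN_RUN bytes, like 'strings -a'."""
    for m in _PRINTABLE_RUN.finditer(data):
        yield m.group().decode("ascii")


def scan_dll_dir(directory: str):
    """Return (full_path, short_name, matched_indicator) for every *.dll in
    'directory' whose printable strings contain one of the markers.
    'short_name' is what the sed step in the batch produces: path and match stripped."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".dll"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            data = f.read()
        for s in extract_strings(data):
            matched = next((ind for ind in INDICATORS if ind in s), None)
            if matched:
                hits.append((path, name, matched))
                break  # one report per file is enough for the short-form list
    return hits


def build_sample_dir():
    """Create a temporary folder with constructed sample DLLs: two carrying a
    marker string and one clean. These are fabricated bytes, not real files."""
    d = tempfile.mkdtemp(prefix="system_")
    samples = {
        "abcd1234.dll": b"MZ\x90\x00" + b"\x00" * 16 + b"nictech" + b"\x00" * 8,
        "zz99ab.dll": b"MZ\x90\x00" + b"\x01\x02" + b"IsProcessorFeaX\x00",
        "clean.dll": b"MZ\x90\x00" + b"GetProcAddress\x00LoadLibraryA\x00",
    }
    for fname, blob in samples.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(blob)
    return d


def write_results(directory: str, out_path: str):
    """Write a results.txt in the same layout as the batch (long form, then short form)
    and return the short-form names."""
    hits = scan_dll_dir(directory)
    with open(out_path, "w") as out:
        out.write("Here are the bad files:\n\n")
        for path, _, ind in hits:
            out.write(f"{path}: {ind}\n")
        out.write("\n************\nHere they are in short form:\n")
        for _, short, _ in hits:
            out.write(short + "\n")
        out.write("************\nEND\n")
    return [h[1] for h in hits]


if __name__ == "__main__":
    sample = build_sample_dir()
    print(write_results(sample, os.path.join(sample, "results.txt")))
```

Point the scanner at a copy of the real System folder instead of the sample directory to reproduce the batch's output; the marker list is deliberately the same short, case-sensitive set the batch uses, so anything renamed or repacked will need the list extended.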

#33 ewisniew (Member, Topic Starter, 31 posts)

Hello,

Ran the batch file and it reported that it could not find CLSID.TXT. That was my fault. I forgot to name it back from CLSID2.TXT last night (he has no compression software, so I am transferring anything larger than a floppy with a multi-session CD to my box for net access).

It created one so I reran the batch program. This time it reported a sharing violation on CLSID.TXT. Since there was no CLSID export in the results file, I included the CLSID3.TXT. It is the one modified during the last run of the batch.

Thanks,

Gino


#34 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

Hi ewisniew :tazz:

First of all, I apologize to Excal for jumping in on this thread. I have been following this case because I wrote the tool that seems to be failing to remove the infection on your system, and I am trying to understand what went wrong.

Furthermore, this second batch we had you run also didn't seem to export the CLSIDs correctly, so I wonder if there might be a corruption problem with your regedit.exe or something like that.

Let's try this:

1) Please go to Start -> Run -> regedit and press Enter.

2) Use the left-hand panel to navigate to the following key:

HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}

Right click on the entire {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} key and choose Delete. Click Yes to any prompts.

Then back up in the left-hand panel to the key:

HKEY_CLASSES_ROOT\CLSID

Right-click on the CLSID key and choose Export. Change the "Save as Type" field to "Text file (.txt)", and save it to your desktop as clsid.txt.

Then please post this new clsid.txt for me to see. Please also run the second batch, the newbatch.bat, and post the results.txt.

Please also do not shut down or restart your computer until we are done with this whole process --- if you do, the files will change names and we'll have to start all over. We've been having enough trouble already that I'd rather avoid that if possible. :)

Please also disconnect your computer from the internet for the time being to avoid any additional malware being downloaded or regenerated.

Don't worry --- we'll get this thing. :)

#35 ewisniew (Member, Topic Starter, 31 posts)

Will do this pm when I get in from work. Have not restarted and have my fingers crossed about a lockup or power failure. He does not have a NIC and I have been keeping it off of my phone line since I did his updates and we finished with the online scans. (Dial-up is all he has available where he lives.)

I sincerely appreciate the help the both of you are doing for us. I will be having a long discussion/teaching session on safe computing with him when I give it back.

Thanks,
Gino

#36 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

No problem. Thanks for your help and diagnostics as well. This is the first time the newest version of the fix has failed, so I'd like to learn as much as I can about what's going on. :tazz:

#37 ewisniew (Member, Topic Starter, 31 posts)

Deleted the key and exported the CLSID branch. Saved a backup, "CLSID from reg.txt", before running the batch. "CLSID after fix.txt" is after the batch ran. Including both along with the results since I got a sharing violation on CLSID.txt at the end of the batch again.

Thanks

Gino


#38 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

Hi ewisniew :tazz:

Sorry for the delay --- I think we are likely operating on slightly different time zone schedules.

All of your logs are the same. Even though you tried to delete that CLSID, it doesn't seem to have worked. And actually, that makes a lot of sense to me, since I already had you try to delete it with that REG file earlier, and every time you ran my original batch, that also should have tried to delete the CLSID. So it's not working under any circumstances --- and I think it might be a registry permissions problem.

Let's try this:

Download and install Registrar Lite
  • Double click the purple Registrar Lite icon on your desktop.
  • Copy the line below and paste it into the "Address" field (located at the top) of the program:

    HKEY_CLASSES_ROOT\CLSID

  • Click the "Go" button.
  • On the right-hand side it will load all of your CLSIDs (a huge list of letters and numbers)
  • Locate {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}

  • Right click on it and select Properties
  • Click the Permissions Button and a new window will open.
  • Click the Advanced button
  • Place a checkmark next to the following:
    'Inherit from parent the permission entries that apply to child objects...'
  • Click OK, OK again and right-click on {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} again.
  • Choose delete.
  • Exit Registrar Lite.
Then can you please run regedit, export the HKEY_CLASSES_ROOT\CLSID branch again, and post it here for me? If that bad CLSID is finally gone this time then we should be in business. :)

#39 ewisniew (Member, Topic Starter, 31 posts)

When the "Key Properties" window opens there is no center section that would contain the Permissions button. Help says the permissions and auditing features are only available in NT, 2K and XP. His box is on ME.

Awaiting further instruction.

Thanks

#40 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

OK. Can you just try deleting the key in Registrar Lite, and then posting the CLSID export from regedit? Maybe that will work...
#41 ewisniew (Member, Topic Starter, 31 posts)

Key does not delete.

Tried deleting the key in question. Hard drive activity like it was deleting but as soon as the screen refreshed it was back.

Tried deleting in regedit and it acted like it deleted, but if you refresh the view or restart regedit it is back.

#42 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

This is getting seriously messed up. I don't believe Windows ME has registry permissions. So what is going on??

I'm going to ask for some suggestions from the other helpers --- while I do that, can I ask you to try something ---

1) Go back into regedit, and navigate to HKEY_CLASSES_ROOT\CLSID.

2) Right click on CLSID and choose New -> Key. Name the key Test or something like that. Refresh the window to make sure it has permitted you to create Test OK.

3) Try to delete Test. Let me know if you can. I want to see what you are and are not permitted to do here. I've never seen anything like this before.

Thank you...

#43 ewisniew (Member, Topic Starter, 31 posts)

Added the test key OK. Exited and restarted regedit. New key was there. Deleted it. Closed and restarted regedit. New key was gone.

Also noticed that there is a key named CLSID in HKEY_CLASSES_ROOT\CLSID\.

Name is Default, data value is {0000031A-0000-0000-C000-000000000046}.

Is this normal? :tazz:

Thanks again.

#44 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

Yes, that's normal, don't worry. So your registry IS editable. OK. I'll be back to you ASAP.

#45 Swandog46 (Malware Expert, Member, MVP, 1,026 posts)

Hi ewisniew,

I'm going to take a chance and have you do something involving a reboot. I really hope this works, because if it doesn't, the filenames and bad CLSID might change --- I'd been hoping to do this all without a reboot, but yours is by far the most persistent case I've ever encountered. But I'm not giving up yet....!

Please run Notepad and copy the following text into a new file:

@ECHO OFF
rem Build a REGEDIT4 file that deletes the bad CLSID key ("[-key]" means delete the key).
rem ">" on the first line so a fix.reg left over from an earlier run is overwritten, not appended to.
echo REGEDIT4 > fix.reg
echo. >> fix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}] >> fix.reg
rem start /w makes the batch wait for regedit to finish merging before the file is deleted;
rem Windows 9x/ME otherwise carries on without waiting for a Windows program to exit.
start /w regedit /s fix.reg
del fix.reg
exit

Save the file as C:\fix.bat and make sure the "Save as type" field says "All files".

Now we're going to run this batch three times in hopes that one of them will kill the bad CLSID.

Run it first just by going to My Computer, navigating to C:\, and double-clicking on fix.bat.

Then please run Notepad, and open the file c:\windows\system.ini. Look for a line in this file beginning with the letters shell=
It will probably say:

shell=explorer.exe

or

shell=explorer

Change that line to say:

shell=command.com

Save the changes and exit Notepad.

Then please run Notepad again and copy the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Batch"="C:\\fix.bat"

Save the file to the desktop as fix.reg and make sure the "Save as type" field says "All files". Then double-click on fix.reg, and click Yes to merge it with the registry.


Restart your computer. When it starts up, you should NOT get your normal desktop. You should get a black command prompt window instead.

At the command prompt type the following commands, pressing Enter after each one:

cd c:\
fix


A window may appear and disappear quickly --- this is normal.

Then type the command:

notepad

Notepad will open. Again open the file C:\windows\system.ini, and change the shell= line back to what it was before; probably:

shell=explorer.exe

Save the file and exit Notepad. Restart your computer again. You should get a normal desktop this time.


Finally, run regedit, and export the HKEY_CLASSES_ROOT\CLSID branch again. Also run my second batch newbatch.bat from before, and post the results from both here for me.

Cross your fingers.... :tazz:
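Two things in this thread are done by eye: comparing the CLSID exports before and after an attempted deletion (post #38, "All of your logs are the same"), and writing the REGEDIT4 deletion file and the system.ini shell= swap of this last procedure. The following is an added example, not Swandog46's fix or anything from the thread's attachments: Python helpers that parse a REGEDIT4 export as produced by regedit /e or the Export menu, report whether the bad CLSID (and any subkey) is still present, diff two exports, generate the [-key] deletion text, and swap the shell= line while remembering the old value so it can be restored. The sample export and system.ini text are constructed for the example; function names are my own.

```python
"""Added example (not from the thread): helpers for the registry-export,
.reg-deletion and system.ini steps described above, on constructed sample text."""
import re

BAD_CLSID = r"HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}"

# A key header line in a .reg file: "[path]" or "[-path]" (the latter deletes the key).
_KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")


def parse_regedit4_keys(export_text: str):
    """Return the set of key paths listed in a REGEDIT4 export, lower-cased so that
    comparisons ignore case like the registry does. '[-...]' deletion entries are skipped."""
    keys = set()
    for line in export_text.splitlines():
        m = _KEY_LINE.match(line.strip())
        if m and not m.group(1):
            keys.add(m.group(2).lower())
    return keys


def key_present(export_text: str, key_path: str) -> bool:
    """True if key_path itself or any subkey of it appears in the export."""
    target = key_path.lower()
    return any(k == target or k.startswith(target + "\\")
               for k in parse_regedit4_keys(export_text))


def export_diff(before: str, after: str):
    """(keys removed, keys added) between two exports. Two identical exports,
    the situation seen in post #38, give two empty lists."""
    b, a = parse_regedit4_keys(before), parse_regedit4_keys(after)
    return sorted(b - a), sorted(a - b)


def deletion_reg(key_path: str) -> str:
    """Text of a REGEDIT4 file that deletes key_path and everything under it,
    the same form fix.bat writes. CRLF line endings, as regedit expects."""
    return "REGEDIT4\r\n\r\n[-" + key_path + "]\r\n"


def set_shell(system_ini: str, new_shell: str):
    """Replace the shell= value in the [boot] section of a system.ini text.
    Returns (updated_text, previous_value) so the caller can restore it afterwards."""
    lines = system_ini.splitlines()
    in_boot, previous = False, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
        elif in_boot and s.lower().startswith("shell="):
            previous = s[len("shell="):]
            lines[i] = "shell=" + new_shell
            break
    return "\r\n".join(lines) + "\r\n", previous


# Constructed sample data, not real exports from the thread's attachments.
# The CLSID\CLSID key with the {0000031A-...} default mirrors the normal entry noted in post #43.
EXPORT_BEFORE = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID]\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\CLSID]\r\n"
    "@=\"{0000031A-0000-0000-C000-000000000046}\"\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}]\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}\\InprocServer32]\r\n"
    "@=\"C:\\\\WINDOWS\\\\SYSTEM\\\\ABCD1234.DLL\"\r\n"
)
EXPORT_AFTER_CLEAN = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID]\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\CLSID]\r\n"
    "@=\"{0000031A-0000-0000-C000-000000000046}\"\r\n"
)
SYSTEM_INI = "[boot]\r\nshell=explorer.exe\r\ndrivers=mmsystem.dll\r\n[386Enh]\r\n"

if __name__ == "__main__":
    print("present before:", key_present(EXPORT_BEFORE, BAD_CLSID))
    print("present after:", key_present(EXPORT_AFTER_CLEAN, BAD_CLSID))
    print("removed/added:", export_diff(EXPORT_BEFORE, EXPORT_AFTER_CLEAN))
    print(deletion_reg(BAD_CLSID))
    changed, old = set_shell(SYSTEM_INI, "command.com")
    print(old, "->", changed)
```

Feed the real clsid.txt files into key_present or export_diff to replace the manual comparison; an export is only worth reading once export_diff shows the bad key and its InprocServer32 subkey in the removed list. The set_shell helper keeps the previous value on purpose: the restore step after the command-prompt boot is exactly where a typo leaves the machine without a desktop.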





