Unknown adware [RESOLVED]
#31
Posted 17 August 2005 - 07:40 PM
#32
Posted 18 August 2005 - 10:07 AM
@echo off
rem Assumes GNU strings, grep and sed (for example a Win32 port) are on the PATH.
echo Here are the bad files: > results.txt
echo. >> results.txt
rem Overwrite files.txt rather than append, so a file left over from an earlier run is not re-reported.
strings -a -f %windir%\system\*.dll | grep -E -e "nictech|UMonitor|Umonitor|IsProcessorFeaX|icannnews" > files.txt
type files.txt >> results.txt
echo. >> results.txt
echo ************ >> results.txt
echo Here they are in short form: >> results.txt
sed -e "s/^.*system\\//g" -e "s/: .*$//g" files.txt >> results.txt
echo ************ >> results.txt
echo Here is the CLSID export: >> results.txt
rem regedit is a Windows program and may return before the export is written; start /w waits for it to finish.
if exist clsid.txt del clsid.txt
start /w regedit /e clsid.txt "HKEY_CLASSES_ROOT\CLSID"
type clsid.txt >> results.txt
echo ************ >> results.txt
echo END >> results.txt
Now run this batch and post the results.txt, zipped, for us.
From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
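The batch above does three things: it dumps the printable strings from every DLL in %windir%\system and keeps the lines matching the indicator names, shortens those hits to bare file names, and exports HKEY_CLASSES_ROOT\CLSID so the helpers can see whether the bad CLSID is still registered. The Python below is an added example, not part of the thread or of the helper's tool, that reproduces that triage offline so the logic can be checked without the Unix ports. The two DLL images and the registry export are constructed here; sample.dll and its InProcServer32 path are made up for illustration, and the only identifiers taken from the thread are the indicator strings and the CLSID {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}.

```python
import re

# Indicator substrings from the grep -E pattern in the batch above.
INDICATORS = ("nictech", "UMonitor", "Umonitor", "IsProcessorFeaX", "icannnews")
# The CLSID the thread is trying to remove.
BAD_CLSID = "{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Emulate `strings -a`: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_files(files: dict) -> list:
    """Emulate `strings -a -f ... | grep -E ...`: (path, matching string) pairs."""
    hits = []
    for path, data in files.items():
        for s in extract_strings(data):
            if any(ind in s for ind in INDICATORS):
                hits.append((path, s))
    return hits


def short_form(path: str) -> str:
    """Emulate the sed step: keep only the file name after 'system\\'.
    Case-insensitive here, which the sed expression in the batch is not."""
    return re.sub(r"^.*system\\", "", path, flags=re.IGNORECASE)


def parse_export(export_text: str) -> dict:
    """Parse a regedit export into {key: {value_name: data}}.

    Accepts the REGEDIT4 layout ([KEY] sections with "name"="data" lines, @ for
    the default value) and also picks up key names from the "Key Name:" layout
    regedit writes when exporting as a text file (values in that layout are
    not parsed).  Key names are lower-cased so lookups are case-insensitive.
    """
    keys = {}
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif line.startswith("Key Name:"):
            current = line[len("Key Name:"):].strip().lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.startswith(("@", '"')):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # REGEDIT4 doubles backslashes and escapes quotes inside strings.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def clsid_present(keys: dict, clsid: str) -> bool:
    """True if HKCR\\CLSID\\{clsid} (or any subkey of it) survived in the export."""
    base = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid).lower()
    return any(k == base or k.startswith(base + "\\") for k in keys)


def inproc_server(keys: dict, clsid: str):
    """The DLL registered as the CLSID's in-process server, or None."""
    sub = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
    return keys.get(sub, {}).get("@")


def triage(files: dict, export_text: str, clsid: str = BAD_CLSID) -> dict:
    """Everything the results.txt from the batch is meant to answer, in one dict."""
    keys = parse_export(export_text)
    return {
        "bad_files": sorted({short_form(p) for p, _ in scan_files(files)}),
        "clsid_present": clsid_present(keys, clsid),
        "inproc_server": inproc_server(keys, clsid),
    }


# Constructed sample data (not from the thread): two fake DLL images and a
# REGEDIT4 export with a benign CLSID and the bad one. sample.dll is made up.
SAMPLE_FILES = {
    r"c:\windows\system\harmless.dll": b"MZ\x90\x00" + b"\x00" * 8 + b"KERNEL32.dll\x00GetProcAddress\x00",
    r"c:\windows\system\sample.dll": b"MZ\x90\x00" + b"\x01\x02" * 4 + b"UMonitor\x00\xff\xfeicannnews\x00",
}
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}]
@="ClassMoniker"

[HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\sample.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_EXPORT))
```

Running it on the constructed data lists sample.dll as the only hit, reports the CLSID as still present, and names the DLL its InProcServer32 points at; run against a real results.txt the same two checks are what the later posts in this thread are doing by eye.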
#33
Posted 18 August 2005 - 06:51 PM
Ran the batch file and it reported that it could not find CLSID.TXT. That was my fault. I forgot to name it back from CLSID2.TXT last night (he has no compression software, so I am transferring anything larger than a floppy with a multi-session CD to my box for net access).
It created one, so I reran the batch program. This time it reported a sharing violation on CLSID.TXT. Since there was no CLSID export in the results file, I included the CLSID3.TXT. It is the one modified during the last run of the batch.
Thanks,
Gino
Attached Files
#34
Posted 19 August 2005 - 07:52 AM
First of all, I apologize to Excal for jumping in on this thread. I have been following this case because I wrote the tool that seems to be failing to remove the infection on your system, and I am trying to understand what went wrong.
Furthermore, this second batch we had you run also didn't seem to export the CLSIDs correctly, so I wonder if there might be a corruption problem with your regedit.exe or something like that.
Let's try this:
1) Please go to Start -> Run -> regedit and press Enter.
2) Use the left-hand panel to navigate to the following key:
HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}
Right click on the entire {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} key and choose Delete. Click Yes to any prompts.
Then back up in the left-hand panel to the key:
HKEY_CLASSES_ROOT\CLSID
Right-click on the CLSID key and choose Export. Change the "Save as Type" field to "Text file (.txt)", and save it to your desktop as clsid.txt.
Then please post this new clsid.txt for me to see. Please also run the second batch, the newbatch.bat, and post the results.txt.
Please also do not shut down or restart your computer until we are done with this whole process --- if you do, the files will change names and we'll have to start all over. We've been having enough trouble already that I'd rather avoid that if possible.
Please also disconnect your computer from the internet for the time being to avoid any additional malware being downloaded or regenerated.
Don't worry --- we'll get this thing.
#35
Posted 19 August 2005 - 08:08 AM
I sincerely appreciate the help both of you are giving us. I will be having a long discussion/teaching session on safe computing with him when I give it back.
Thanks,
Gino
#36
Posted 19 August 2005 - 11:53 AM
#37
Posted 19 August 2005 - 05:15 PM
Thanks
Gino
Attached Files
#38
Posted 20 August 2005 - 07:56 AM
Sorry for the delay --- I think we are likely operating on slightly different time zone schedules.
All of your logs are the same. Even though you tried to delete that CLSID, it doesn't seem to have worked. And actually, that makes a lot of sense to me, since I already had you try to delete it with that REG file earlier, and every time you ran my original batch, that also should have tried to delete the CLSID. So it's not working under any circumstances --- and I think it might be a registry permissions problem.
Let's try this:
Download and install Registrar Lite
- Double click the purple Registrar Lite icon on your desktop.
- Copy the line below and paste it into the "Address" field (located at the top) of the program:
HKEY_CLASSES_ROOT\CLSID
- Click the "Go" button.
- On the right-hand side it will load all of your CLSIDs (a huge list of letters and numbers)
- Locate {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}
- Right click on it and select Properties
- Click the Permissions Button and a new window will open.
- Click the Advanced button
- Place a checkmark next to the following:
'Inherit from parent the permission entries that apply to child objects...'
- Click OK, then OK again.
- Right-click on {1DC178BC-76AC-4EB5-B529-DDA2417C0E4F} again.
- Choose delete.
- Exit Registrar Lite.
#39
Posted 20 August 2005 - 08:34 AM
Awaiting further instruction.
Thanks
#40
Posted 20 August 2005 - 12:06 PM
#41
Posted 20 August 2005 - 12:38 PM
Tried deleting the key in question. Hard drive activity like it was deleting but as soon as the screen refreshed it was back.
Tried deleting in regedit and it acted like it deleted, but if you refresh the view or restart regedit it is back.
#42
Posted 20 August 2005 - 02:15 PM
I'm going to ask for some suggestions from the other helpers --- while I do that, can I ask you to try something ---
1) Go back into regedit, and navigate to HKEY_CLASSES_ROOT\CLSID.
2) Right click on CLSID and choose New -> Key. Name the key Test or something like that. Refresh the window to make sure it has permitted you to create Test OK.
3) Try to delete Test. Let me know if you can. I want to see what you are and are not permitted to do here. I've never seen anything like this before.
Thank you...
#43
Posted 20 August 2005 - 02:59 PM
Also noticed that there is a key named CLSID in HKEY_CLASSES_ROOT\CLSID\ .
Name is Default, data value is {0000031A-0000-0000-C000-000000000046}.
Is this normal?
Thanks again.
#44
Posted 20 August 2005 - 04:41 PM
#45
Posted 20 August 2005 - 08:28 PM
I'm going to take a chance and have you do something involving a reboot. I really hope this works, because if it doesn't, the filenames and bad CLSID might change --- I'd been hoping to do this all without a reboot, but yours is by far the most persistent case I've ever encountered. But I'm not giving up yet....!
Please run Notepad and copy the following text into a new file:
@ECHO OFF
rem Absolute paths, because the RunOnce entry does not run from C:\
echo REGEDIT4 > C:\fix.reg
echo. >> C:\fix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}] >> C:\fix.reg
rem start /w waits for regedit to finish, so the .reg file is not deleted underneath it
start /w regedit /s C:\fix.reg
del C:\fix.reg
exit
Save the file as C:\fix.bat and make sure the "Save as type" field says "All files".
Now we're going to run this batch three times in hopes that one of them will kill the bad CLSID.
Run it first just by going to My Computer, navigating to C:\, and double-clicking on fix.bat.
Then please run Notepad, and open the file c:\windows\system.ini. Look for a line in this file beginning with the letters shell=
It will probably say:
shell=explorer.exe
or
shell=explorer
Change that line to say:
shell=command.com
Save the changes and exit Notepad.
Then please run Notepad again and copy the following text into a new file:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Batch"="C:\\fix.bat"
Save the file to the desktop as fix.reg and make sure the "Save as type" field says "All files". Then double-click on fix.reg, and click Yes to merge it with the registry.
Restart your computer. When it starts up, you should NOT get your normal desktop. You should get a black command prompt window instead.
At the command prompt type the following commands, pressing Enter after each one:
cd c:\
fix
A window may appear and disappear quickly --- this is normal.
Then type the command:
notepad
Notepad will open. Again open the file C:\windows\system.ini, and change the shell= line back to what it was before; probably:
shell=explorer.exe
Save the file and exit Notepad. Restart your computer again. You should get a normal desktop this time.
Finally, run regedit, and export the HKEY_CLASSES_ROOT\CLSID branch again. Also run my second batch newbatch.bat from before, and post the results from both here for me.
Cross your fingers....
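The procedure in this post chains three artefacts: a REGEDIT4 file whose [-key] section deletes the CLSID, a RunOnce value (with the backslashes in C:\\fix.bat doubled, as REGEDIT4 requires) that runs fix.bat at the next boot, and an edit to the shell= line of system.ini that is later reverted by hand. The Python below is an added example, not the thread's own code, that generates those two .reg files with the escaping done programmatically and edits only the shell= line in the [boot] section while returning the old value so the file can be restored exactly. The sample system.ini is constructed and the helper names are my own; the key, value name and CLSID are the ones from the post.

```python
import re

# Identifiers taken from the post above.
BAD_CLSID = "{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}"
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def reg_escape(s: str) -> str:
    """Escape a string for a REGEDIT4 "name"="data" line (backslashes doubled, quotes escaped)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_delete_key(key: str) -> str:
    """REGEDIT4 text that deletes `key`: a '-' inside the brackets means delete."""
    return "REGEDIT4\r\n\r\n[-" + key + "]\r\n"


def reg_set_string(key: str, name: str, data: str) -> str:
    """REGEDIT4 text that creates or overwrites one string value under `key`."""
    return ("REGEDIT4\r\n\r\n[" + key + "]\r\n"
            '"' + reg_escape(name) + '"="' + reg_escape(data) + '"\r\n')


def set_shell(system_ini: str, new_shell: str):
    """Rewrite the shell= line of the [boot] section only.

    Returns (new_text, old_value).  Every other line, including line endings,
    is left byte-for-byte intact, so calling set_shell(new_text, old_value)
    restores the original file exactly.  Raises ValueError if [boot] has no
    shell= line, rather than silently appending one.
    """
    lines = system_ini.splitlines(keepends=True)
    section = None
    old = None
    for i, line in enumerate(lines):
        s = line.strip()
        m = re.match(r"\[(.*)\]$", s)
        if m:
            section = m.group(1).lower()
            continue
        # re.match anchors at the start, so commented ';shell=' lines do not match.
        if section == "boot" and re.match(r"(?i)shell\s*=", s):
            old = s.split("=", 1)[1].strip()
            newline = line[len(line.rstrip("\r\n")):]
            lines[i] = "shell=" + new_shell + newline
            break
    if old is None:
        raise ValueError("no shell= line in the [boot] section")
    return "".join(lines), old


def plan(system_ini: str, shell: str = "command.com") -> dict:
    """Everything the post asks the user to create, plus the value needed to undo it."""
    new_ini, old_shell = set_shell(system_ini, shell)
    return {
        # fix.bat writes this at boot; the key vanishes when regedit /s merges it.
        "fix_reg": reg_delete_key("HKEY_CLASSES_ROOT\\CLSID\\" + BAD_CLSID),
        # On Windows 9x a leading '*' makes the RunOnce entry run even in Safe Mode.
        "runonce_reg": reg_set_string(RUNONCE_KEY, "*Batch", "C:\\fix.bat"),
        "system_ini": new_ini,
        "old_shell": old_shell,
    }


# Constructed sample system.ini (not from the thread); the commented-out line and
# the second section are there to show that only the live [boot] shell= changes.
SAMPLE_SYSTEM_INI = (
    "[boot]\r\n"
    ";shell=progman.exe\r\n"
    "shell=Explorer.exe\r\n"
    "drivers=mmsystem.dll\r\n"
    "[386Enh]\r\n"
    "device=*vshare\r\n"
)

if __name__ == "__main__":
    p = plan(SAMPLE_SYSTEM_INI)
    print(p["fix_reg"])
    print(p["runonce_reg"])
    print(p["system_ini"])
    print("restore with:", p["old_shell"])
```

The point of keeping old_shell is the step the post does by hand after the reboot: the value put back must be whatever was there (explorer.exe or explorer), not a guess.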