Ping Jan....Newest MVP....ping...

Jeff Conrad

Anyone else is more than welcome to join in, I just had
to inflate Jan's ego just a bit.
:)

Jan,

A co-worker is complaining of sluggish IE response (gee, surprise).
She is running IE 6.0 SP1 (all updates) on Windows NT 4.0 (SP6).

It had been a while since I ran some scans on her machine. I uninstalled
the older Spybot & Ad-Aware and then installed the latest versions.
I updated both and ran full scans. Spybot found quite a few things (I
could list if need be, but probably not needed) and it was able to
clean everything, but two items. More in a minute.

I also then ran Ad-Aware and it just found Tracking Cookies. I
removed them all.

My trouble comes from the two remaining things that Spybot cannot
remove. They are both Gator items. Specifically:

C:\Program Files\Common Files\CMEII
C:\Program Files\Common Files\CMEII\

Spybot said they were being used so it asked if I wanted to perform
a full scan on next startup. Fine, did that, but every time it cannot
remove the entries and repeats the same message (Next startup,...)
I tried this several times with the same result.

I find nothing out of the ordinary under Run in RegEdit. Going to Explorer
and looking for these folders (under her profile) denies me access.

Any ideas what these items are and more importantly, how do I get rid
of them on an NT 4.0 machine since there is no Safe Mode?

Thanks,

Jan Il

Hi Jeff ! :)
to inflate Jan's ego just a bit.
:)
LOL!!

Dang! My first personal PING since the big day, and I missed it!!

Thank you! It appears that PA and another got to you first!

Looks like you're in good hands. I'll keep watch in case I can help out here
somewhere... ;o)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

Jeff Conrad


Hi Jan, your Majesty (head bowed)
LOL!!

Dang! My first personal PING since the big day, and I missed it!!

No problem, always nice you find time for us humble peasants.
Thank you! It appears that PA and another got to you first!

Looks like you're in good hands. I'll keep watch in case I can help out here
somewhere... ;o)

I will have to work on it tomorrow as I have to leave pretty soon.
I will report back with success or failure.
Jan :)
MS MVP - Windows (IE/OE)

Wow, I can smell the fresh paint on that from here!
;-)

Jan Il

Hi Jan, your Majesty (head bowed)

How low? That is important, you know. And, well...you are on your knees,
aren't you? That is 'very' important too.
No problem, always nice you find time for us humble peasants.

Humility is a good virtue. Always glad I can help out there.
I will have to work on it tomorrow as I have to leave pretty soon.
I will report back with success or failure.

Very good. We'll continue this on the morrow. I've three hours on you, so
that should not be a problem.

........... ;o)


Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

Jeff Conrad

Ok, here is an update.
Not much progress I'm afraid.
I very carefully reviewed the information here:

http://www.iamnotageek.com/a/180-p1.php

1. None of the processes mentioned seemed to be running
2. None of the common registry items mentioned were present either
3. I tried to unregister the DLL files mentioned, and failed on
every attempt (even under Administrator profile). Error was
something like Load Library failed. I tried syntax possibilities like this:
regsvr32 -u cmeiiapi.dll
regsvr32 -u c:\program files\common files\cmeii\cmeiiapi.dll
regsvr32 -u "C:\Program Files\Common Files\CMEII\cmeiiapi.dll"
Every attempt on every file listed failed.
4. Even under Administrator profile I cannot open the CMEII
sub folders. It just says Access denied.
5. Nothing really out of the ordinary listed in Add/Remove Programs
except for one thing. The first entry in the list is blank; no text.
Not sure if that is related or not.

Humm...me thinks I smell a rat.

Any ideas?

Jan Il

Hi Jeff :)

Have you done the HiJackThis that I mentioned off-group (for other readers,
Jeff is a personal friend of mine, thus, our banter in the thread here too
<g>). That would be a very good place to start at this point. Did you run
the AdAware and SpyBot programs all from Safe Mode? Often there are some
files when working through windows that will prevent files from being
deleted, thus, you will get an access denied or "file in use" error. Please
be sure to go to the HiJackThis forum and have the log checked. There may be
more to this than what is obvious at this point.

You can also go here and do an online scan, see what it might find:

Trendmicro Housecalls:
http://housecall.antivirus.com/housecall/start_corp.asp

also...here is another source of information and removal you can check out
here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.gator.html

Hope this helps :)

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

Jeff Conrad

Have you done the HiJackThis that I mentioned off-group

I think that will be my next step.
(for other readers, Jeff is a personal friend of mine, thus, our banter in the thread here too
<g>).

"Loyal Subject" more accurately your Majesty.
That would be a very good place to start at this point.
Did you run the AdAware and SpyBot programs all from Safe Mode?
Often there are some files when working through windows that will prevent files from being
deleted, thus, you will get an access denied or "file in use" error.

I would love to do that Jan, and I probably would have been able to take
care of it that way, however, remember I mentioned this was an
NT 4.0 machine. No Safe Mode for NT 4.0 unfortunately.
:-(
Please be sure to go to the HiJackThis forum and have the log checked. There may be
more to this than what is obvious at this point.

You can also go here and do an online scan, see what it might find:

Trendmicro Housecalls:
http://housecall.antivirus.com/housecall/start_corp.asp

She has McAfee on her system. I will update the DAT files and
run a full scan.
also...here is another source of information and removal you can check out
here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.gator.html

Ok, I'll check that out as well.

Thank you kindly Ms. MVP.
;-)

Jan Il

Hi Jeff :)

Comments in line -


I think that will be my next step.

Good...I really think that is best at this point.
"Loyal Subject" more accurately your Majesty.

Lol!! You may rise now.....
I would love to do that Jan, and I probably would have been able to take
care of it that way, however, remember I mentioned this was an
NT 4.0 machine. No Safe Mode for NT 4.0 unfortunately.
:-(
Ah..yes...that's right. That would put the kibosh on that....
She has McAfee on her system. I will update the DAT files and
run a full scan.

'k......we'll go with that for now.
Ok, I'll check that out as well.

Thank you kindly Ms. MVP.
;-)

You are most welcome, kind Sir. ;o))

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.


35 days 2 hrs 9 mins 30 secs!!!!!!!!

Jeff Conrad

Hi Jan,

Time was limited today so I've done all I can at the moment.

Symantec's tool found nothing.

The other one erred out immediately.
"Access violation at address 00492FCB in module 'gatorremover.exe'
Read of address 00000001"

So that one did not work.

More tomorrow....

Jan Il

Hi Jeff...

'k...then do the HiJackThis and let's see what it says is going on.

Jan :)
MS MVP - Windows (IE/OE)
Smiles are meant to be shared,
that's why they're so contagious.

Jeff Conrad

Hi Jan,

Full scan with McAfee using latest DATs revealed nothing.
Created a HiJack log and will be posting to one of the groups
you provided in a little while.

Jan Il

For those who might want to follow this thread at the AumHa forum, here is
the link
http://aumha.net/viewtopic.php?p=76793#76793

Some progress is being made.......however, the Gain/Gator files are still
proving very difficult to remove.

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Jeff Conrad

This particular issue has finally been resolved thanks to some assistance
by Jim and Jan. You can review the entire thread on the link that Jan
previously posted. Here is my last message which detailed the exact
problem. I have copied/pasted it here:
Hi Jim and Jan,

Here is an update on the situation.

Break out the party favors, get on your dance shoes, pop in Kool And The Gang's CD, and crank up
"Celebrate good times, c'mon..." because this problem is OVER!!!!!!!!!!!!!!!
Yeaa-Haa!!!!!

(yes, I need to get out more)

The person up front has not been in this morning so I have had all morning to work on the problem.
Now as you may recall, before we had to cut to commercial, I was able to take Ownership of the CMEII
folder and sub-folders under the Administrator profile. After doing that, I was finally able to at
least open the folders and view the contents. I only had time to run two scans with Spybot (one on
reboot), but neither scan could still remove the folders/files.

The problem can be summed up in one word: Permissions

Here is what I did:
1. Turned on the computer, logged in as Administrator, opened Explorer, navigated to C:\Program
Files\Common Files\, and (for fun) right-clicked on the CMEII main folder and selected "Delete."
Confirming the message, the folder went straight into the Recycle Bin!!

Wait............that was *too* easy!

2. Being the overly-cautious freak that I am (especially with NT) I decided not to clear it out of
the Recycle Bin just yet. I was dreading the possibility of clearing out the Recycle Bin, restarting
the machine, and have it just blow up on me. I REALLY did not want that to happen so I opened Spybot
and ran a full scan again. Spybot said "Congratulations, no threats found." OK, but I'm still not
happy.

3. Restored the folder back out of the Recycle Bin and then re-ran Spybot. It found the folder
again, but could not remove it yet again (even on a reboot scan). Hummm....OK, this is just going to
drive me nuts now!

4. Now I decided to really closely examine the folders and files under CMEII since I had not done
that yet. Below is a list of the file structure.
Under CMEII there were two folders:
--1. GUI folder - Under GUI there was another folder called SVCSAP. These are the contents of SVCSAP:
    applist.htm    2 KB   4/13/01
    applist.xsl    5 KB   4/13/01
    blank.txt      1 KB   11/11/01
--2. Store folder - Under Store there were two folders: Case & SVCSAP. These were their contents:
  Case folder--
    appmgr.cfg     1 KB   12/5/01
    appmgrgui.zip  24 KB  12/5/01
    col            2 KB   12/5/01
    odm.cfg        1 KB   12/5/01
    syscfg         1 KB   12/5/01
  SVCSAP folder--
    svcsap.cfg     1 KB   12/5/01
    svcsupgui.zip  1 KB   3/28/02

I carefully checked each and every file and they were all not set to be "Read Only" under
properties. Also, the Owner of each and every file (and folder/sub folder) was Administrator.
Humm...that looks OK.

5. Here is what was really strange. I tried to open the Blank.txt file since that one would *seem*
to be pretty harmless if I opened it. I immediately got an "Access denied" message!! What?? I'm the
Owner of this file now, what do you mean I cannot open it?!

6. So then I decided to really carefully examine the Permissions. On the folders themselves under
Permissions it said:
"Special Access (All) * (Not Shared)"

??? I've never seen that before. Checking the Permissions area I see that this is an option, but
we've never used that setting here. So then I checked the Permissions of the files themselves. Each
and every one had:
System Full Control

Again, ??? System? We've always used Everyone, or a specific user, but never System before. So I
took a chance and added one more permission to each and every file. I added "Everyone" and gave
them Full Control of the file.

7. I then ran Spybot yet again and it of course found the folder. This time, however, it was FINALLY
able to remove it!!!!!!!!! Yessssss!

8. Now came the part I was dreading: restarting the machine. I hit restart, said a little prayer,
and rubbed the head of my MVP Jan bobble-head doll for good luck. Time seemed to stand still as I
waited in agony for it to come back on........dramatic pause here.........

It came back on with no problems!! Yes!

I logged in as Administrator again and there was no sign of the folder. I ran a full scan with
Spybot and Ad-Aware and everything was clean. I then logged in under the current user's profile and
ran both scans yet again. Clean as a whistle. Whew!!

So I *think* I am OK now.

Thank you so much Jim and Jan for your time, expertise, and patience. I am deeply grateful for the
assistance.

Jeff
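Jeff's diagnosis above (files whose only ACE is System Full Control, so even the new owner is denied until an extra entry is added) can be checked across a whole tree from saved `cacls /T` output rather than file by file in Explorer. The script below is an added example, not code from the thread or from any tool named in it: it parses cacls' listing layout (the layout and the ACL contents in the sample are assumed; only the paths follow Jeff's directory listing), reports every path whose ACL names nobody but SYSTEM, and prints the cacls command that adds an Administrators entry without replacing the existing ACL.

```python
import re

# Principals as cacls prints them; the last alternative covers MACHINE\user.
PRINCIPAL = r"(?:NT AUTHORITY\\[^\s:]+|BUILTIN\\[^\s:]+|Everyone|CREATOR OWNER|[^\s\\:]+\\[^\s:]+)"
# One ACE: principal, optional inheritance flags such as (OI)(CI), then rights
# (letters like F or R, or "(special access:)" followed by lines of right names).
ACE = r"(" + PRINCIPAL + r"):((?:\([A-Z]+\))*)([A-Z]+|\(special access:\))\s*$"
FIRST_LINE = re.compile(r"^([A-Za-z]:\\.*?)\s+" + ACE)  # path followed by first ACE
CONT_LINE = re.compile(r"^\s+" + ACE)                  # further ACEs, indented

# Constructed sample in cacls' layout (assumed, not captured from the machine
# in the thread); paths taken from Jeff's listing, ACL contents assumed.
SAMPLE = r"""
C:\Program Files\Common Files\CMEII NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                   STANDARD_RIGHTS_ALL
C:\Program Files\Common Files\CMEII\GUI\SVCSAP\blank.txt NT AUTHORITY\SYSTEM:F
C:\Program Files\Common Files\CMEII\Store\Case\appmgr.cfg NT AUTHORITY\SYSTEM:F
C:\Program Files\Common Files\Other\settings.ini BUILTIN\Administrators:F
                                                NT AUTHORITY\SYSTEM:F
                                                Everyone:R
"""


def parse_cacls(text):
    """Return {path: [(principal, flags, rights), ...]} from cacls /T output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = FIRST_LINE.match(line)
        if m:
            current = m.group(1)
            acls[current] = [m.group(2, 3, 4)]
            continue
        m = CONT_LINE.match(line)
        if m and current is not None:
            acls[current].append(m.group(1, 2, 3))
        # Right names under "(special access:)" and blank lines are skipped.
    return acls


def system_only(acls):
    """Paths whose ACL grants nobody but SYSTEM: no logged-on account can touch them."""
    return sorted(p for p, aces in acls.items()
                  if {a[0] for a in aces} == {r"NT AUTHORITY\SYSTEM"})


def repair_command(path):
    # /E edits the ACL in place instead of replacing it; Administrators:F is
    # enough to delete the file and narrower than the Everyone:F used above.
    return 'cacls "%s" /E /G Administrators:F' % path


if __name__ == "__main__":
    for p in system_only(parse_cacls(SAMPLE)):
        print(repair_command(p))
```

Ownership still has to be taken first (as Jeff did from the Administrator profile), because cacls cannot edit an ACL the caller has no WRITE_DAC right on; the script only finds the entries and writes the commands.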

Jan Il

Hi Jeff :)
This particular issue has finally been resolved thanks to some assistance
by Jim and Jan. You can review the entire thread on the link that Jan
previously posted. Here is my last message which detailed the exact
problem. I have copied/pasted it here:

Great work......and thanks for posting back. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.