Too persistent program! Cannot uninstall! [Finally Resolved]

[Purifier]

Hello,
I use Windows 98 OS and I got a program I cannot uninstall.
The program always starts itself when the computer is rebooted.
Please help me remove it from being loaded every reboot.

Here are a few details:

A) There is no shortcut for the program in the \Startup dir.

B) There is no reference inside Win.INI file in the "Run=" line.

C) I looked with MSconfig, and saw the program got a reference to be loaded in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so I deleted this reference, but somehow, when I rebooted, the reference was in there again (!?), the program wrote the reference back when the computer was rebooted!

D) I scanned the whole registry for the program's execution line, because I thought maybe it's running from some other key, but nothing was found.

E) I tried to be sophisticated: I tried to just delete the nasty exe, but I couldn't: "File is in use" was the answer.

F) I exited to an MSDOS mode, and deleted it successfully, and thought that maybe I finally got rid of that, but when I ran Windows98 again, the program copied itself again to where I deleted it from, and ran itself again on the reboot.

What am I doing?!?!? Where could the program ran itself from?

Thanks.

[DiGiTaIErRoR]

What's the name of the exe?

[Purifier]

It doesn't matter. The process of removing here is what important. Maybe it's some virus or a backdoor somebody installed on my comp, but I wanna remove it manually, and not with some already made remover. This program really challenged me and made me curious about its stubborn process.

Any Ideas?

[DiGiTaIErRoR]

I would do a web search on the EXE to see what you may be dealing with. That's why I mentioned it.

Your problem is that this process is most likely remaining in memory, so it's just re-writing it's entry when you close the system.

Have you checked the autoexec.bat?

You may also want to install a firewall, incase it is a trojan.

[Purifier]

- Checked the autoexec.bat, it's not there.

By the way, I considered your suggestion that the program remains in the memory and writes itself back right before the computer is shutdown/rebooted. I found this theory to be false, because of an experiment I took:
I removed any reference to the program from any method I know (Registry keys, \Startup dir, Win.INI, Autoexec.bat) and then I suddenly pressed the reset button (thus leaving no chance for the program to write itself as a part of the shutting-down process), and the result was pretty surprising, yes you were guessing right, the program was still there and still loaded upon the startup.
From this experiment I concluded that the program is not rewriting a reference on the shutting-down process, but is writing a reference while the computer is loading.

But where does it write it from? I am yet to discover.

Any Ideas?

[MartinLiss]

Originally posted by Purifier
It doesn't matter. The process of removing here is what important. Maybe it's some virus or a backdoor somebody installed on my comp, but I wanna remove it manually, and not with some already made remover. This program really challenged me and made me curious about its stubborn process.

Any Ideas?

Why not mention the name? Someone might know something about it.

[DiGiTaIErRoR]

There are about 65A0BC00 people on this planet, and most of them do not understand Hex...

You're missing a 1 at the start. It's a dead give away that it's wrong as a four byte quantity cannot exceed 4.3 billion.

Hex or not, base logic still applies.

[Purifier]

All right, though I don't this it's gonna be that helpful.
Anyway, the terrible awful horrible disgusting repulsive dreadful (My english vocabulary is pretty limited, sorry) program is Win32TTR.EXE which is always running from C:\Windows\System.

Well, I strongly suspect this program to be some kind of a virus/worm/backdoor, but searching in the net has made no result.

There must be someone who heard of a different method of loading things on startup... Is it you?

P.S: DigitalError, I guess I'm one of those who doesn't understand Hex too... kidding... Thanks for the correction, I guess the problem is with Windows Calculator, try to convert 6 billion to Hex base with it and see what you get, now try to convert it back to Decimal. Pretty nice ha?

[DiGiTaIErRoR]

Alright.

In your registry you also have services. Did you check them?

They're where the RUN/runonce are. Check both HKCU and HKCM.

[Purifier]

I've scanned the whole registry for any entries including that "C:\windows\system\Win32TTR.exe" line.

None was found. It's probably not calling itself from the registry.

Ahhh, this program is tough... ha?

[MartinLiss]

Try asking your question at AntiOnline.

[DiGiTaIErRoR]

Originally posted by Purifier
I've scanned the whole registry for any entries including that "C:\windows\system\Win32TTR.exe" line.

None was found. It's probably not calling itself from the registry.

Ahhh, this program is tough... ha?

It doesn't need to call it by the directory.

Just Win32TTR.exe

So your scan may be inaccurate.

[DiGiTaIErRoR]

Ah-ha!

I did a search of TTR:

Seems they do DRM....

http://www.ttrtech.com/

Could be it.

[MartinLiss]

Originally posted by DiGiTaIErRoR
Ah-ha!

I did a search of TTR:

Seems they do DRM....

http://www.ttrtech.com/

Could be it.

They have/had a facility in Isreal.
http://www.ttrtech.com/MVSNnegotiations.html

[Purifier]

The regisrty search for the filename with the path was accurate.
You see, when you're using MSconfig, you see the exact line as it is appearing in the registry.
Unfortunately, MSconfig shows the execution line with the path.

Nice try though.
Any other Ideas?

P.S: I don't think TTR Technologies have any connection to this.
That's the first time I even hear this name.

[DiGiTaIErRoR]

Originally posted by Purifier
P.S: DigitalError, I guess I'm one of those who doesn't understand Hex too... kidding... Thanks for the correction, I guess the problem is with Windows Calculator, try to convert 6 billion to Hex base with it and see what you get, now try to convert it back to Decimal. Pretty nice ha?

Must be a Windows 98 problem. In win2k it works fine.

[Purifier]

Here is what Microsoft Support Team answered me, bahh!

"Hello,

Thank you for contacting Microsoft Customer Service.

We appreciate you have taken the time to write us.

With regards to your queries, as a part of Microsoft’s product support lifecycle framework, warranty support for Windows 98 has expired last June 30, 2003. The available support options that you can obtain from Microsoft are Pay-Per-Incident support at the rate of $35 USD, no-charge online support which includes the Knowledge Base, Troubleshooters, Newsgroups, Frequently Asked Questions, and Microsoft Certified Partner Support.

You have an option to try Keen Personal Advisor which you could contact at (800) 311-9556 wherein you can talk to a Support Professional for your issue with only $0.99 per
minute...."

What do you say?

[wrack]

B*** S***

[Purifier]

Please, we're trying to be serious here.

[wrack]

OK if I were you then I would search every nook of registry for that exe and delete it. The go to task manager and find out if anything is there and terminate it.

Then goto Windows\System and find the exe and delete it.

Then Start -> Run -> type msconfig -> Press OK

In the startup section remove any entry related to that exe.

Cheers.

[Purifier]

You didn't read the above messages, did you?

I've already tried all of what you said and even more.

Please read before you reply.

Thanks anyway.

[wrack]

I did read it but all I meant to say was you might have missed something on somewhere...!!! I make mistakes too and miss out small things.

No offence was intended.

[Purifier]

Here is a list I found somewhere, it's a list of many Autostart methods...

I am gonna check for this one by one.

Autostart folder
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }

This Autostart Directory is saved in :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
By setting it to anything other then C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside set directory.


Win.ini
[windows]
load=trojan.exe
run=trojan.exe

System.ini
[boot]
Shell=Explorer.exe trojan.exe

c:\windows\winstart.bat
Normal bat file restarting every time.

Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur

rentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur

rentVersion\RunOnceEx\000x]
"RunMyApp"="||notepad.exe"
The format is: "DllFileName|FunctionName|CommandLineArguements" -or- "||command parameters"

Microsoft Windows 98 Microsoft
Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition

http://support.microsoft.com/suppor...s/Q232/5/09.ASP


[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr

entVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"


c:\windows\wininit.ini
'Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows
Example content of wininit.ini :
[Rename]
NUL=c:\windows\picture.exe

' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totaly stealth.

Autoexec.bat
something like
c:\trojan.exe

Registry Shell open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell

\open\command]
There should be a Key with the Value "%1 %*", if there is some kind of .exe it will be executed each time you execute a binaryfile.
"server.exe %1 %*" would be a restart of a RAT.

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Ap

ps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Ap

ps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

Explorer start-up
Windows 95,98,ME
Explorer.exe ist started through a system.ini entry, the entry itself contains no path information so if c:\explorer.exe exist it will be started instead of c:\$winpath\explorer.exe.
Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.

The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:

Search the current directory.
If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro

l\Session Manager\Environment\Path, in the order in which they are specified.
If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info : http://www.microsoft.com/technet/se...in/fq00-052.asp
Patch : http://www.microsoft.com/technet/su...b.asp?ID=269049
General :
If a trojan installs itself as c:\explorer no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all windows version as of today.


Active-X Component
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
Believe it or not, this does start filename.exe BEFORE the shell and any other Program normaly started over the Run Keys.
Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
"NeverShowExt"=""
The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to show up.

[Purifier]

The crappy program changed my startup folder in the registry, to be some other directory it created somewhere in my HD.
inside that dir, there was a hidden copy of Win32TTR which probably was rewriting the references in the registry.

you see, sometimes \Startup is not really your startup directory.

Case is Successfully Closed!

Thanks for everyone who helped.