Solved

Persistent verclsid.exe

Posted on 2006-07-13
Last Modified: 2010-05-18
Hi Experts

Since I installed the MS security update 908531 (security bulletin MS06-015), back in April, I've this pesky little program "verclsid.exe".

Many times I have deleted it, renamed it, searched whole drive and deleted from prefetch etc.

I have also uninstalled the MS update.

However, it still keeps returning. Am I missing something fundamental here?

And in returning, it consumes just about 100% CPU and thus stalls the system until stopped.

To work around this until I find a complete solution I have scheduled a batch file to delete it every 1 hour. It still slips through the net on occasion (I can shorten the run time to every 5 minutes but there must be an answer somewhere).

Once it has run (and then I stop it), several programs - random programs, could be firefox, powerpoint whatever, - then function in the same way as verclsid did, i.e. consume full CPU and hang the system.

My only answer to date has been to reboot when this happens (very annoying).

Due to the length of time passed a system restore is not an option sadly.

I am looking for complete solutions to this and not just links to "rename it" or "uninstall the patch" as I have found and tried all those myself.

Many thanks for any help to be offered.

Nick
Question by:Nick Denny
10 Comments
 
LVL 14

Expert Comment

by:Geisrud
I haven't read through this completely, but it's an MSKB article about verclsid.exe which was installed with the patches the other day.

http://support.microsoft.com/kb/918165
0
 
LVL 59

Expert Comment

by:LeeTutor
As Geisrud mentions above:  This is due to a problem with a recently installed MS patch:

http://support.microsoft.com/default.aspx?scid=kb;en-us;918165
Problems in Windows Explorer or the Windows shell after you install security update MS06-015

I am not convinced that the proposed MS fix will necessarily correct the problem with the faulty MS patch, for I think it depends upon you using HP products or Sunbelt Kerio Personal Firewall with your computer.  If you don't get the problem corrected with the above, then read this:

http://episteme.arstechnica.com/groupee/forums/a/tpc/f/12009443/m/810008568731/r/758002668731

That patch that came out 4-11 causes problems on some computers. I am sure Microsoft will end up reissuing the patch that does not break some computers.

Here are the symptoms:

Office Products:

When choosing Save As it will lock up. If you look in Task Manager you will see one or possibly 10-20 or more processes of verclsid.exe running. Killing that process will probably allow the office products to work fine in that one instance.

Internet Explorer:

Typing in any address and then hitting enter will launch a process of verclsid.exe and it will not go away. IE will sit there and appear like you have done nothing. Killing all processes of verclsid.exe will let IE work fine.

Fix:

Uninstall KB908531 from any computer that is affected then reboot.



Or, as another temporary workaround until MS comes out with the corrected patch, you can find verclsid.exe in \Windows\System32\ folder and rename it to verclsid.old


Incidentally, I was under the impression that MS has now come out with a correction for the patch.  I'll see if I can find out more...
0
 
LVL 13

Author Comment

by:Nick Denny
Thanks Geisrud  - but I know from whence it came.

Thanks LeeTutor - I have already been through all the MSKB info - nothing really of use in it.

I have no HP products, I already have the reg entries re Nvidia, and also no Kerio software.

It doesn't just happen with Office either - it seems particularly random - and - I don't use MSIE (just Firefox).

It seems to happen more so as I attempt to start programs as opposed to within them.

The really weird thing is how after renaming/deleting and so on - how it manages to come back.

I have done a full search on my hard drive and deleted all instances (also in the prefetch).
0
 
LVL 59

Accepted Solution

by:
LeeTutor earned 500 total points
On April 25th Microsoft issued a revised patch that you should be able to download and hopefully solve your problems.  From this page (in the Frequently Asked Questions about this Security Update section):

http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx

Why did Microsoft reissue this bulletin on April 25, 2006?
Microsoft has completed its initial investigation into issues involving old third party software that customers may have experienced after the installation of this security update.

Microsoft updated this bulletin today to advise customers that revised versions of the security update are available for all products listed in the “Affected Software” section.

Note Customers who have already applied the MS06-015 update who are not experiencing problems as indicated in Microsoft Knowledgebase Article 918165, need take no action.

What changes does the revised security update include?
The revised security update contains no changes to the binaries included in the initial security update. During installation, the revised security update will place the following entries in the allow list as indicated in Microsoft Knowledgebase Article 918165.

HP Share-to-Web

• {A4DF5659-0801-4A60-9607-1C48695EFDA9}
 

NVIDIA Graphics Driver

• {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
 
• {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
 
• {1CDB2949-8F65-4355-8456-263E7C208A5D}
 

How do I deploy this revised update?
For customers who have already applied the update and are experiencing the problem related to the older Hewlett Packard Share-to-Web software, or older NVIDIA drivers prior to or including version 61.94, the revised update will be available through Windows Update and Microsoft Update. The targeted re-release will be automatically delivered to affected computers through Automatic Update if it has been enabled. The re-release will not be distributed to non-affected computers.

Microsoft Baseline Security Analyzer (MBSA) 2.0 will also determine if one of the identified third-party COM controls has been installed and will offer the revised security update.

For Microsoft Baseline Security Analyzer (MBSA) 1.2.1, the detection logic has been updated to offer the revised package only to machines that do not have the initial security update installed. MBSA 1.2.1 cannot be used to determine if the identified third-party COM controls have been installed. For customers using MBSA 1.2.1 that are experiencing these issues, we recommend using Group Policy or scripting to add the above COM controls to the allow list manually as documented in Microsoft Knowledge Base Article 918165.

0
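A read-only check for the situation this answer describes, as an added example that is not part of the thread or of Microsoft's bulletin: it reports whether KB908531 is installed, how many verclsid.exe processes are running, and which of the third-party COM controls listed above are registered. It assumes PowerShell 3.0 or later and the standard COM registration location HKEY_CLASSES_ROOT\CLSID; the function name Get-ComControlStatus is made up for this example.

```powershell
# Added example: read-only triage for the MS06-015 / verclsid.exe symptoms in this thread.
# CLSIDs and product names are copied from the bulletin text quoted above.
$controls = @(
    @{ Clsid = '{A4DF5659-0801-4A60-9607-1C48695EFDA9}'; Product = 'HP Share-to-Web' }
    @{ Clsid = '{1E9B04FB-F9E5-4718-997B-B8DA88302A47}'; Product = 'NVIDIA Graphics Driver' }
    @{ Clsid = '{1E9B04FB-F9E5-4718-997B-B8DA88302A48}'; Product = 'NVIDIA Graphics Driver' }
    @{ Clsid = '{1CDB2949-8F65-4355-8456-263E7C208A5D}'; Product = 'NVIDIA Graphics Driver' }
)

function Get-ComControlStatus {
    param([hashtable]$Control)
    # Assumption: standard COM registration under HKEY_CLASSES_ROOT\CLSID\{guid}.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$($Control.Clsid)"
    $registered = Test-Path -LiteralPath $key
    $server = $null
    if ($registered) {
        $inproc = Get-Item -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $server = $inproc.GetValue('') }   # default value = implementing DLL
    }
    [pscustomobject]@{
        Product    = $Control.Product
        Clsid      = $Control.Clsid
        Registered = $registered
        Server     = $server
    }
}

# 1. Is the update discussed in the thread installed?
$hotfix = Get-HotFix -Id 'KB908531' -ErrorAction SilentlyContinue

# 2. How many verclsid.exe instances are running, and how much CPU time have they used?
$procs = @(Get-Process -Name 'verclsid' -ErrorAction SilentlyContinue)

# 3. Which of the allow-listed third-party controls are present on this machine?
$status = $controls | ForEach-Object { Get-ComControlStatus -Control $_ }

"KB908531 installed : {0}" -f [bool]$hotfix
"verclsid.exe count : {0}" -f $procs.Count
$procs | Select-Object Id, StartTime, CPU | Format-Table -AutoSize
$status | Format-Table -AutoSize
if (-not ($status | Where-Object Registered)) {
    'None of the controls named in the bulletin is registered here, so the revised update''s allow-list entries do not apply to this machine.'
}
```

The script changes nothing; adding a control to the allow list is the manual step that Knowledge Base Article 918165 documents.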
 
LVL 13

Author Comment

by:Nick Denny
Thanks again LeeTutor

I had uninstalled this patch when it became apparent that it was creating an issue.

It was reinstalled through auto-updates on 14th May and therefore should already be the fixed version.

My dilemma appears to be that no matter how much it gets removed it keeps returning to wreak havoc and necessitate a reboot.

I may not have been too clear before so here are the symptoms:

verclsid.exe runs randomly and takes almost 100% CPU causing system to stall
I stop it, delete it (tried renaming too).
I then attempt to run another program and that too consumes nearly 100% CPU each and every time, even when I stop the process and restart.
e.g. this could be firefox, other 3rd party apps and MS office apps.
My only way to date, out of this is to reboot.
I have therefore set a batch file to run every hour that deletes verclsid.exe if it exists.
However, this has not eradicated it.
I have run full spyware/malware and antivirus with Spybot, Ad-Aware, Norton AV2005, AVG free. (AV runs every 24hours anyway).

I am going to uninstall the patch and download the latest and reinstall that.
(Failing that - I suppose it could be time for a Windows reload).

I'll see if that sorts it out.

Thanks again

Nick
0

 
LVL 13

Author Comment

by:Nick Denny
After running a full system search for "verclsid" (inc hidden and system files) and deleting all instances, removing the update and reinstalling, all was well for 48 hours.
However, verclsid.exe once again re-appeared with ever so slight differences.
Firefox (again) was running at 97/98% CPU and never actually started so I manually ended it.
Skype that was already running, then started to use high CPU (90+%) so I stopped that too.
Then verclsid.exe appeared immediately after in the list of processes.
I stopped and deleted it. Still couldn't start firefox and several other programs. Rebooted.
Ran a full system search again...
4 instances found
C:\WINDOWS\system32
C:\WINDOWS\$hf_mig$\KB908531\SP2QFE
C:\WINDOWS\SoftwareDistribution\Download\cb2769f3b1daf367a31ed046299a3790\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\cb2769f3b1daf367a31ed046299a3790\sp2qfe
I have once again!! deleted all these inc folders.
What am I missing here?
Thanks
Nick
0
 
LVL 13

Author Comment

by:Nick Denny
Oh and before deleting, I turned off system restore.
0
 
LVL 59

Expert Comment

by:LeeTutor
Do you have HP Share-to-web or the "older Nvidia drivers" that MS talks about?  If so, try removing the HP Share-to-web software and updating your driver...
0
 
LVL 13

Author Comment

by:Nick Denny
Thanks again LeeTutor
No HP software/hardware, Nvidia card but with latest drivers.
Still a mystery!!
0
 
LVL 13

Author Comment

by:Nick Denny
After uninstallation (again) of the patch and total deletion of all instances of verclsid.exe (and its install directories), the patch reappears on the Windows Updates list.
I have been using manual updates and ticked this to "never ask me again".
Since then, all has been well.
It seems even the "fixed" version was causing me trouble.
Thanks for all efforts.
0
