Latest Microsoft Patch needs Patching
On April 11, 2006, Microsoft released a critical patch, MS06-015 (KB908531), to plug a vulnerability in how COM objects interact with the Windows Explorer Desktop. It was called a Desktop drag and drop vulnerability. Fine, it was exploitable and was patched. Well, not so fast!
I am the moderator of a computers forum and a lot of members who applied that patch as part of the April 11 Windows Updates are reporting all kinds of system instability and freeze-ups. It turns out that they aren't the only ones having trouble because of the COM patch. Forums all over the World are talking about problems people are experiencing after applying this patch, and various solutions have been put forth by individuals and by Microsoft.
Many people first became aware of the effects of the patch when their desktop applications began hanging, and when they used Task Manager to see what processes were running they all found a file named VERCLSID.EXE was running as a process, not an application. Terminating that process restores normal Windows Desktop operation. Verclsid.exe is part of the MS06-015 patch.
You can read about just some of the applications that are having problems because of this patch in Microsoft Knowledge Base Article 918165. The list of affected products is growing all the time.
Some people have decided to rename or delete the file that is causing the problems - verclsid.exe, which is located in your %Windir%\System32 directory. Others have uninstalled the Update via Control Panel > Add/Remove Programs. The Microsoft article linked to above even suggests some solutions for certain third-party products.
If your computer is now suffering unexplainable hangs they might be due to bad interactions with this patch. You can rename the verclsid.exe file, uninstall the patch, or look for spyware on your computer. Why did I say that, you ask? Read my extended comments to find out what I learned last weekend...
Last Friday, April 14, I took in a computer for troubleshooting. It wouldn't enter the Desktop at all, from the Welcome screen. Hmmm.
After a bit of trial and error I decided to hit Ctrl+Alt+Del to bring up the Task Manager, from the blue Welcome Screen. When the TM opened, there near the top was a process named verclsid.exe, using most of the CPU cycles. I terminated the process and voila, Windows Desktop appeared! However, a very short time later I found that almost every window or properties sheet I opened was hanging and becoming unresponsive, and unclosable. Even the Start Menu would not close after I opened it. When I looked at the running processes again, in TM, I found that verclsid had re-appeared. I decided it was time to boot into Safe Mode and create a new Administrator level account.
When I created the new Admin level account and booted into it everything appeared to be functioning fairly normally. I was able to install, update and run anti virus and anti spyware scans and removed a lot of crap from the computer. When I was done I opened Task Manager and there was no verclsid showing in it. After defragging I decided it was time to log onto the customer's account and continue the spyware fight from there.
My troubles reappeared instantly upon entering the client's desktop. Windows were hanging, the mouse was slow, and verclsid was running in TM. There was also an unexplainable Notepad file open with no contents, titled "Desktop." I terminated verclsid but it re-appeared in a few seconds. I tried to close the empty Notepad file but it was hung up. I terminated it using TM. I was curious about why Notepad was launching and why its title was Desktop. I had to set the Folder View options to display known extensions and display hidden files before I discovered a hidden executable in the customer's account Startup Directory (All Programs > Startup), named Desktop.exe. Note that when hidden files are made visible there was also a file there named desktop.ini, which is a Windows System file.
I deleted Desktop.exe from the computer's startup folder, logged off, then back on. Notepad did not re-appear, and neither did verclsid.exe! None of the spyware tools detected that file in the startup folder, nor did AVG flag it as a virus. Nonetheless it is some form of Desktop infector, possibly associated with Nail.exe, which was also found on and removed from that computer, along with its watcher, svcproc.exe. All applications continued to function normally, and verclsid never showed up again.
This showed me that verclsid was doing its job and was fighting off a file that was embedding itself into Windows Explorer during Winlogon. The instability of the desktop and windows was the symptom; otherwise it would have gone unnoticed while the Desktop.exe file did whatever dirty work it was programmed to do.
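The checks from this story can be scripted. The PowerShell below is an added triage example, not part of Wiz's post or of Microsoft's patch: it reports whether KB908531 is installed, whether verclsid.exe is currently running, and whether any hidden executable sits in the current user's or the all-users Startup folder, where Desktop.exe was found. The list of runnable extensions is my own assumption, and desktop.ini is skipped because it is hidden but not executable.

```powershell
# Added triage script (not from the original post). Run in an administrator session.

function Test-Ms06015Installed {
    # Get-HotFix reads the installed-updates list; $true if KB908531 (MS06-015) is present
    $fix = Get-HotFix -Id 'KB908531' -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-VerclsidProcess {
    # verclsid.exe is the shell-extension verifier that shipped with MS06-015
    Get-Process -Name 'verclsid' -ErrorAction SilentlyContinue |
        Select-Object Id, CPU, StartTime
}

function Get-HiddenStartupExecutables {
    # Per-user and all-users Startup folders for the session running the script
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    # Extensions Windows will launch from a Startup folder (assumed list, not exhaustive)
    $runnable = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js'
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        # -Force lists hidden and system files; desktop.ini is hidden but filtered out by extension
        Get-ChildItem -Path $folder -Force -File |
            Where-Object {
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                ($runnable -contains $_.Extension.ToLower())
            } |
            Select-Object FullName, Attributes, Length, LastWriteTime
    }
}

if (Test-Ms06015Installed) { 'KB908531 (MS06-015) is installed' } else { 'KB908531 not found' }
$v = Get-VerclsidProcess
if ($v) { 'verclsid.exe is running:'; $v | Format-Table -AutoSize }
$hidden = @(Get-HiddenStartupExecutables)
if ($hidden.Count -gt 0) {
    'Hidden executables in Startup folders (investigate before removing):'
    $hidden | Format-Table -AutoSize
} else {
    'No hidden executables in Startup folders'
}
```

A hidden executable in a Startup folder is worth examining before deletion, since the post notes that neither the spyware tools nor AVG flagged Desktop.exe.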
I hope this helps somebody else.
Wiz
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.