OpsanBlog

Michael Coates - Microsoft Pragmatic Evangelist

    CmdLineExt02.dll: Identifying, Explaining, Removing

    I've observed this file installing in the user's temp directory (typically c:\documents and settings\username\temp) when Unreal Tournament is played.  I found some (unverified) references on the web regarding files of this type impacting CD operations.  If you try to delete the file (even when Unreal isn't running), the system complains of it being in use.

    This file gets created after reboots because of four references in the registry:

    [HKEY_CLASSES_ROOT\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32]
    (file path)
    [HKEY_CLASSES_ROOT\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32]
    (file path)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32]
    (file path)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32]
    (file path)

    I created a .reg file to get rid of it (you can cut and paste, saving as a .reg file):

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32]
    [-HKEY_CLASSES_ROOT\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32]
    (the '-' sign inside the bracket removes the designated key).

    To remove CmdLineExt02.DLL:

    1. remove the registry keys (either manually, or by creating a .reg file).
    2. reboot the system.
    3. navigate to the user's temp directory and delete CmdLineExt02.dll.

    One way to keep it removed:

    1. after the steps above, create a new text file named CmdLineExt02.dll (this file will be zero length).
    2. set permissions on the new file to the administrator login only (this will prevent the file from being recreated).

    Now, there's no guarantee that the folks who place this file on your system won't sort out a way to change the name to something other than that which we recognize, but if you do have issues with this version, this technique will resolve them.  Further, you can use this technique to thwart other similar intrusions.

    posted on Wednesday, January 05, 2005 8:49 PM
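
The removal and keep-removed steps above can be checked and finished from a PowerShell prompt. This script is an added example, not part of the original post: the `-PlantPlaceholder` switch name is hypothetical, and it assumes the built-in local account is still named Administrator.

```powershell
# Added example: audit the four keys from the post, then optionally create
# the locked zero-length placeholder. Without the switch it only reads.
param([switch]$PlantPlaceholder)   # hypothetical switch name

$dllName = 'CmdLineExt02.dll'
$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32',
    'HKEY_CLASSES_ROOT\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}\InprocServer32',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9869EFA6-18E9-11D3-A837-00104B9E30B5}\1.0\0\win32'
)

# 1. Report which keys still exist and the file path each one registers.
#    -LiteralPath is required because the GUID braces are wildcard characters.
$remaining = foreach ($k in $keys) {
    $path = "Registry::$k"
    if (Test-Path -LiteralPath $path) {
        $target = (Get-Item -LiteralPath $path).GetValue('')   # (Default) value
        [pscustomobject]@{ Key = $k; Target = $target }
    }
}
$remaining | Format-List

# 2. Check the current user's temp directory for the DLL itself.
$file = Join-Path $env:TEMP $dllName
$item = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue
if ($item) { '{0}: {1} bytes' -f $item.FullName, $item.Length }

# 3. Create the placeholder only once the keys are gone and the DLL is deleted.
if ($PlantPlaceholder) {
    if ($remaining -or $item) {
        throw 'Remove the keys, reboot and delete the DLL first.'
    }
    New-Item -ItemType File -Path $file | Out-Null   # zero-length file
    # Drop inherited permissions, then grant full control to the local
    # Administrator account only (assumes the account has not been renamed).
    icacls $file /inheritance:r /grant:r "${env:COMPUTERNAME}\Administrator:F"
}
```

Run it again after the reboot to confirm that no keys are reported before using `-PlantPlaceholder`.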

    Feedback

    # re: CmdLineExt02.dll 9/16/2005 10:12 AM robert

    I find files in the system 32 folder called cmd32, cmd32.dll and cmd. Are these related to CmdLineExt02.dll?

    # re: CmdLineExt02.dll 9/16/2005 2:24 PM Michael Coates

    More than likely, no. First, make sure you can see file extensions in Windows Explorer ('cmd32' should have an extension). You can also right-click and select properties to determine the source of the file.

    Isolate any suspect files and do a virus / spyware scan on them just to be safe.

    The CmdLineExt02.dll file typically appears in the directories specified by the TEMP environment variable.

    HTH

    # re: CmdLineExt02.dll 9/17/2005 6:36 PM D00d

    It is scaring the shit outta me!

    # re: CmdLineExt02.dll 9/17/2005 7:24 PM Dbob

    I think it worked. I did all the steps, but for the last 2, those files were already gone. I hope this keeps this file out, because it was really starting to freak me out.

    # re: CmdLineExt02.dll 10/2/2005 12:14 PM robert

    How do you set the permissions on the new file to the administrator login only?

    # re: CmdLineExt02.dll 10/2/2005 5:18 PM Michael Coates

    Right-click on the file and click the 'security' tab. Click 'advanced', de-selecting 'inherit permissions'. Remove all groups (you'll likely see one called 'everyone') and add back the local administrator (not the administrators group), granting the local admin full rights. Ensure you don't log on to the system as the local administrator account to do work online (you should use an account other than 'administrator' when working on the system).

    # re: CmdLineExt02.dll 10/22/2005 12:37 AM easy way to get rid of it

    tasklist /M cmd* and i found that explorer.exe is using this file. then make a bat file to do:

    taskkill /IM explorer.exe /F
    del "%TEMP%\CmdLineExt02.dll"
    explorer
    exit

    taskkill will end the processes which are that file (in our case explorer) delete u know what will do and explorer will restart the explorer task

    # re: CmdLineExt02.dll 10/22/2005 3:58 PM opsan

    Hey, thanks for adding that comment. You'll still need to do the reg removal and potentially the empty file creation to ensure it doesn't show up again.

    # re: CmdLineExt02.dll 7/27/2007 11:05 AM Narachi

    It doesn't work on my PC. Every time I want to start WC 3, antivir says that there's a virus in C:/Documents/.../temp/DmdLineExt02.dll, a trojan horse called TR/Agent.BYZ . I removed the registry files and the cmd file, but it doesn't go away, every time I delete it and reboot or want to start a game, it's there again.

    Can any1 help me?

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 7/27/2007 11:07 AM Narachi

    hmm I meant CmdLineExt02.dll of course, not dmd and so on

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 7/27/2007 8:39 PM per4mer

    Hey Narachi, I'm having the same problem. Every time I start my WC3 my anti-virus keeps detecting the exact same thing... I tried the above method but I'm not too sure where I stick the newly created CmdLineExt02.dll file. Can anyone help us please?

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 7/27/2007 11:57 PM problemer

    I'm in the same position...
    That problem started a few days ago and it's annoying me...
    But I maybe fixed it:
    The next time you start Wc3 and the .dll appears you shouldn't erase it.
    Get "Security Task Manager" this program detects .dll's.
    Start it, search for the CmdLineExt02.dll and put it into quarantine.
    When you put it into quarantine the program erases every autostart entry, which makes this .dll.

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 7/28/2007 1:21 AM problemer

    ok, I tried it but st manager didn't find the dll...
    fuck...

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 7/31/2007 12:29 PM problemer

    Solution:
    create a file with the name of the trojan and make it undeletable...
    finished^^

    # re: CmdLineExt02.dll: Identifying, Explaining, Removing 12/30/2007 9:46 AM CmdLineExt_killa

    Easy remove from registry:

    Search registry for "11D3-A837-00104B9E30B5" in all fields, but not for exact string. Delete all items that pop up. If the parent to found key looks suspicious, whack it as well, using good judgement.

    The opinions expressed herein are my own and are not intended to represent those of my employer.