cnml.exe

Guest

Archived from groups: microsoft.public.windowsxp.security_admin

I have found this bit of $&*! on my computer. It seems to be a bit of
malware that refuses to be defeated. It generates 3 other files, 2 exe and a
dll. The dll name matches one of the exe. They are all random letters, one
being the reverse of the other, and the folder is random as well. In my case
it is

C:\Program Files\wprtstxx

RMwDGoBL.dll
RMwDGoBL.exe
LBoGDwMR.exe
cnml.exe

I have done some googling of this cnml.exe and have come across some VERY
involved and VERY technical babble that I can't decode, half-page-long log
files being posted to forums, then tons of registry key changes and then more
logs and so on and so forth. I believe this file(s) may be causing the
problems I reported in another post about slow booting. (This malware seems
to connect to the net and slows everything down when it does so.) I can't
delete the files or force close them in Task Manager (they keep respawning). I
even tried going into Safe Mode under Admin and tried to delete the folder,
but received an access denied. Can anyone here save me from throwing my HD out
the 2nd story window?
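
The naming pattern described in the post above (an .exe and a .dll sharing one name, plus a second .exe whose name is the first one reversed) can be checked for mechanically. The Python sketch below is an added example, not part of the original thread; the function names and the sample folder tree it builds (empty files named as in the post, plus a hypothetical benign folder) are constructed for illustration.

```python
import os
import tempfile

def find_reversed_name_drops(root):
    """Find folders holding NAME.exe, NAME.dll and reversed(NAME).exe."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        exes, dlls = {}, {}
        for name in files:
            stem, ext = os.path.splitext(name)
            # Windows file names are case-insensitive, so compare lowercased.
            if ext.lower() == ".exe":
                exes[stem.lower()] = name
            elif ext.lower() == ".dll":
                dlls[stem.lower()] = name
        for stem in sorted(exes):
            rev = stem[::-1]
            # Skip palindromes: a name that reverses to itself proves nothing.
            if stem in dlls and rev != stem and rev in exes:
                trio = {exes[stem], dlls[stem], exes[rev]}
                hits.append({
                    "folder": folder,
                    "paired_exe": exes[stem],
                    "dll": dlls[stem],
                    "reversed_exe": exes[rev],
                    "other_files": sorted(f for f in files if f not in trio),
                })
    return hits

def build_sample_tree(base):
    """Constructed sample: empty files named as in the post, plus a benign folder."""
    layout = {
        "wprtstxx": ["RMwDGoBL.dll", "RMwDGoBL.exe", "LBoGDwMR.exe", "cnml.exe"],
        "SomeApp": ["setup.exe", "setup.dll", "readme.txt"],  # hypothetical benign app
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for hit in find_reversed_name_drops(base):
            print(hit)
```

A hit is only a lead for further scanning, since unrelated software could match the pattern by coincidence; the `other_files` field lists whatever else sits beside the matched trio.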
 

Malke


Bobby W. wrote:

> I have found this bit of $&*! on my computer. It seems to be a bit of
> malware that refuses to be defeated. It generates 3 other files, 2 exe
> and a dll. The dll name matches one of the exe. They are all random
> letters, one being the reverse of the other, and the folder is random
> as well. In my case it is
>
> C:\Program Files\wprtstxx
>
> RMwDGoBL.dll
> RMwDGoBL.exe
> LBoGDwMR.exe
> cnml.exe
>
> I have done some googling of this cnml.exe and have come across some
> VERY involved and VERY technical babble that I can't decode, half-page-long
> log files being posted to forums, then tons of registry key
> changes and then more logs and so on and so forth. I believe this
> file(s) may be causing the problems I reported in another post about
> slow booting. (This malware seems to connect to the net and slows
> everything down when it does so.) I can't delete the files or force
> close them in Task Manager (they keep respawning). I even tried going
> into Safe Mode under Admin and tried to delete the folder, but received
> an access denied. Can anyone here save me from throwing my HD out the
> 2nd story window?

If you can't follow the technical directions - and yes, removing malware
can require a lot of skill and patience - then take your computer to a
good local professional (not a BestBuy or CompUSA type of store). I'll
give you my usual malware removal steps, but some malware requires
more. There is no getting around it. There is also no shame in taking
your machine to a shop for fixing; I don't hesitate to take my car to
the mechanic.

First delete all Temporary and Temporary Internet Files. Then:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
 

arnie


I have been having the same problem. There is also another file....

profile.dat

I have tried norton antivirus 5.0, ad-aware, spybot (which runs extra
slow) and the new beta version of microsoft antispy.

Ad-aware and antispy always find problems which I fix but these files
never seem to go. When I boot my system it takes a while to boot up
and my CPU usage is at 100%. After a while it corrects itself and all
my drivers finally load up dropping the CPU usage to a normal single
digit level. I also cannot get rid of these in my task manager. I
have tried multiple ways to enter safe mode but nothing helps. I too
would appreciate any help.

Thanks.
 

Malke


Arnie wrote:

> I have been having the same problem. There is also another file....
>
> profile.dat
>
> I have tried norton antivirus 5.0, ad-aware, spybot (which runs extra
> slow) and the new beta version of microsoft antispy.
>
> Ad-aware and antispy always find problems which I fix but these files
> never seem to go. When I boot my system it takes a while to boot up
> and my CPU usage is at 100%. After a while it corrects itself and all
> my drivers finally load up dropping the CPU usage to a normal single
> digit level. I also cannot get rid of these in my task manager. I
> have tried multiple ways to enter safe mode but nothing helps. I too
> would appreciate any help.
>
> Thanks.

Follow the instructions given in my previous post.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
 
Guest

Don't go to any complicated solutions.

For the record, I got the same problem, and the resolution, without
having to reboot stuff or safe mode or whatever,

- First, use a tool from sysinternals.com called Process Explorer. With
this tool, kill the process tree (not just one process) to get rid of
the running executables.
- Second, notice that even so, the files are not deletable. No
problem.
- Just go to the directory with the mangled name and rename the
directory. That's it :). After renaming, delete all the files inside
the directory and then the directory.

That's all.

Maybe you want to use HijackThis to clean up the startup command, but
since the exe's are gone, all is well.

Hope it helps.



--
deuxexbox
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1518136.html
 
Guest

deuxexbox wrote:
> *Don't go to any complicated solutions.
>
> For the record, I got the same problem, and the resolution, without
> having to reboot stuff or safe mode or whatever,
>
> - First, use a tool from sysinternals.com called Process Explorer.
> With this tool, kill the process tree (not just one process) to get
> rid of the running executables.
> - Second, notice that even so, the files are not deletable. No
> problem.
> - Just go to the directory with the mangled name and rename the
> directory. That's it :). After renaming, delete all the files inside
> the directory and then the directory.
>
> That's all.
>
> Maybe you want to use HijackThis to clean up the startup command, but
> since the exe's are gone, all is well.
>
> Hope it helps. *


Thanks! Just did this and worked for me. You just got to love the
sysinternals stuff don't you?



--
timmarz
 
Guest

The Netherlands here!

I have had the same problem deleting cnml.exe but I did it!

Follow the next steps:

1) Start up in Safe Mode without having access to the internet

2) Find folder: tsvxxxts (with search)

3) Rename the folder to: kustsvxxxts

4) Delete this folder to wastecan

5) Empty wastecan

6) Reboot your computer and run Ad-aware or Hitman Pro and keep on
repeating until there are no alerts (3 times at the most was it for
me)

7) Reboot your comp again and it's gone with the wind

Tip: download hitmanpro at 'www.hitmanpro.nl'
(http://www.hitmanpro.nl/) this program combines all the spy and adware
machines in one!


--
dennisteet
------------------------------------------------------------------------
dennisteet's Profile: http://www.iamnotageek.com/member.php?userid=13341
View this thread: http://www.iamnotageek.com/showthread.php?t=1819054713