cnml.exe

Archived from groups: microsoft.public.windowsxp.security_admin

I have found this bit of $&*! on my computer. It seems to be a bit of
malware that refuses to be defeated. It generates 3 other files, 2 exe and a
dll. The dll name matches one of the exe. They are all random letters, one
being the reverse of the other, and the folder is random as well. In my case
it is

C:\Program Files\wprtstxx

RMwDGoBL.dll
RMwDGoBL.exe
LBoGDwMR.exe
cnml.exe

I have done some googling of this cnml.exe and have come across some VERY
involved and VERY technical babble that I can't decode, half page long log
files being posted to forums, then tons of registry key changes and then more
logs and so on and so forth. I believe this file(s) may be causing the
problems I reported in another post about slow booting. (This malware seems
to connect to the net and slows everything down when it does so.) I can't
delete the files or force close them in task manager (they keep respawning). I
even tried going into Safe Mode under Admin and tried to delete the folder,
but received an access denied. Can anyone here save me from throwing my HD out
the 2nd story window?
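
The file layout described in the post above (an exe and dll sharing one random name, plus a second exe whose name is the first one reversed) can be checked for mechanically. This is an added example, not part of the original thread; the function names and the `ExampleApp` directory are constructed for illustration, and only the `wprtstxx` listing comes from the post.

```python
import os
from collections import defaultdict

def match_dropper_layout(filenames):
    """Return (stem, reversed_stem) if the set holds X.exe, X.dll and reverse(X).exe."""
    stems = defaultdict(dict)  # extension -> {casefolded stem: original stem}
    for name in filenames:
        stem, ext = os.path.splitext(name)
        stems[ext.lower()][stem.casefold()] = stem
    exes, dlls = stems[".exe"], stems[".dll"]
    for key in sorted(exes.keys() & dlls.keys()):
        mirror = key[::-1]
        # A palindromic name would match itself; require a distinct second exe.
        if mirror != key and mirror in exes:
            return exes[key], exes[mirror]
    return None

def scan_listing(listing):
    """listing maps directory -> file names; returns one finding per matching directory."""
    findings = []
    for directory, files in sorted(listing.items()):
        hit = match_dropper_layout(files)
        if hit:
            # Files outside the mirrored pair (cnml.exe in the post) are reported too.
            others = sorted(f for f in files if os.path.splitext(f)[0] not in hit)
            findings.append({"dir": directory, "pair": hit, "other_files": others})
    return findings

def listing_from_disk(root):
    """Build the same mapping from a real directory tree, e.g. C:\\Program Files."""
    return {d: files for d, _subdirs, files in os.walk(root)}

# First entry is the listing quoted in the post; the second is a constructed benign folder.
SAMPLE_LISTING = {
    r"C:\Program Files\wprtstxx": ["RMwDGoBL.dll", "RMwDGoBL.exe",
                                   "LBoGDwMR.exe", "cnml.exe"],
    r"C:\Program Files\ExampleApp": ["app.exe", "app.dll", "readme.txt"],
}

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print(finding["dir"], finding["pair"], finding["other_files"])
```
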
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Bobby W. wrote:

    > I have found this bit of $&*! on my computer. It seems to be a bit of
    > malware that refuses to be defeated. It generates 3 other files, 2 exe
    > and a dll. The dll name matches one of the exe. They are all random
    > letters, one being the reverse of the other, and the folder is random
    > as well. In my case it is
    >
    > C:\Program Files\wprtstxx
    >
    > RMwDGoBL.dll
    > RMwDGoBL.exe
    > LBoGDwMR.exe
    > cnml.exe
    >
    > I have done some googling of this cnml.exe and have come across some
    > VERY involved and VERY technical babble that I can't decode, half page
    > long log files being posted to forums, then tons of registry key
    > changes and then more logs and so on and so forth. I believe this
    > file(s) may be causing the problems I reported in another post about
    > slow booting. (This malware seems to connect to the net and slows
    > everything down when it does so.) I can't delete the files or force
    > close them in task manager (they keep respawning). I even tried going
    > into Safe Mode under Admin and tried to delete the folder, but received
    > an access denied. Can anyone here save me from throwing my HD out the
    > 2nd story window?

    If you can't follow the technical directions - and yes, removing malware
    can require a lot of skill and patience - then take your computer to a
    good local professional (not a BestBuy or CompUSA type of store). I'll
    give you my usual malware removal steps, but some malware requires
    more. There is no getting around it. There is also no shame in taking
    your machine to a shop for fixing; I don't hesitate to take my car to
    the mechanic.

    First delete all Temporary and Temporary Internet Files. Then:

    1) Scan in Safe Mode with current version (not earlier than 2004)
    antivirus using updated definitions.

    Before you remove malware, get LSPFix or WinSockFix for XP - see links
    below.

    2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
    programs are free, so use them both since they complement each other.
    There is a new version of CWShredder from Intermute. I would not
    install the other Intermute programs, however. Alternately, there are
    CoolWebSearch malware removal steps at SilentRunners.

    Be sure to update these programs before running, and it is a good idea
    to do virus/spyware scans in Safe Mode. Make sure you are able to see
    all hidden files and extensions (View tab in Folder Options).

    If the malware remains even after you used Ad-aware and Spybot, you can
    scan with HijackThis. HijackThis is an excellent tool to discover and
    disable hijackers, but it requires expert skill. See below for
    HijackThis links, including sites where you can post your HJT logs. A
    combination of HijackThis and About:Buster works well in removing the
    About:Blank homepage hijacker. Again, this is an expert tool and
    novices should get help with it.

    3) If you are running Windows ME or XP, you should disable/enable System
    Restore after the system is clean because malware will be in the
    Restore Points. With ME, you must disable System Restore completely.
    With XP, you can delete all but the most recent (presumably clean)
    System Restore point from the More Options section of Disk Cleanup
    (Run>cleanmgr).

    4) Make sure you've visited Windows Update and applied all security
    patches. Do not install driver updates from Windows Update.

    5) Run a firewall.

    Links to help with malware:

    Software/Methods:
    http://www.safer-networking.org - Spybot Search & Destroy
    http://www.lavasoftusa.com - Ad-aware
    http://www.tomcoyote.com/hjt/ - HijackThis
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
    http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
    removing spyware
    http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

    HijackThis:
    http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
    Eshelman
    http://aumha.net - forums
    http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
    forum
    http://www.wilderssecurity.com/
    http://forums.tomcoyote.org/

    General:
    http://aumha.net - look under "Security" for various forums
    http://rgharper.mvps.org/cleanit.htm
    http://mvps.org/winhelp2002/unwanted.htm
    http://www.aumha.org/a/parasite.htm - The Parasite Fight
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    I have been having the same problem. There is also another file....

    profile.dat

    I have tried norton antivirus 5.0, ad-aware, spybot (which runs extra
    slow) and the new beta version of microsoft antispy.

    Ad-aware and antispy always find problems which I fix but these files
    never seem to go. When I boot my system it takes a while to boot up
    and my CPU usage is at 100%. After a while it corrects itself and all
    my drivers finally load up dropping the CPU usage to a normal single
    digit level. I also cannot get rid of these in my task manager. I
    have tried multiple ways to enter safe mode but nothing helps. I too
    would appreciate any help.

    Thanks.
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    Arnie wrote:

    > I have been having the same problem. There is also another file....
    >
    > profile.dat
    >
    > I have tried norton antivirus 5.0, ad-aware, spybot (which runs extra
    > slow) and the new beta version of microsoft antispy.
    >
    > Ad-aware and antispy always find problems which I fix but these files
    > never seem to go. When I boot my system it takes a while to boot up
    > and my CPU usage is at 100%. After a while it corrects itself and all
    > my drivers finally load up dropping the CPU usage to a normal single
    > digit level. I also cannot get rid of these in my task manager. I
    > have tried multiple ways to enter safe mode but nothing helps. I too
    > would appreciate any help.
    >
    > Thanks.

    Follow the instructions given in my previous post.

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    Don't go to any complicated solutions.

    For the record, I got the same problem, and the resolution, without
    having to reboot stuff or safe mode or whatever,

    - first, use a tool from sysinternals.com called Process Explorer. With
    this tool, kill the process tree (not just one process) to get rid of
    the running executables.
    - second, notice that even so, the files are not deletable. No
    problem.
    - just go to the directory with the mangled name and rename the
    directory. That's it :-). After renaming, delete all the files inside
    the directory and then the directory.

    That's all.

    Maybe you want to use HijackThis to clean up the startup command, but
    since the exes are gone, all is well.

    Hope it helps.


    --
    deuxexbox
    ------------------------------------------------------------------------
    Posted via http://www.mcse.ms
    ------------------------------------------------------------------------
    View this thread: http://www.mcse.ms/message1518136.html
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    deuxexbox wrote:
    > *Don't go to any complicated solutions.
    >
    > For the record, I got the same problem, and the resolution, without
    > having to reboot stuff or safe mode or whatever,
    >
    > - first, use a tool from sysinternals.com called Process Explorer.
    > With this tool, kill the process tree (not just one process) to get
    > rid of the running executables.
    > - second, notice that even so, the files are not deletable. No
    > problem.
    > - just go to the directory with the mangled name and rename the
    > directory. That's it :-). After renaming, delete all the files inside
    > the directory and then the directory.
    >
    > That's all.
    >
    > Maybe you want to use HijackThis to clean up the startup command, but
    > since the exes are gone, all is well.
    >
    > Hope it helps. *


    Thanks! Just did this and worked for me. You just got to love the
    sysinternals stuff don't you?


    --
    timmarz
    ------------------------------------------------------------------------
    Posted via http://www.mcse.ms
    ------------------------------------------------------------------------
    View this thread: http://www.mcse.ms/message1518136.html
  6. Archived from groups: microsoft.public.windowsxp.security_admin

    The Netherlands here!

    I have had the same problem deleting cnml.exe but I did it!

    Follow the next steps:

    1) Start up in safe mode without having access to the internet

    2) Find folder: tsvxxxts (with search)

    3) Rename the folder to: kustsvxxxts

    4) Delete this folder to the wastecan

    5) Empty the wastecan

    6) Reboot your computer and run ad-aware or hitman pro and keep on
    repeating until there are no alerts (3 times at the most was it for
    me)

    7) Reboot your comp again and it's gone with the wind

    Tip: download hitmanpro at 'www.hitmanpro.nl'
    (http://www.hitmanpro.nl/). This program combines all the spy and adware
    machines in one!


    --
    dennisteet
    ------------------------------------------------------------------------
    dennisteet's Profile: http://www.iamnotageek.com/member.php?userid=13341
    View this thread: http://www.iamnotageek.com/showthread.php?t=1819054713