S&D cannot be deleted. S&D and IE exe cannot be launched

Status
Not open for further replies.
Well the file associated with this is randomly named so what you disabled is fine.

  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    Go to Start -> Run -> copy/paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
 
Same problem. Small Combofix window just goes away. Tried in normal mode with my regular logon and in safe mode with the admin logon.
 
Run these programs in order please.

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

  • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

    Run rkill repeatedly until it's able to do its job. This may take a few tries.

    You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Then try Combofix again
 
Hi,

Sometimes you have me run stuff in safe mode and other times in the normal log on. You did not say which to try these under. I tried them under the normal logon.

I ran exe helper. Did not need to run twice since I did not get the message you said I might get.

Here is the Exehelper log

exeHelper by Raktor
Build 20100414
Run at 21:01:56 on 01/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I ran rkill (the first one) and Explorer cycled.

Here is the Rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/09/2011 at 21:04:15.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe


Rkill completed on 01/09/2011 at 21:04:30.

I see RCADetective. While I cannot remember what that is exactly, I have had it quite some time. It is part of something I installed and it has not been giving me trouble. I think it came with the software that I use to transfer my digital voice recorder files over to a CD. So, while I guess that a virus could potentially find the file and embed itself there, the file itself is not the virus because I had it long before the virus.

You did not say which way to run Combofix. I ran the version from the Start -> Run -> "%userprofile%\desktop\combofix.exe" /killall

I got the same results. That is, the tiny window, then it closed without finishing.
 
Good Morning,

You should run all the programs from your usual account, not administrator, and try to run them first in normal Windows, then safe mode.

Bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running ... kill the process on each one, one at a time, until CF runs

findstr
sed
grep
nircmd.exe
nircmd.cfexe
swsc.cfexe
* .. or any other process that has the .cfexe extension except for CFxxx.cfexe

If ComboFix is still 'hung', then kill process on CFxxx.cfexe
 
Good morning,

None of the processes you mentioned are running. I tried everything again in normal mode, same results, Combofix does not run. I tried everything again in safe mode, normal logon ID. Same results. I am attaching a pic of my task manager in a zipped file. I am inserting the exehelper and rkill logs.


exeHelper by Raktor
Build 20100414
Run at 06:26:55 on 01/10/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/10/2011 at 6:28:13.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe


Rkill completed on 01/10/2011 at 6:28:18.
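As an added example (not part of this thread, and not code from Rkill or any other tool named here), the following Python script reads an Rkill log in the format posted above and flags the process paths a helper would want to look at first: an image launched from a `\\.\globalroot\Device\...` path, or a core Windows binary name such as svchost.exe running from anywhere other than the Windows directories. The sample log is constructed to resemble the two above, and the script assumes, as is the case on Windows XP, that the genuine svchost.exe lives under C:\WINDOWS\system32.

```python
import re

# Constructed sample shaped like the Rkill logs posted above (not a verbatim copy).
SAMPLE_RKILL_LOG = r"""This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/09/2011 at 21:04:15.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\user\My Documents\RCA Detective\RCADetective.exe
C:\WINDOWS\system32\svchost.exe

Rkill completed on 01/09/2011 at 21:04:30.
"""

# Assumption: on Windows XP the genuine copies of these binaries live under these folders.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}
# \\.\globalroot\... (or \\?\globalroot\...) is an NT device-namespace path, not a normal folder.
DEVICE_PATH = re.compile(r"^\\\\[.?]\\globalroot\\", re.IGNORECASE)


def terminated_processes(log_text):
    """Return the image paths listed under the 'Processes terminated ...' header."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Processes terminated by Rkill"):
            in_section = True
        elif in_section and line.startswith("Rkill completed"):
            break
        elif in_section and line:
            paths.append(line)
    return paths


def classify(path):
    """Label one image path for a helper reviewing the log."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if DEVICE_PATH.match(low):
        return "device-path"  # no normal program is started from a device path
    if name in SYSTEM_BINARIES:
        # A core Windows binary name is expected from its own folder; elsewhere it is suspect.
        return "system-binary" if low.startswith(SYSTEM_DIRS) else "system-binary-outside-system-dir"
    return "user-program"


def suspicious(log_text):
    """Paths to look at first: device paths and misplaced system-binary names."""
    return [p for p in terminated_processes(log_text)
            if classify(p) in ("device-path", "system-binary-outside-system-dir")]
```

Run against the sample, only the globalroot svchost.exe entry is reported; RCADetective.exe under the user's profile is left alone, which matches the poster's own reading of the log.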
 
You need to click on Combofix to run and when it quits then go into taskmanager and see if those processes are running and kill them.

If that doesn't get it going, then try this.

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Eventlog]
"Start"=dword:00000004

Save this as fix.reg. Choose to "Save type as - All Files"

Double click on fix.reg & allow it to merge into the registry

Reboot the machine once this is done and run combofix again.
 
Hi,

If you have not disabled Eventlog yet, hang off a bit.

Do this.

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Now we're going to remove the bad entry from the Windows registry

[cmz vmkd]
<--Check System Services again and make sure this is disabled

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in [cmz vmkd] tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

Close Regedit.


Then try CF again
 
Per your instructions in post #48, I skipped post #47.

Logged onto XP normally using my normal ID

You did not say what options to select in ERUNT so I backed up once using Sys Reg + Current User and again using all three check boxes (cannot recall the name of the third one... something like all other)

The bad boy was not disabled under system devices. I disabled it.

Tried RegEdit. Found it in 6 places but I was prevented from deleting any of them. (Do not recall the exact text but after I right clicked and selected delete, it said something to the order that I cannot or was not able to delete the files.)
 
Want you to know that with this being new and hard to remove we have a lot of helpers looking in to see how to remove it.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    [cmz vmkd]
    :filefind
    [cmz vmkd]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I am thankful for all of the great minds that are working on this. I appreciate it. Hopefully I am giving you good feedback that you can use to help other people in the future.

The program ran for a while and then just closed. Here is the contents of the log:

SystemLook 04.09.10 by jpshortstuff
Log created at 20:47 on 10/01/2011 by Paul Brown
Administrator - Elevation successful

========== regfind ==========

Searching for "[cmz vmkd]"


Suspecting that the program was killed, and judging that there are two commands, I thought I would try to run them individually. However, when I tried to launch the program, it did not open again. Did not give me the "cannot find file" error though either.

I am suspecting that one of the commands is you wanting to know the registry locations. Therefore, the registry search you had me do previously, I did again. Not wanting to try and write them down since reg keys are so messy, I made screen shots of the keys. Since I am in my regular logon (where I have handy screen capture software), I am going to make three pics (each holding two of the 6 key locations) and then open all three pics and make one pic and send that to you. That way, you can see it all in one nice spot.

I cannot recall if you asked previously for a registry search on vbma3a2b or if I just did it out of curiosity but I went ahead and searched again for it now. The value is in a lot of places so I will not be able to combine them all in one pic. Instead, there will be a set of 12 pics showing the different registry locations/values.
 
You should have put both in SystemLook as per instructions; it will take multiple entries

Let's try deleting vbma3a2b. Again, back up your registry with ERUNT.

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in vbma3a2b tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

Close Regedit.


DO NOT REBOOT and give CF another try
 
Sorry I was not clear enough on the last post. I DID try both commands at the same time. That is when/how the screen died.

In hopes of getting a partial log, I was then going to try one command at a time hoping that at least one of the two commands might succeed by itself. For example, perhaps the screen got through the first command and died on the second command so if I could get the first one to run, then I could get that part of the log created.

I tried to delete vbma3a2b in the registry but was prevented from doing so. The message it gave was "Unable to delete all specified values"
 
Try this in Safemode


Disable or uninstall the [cmz vmkd] in device manager

Run regedit and try deleting the vbma3a2b entries again

Exit regedit and run CF
 
Safe mode; admin ID (not my ID with Admin auth):
Disabled in device manager.
Still cannot delete in the registry.
Also tried to delete [cmz vmkd] in the registry and could not delete that either.
 
I started to follow the instructions and a few things are coming up.

1. Back in the beginning, when the problem first started, I did have some Antivirus2010 windows popping up. I cannot recall but they probably had an OK button or something like that on them but I DO know that whatever the content of the window, I DID NOT interact with it. I closed the window with the "X" in the top right or down on the task bar.

2. I then went to control panel and uninstalled AC2010.

3. Yes, I realize that this was probably critical information that I should have put in my original post. My bad. Sorry about that. It is just that it seemed to "uninstall" so easily from control panel and then I had so much trouble with Net Nanny and SB S&D that I lost sight of the AV2010. Since the AV2010 windows never came back up anymore, I forgot all about it by the time I was creating my post.

4. When I started to follow the instructions at
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6635
there is a point that talks about
us?rinit.exe
I do not have that file (and yes, I tried DIR at the CMD and it did NOT show up.)

5. I wonder if the reason that us?rinit.exe in #4 (the point just above this one) did not show is because of what I did in #2 (further up in this post) ????

6. I continued following the instructions for
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6635
but when I got to the regedit part, I did NOT have
HKLM\System\CurrentControlSet\Services\Userinit

I have
HKLM\System\CurrentControlSet\Services\usbvideo
then
HKLM\System\CurrentControlSet\Services\vbma3a2b
No userinit in between them

6. Should I proceed with the instructions just skipping the parts that do not apply?

7. Also, should this be done under my normal login or safe mode/admin or what?

8. I scanned ahead on the instructions.
RE: [Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]
I am not too sure what that means. Does that mean to launch/install Inherit.exe and some window will open and I drag the files into that window?

9. Of the 4 tools to be downloaded, one references gmer.net but I do not see in the instructions anywhere where that is to be used.
 
Good Morning, this is a real doozy to remove. Been at this a long time and this junk is getting harder and harder to remove.

Sometimes its best to back up your important data to a CD and reformat the drive and reinstall windows, this guarantees a 100% clean computer, but this is your call if you want to proceed with a reinstall.

The purpose of Inherit is that when a program is dragged onto it, it resets permissions that malware has reset so the tool will run. Sometimes it works and sometimes no.

GMER is run as a final scan to make sure its gone.


I have a few people looking this over, before we proceed let me look into a few things
 
What I would like you to do is to drag Combofix to the trash and we are going to download a fresh copy renamed.



But first do this, this picture shows it disabled but what you need to do is uninstall it

AV2010_devicemgr.png



Then this

Go to START > RUN - copy and paste usrini~1.exe /uninstall Then Enter

Then CF renamed

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Hi - I have a question before I proceed with the contents of post #59.

In Post #57, I had a question in point #8

QUOTE from my post, post #57
RE: [Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]
I am not too sure what that means. Does that mean to launch/install Inherit.exe and some window will open and I drag the files into that window?
END-QUOTE

and in Post #58 you told me the purpose of the program but I was looking for more of a "what am I supposed to see" and "just how am I supposed to do it answer".

QUOTE from your post, post #58
The purpose of Inherit is that when a program is dragged into it it resets permissions that malware has reset so the tool will run. Sometimes it works and sometimes no.
END-QUOTE

My question is about the mechanics of using Inerit.exe. When I get to the part of the instructions that says

[Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]

Does that mean that I do the install (and then execute) at that time (because I do not see any instructions for when to do the install)?

And, when it is running, just what am I dragging into the tool? Am I supposed to open up explorer, navigate to the file reported in Junction's log.txt file and drop it into there as if I were doing a file move?

Or, am I supposed to cut the text out of Junction's Log.txt file and paste it into the Inherit.exe window. And, if I am to do a cut and paste, how much of the text from the log am I to copy in? That is, if the log shows

Failed to open \\?\c:\\path\file: Access is denied.

do I copy/paste in

\\?\c:\\path\file (with both double \\'s?)

or

c:\\path\file (with the double \\ or a single \?)

or

Some other sub-string of the log listing?
 