# task manager msconfig mmc.exe and sndvol32 all (possibly more) I am denied permission



## jonno7171 (Dec 19, 2004)

Please help...
I am running win xp home and have lost all sound. To make matters worse, I am being disallowed access to msconfig, mmc.exe, sndvol32 and who knows what else. I have run adaware-se (just now and can include the logfile) also hijack-this (ran in a separate folder)...I am trying to follow the advice I have seen posted elsewhere here. Let's see, I have also run spybot S&D, and Trend micro's "house call" - house call found a whopping 308 viruses (all but one I could delete - the last is c:\winnt\system32\nnsdvkcrjc.exe - when I try to delete this gem I get a message saying that I am not allowed, this program may be running).
When I attempt to run Task manager, it shows up for a brief instant then disappears.

I guess I will include the Hijack-this log to try to save time. Thanks for any assistance in this manner.

Logfile of HijackThis v1.99.0
Scan saved at 2:18:03 PM, on 12/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\ICQ\NDetect.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\NNSDVKCRJC.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wow.stratics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.swgcenter.com/index.asp?bhcp=1"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\twucapru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\twucapru.slt\prefs.js)
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O2 - BHO: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSConfig] NNSDVKCRJC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\RunOnce: [MSConfig] NNSDVKCRJC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102879317983
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O19 - User stylesheet: c:\winnt\java\my.css
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft DHCP Routing Client - Unknown - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE


----------



## Rollin' Rog (Dec 9, 2000)

In my past experience with this worm there has been no resolution to the "permissions" problem other than to reinstall XP. But follow these instructions for now and I will move you to the Security forum.








Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.intermute.com/spysubtract/cwshredder_download.html

Then:

*1 >> Restart in Safe Mode:* http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

*2 >> In Safe Mode run the CoolWebShredder* and have it "fix" detected problems. *Then run HijackThis* and check and "fix" the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O2 - BHO: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [MSConfig] NNSDVKCRJC.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [MSConfig] NNSDVKCRJC.EXE

O19 - User stylesheet: c:\winnt\java\my.css

O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: Microsoft DHCP Routing Client - Unknown - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE

^^ this last, "MSSvc.exe" loading through the Recycle bin, is the key to identifying the worm (lovsan/msblaster). In the past it was usually accompanied by "Firedaemon", a utility used to install services, but not malicious in itself. You, instead, seem to have had "Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS" which may have performed the same function.

*3 >> Go to Start > Run* and enter *cmd* and a command shell will open. At the prompt carefully type and enter each line:

*del C:\WINNT\System32\NNSDVKCRJC.EXE*

>> empty the recycle bin.

*Additional cleanup instructions:* Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter *%temp%* and then click Edit > Select All. Right click on the selected files and folders and delete them.

*>> Reboot* and post a new Scanlog. Be advised the "permissions" issue will not be resolved. I'm going to see if I can solicit some others to look at this further.
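The manual review in the post above (a service loading from the Recycle Bin folder, entries marked "file missing", an autorun labelled MSConfig that does not point at msconfig) can be expressed as a small triage script. This is an added example, not part of the original post; the sample lines are copied from the log in this thread, and the rule names and the `TOOL_LABELS` list are assumptions made for illustration.

```python
import re

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# Assumption: autorun labels that borrow the name of a Windows tool.
TOOL_LABELS = {"msconfig", "regedit", "taskmgr"}

# Sample input: lines in HijackThis v1.99 format, copied from the log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSConfig] NNSDVKCRJC.EXE
O4 - HKCU\..\RunOnce: [MSConfig] NNSDVKCRJC.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Microsoft DHCP Routing Client - Unknown - C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE
"""

def triage(log_text):
    """Return (line, reasons) for every log line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        # Executables have no business running out of the Recycle Bin store.
        if "\\recycler\\" in line.lower():
            reasons.append("runs from Recycle Bin folder")
        # HijackThis appends this marker when the referenced file is gone.
        if line.endswith("(file missing)"):
            reasons.append("target file missing")
        svc = O23_RE.match(line)
        if svc and svc.group("vendor") == "Unknown":
            reasons.append("service without vendor information")
        run = O4_RE.match(line)
        if run:
            label = run.group("label").lower()
            # Label claims to be a Windows tool but the command is something else.
            if label in TOOL_LABELS and label not in run.group("cmd").lower():
                reasons.append("autorun label imitates a Windows tool")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print("; ".join(why), "->", entry)
```

These are triage hints for a human reviewer, not verdicts: a legitimate service can also show "Unknown" as its vendor.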


----------



## jonno7171 (Dec 19, 2004)

ok...I tried what you suggested, I was still unable to delete several items that were on your list while I was in "safe mode", but I was able to re-run hijack-this in normal xp mode and the option was there to "fix" them. By the way, I could not access cmd through run while I was in safe mode...still being denied permission. While I was logging into safe mode a weird thing happened (actually, I'm not sure this is weird..might be normal) I was given the option of either logging in as administrator, or as owner. I chose Admin, hope I picked the right one. Thanks for your assistance and time in this matter. (Ugh I hope I don't have to reformat)

What follows is the latest version of the hijack logfile:

Logfile of HijackThis v1.99.0
Scan saved at 11:05:02 PM, on 12/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\ICQ\NDetect.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\System32\NNSDVKCRJC.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\MsPMSPSv.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wow.stratics.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.swgcenter.com/index.asp?bhcp=1"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\twucapru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\twucapru.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [MSConfig] NNSDVKCRJC.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\RunOnce: [MSConfig] NNSDVKCRJC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102879317983
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


----------



## Rollin' Rog (Dec 9, 2000)

My apologies, I forgot that "cmd.exe" was also affected by this among others. And that throws a bit of a monkey wrench into a suggested solution to install secedit.exe on HOME and use it to reinstall security settings.

Do you have an XP Microsoft installation CD? That may be the only non destructive recovery.

For the file that won't delete, try rebooting in Safe Mode again, run HijackThis to fix the entries. (reboot using your current User Account if possible, otherwise the entry may not show up in HijackThis)

O4 - HKLM\..\Run: [MSConfig] NNSDVKCRJC.EXE

O4 - HKCU\..\RunOnce: [MSConfig] NNSDVKCRJC.EXE

Then manually navigate to:

C:\WINNT\System32\NNSDVKCRJC.EXE

and right click on it and rename it:

NNSDVKCRJC.bad

another option is to download, unzip and run the "killbox":

http://www.downloads.subratam.org/KillBox.zip

run it and place the file path in the field for file to be deleted:

C:\WINNT\System32\NNSDVKCRJC.EXE

check "end explorer shell" and "delete on reboot", then press the red button. I think however that you may get a permissions error here too.

You must have everything closed and be prepared to reboot.

Let's also try this, download the VX2 finder:

http://downloads.subratam.org/VX2Finder(126).exe

Run it and select "restore policy"

Again we may well encounter the "permissions" error with its use.

edit: also go here and follow instructions to install secedit.exe anyway, we may not need to use cmd.exe to run it.

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/14903/WindowsSecurity_14903.html

And one more thing, do a search for cmd.exe and let me know where you have it besides the system32 folder.

If you find it in c:\I386, for example, try double clicking it to see if it opens without error. You can also try copying it to another folder such as My Documents and rename it *cmd2.exe* and try running it from there.

Finally, if you can run *regedit.exe* either before or after deleting/renaming NNSDVKCRJC.EXE

Navigate to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

and if you see any "disallowrun" or "restrictrun" entries there, right click on them and delete them.
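The registry check in the last step can also be done offline against a regedit export of the two Policies\Explorer keys. The script below is an added example, not part of the original post: it lists any DisallowRun or RestrictRun policy and the programs it names. The export text is constructed for illustration and the function name is hypothetical.

```python
import re

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\explorer"
POLICIES = ("disallowrun", "restrictrun")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed sample of a .reg export; the program names echo the tools
# the thread reports as blocked.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="msconfig.exe"
"2"="taskmgr.exe"
"3"="sndvol32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def find_run_restrictions(reg_text):
    """Map (hive, policy) -> {'enabled': bool, 'programs': [...]}."""
    found = {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE_RE.match(line)
        if not (value and key):
            continue
        hive, _, path = key.partition("\\")
        path = path.lower()  # registry key names are case-insensitive
        name, data = value.group(1).lower(), value.group(2)
        for policy in POLICIES:
            entry = {"enabled": False, "programs": []}
            if path == POLICY_KEY and name == policy:
                # The DWORD switches the policy on; any non-zero value enables it.
                entry = found.setdefault((hive, policy), entry)
                entry["enabled"] = data.lower() != "dword:00000000"
            elif path == POLICY_KEY + "\\" + policy:
                # The subkey of the same name lists the affected programs:
                # blocked ones for DisallowRun, the only allowed ones for RestrictRun.
                entry = found.setdefault((hive, policy), entry)
                entry["programs"].append(data.strip('"'))
    return found

if __name__ == "__main__":
    for (hive, policy), info in find_run_restrictions(SAMPLE_REG).items():
        print(hive, policy, info)
```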


----------

