05-04-2007, 12:10 PM   #3
herring
Registered User
Join Date: May 2007
Posts: 25
OS: XP


Re: cp1041.nls removal help

I downloaded the file to this computer and tried writing it to a CD to move it over to the infected laptop, but some part of the program didn't move. It seemed to run anyway. I will try to complete the remaining instructions ASAP.

It stopped the bluescreen/reboot cycle and the laptop is now on the home network, but unable to get to the internet. This will therefore require some workarounds to complete the 5-step process. In the meantime, here is the ComboFix report and the quarantined files report.



"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18

Code:
2007-04-27 21:31      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4.tmp.dll.vir
2007-04-27 21:37      238043    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svchost.exe.vir
2007-04-27 21:39      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\IExplorer.dll                                                              .dbt.vir
2007-04-27 21:39      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\NOTEDAD.EXE.vir
2007-04-27 21:46      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising448.exe.vir
2007-04-27 21:46      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\server.exe.vir
2007-04-27 22:00      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising996.exe.vir
2007-04-27 22:01      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising92.exe.vir
2007-04-27 22:35      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpC.tmp.dll.vir
2007-05-02 22:50      10000    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ldhje783.dll.vir
2007-05-02 22:50      21504    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wtoloxsypnxrf.dll.vir
2007-05-02 22:50      25088    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\koos.exe.vir
2007-05-02 22:50      30208    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\poof.vir
2007-05-02 22:50      30720    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir
2007-05-02 22:50      4    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
2007-05-02 22:50      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
2007-05-02 22:50      99    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
2007-05-02 22:51      48931    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
2007-05-02 22:51      57344    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir
2007-05-03 14:11      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir
2007-05-03 14:32      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Explorer.exe.vir
2007-05-04 10:50      8426    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.ini.vir


Folder PATH listing
Volume serial number is 50C2-A2C7
C:\QOOBOX
\---Quarantine
    \---C
        \---WINDOWS
            |   NOTEDAD.EXE.vir
            |   rising448.exe.vir
            |   rising92.exe.vir
            |   rising996.exe.vir
            |   server.exe.vir
            |   svchost.exe.vir
            |   
            \---system32
                    Explorer.exe.vir
                    IExplorer.dll                                                              .dbt.vir
                    koos.exe.vir
                    ldhje783.dll.vir
                    pdp.exe.exe.vir
                    poof.vir
                    rpcc.dll.vir
                    sony.exe.exe.vir
                    svcp.csv.vir
                    tmp1.tmp.dll.vir
                    tmp4.tmp.dll.vir
                    tmpC.tmp.dll.vir
                    wincom32.ini.vir
                    wincom32.sys.vir
                    winsub.xml.vir
                    wtoloxsypnxrf.dll.vir

Last edited by herring; 05-04-2007 at 12:35 PM.