05-04-2007, 01:55 PM   #6 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,494
OS: N/A


Re: cp1041.nls removal help

Before fixing anything, please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\ipmtup.dll
C:\WINDOWS\system32\drivers\ndis.sys
C:\WINDOWS\system32\lsasss.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


----------------


Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Lexmark_X79-55"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"xrunwin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"=-
Save this as fix.reg. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Clear hidden/read-only/system/archive attributes, then set the suspect driver aside
attrib -h -r -s -a c:\WINDOWS\system32\drivers\ndis.sys
ren c:\WINDOWS\system32\drivers\ndis.sys ndis.sys.vir
rem Restore ndis.sys from the dllcache copy (binary copy, verified)
copy /y /b /v c:\WINDOWS\system32\dllcache\ndis.sys c:\WINDOWS\system32\drivers\ndis.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-1b9-1025.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-peers.ini
rem Delete the listed files regardless of their attributes
del /a "C:\WINDOWS\system32\sony.exe"
del /a "C:\WINDOWS\system32\mp43.exe"
del /a "C:\WINDOWS\system32\lsasss.exe"
cd /d "C:\Documents and Settings\123\Desktop\"
combofix.exe /wow-drv winmgmt1b9-1025 /v ipmtup
exit
Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run. It shall trigger combofix to run.

I shall require to see ComboFix's log
__________________

Question - what have you done for the community today?

Last edited by sUBs; 05-07-2007 at 03:56 PM.
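Added example, not part of sUBs's post: a small Python audit of a .reg file that lists what merging it would delete or write, so a fix.reg such as the one above can be reviewed before it is double-clicked. The function name `audit_reg` is hypothetical, the sample embeds the post's fix.reg text plus two constructed lines, and only single-line values are handled.

```python
import re

# Constructed sample: the fix.reg text from the post above, plus one
# "set" line and one key deletion added here to exercise every branch.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Lexmark_X79-55"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"xrunwin"=-
"example"="C:\\example.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"=-
[-HKEY_CURRENT_USER\software\example_constructed]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def audit_reg(text):
    """Return a list of (action, key, value_name) tuples for a .reg file."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / version 5.00 header")
    actions, key = [], None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            if key.startswith("-"):          # [-KEY] deletes the whole key
                actions.append(("delete-key", key[1:], None))
                key = None
            continue
        m = VALUE_RE.match(ln)
        if m is None or key is None:
            raise ValueError("unparsed line: " + ln)
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        # "name"=- deletes the value; anything else writes data
        action = "delete-value" if m.group(2) == "-" else "set-value"
        actions.append((action, key, name))
    return actions


if __name__ == "__main__":
    for action, key, name in audit_reg(SAMPLE_REG):
        print(f"{action:13} {key}  {name or ''}")
```

A file that is meant only to remove autostart entries should produce nothing but `delete-value` rows under the Run keys; any `set-value` or `delete-key` row is worth a second look before merging.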