05-04-2007, 09:50 PM   #7
herring
Registered User
 
Join Date: May 2007
Posts: 25
OS: XP


Re: cp1041.nls removal help

I created the requested CAB and submitted it to the bleepingcomputer site along with the link to this thread.

I followed the instructions for the registry merge.

I then created the batch file listed above (called fix2.bat) and ran it on the affected computer. It seemed to run successfully. Afterwards I appear to have improved connectivity on my LAN, so it is getting a little easier to execute your requests. I still do not have an internet connection through IE, although my wireless router software indicates that it thinks I have an internet connection.

Here is the combofix log (called combofix2.txt):

"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18