Thread: cp1041.nls removal help
View Single Post
Old 05-05-2007, 01:18 AM   #9 (permalink)
herring
Registered User
 
Join Date: May 2007
Posts: 25
OS: XP


Re: cp1041.nls removal help
Sorry ... I was naming my copies in the reverse order ...

Here is the one from more recently...

"123" - 2007-05-04 21:32:45 Service Pack 2
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"
Command switches used :: "/wow-drv winmgmt1b9-1025 /v ipmtup"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wjsrxurdf.dll
C:\cp1041.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 12:13 60 --a------ C:\fix.bat
2007-05-04 11:56 <DIR> d-------- C:\Deckard
2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 139,264 --a------ C:\WINDOWS\system32\windev-1b9-1025.sys
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-04 21:38:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 21:38
C:\ComboFix2.txt ... 2007-05-04 11:18
herring is offline