#1
Registered User
Join Date: May 2007
Posts: 25
OS: XP
cp1041.nls removal help
I am unable to follow the semi-automated steps I was directed to because the affected system is in an infinite bluescreen/reboot loop. Here is the original post and reply at the McAfee site.
********************************
I tried to install VirusScan on a laptop that has a virus (flagged by cp1041.nls in the root directory) and the laptop is now in an infinite loop of bluescreen/reboot. I can boot into SafeMode, but removing the cp1041.nls file does not change the symptom. How do I remove this virus from safe mode? I have access to the internet (obviously) from other, protected computers in the house.
*********
herring
Register at this Forum then follow these Steps, post the required log in that forum, not here. They'll be able to assist you in removing any infection(s).
*********
As I said in my first post, I cannot operate the laptop in any mode except safe mode. I could only do steps 1 (since add/remove software works in SafeMode) and 2 (since I already had Ad-Aware SE Personal on the system) before their process requires internet access and download capability, which I don't have. The laptop is in a bluescreen/reboot infinite loop ever since I tried to download McAfee VirusScan onto it. I need some manual assistance, I fear.
*********************************
I was unable to complete steps 3-5 with the infected laptop. It is a Toshiba Satellite 5205-S505 running XP Home Edition. The OS is downrev, but I was unable to upgrade it before the system went into its reboot loop. I can run in SafeMode and can collect more info manually, but I need some guidance. Thanks for any help.
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
Re: cp1041.nls removal help
1. Download this file & transfer it to the afflicted machine -> http://download.bleepingcomputer.com...a/ComboFix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
#3
Registered User
Join Date: May 2007
Posts: 25
OS: XP
Re: cp1041.nls removal help
I downloaded the file to this computer and tried writing it to a CD to move it over to the infected laptop, but some part of the program didn't move. It seemed to run anyway. I will try to complete the remaining instructions asap.
It stopped the bluescreen/reboot cycle and the laptop is now on the home network, but unable to get to the internet. This will therefore require some workarounds to complete the 5 step process. In the meantime, here is the ComboFix report and the Quarantined files report.
Code:
"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof

((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))

2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18
Code:
2007-04-27 21:31 38066 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4.tmp.dll.vir
2007-04-27 21:37 238043 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svchost.exe.vir
2007-04-27 21:39 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\IExplorer.dll .dbt.vir
2007-04-27 21:39 32768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\NOTEDAD.EXE.vir
2007-04-27 21:46 369664 --a------ C:\Qoobox\Quarantine\C\WINDOWS\rising448.exe.vir
2007-04-27 21:46 369664 --a------ C:\Qoobox\Quarantine\C\WINDOWS\server.exe.vir
2007-04-27 22:00 369664 --a------ C:\Qoobox\Quarantine\C\WINDOWS\rising996.exe.vir
2007-04-27 22:01 369664 --a------ C:\Qoobox\Quarantine\C\WINDOWS\rising92.exe.vir
2007-04-27 22:35 38066 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpC.tmp.dll.vir
2007-05-02 22:50 10000 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ldhje783.dll.vir
2007-05-02 22:50 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wtoloxsypnxrf.dll.vir
2007-05-02 22:50 25088 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\koos.exe.vir
2007-05-02 22:50 30208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\poof.vir
2007-05-02 22:50 30720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir
2007-05-02 22:50 4 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
2007-05-02 22:50 96256 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
2007-05-02 22:50 99 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
2007-05-02 22:51 48931 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
2007-05-02 22:51 57344 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir
2007-05-03 14:11 38066 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir
2007-05-03 14:32 36864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\Explorer.exe.vir
2007-05-04 10:50 8426 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.ini.vir
Folder PATH listing
Volume serial number is 50C2-A2C7
C:\QOOBOX
\---Quarantine
\---C
\---WINDOWS
| NOTEDAD.EXE.vir
| rising448.exe.vir
| rising92.exe.vir
| rising996.exe.vir
| server.exe.vir
| svchost.exe.vir
|
\---system32
Explorer.exe.vir
IExplorer.dll .dbt.vir
koos.exe.vir
ldhje783.dll.vir
pdp.exe.exe.vir
poof.vir
rpcc.dll.vir
sony.exe.exe.vir
svcp.csv.vir
tmp1.tmp.dll.vir
tmp4.tmp.dll.vir
tmpC.tmp.dll.vir
wincom32.ini.vir
wincom32.sys.vir
winsub.xml.vir
wtoloxsypnxrf.dll.vir
Last edited by herring : 05-04-2007 at 12:35 PM.
#4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
Re: cp1041.nls removal help
You still have a lot of malware on the machine. But let's concentrate on fixing your connectivity issues first. I shall require further info:
Open notepad and copy/paste the text in the quotebox below into it:
Code:
@vfind -tf c:\ndis.* >\search.txt
notepad \search.txt
exit
It should look like this:

Double click on fix.bat & allow it to run. Then post the log which it produces.
#5
Registered User
Join Date: May 2007
Posts: 25
OS: XP
Re: cp1041.nls removal help
Thanks for the quick reply. Here is the output from the fix.bat test.
Code:
c:\WINDOWS\system32\dllcache\ndis.sys
c:\WINDOWS\system32\drivers\ndis.sys
I was also able to run the dss.exe and have the output from that. I didn't do avgas, spywareblaster or spypad since I thought they might interact adversely with your other instructions. Let me know if I should run them. Here is the dss.exe output.
Code:
Deckard's System Scanner v20070426.43
Run by 123 on 2007-05-04 at 11:56:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-05-04 18:56:39 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-04 11:59:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\123\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {aa971e4f-e1bf-491e-9d4d-a933c161e48f} - C:\WINDOWS\system32\ipmtup.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178171246394
O20 - Winlogon Notify: ipmtup - C:\WINDOWS\system32\ipmtup.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - "C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 windev-1b9-1025 - c:\windows\system32\windev-1b9-1025.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Files created between 2007-04-04 and 2007-05-04 -----------------------------

2007-05-04 11:21:27 21504 --a------ C:\WINDOWS\system32\wjsrxurdf.dll
2007-05-03 14:32:05 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-05-02 22:54:28 96256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48:32 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31:17 0 d-------- C:\Documents and Settings\123\Application Data\Lavasoft
2007-04-27 22:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-27 22:29:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39:23 32768 --a------ C:\WINDOWS\system32\mp43.exe <Not Verified; Microsoft; mjxc3>
2007-04-27 20:55:13 22110 --a------ C:\WINDOWS\system32\ipmtup.dll
2007-04-27 17:18:34 0 d-------- C:\Documents and Settings\123\Application Data\Adobe

-- Find3M Report ---------------------------------------------------------------

2007-04-27 21:33:28 0 d-------- C:\Program Files\ltmoh
2007-04-27 21:32:18 37861 --a------ C:\WINDOWS\system32\lsasss.exe
2007-03-23 09:17:14 0 d-------- C:\Program Files\Messenger

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{aa971e4f-e1bf-491e-9d4d-a933c161e48f} C:\WINDOWS\system32\ipmtup.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-05-04 at 12:00:13 ---------
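The DSS/HijackThis-style log above is read by eye in this thread: the helper spots lsasss.exe (one letter off lsass.exe), svchost.exe running from C:\WINDOWS instead of system32, an unnamed BHO and Winlogon Notify entry for ipmtup.dll, and .bat/.reg edit commands pointed at NOTEDAD.EXE. The following added Python example, which is not tooling from the forum or its helpers, applies those same reading rules mechanically over lines taken from the log in this post. The expected-location table and the default Winlogon Notify list are this example's own assumptions about a stock XP install, not something the page states.

```python
"""Mechanical triage of HijackThis-style log lines (added example, not the forum's tooling)."""
import re
from pathlib import PureWindowsPath

# Assumption for this example: core XP binaries and the one directory each legitimately runs from.
EXPECTED_LOCATION = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}
# Assumption: Winlogon\Notify subkeys present on a default XP SP2 install (lower-cased).
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[CL][UM])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
ASSOC_RE = re.compile(r"^(?P<ext>\.\w+) - \w+ - shell\\edit\\command - (?P<handler>.+)$")


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes of core binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(cmd):
    """Executable path at the front of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def classify_path(path):
    """Reason string if the path impersonates a core binary by location or by name, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_LOCATION:
        expected = EXPECTED_LOCATION[name]
        return None if parent == expected else f"{name} running from {parent}, expected {expected}"
    for core in EXPECTED_LOCATION:
        if levenshtein(name, core) == 1:
            return f"{name} is one edit away from core binary {core}"
    return None


def triage(lines):
    """Return (item, reason) pairs for lines a reviewer should look at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            if reason := classify_path(first_path(m["cmd"])):
                findings.append((m["name"], reason))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in DEFAULT_NOTIFY:
                findings.append((m["name"], "non-default Winlogon Notify package: " + m["path"]))
        elif m := O2_RE.match(line):
            if m["path"].strip() == "(no file)":
                findings.append((m["clsid"], "orphaned BHO entry (no file)"))
            elif m["desc"].strip() == "(no name)":
                findings.append((m["clsid"], "unnamed BHO loaded from " + m["path"]))
        elif m := ASSOC_RE.match(line):
            handler = PureWindowsPath(m["handler"].split()[0]).name.lower()
            if handler != "notepad.exe":
                findings.append((m["ext"], "edit handler replaced by " + handler))
    return findings


# Constructed sample: lines copied from the DSS log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {aa971e4f-e1bf-491e-9d4d-a933c161e48f} - C:\WINDOWS\system32\ipmtup.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: ipmtup - C:\WINDOWS\system32\ipmtup.dll
.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
""".strip().splitlines()

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

Run on the sample, the benign LtMoh, NvCplDaemon and MSMSGS entries pass while the six entries the helper singled out are reported. The checks are deliberately narrow (location and one-edit lookalikes, unknown Notify packages, orphaned or unnamed BHOs, a non-notepad edit handler); anything the rules do not cover still needs the human review the thread shows.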
#6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
Re: cp1041.nls removal help
Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it. Paste the following list of filepaths into the Suspicious File Packer window:
Code:
C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\ipmtup.dll
C:\WINDOWS\system32\drivers\ndis.sys
C:\WINDOWS\system32\lsasss.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.
----------------
Open notepad and copy/paste the text in the quotebox below: (don't forget to copy and paste REGEDIT4)
Quote:
It should look like this:

Double click on fix.reg & allow it to merge into the registry.
---------------
Open notepad and copy/paste the text in the quotebox below into it:
Code:
@echo off
attrib -h -r -s -a c:\WINDOWS\system32\drivers\ndis.sys
ren c:\WINDOWS\system32\drivers\ndis.sys ndis.sys.vir
copy /y /b /v c:\WINDOWS\system32\dllcache\ndis.sys c:\WINDOWS\system32\drivers\ndis.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-1b9-1025.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-peers.ini
del /a "C:\WINDOWS\system32\sony.exe"
del /a "C:\WINDOWS\system32\mp43.exe"
del /a "C:\WINDOWS\system32\lsasss.exe"
cd /d "C:\Documents and Settings\123\Desktop\"
combofix.exe /wow-drv winmgmt1b9-1025 /v ipmtup
exit
It should look like this:

Double click on fix.bat & allow it to run. It shall trigger combofix to run. I shall require to see ComboFix's log.
Last edited by sUBs : 05-07-2007 at 03:56 PM.
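The fix.bat above clears the attributes on the live ndis.sys, keeps it as ndis.sys.vir and copies the dllcache copy back over it; the later ComboFix log in this thread confirms the driver was "found & disinfected" and "Restored copy from dllcache". The following added Python example, which is not the forum's or ComboFix's code, carries out that same verify-and-restore on a constructed directory tree so the outcome can be checked without touching a real system: it hashes the live driver and its dllcache copy, quarantines the live copy when they differ, restores from the cache and re-verifies. The tree layout, the fake driver bytes and the tamper marker are constructed for the example; a match only shows the two copies agree, it does not prove the cache copy itself is clean.

```python
"""Verify a driver against its dllcache copy and restore it on mismatch (added example)."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streamed SHA-256 so large driver images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(windows_root, name="ndis.sys"):
    """Compare the live driver with the copy Windows File Protection keeps in dllcache."""
    root = Path(windows_root)
    live = root / "system32" / "drivers" / name
    cache = root / "system32" / "dllcache" / name
    return {
        "live": str(live), "cache": str(cache),
        "live_size": live.stat().st_size, "cache_size": cache.stat().st_size,
        "match": sha256_of(live) == sha256_of(cache),
    }


def restore_from_cache(windows_root, name="ndis.sys"):
    """Same steps as fix.bat: clear attributes, keep the suspect copy as <name>.vir,
    copy the cache copy into place, then verify the result."""
    info = check_driver(windows_root, name)
    if info["match"]:
        return info
    live, cache = Path(info["live"]), Path(info["cache"])
    os.chmod(live, stat.S_IWRITE | stat.S_IREAD)   # attrib -r: a read-only file would block the rename
    quarantined = live.with_name(name + ".vir")
    live.rename(quarantined)                        # ren drivers\ndis.sys ndis.sys.vir
    shutil.copy2(cache, live)                       # copy /y /b dllcache\ndis.sys drivers\ndis.sys
    info = check_driver(windows_root, name)         # re-verify after the copy
    info["quarantined"] = str(quarantined)
    return info


def build_demo_tree(base):
    """Constructed sample tree: pristine cache copy, live copy with bytes appended."""
    base = Path(base)
    drivers = base / "system32" / "drivers"
    cache = base / "system32" / "dllcache"
    drivers.mkdir(parents=True, exist_ok=True)
    cache.mkdir(parents=True, exist_ok=True)
    clean = b"MZ" + bytes(1000)                       # stand-in for a driver image, not a real PE
    (cache / "ndis.sys").write_bytes(clean)
    (drivers / "ndis.sys").write_bytes(clean + b"TAMPERED")   # constructed tamper marker
    return base


def demo():
    """Build the sample tree in a temp dir and return (state before, state after restore)."""
    base = build_demo_tree(tempfile.mkdtemp())
    before = check_driver(base)
    after = restore_from_cache(base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("match before:", before["match"], "| match after:", after["match"],
          "| quarantined:", after.get("quarantined"))
```

On the sample tree the first check reports a mismatch (1008 bytes live against 1002 in the cache), the restore leaves ndis.sys.vir beside the replaced driver, and the second check reports a match. On a real machine the comparison should be against a hash from known-good media as well, since the thread's own log shows the dllcache copy was simply trusted.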
#7
Registered User
Join Date: May 2007
Posts: 25
OS: XP
Re: cp1041.nls removal help
I created the requested CAB and submitted it to the bleepingcomputer site along with the link to this thread.
I followed the instructions for the registry merge. I then created the batch file listed above (called fix2.bat) and ran it on the affected computer. It seemed to run successfully. Afterwards I appear to have improved connectivity on my LAN, so it is getting a little easier to execute your requests. I still do not have internet connection through IE, although my wireless router software indicates that it thinks I have an internet connection. Here is the combofix log (called combofix2.txt):
Code:
"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof

((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))

2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18
#8
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
Re: cp1041.nls removal help
Quote:
#9
Registered User
Join Date: May 2007
Posts: 25
OS: XP
Re: cp1041.nls removal help
Sorry ... I was naming my copies in the reverse order ...
Here is the one from more recently...
Code:
"123" - 2007-05-04 21:32:45 Service Pack 2
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"
Command switches used :: "/wow-drv winmgmt1b9-1025 /v ipmtup"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\wjsrxurdf.dll
C:\cp1041.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"

((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))

2007-05-04 12:13 60 --a------ C:\fix.bat
2007-05-04 11:56 <DIR> d-------- C:\Deckard
2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 139,264 --a------ C:\WINDOWS\system32\windev-1b9-1025.sys
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-04 21:38:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 21:38
C:\ComboFix2.txt ... 2007-05-04 11:18
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
Re: cp1041.nls removal help
It's behaving a bit weird. That's why I asked.
Please delete these files:
C:\WINDOWS\system32\windev-1b9-1025.sys
C:\WINDOWS\system32\windev-peers.ini
Then grab an updated copy of ComboFix from this link > http://download.bleepingcomputer.com...a/ComboFix.exe
Run it & show me the resultant log.
---------------
Another question - have you been visiting Chinese sites?