cp1041.nls removal help

[herring]

Nope. Still get the "The page cannot be displayed" message.

[sUBs]

In that case, let's try getting FireFox in.

You shall need to download the installer from here > http://download.mozilla.org/?product...win&lang=en-US

[herring]

Yup, Firefox works. I installed without importing anything from IE. It took me to a google-like start page. I did a quick search and its alive.

This edit was done from the laptop.

[sUBs]

Since we now have a working browser, I would like you to download & run the program Hijackthis.exe. It may shed some light as to what's troubling IE.


----------------


Download http://www.bleepingcomputer.com/file...ckthis_sfx.exe

1. Double-click on the file you just downloaded.

2. Click on the "Unzip" button to install the newer version.

3. It will by default install to the directory - C:\Program Files\HiJackThis\

4. If it gives you an intro screen, just choose - Do a system scan and save a logfile.

5. If you don't get the intro screen, just hit [Scan] and then click on Save log.

6. Post the HiJackThis.log file

[herring]

I ran into a snag and wanted further counsel. When I clicked the link on the laptop it gave me a dialog box "Opening Hijackthis_sfx.exe" which said:
You have chosen to open:
Hijackthis_sfx.exe
which is a: Application
from: http://bleepingcomputer.com
Would you like to save this file?

then it give 2 boxes Save File and Cancel, but the Save File box is grayed out. This allows only a cancel.

When I click the link from this computer I get the standard Run/Save/Cancel options. Should I download it to my desktop and move it over to the laptop as before?

[sUBs]

This is indeed very strange. Please download it using the the other machine & transfer it via LAN

[herring]

Transferred it by LAN. Installed and started normally and gave an intro screen. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:03 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178171246394
O20 - AppInit_DLLs:
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

[sUBs]

Quote:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182

Are you using a proxy server?

[sUBs]

I dont think you're using a proxy. :)

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O20 - AppInit_DLLs:


Tell me if IE's working now

[herring]

hmm ... got a dialog box "HijackThis"

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

**************************************

I got a warning about the removal of the BHO and then Hijack appeared to finish, but didn't display a logfile (and didn't appear to save a new one). I am going to perform another HijackThis scan ...

IE appears to work now, although no images are loading. Google loaded and did a search.

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:27 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178171246394
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

[sUBs]

Great. We have IE working now.


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. We only require a report from it.
  It does not provide an option to clean/disinfect.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

[herring]

Troubles. I can load IE and get to this forum and click thru to the Kaspersky site. When I click on the Kaspersky Online Scanner button it opens a window and then pops up the Dialog Box to make a Dial-up Connection. When I "X" out of that I get the Kaspersky Online Scanner window; with Warnings and Benefits, Requirements, Privacy statements, asking me to push "Accept or Decline" buttons.

When I push the Accept button there is a quick message in the lower left on the Status Bar of the window which says: Error on Page.

I get no other messages or windows.

[sUBs]

Please check if IE's security settings are set to accept Kaspersky's ActiveX

[herring]

I made sure all the activeX related items were either Enable or Prompt. I then re-tried the Accept button described above and ... nothing happened.

I no longer got the status bar message, but no action occurred.

I suppose I may have missed a permission somewhere ...

[sUBs]

Let's see if we have better luck with another scanner

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results" Post the log of the scan results in your next reply

[herring]

I clicked thru to the site, agreed to the license and needed to install an ActiveX control to do the scan.

The first time it was scanning 14220 files. It got to 100% after about 10 minutes and then went to 14221 ... then crashed. The Microsoft window popped up asking to send a report then closed out IE. SO, no report.

I started it up again. This time it said it was scanning 14227 files. When it got to 100% it went to 14228, 14229, 14230 ... then crashed again. I again asked to send the report to Microsoft and all the windows closed.

I'll be back later in the morning ...

*edit* I should add that it identified at least 6-8 (maybe more) different trojan-like infected files. I wasn't quick enough to capture them.

[sUBs]

I just tried BitDefender's scan & experienced the same issues. There seems to be some problems with the scanner. Let's use another one ...

F-Secure Online Scanner - http://support.f-secure.com/enu/home/ols.shtml
It's explained there with images how to allow the ActiveX to start the scan, so read that first.

• Then click the F-Secure Online Scanner Next Generation Beta link.
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
• Click the Full System Scan button.
• It will start to download scanner components and databases. This can take a while.
• The main scan will start.
• Once the scan finished scanning, click the Automatic cleaning (recommended) button
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
• The cleaning can take a while, so please be patient.
• Then click the Show report button and copy and paste what's present under results in your next reply.

[herring]

I followed your link to the Fsecure page. I looked it over carefully but didn't find a link to F-Secure Online Scanner Next Generation Beta . I clicked the link at the bottom of the page, accepted the license agreement that was presented, and installed the ActiveX.

It then began a large download. 2 bytes from complete it gave a warning message saying it was unable to complete the download and returned me to (what I thought) was the same page. I hit Accept again and the scan atarted. The version on the scanning window was 3.0.19.

Here are the results: (I couldn't copy the links correctly ... hope that's enough)

Scanning Report
Sunday, May 06, 2007 07:44:59 - 08:02:58

Computer name: TOSHLAPTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 3 malware found
Possible Browser Hijack attempt (spyware)
http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Possible%20Browser%20Hijack%20attempt&orig='disk'

* System (Disinfected)

Trojan-Clicker.Win32.Agent.jh (virus)
http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Clicker.Win32.Agent.jh&orig='disk'

* C:\PROGRAM FILES\LTMOH\LTMOH.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.ConHook.bf (virus)
http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.ConHook.bf&orig='disk'

* C:\WINDOWS\SYSTEM32\COMEXT.DLL (Renamed & Submitted)

Statistics
Scanned:

* Files: 13144
* System: 2885
* Not scanned: 2

Actions:

* Disinfected: 1
* Renamed: 2
* Deleted: 0
* None: 0
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-05-04
* F-Secure AVP: 7.0.171, 2007-05-05
* F-Secure Orion: 1.2.37, 2007-05-04
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Pegasus: 1.19.0, 2007-04-01

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

[sUBs]

Quote:

Result: 3 malware found

Actions:

* Disinfected: 1
* Renamed: 2

Results looks good. BitDefender probably took out some of the earlier findings.

Quote:

* C:\PROGRAM FILES\LTMOH\LTMOH.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\COMEXT.DLL (Renamed & Submitted)

These 2 files which were renamed. Please locate/upload them to me:

http://www.bleepingcomputer.com/subm....php?channel=4

The files should preferbaly be deleted after submission.


Do you still have any issues with the machine?

[herring]

LTMOH.EXE was indeed renamed and I will submit the renamed file at your link.

Unfortunately comext.dll is not renamed and is, in fact, in use. This means I am unable to move it.

I am still getting pop-ups. I fear there may still be something wrong.

Additionally, no images are loading in IE, although I guess that could be some browser setting somewhere.

That said, the system is working a lot better than it was. I have purchased a copy of McAfee for the laptop. Do you think it is safe to try to update Windows and install McAfee now? That was the action that threw the system into the bluescreen-reboot loop last time. Am I free to run Ad-Aware now also?

Thanks a lot for your help! :-)