cp1041.nls removal help

[herring]

I am unable to follow the semi-automated steps I was directed to because the affected system is in an infinite bluescreen/reboot loop. Here is the original post and reply at the McAfee site.

********************************
I tried to install VirusScan on a laptop that has a virus (flagged by cp1041.nls in the root directory) and the laptop is now in an infinite loop of bluescreen/reboot. I can boot into SafeMode, but removing the cp1041.nls file does not change the symptom.

How do I remove this virus from safe mode? I have access to the internet (obviously) from other, protected computers in the house.

*********
herring

Register at this Forum then follow these Steps post the required log in that forum,not here.

They`ll be able to assist you in removing any infection(s).

*********
As I said in my first post, I cannot operate the laptop in any mode except safe mode. I could only do steps 1 (since add/remove software works in SafeMode) and 2 (since I already had Ad-Aware SE Personal on the system) before their process requires internet access and download capability, which I don't have.

The laptop in in a bluescreen/reboot infinite loop ever since I tried to download McAfee VirusScan onto it.

I need some manual assistance, I fear.

*********************************

I was unable to complete steps 3-5 with the infected laptop. It is a Toshiba Satellite 5205-S505 running XP Home Edition. The OS is downrev, but I was unable to upgrade it before the system went into its reboot loop. I can run in SafeMode and can collect more info manually, but I need some guidance.

Thanks for any help.

[sUBs]

1. Download this file & transfer it to the afflicted machine -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[herring]

I downloaded the file to this computer and tried writing it to a CD to move it over to the infected laptop, but some part of the program didn't move. It seemed to run anyway. I will try to complete the remaining instructions asap.

It stopped the bluescreen/reboot cycle and the laptop is now on the home network, but unable to get to the internet. This will therefore require some workarounds to complete the 5 step process. In the meantime, here is the ComboFix report and the Quarantined files report.



"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18

Code:

2007-04-27 21:31      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4.tmp.dll.vir
2007-04-27 21:37      238043    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svchost.exe.vir
2007-04-27 21:39      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\IExplorer.dll                                                              .dbt.vir
2007-04-27 21:39      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\NOTEDAD.EXE.vir
2007-04-27 21:46      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising448.exe.vir
2007-04-27 21:46      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\server.exe.vir
2007-04-27 22:00      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising996.exe.vir
2007-04-27 22:01      369664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rising92.exe.vir
2007-04-27 22:35      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpC.tmp.dll.vir
2007-05-02 22:50      10000    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ldhje783.dll.vir
2007-05-02 22:50      21504    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wtoloxsypnxrf.dll.vir
2007-05-02 22:50      25088    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\koos.exe.vir
2007-05-02 22:50      30208    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\poof.vir
2007-05-02 22:50      30720    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir
2007-05-02 22:50      4    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
2007-05-02 22:50      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
2007-05-02 22:50      99    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
2007-05-02 22:51      48931    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
2007-05-02 22:51      57344    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir
2007-05-03 14:11      38066    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir
2007-05-03 14:32      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Explorer.exe.vir
2007-05-04 10:50      8426    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wincom32.ini.vir


Folder PATH listing
Volume serial number is 50C2-A2C7
C:\QOOBOX
\---Quarantine
    \---C
        \---WINDOWS
            |   NOTEDAD.EXE.vir
            |   rising448.exe.vir
            |   rising92.exe.vir
            |   rising996.exe.vir
            |   server.exe.vir
            |   svchost.exe.vir
            |   
            \---system32
                    Explorer.exe.vir
                    IExplorer.dll                                                              .dbt.vir
                    koos.exe.vir
                    ldhje783.dll.vir
                    pdp.exe.exe.vir
                    poof.vir
                    rpcc.dll.vir
                    sony.exe.exe.vir
                    svcp.csv.vir
                    tmp1.tmp.dll.vir
                    tmp4.tmp.dll.vir
                    tmpC.tmp.dll.vir
                    wincom32.ini.vir
                    wincom32.sys.vir
                    winsub.xml.vir
                    wtoloxsypnxrf.dll.vir

[sUBs]

You still have a lot of malware on the machine. But let's concentrate of fixing your connectivity issues first. I shall require further info:


Open notepad and copy/paste the text in the quotebox below into it:

Code:

@vfind -tf c:\ndis.* >\search.txt
notepad \search.txt
exit

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run. Then post the log which it produces

[herring]

Thanks for the quick reply. Here is the output from the fix.bat test.

c:\WINDOWS\system32\dllcache\ndis.sys
c:\WINDOWS\system32\drivers\ndis.sys


I was also able to run the dss.exe and have the output from that. I didn't do avgas, spywareblaster or spypad since I thought they might interact adversely with your other instructions. Let me know if I should run them. Here is the dss.exe output.

Deckard's System Scanner v20070426.43
Run by 123 on 2007-05-04 at 11:56:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-04 18:56:39 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-04 11:59:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\123\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {aa971e4f-e1bf-491e-9d4d-a933c161e48f} - C:\WINDOWS\system32\ipmtup.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178171246394
O20 - Winlogon Notify: ipmtup - C:\WINDOWS\system32\ipmtup.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - "C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"


-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 windev-1b9-1025 - c:\windows\system32\windev-1b9-1025.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Files created between 2007-04-04 and 2007-05-04 -----------------------------

2007-05-04 11:21:27 21504 --a------ C:\WINDOWS\system32\wjsrxurdf.dll
2007-05-03 14:32:05 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-05-02 22:54:28 96256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48:32 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31:17 0 d-------- C:\Documents and Settings\123\Application Data\Lavasoft
2007-04-27 22:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-27 22:29:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39:23 32768 --a------ C:\WINDOWS\system32\mp43.exe <Not Verified; Microsoft; mjxc3>
2007-04-27 20:55:13 22110 --a------ C:\WINDOWS\system32\ipmtup.dll
2007-04-27 17:18:34 0 d-------- C:\Documents and Settings\123\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-04-27 21:33:28 0 d-------- C:\Program Files\ltmoh
2007-04-27 21:32:18 37861 --a------ C:\WINDOWS\system32\lsasss.exe
2007-03-23 09:17:14 0 d-------- C:\Program Files\Messenger


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{aa971e4f-e1bf-491e-9d4d-a933c161e48f} C:\WINDOWS\system32\ipmtup.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-04 at 12:00:13 ---------

[sUBs]

Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\ipmtup.dll
C:\WINDOWS\system32\drivers\ndis.sys
C:\WINDOWS\system32\lsasss.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\sony.exe.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


----------------


Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Lexmark_X79-55"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"xrunwin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"=-

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:

@echo off
attrib -h -r -s -a c:\WINDOWS\system32\drivers\ndis.sys 
ren c:\WINDOWS\system32\drivers\ndis.sys ndis.sys.vir
copy /y /b /v c:\WINDOWS\system32\dllcache\ndis.sys c:\WINDOWS\system32\drivers\ndis.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-1b9-1025.sys
catchme -l \Qoobox\Quarantine\catchme.log -k C:\WINDOWS\system32\windev-peers.ini
del /a "C:\WINDOWS\system32\sony.exe
del /a "C:\WINDOWS\system32\mp43.exe
del /a "C:\WINDOWS\system32\lsasss.exe
cd /d "C:\Documents and Settings\123\Desktop\"
combofix.exe /wow-drv winmgmt1b9-1025 /v ipmtup
exit

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run. It shall trigger combofix to run.

I shall require to see ComboFix's log

[herring]

I created the requested CAB and submitted it to the bleepingcomputer site along with the link to this thread.

I followed the instructions for the registry merge.

I then created the batch file listed above (called fix2.bat) and ran it on the affected computer. It seemed to run successfully. Afterwards I appear to have improved connectivity on my LAN, so it is getting a little easier to execute your requests. I still do not have internet connection through IE, although my wireless router software indicates that it thinks I have an internet connection.

Here is the combofix log (called combofix2.txt):

"123" - 2007-05-04 11:15:55 Service Pack 2 [SAFE MODE]
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising92.exe
C:\WINDOWS\rising996.exe
C:\WINDOWS\system32\ldhje783.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\winsub.xml
C:\windows\system32\explorer.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\wtoloxsypnxrf.dll
C:\WINDOWS\system32\rpcc.dll
C:\cp1041.nls


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_WINCOM32
-------\kprof
-------\ntldr.sys
-------\poof


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 21:39 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 05:50:10 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-04-28 04:32:18 37,861 ----a-w C:\WINDOWS\system32\lsasss.exe
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"xrunwin"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"start"="C:\\WINDOWS\\server.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 11:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt1b9-1025

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-1b9-1025.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


********************************************************************

Completion time: 2007-05-04 11:18:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 11:18

[sUBs]

Quote:

Here is the combofix log (called combofix2.txt)

The new ComboFix log is called ComboFix.txt. ComboFix2.txt is the previous copy that was produced earlier

[herring]

Sorry ... I was naming my copies in the reverse order ...

Here is the one from more recently...

"123" - 2007-05-04 21:32:45 Service Pack 2
ComboFix 07-05.04.3.V - Running from: "C:\Documents and Settings\123\Desktop\"
Command switches used :: "/wow-drv winmgmt1b9-1025 /v ipmtup"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wjsrxurdf.dll
C:\cp1041.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 12:13 60 --a------ C:\fix.bat
2007-05-04 11:56 <DIR> d-------- C:\Deckard
2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:54 139,264 --a------ C:\WINDOWS\system32\windev-1b9-1025.sys
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 20:55 22,110 --a------ C:\WINDOWS\system32\ipmtup.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{aa971e4f-e1bf-491e-9d4d-a933c161e48f}"="C:\WINDOWS\system32\ipmtup.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipmtup

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-04 21:38:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-04 21:38
C:\ComboFix2.txt ... 2007-05-04 11:18

[sUBs]

Did you get any error messages while running ComboFix?

[herring]

None that I noticed. The system rebooted at the end of the process. I wasn't watching it every minute, so I may have missed one.

[sUBs]

It's behaving a bit wierd. That's why I asked

Please delete these files:

C:\WINDOWS\system32\windev-1b9-1025.sys
C:\WINDOWS\system32\windev-peers.ini


Then grab an updated copy of ComboFix from this link > http://download.bleepingcomputer.com...a/ComboFix.exe

Run it & show me the resultant log.


---------------


Another question - have you been vsiting Chinese sites?

[herring]

Deleted the requested files. Brought Combofix to this computer and moved it to the laptop over the LAN. Ran ComboFix and captured the log which is copied below.

I have not gone to any Chinese sites, but since the virus hit I was frequently asked if I wanted to install the Chinese character set, which I always declined.

The infected laptop is almost pristine, since its hard drive froze six months ago and I had a new one and a clean Windows installed. I use it infrequently when I travel. It is very empty of software and trash. I connected to a hotel network, updated a couple of text games I play and then my wife asked me to check foxnews.com, I think. Within seconds I was getting popups and odd behavior.

I never ran any downloaded files. I don't even think I clicked an unknown link. I have three other comps on my home net which all run McAfee. They are not affected. I was able to mount the laptop c: drive on this computer and scan it with McAfee which identified the cp1041.nls file but couldn't clean it.

Here is the ComboFix output:

"123" - 2007-05-05 9:46:31 Service Pack 2
ComboFix 07-05.05.4.V - Running from: "C:\Documents and Settings\123\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ipmtup.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-05 ))))))))))))))))))))))))))))))))))


2007-05-04 12:13 60 --a------ C:\fix.bat
2007-05-04 11:56 <DIR> d-------- C:\Deckard
2007-05-04 11:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-03 14:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-02 22:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-02 22:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 22:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-27 22:31 <DIR> d-------- C:\DOCUME~1\123\APPLIC~1\Lavasoft
2007-04-27 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 05:31:17 -------- d-----w C:\DOCUME~1\123\APPLIC~1.\Lavasoft
2007-04-28 04:33:28 -------- d-----w C:\Program Files\ltmoh
2007-03-23 16:17:14 -------- d-----w C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TosHKCW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_GTNDIS5

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 09:48:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-05 9:48:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-05 09:48
C:\ComboFix2.txt ... 2007-05-04 21:38
C:\ComboFix3.txt ... 2007-05-04 11:18

[sUBs]

ipmtup.dll is of chinese origins. It may hijack browser's homepage & redirect websearches to China sites.

Is the machine able to connect online yet?

[herring]

The Linksys software says that the system is connected to the access point and the Internet, but when I browse using IE every site says "The page cannot be displayed."

I am able to use the LAN from either this PC or the Laptop to exchange files within the house LAN.

I got the feeling the original virus was loading other malware. I got Ad-Aware onto the laptop before it went totally down and Ad-Aware scans were turning up new malware every few minutes when the system was connected. The longer I left it alone, the more was identified by Ad-Aware. I think I only got 2 McAfee scans in (done remotely over the LAN) before I lost contact.

I haven't done any of that since I started working with you.

[sUBs]

Let's check your internet connectivity by doing a ping test.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

@ping google.com >\ping.txt&\ping.txt

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

[herring]

Google ping'd fine.

at the command line pinging www.google.com I got avg 45ms. The second time I did google.com and piped the output as you suggested (still from the command line) and got:

Pinging google.com [64.233.167.99] with 32 bytes of data:



Reply from 64.233.167.99: bytes=32 time=105ms TTL=242

Reply from 64.233.167.99: bytes=32 time=104ms TTL=242

Reply from 64.233.167.99: bytes=32 time=104ms TTL=242

Reply from 64.233.167.99: bytes=32 time=103ms TTL=242



Ping statistics for 64.233.167.99:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 103ms, Maximum = 105ms, Average = 104ms

[sUBs]

That means the problem shouldnt be related to your router.

Should be an IE problem. Do you have an alternative browser? Like FireFox?

[herring]

I have it on this machine, but not on the laptop. That laptop has almost nothing but a freshly installed copy of windows.

[sUBs]

Preferbaly, we should test another browser on the machine. If it works, we can then concentrate on IE.

Let's do another experiment. Instead of typing web urls, please try typing IPs instead. Try http://72.52.136.82/ . See if that brings you to TSF