vanders

I also have the CP1041.nls infection. Please help!!!!!!!!!


Hiya,

I unfortunately have been infected with CP1041.nls

It's disconnecting me from the internet and now my pc randomly reboots :(

I have Windows XP Service Pack 2

I have downloaded HJT, Icesword etc but am a bit unsure how to use them.

I'm aware that I may need a clean ndis.sys file.

Can anyone help before I resort to formatting my HDD, sigh


It sounds like you have a few issues above the spambot. If you have not done so already, download and run a full SAS scan with the most recent definitions update.

https://www.superantispyware.com/

What did/does SAS remove? In the Preferences tab you can find the stored log reports.

I will need a contact email address to send the file to. Best to PM the addy :wink:

SUPERAntiSpyware Scan Log

Generated 04/17/2007 at 07:18 PM

Application Version : 3.6.1000

Core Rules Database Version : 3219

Trace Rules Database Version: 1229

Scan type : Quick Scan

Total Scan Time : 00:22:23

Memory items scanned : 473

Memory threats detected : 2

Registry items scanned : 776

Registry threats detected : 0

File items scanned : 28732

File threats detected : 11

Trojan.Downloader-MSNETAX

C:\WINDOWS\SYSTEM32\BXUAKAGHJEEOT.DLL

C:\WINDOWS\SYSTEM32\BXUAKAGHJEEOT.DLL

Trojan.Spam-RUCrzy

C:\CP1041.NLS

C:\CP1041.NLS

Adware.Tracking Cookie

C:\Documents and Settings\Jamie V\Cookies\jamie_v@adopt.euroclick[2].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@adbrite[1].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@www.yourtracking[2].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@mediaservices.myspace[1].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@ad.uk.tangozebra[1].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@ads.adbrite[1].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@partypoker[1].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@4.adbrite[2].txt

C:\Documents and Settings\Jamie V\Cookies\jamie_v@ads.pesfan.co[1].txt

OK, try this fix for the internet connectivity issue. In the SAS main GUI select the Preferences button. Go to the Repairs tab and run Repair broken network connection (Winsock LSP chain).

LMK if this sorts it; a clean NDIS.sys is on the way :)


Take the file that I have sent to you, copy it into your windows/system32/drivers folder and then unzip it (extract).

Please use this powerful forensic tool only as directed!!

Download IceSword>>>

http://www.majorgeeks.com/Icesword_d5199.html

and install it.

Next up boot into safe mode.

Locate your clean copy of ndis.sys, right click to highlight it and select *copy*.

Now go up into the Drivers folder and next open IceSword.

Using the File option on the left-hand column of IceSword, navigate through the folder tree until the windows/system32/drivers folder is selected. Locate ndis.sys in the list of drivers on the main screen and highlight it. Next right click, highlight *forced delete* and nuke the file; do not reboot as advised, but immediately right click in the drivers folder to paste the clean ndis.sys.

Whilst you have IceSword installed, force delete the cp1041.nls which is located on C:\ .

Do not delete anything else without instruction :!:

Reboot

Next up I need you to check some other files, if they are present, by uploading them to the VirusTotal service.

http://www.virustotal.com/en/indexf.html

* Some are legitimate system files, so their presence alone does not equal something bad, but we are just checking to see if they have been patched :wink:

System32 folder

Winlogon.exe

main.sys(if present there)

totour.exe

new_drv.sys

main.sys

Drivers folder

Ndis.sys (to check if the fix has taken)

ip6fw.sys

If any of these files are confirmed as malware we will have to get you to run further diagnostic tools + fixes, so please report back any *suspect* scan results. A full C&P of the complete report generated by VT is preferred when a detection is made (it includes file size, MD5 and packers listed below the bulk report) :wink:

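The post above asks for the listed files to be checked by file size and MD5. The script below is an added example (not code from the thread or from SUPERAntiSpyware) that inventories those paths on the local machine and prints size, MD5 and SHA-256 for each one that exists, so the values can be compared against a VirusTotal report or against a copy of ndis.sys from a trusted source. The path list and the `SYSTEM_ROOT` location are assumptions taken from the thread's Windows XP setup; the thread gives no known-good hash, so the script only reports and does not judge.

```python
import hashlib
import sys
from pathlib import Path

# Assumed default install location for Windows XP (not stated in the thread).
SYSTEM_ROOT = Path(r"C:\WINDOWS")

# Files named in the post. Several of these only exist on an infected machine,
# so a missing file is reported as ABSENT rather than treated as an error.
SUSPECT_FILES = [
    SYSTEM_ROOT / "system32" / "winlogon.exe",
    SYSTEM_ROOT / "system32" / "main.sys",
    SYSTEM_ROOT / "system32" / "totour.exe",
    SYSTEM_ROOT / "system32" / "new_drv.sys",
    SYSTEM_ROOT / "system32" / "drivers" / "ndis.sys",
    SYSTEM_ROOT / "system32" / "drivers" / "ip6fw.sys",
    Path(r"C:\CP1041.NLS"),
]


def hash_file(path, chunk_size=1 << 20):
    """Return (size_in_bytes, md5_hex, sha256_hex), streaming the file in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            size += len(block)
            md5.update(block)
            sha256.update(block)
    return size, md5.hexdigest(), sha256.hexdigest()


def inventory(paths):
    """Describe each path: whether it exists and, if so, its size and hashes."""
    rows = []
    for p in paths:
        p = Path(p)
        if not p.is_file():
            rows.append({"path": str(p), "present": False})
            continue
        size, md5, sha256 = hash_file(p)
        rows.append({
            "path": str(p),
            "present": True,
            "size": size,
            "md5": md5,
            "sha256": sha256,
        })
    return rows


def format_report(rows):
    """One line per file, in a form that can be pasted back into a forum reply."""
    lines = []
    for r in rows:
        if not r["present"]:
            lines.append(f"ABSENT   {r['path']}")
        else:
            lines.append(
                f"PRESENT  {r['path']}  size={r['size']}  "
                f"md5={r['md5']}  sha256={r['sha256']}"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    # Paths given on the command line override the default list.
    targets = [Path(a) for a in sys.argv[1:]] or SUSPECT_FILES
    print(format_report(inventory(targets)))
```

Run it with no arguments to check the thread's default list, or pass explicit paths (for example the drivers folder copy of ndis.sys before and after the replacement) to confirm the file actually changed. SHA-256 is included alongside MD5 because VirusTotal reports both and MD5 alone is not collision-resistant.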

That's awesome, it has now gone.

Thanks for all your help mate.

I'll surf the web a bit safer in the future, lol

Thanks again :D

I also need a clean ndis file. Do I PM my e-mail to someone?

Yep, drop me a PM; I need to know which OS + service pack you are using.


I downloaded IceSword and saved it to my desktop. When I click on the exe file I get a warning message about extracting all files before proceeding with the install. Am I doing something wrong? There is a second compressed file called cooperator within the main file... I am a real PC newbie, please don't be afraid to dumb it down for me :roll:

I downloaded IceSword and saved it to my desktop. When I click on the exe file I get a warning message about extracting all files before proceeding with the install. Am I doing something wrong? There is a second compressed file called cooperator within the main file... I am a real PC newbie, please don't be afraid to dumb it down for me :roll:

No problemo, we all start at the same point along the line :)

On the downloaded IceSword file, right mouse click and select Extract All.

This unzips the compressed files into an unzipped folder, including the main file for IceSword which we need to use. Don't worry about extracting *cooperator*.

You will then have 2x IceSword folders on your desktop; one is the compressed download file (zipped), which you can now delete. The second is the decompressed folder with the software/tool in it that we need to use :)

If you double left click on the main IceSword executable it will open the main GUI of the tool. If you look to the left-centre of the box for the button that says File and click it, it will open up the start of a folder tree (a la Windows Explorer, for IceSword). Go to C:\ and then Windows by using the + symbol to expand the folder tree, and then the System32 and Drivers folders. Whilst the Drivers folder is highlighted, look to the right and you will see a scrolling list of files in the Drivers folder; this is where you need to locate ndis.sys and highlight it by clicking on its line.

At this point you need your clean copy of ndis.sys preselected for pasting:

Unzip the file that I send you and copy the ndis.sys file in the decompressed folder by right clicking and selecting Copy.

Go to *My Computer*, navigate to the C:\Windows\System32\Drivers folder and open it. Hold this window open in the background (do not minimise) and bring IceSword to the front by clicking your mouse on it.

At this point IceSword has the patched ndis.sys highlighted, so right click and force delete it; do not reboot, but immediately right mouse click in the Drivers folder window and select Paste.

This, if done correctly (and fast), will replace the patched system file with a clean copy without giving the system or the malware a chance to kick off :wink:

At that point use IceSword *forced delete* on the .nls file on C:\ but do not delete any other files without further instructions :!:

Next up reboot and run another SAS scan. Post back the SAS scan log generated. You will find this located in the SAS main interface: Preference options >>> Statistics/Reports tab.

All the best :)


Awesome! I am clean.

:D

Thank you very much for your help, I was definitely stumped.

A quick question about IceSword: would it be safe to use it to force delete all those old files that, for some reason or other, I get errors on when I try to delete them? Like AOL and Yahoo folders, for example?


IceSword is my app of choice when it comes to killing files that refuse to delete. Keep in mind that legit files that refuse to delete often have residual start points in your registry that prevent deletion.

If you take AutoRuns for a spin first you can often find and terminate that registry start point. On reboot the file will often delete without incident.

AutoRuns : http://www.microsoft.com/technet/sysint ... oruns.mspx

Regardless, IceSword and AutoRuns are both must-have applications for anyone that is between intermediate and expert in terms of technical skills.

I also need a clean ndis file. Do I PM my e-mail to someone?

You're most welcome :D

With regards to *forced delete* in IceSword: it is extremely good at deleting the undeletable but should be used with caution because, first off, it doesn't make backups of what it has deleted should you make an error, and secondly it can delete system files that will cripple your computer if misused.

Which is why I always advise folks not to use it unless you know what you are doing or have been advised.

All the best


Hi everybody, and guess what! I have the same problem with the 1041.nls and I can't erase it permanently. I need a clean copy of ndis.sys but I can't find it over the internet. Can you help me too on this?

Hi everybody, and guess what! I have the same problem with the 1041.nls and I can't erase it permanently. I need a clean copy of ndis.sys but I can't find it over the internet. Can you help me too on this?

Hi drifter and welcome to the SAS forums :)

If you haven't already, I would recommend that you download and run a full system scan with SAS>>>

https://www.superantispyware.com/

You will need a clean copy of ndis.sys; I can supply this if you PM an email address and which OS/service pack you have installed, e.g. WinXP Pro SP2.

You will then need to follow the instructions in this post>>>

https://forums.superantispyware.com/view ... =2881#2881


Thanks for your reply. I understand that you would probably get tired by now trying to answer the same questions so many times!!

My OS is WinXP Home SP2. My email is visible now in my profile.

The symptoms I have are the same as the others, plus I get the blue screen sometimes, especially when I try to run some exe files which install new programs.

Thanks for your reply. I understand that you would probably get tired by now trying to answer the same questions so many times!!

My OS is WinXP Home SP2. My email is visible now in my profile.

The symptoms I have are the same as the others, plus I get the blue screen sometimes, especially when I try to run some exe files which install new programs.

:oops: I missed the profile option; anyhow, catch :)
