Author Topic: Please help Avast found this trojan file cp1041.nls  (Read 62455 times)


jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #105 on: January 18, 2008, 06:35:25 PM »
File NDISTAPI.SY_ received on 01.18.2008 18:29:41 (CET)
Result: 0/32 (0%)
Additional information
File size: 5329 bytes
MD5: a199a73d962b0f9bde38c9904316fed7
SHA1: c17f9cadf71fa4a1a584f475864bcf923ebbf899
PEiD: -

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #106 on: January 18, 2008, 06:44:02 PM »
File NDISUIO.IN_ received on 01.18.2008 18:36:18 (CET)
Result: 0/32 (0%)
Additional information
File size: 982 bytes
MD5: 85196099ef453a0519fd14addeac9803
SHA1: cdb4aa4e04fef7cca6a893b60b7a252073d1fd23
PEiD: -

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #107 on: January 18, 2008, 06:53:08 PM »
File NDISWAN.SY_ received on 01.18.2008 18:44:57 (CET)
Result: 0/32 (0%)
Additional information
File size: 46262 bytes
MD5: 5e34173a4516ddeb68579ac5eadaefa8
SHA1: adff53dcf77edf21f837c8ab7a66c6a883bc2964
PEiD: -

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #108 on: January 18, 2008, 07:07:33 PM »
File NDPROXY.SY_ received on 01.18.2008 18:54:20 (CET)
Result: 0/31 (0%)
Additional information
File size: 19324 bytes
MD5: d90862b77e4d64db5e03272747c13199
SHA1: 7ec51c892aa55fca727d2b650ae54b48178d1322
PEiD: -

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #109 on: January 18, 2008, 07:16:10 PM »
File NDPTSP.TS_ received on 01.18.2008 19:10:25 (CET)
Result: 0/32 (0%)
Additional information
File size: 25489 bytes
MD5: 2ae0afe9ce0fbccececcffbedfbb6289
SHA1: d1f840d77a1370e707186e4d5ce3890fe07205d0
PEiD: -

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #110 on: January 18, 2008, 07:46:50 PM »
Did you find 1, even a renamed copy in the :/WINDOWS/SYSTEM32/DRIVERS?
I don't think I saw any of these below.  I looked again and did another search. 

C:/Windows/ServicePackFiles/i386
C:/Windows/$NtServicePackUninstall$
C:/Windows/$NtUninstallKB826942$
 
I'll wait for my next instructions.
Thanks!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #111 on: January 18, 2008, 09:58:17 PM »
Hi, those are legit files (the last ones you posted) for that folder. I'm between a rock and a hard place here. I'm certain your existing ndis.sys is infected. I can't find much on a file named ndis(2).sys in the system32. The one in the i386 folder should be compressed. I'll have to get on an XP machine to confirm that. Once we can piece this together we can safely remove the infected one and replace it with a clean copy, moving it to the right folder if necessary.


Can you make these two batch files for me please. They will find all the ndis*.sys files in the windows\system32 and the system32\drivers folders.

Copy and paste the following text into a new notepad

Dir C:\WINDOWS\System32\drivers\ndis*.sys >> ndis.txt
Start ndis.txt


Click file, click save as. Set it to save in Desktop. Name the file (including the  " " marks) "seek.bat"

Click save.

Copy and paste the following text into a new notepad

Dir C:\WINDOWS\System32\ndis*.sys >> ndis1.txt
Start ndis1.txt



Click file, click save as. Set it to save in Desktop. Name the file (including the  " " marks) "seek1.bat"

You should now have two files on your desktop with an icon like the one at the end of this post.

Double click the files and copy and paste the results in your next reply.

Oh, yes, what is the full path to the i386 folder?

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #112 on: January 18, 2008, 10:07:49 PM »
C:\WINDOWS\I386
Is this the path you are looking for?
Here is the first one
 Volume in drive C has no label.
 Volume Serial Number is C8A0-69CB

 Directory of C:\WINDOWS\System32\drivers

08/10/2004  02:00 PM           182,912 ndis(2).sys
04/15/2007  06:03 PM           281,348 ndis.sys
08/10/2004  02:00 PM             9,600 ndistapi.sys
06/21/2005  03:52 AM            14,592 ndisuio.sys
08/10/2004  02:00 PM            91,776 ndiswan.sys
               5 File(s)        580,228 bytes
               0 Dir(s)  172,932,501,504 bytes free
Here is the second one
 Volume in drive C has no label.
 Volume Serial Number is C8A0-69CB

 Directory of C:\WINDOWS\System32
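
An added example (not part of the thread, and not a tool any poster used): the `dir` listing above can be triaged by script. The Python below parses US-locale `dir` output and reports any `name(N).ext` copy that differs in size or date from the file whose name it shadows; the function names are made up for this example, and a mismatch is only a prompt to inspect both files, since sizes and timestamps prove nothing on their own.

```python
import re
from datetime import datetime

# The drivers listing from Reply #112, embedded as sample input.
DIR_OUTPUT = r"""
 Directory of C:\WINDOWS\System32\drivers

08/10/2004  02:00 PM           182,912 ndis(2).sys
04/15/2007  06:03 PM           281,348 ndis.sys
08/10/2004  02:00 PM             9,600 ndistapi.sys
06/21/2005  03:52 AM            14,592 ndisuio.sys
08/10/2004  02:00 PM            91,776 ndiswan.sys
               5 File(s)        580,228 bytes
"""

# One file row of `dir` output: date, 12-hour time, size with commas, name.
ROW = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")
# "ndis(2).sys" -> stem "ndis", ext ".sys" (the usual duplicate-copy naming).
COPY = re.compile(r"^(?P<stem>.+?)\((?P<n>\d+)\)(?P<ext>\.[^.]+)$")


def parse_dir(text):
    """Return {lowercased file name: (modified datetime, size in bytes)}."""
    files = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank, <DIR> or summary line
        date, time, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M %p")
        files[name.lower()] = (stamp, int(size.replace(",", "")))
    return files


def mismatched_copies(files):
    """Pair each 'name(N).ext' with 'name.ext'; report pairs that differ."""
    findings = []
    for name, (stamp, size) in sorted(files.items()):
        m = COPY.match(name)
        if not m:
            continue
        active = m["stem"] + m["ext"]
        if active not in files:
            continue
        a_stamp, a_size = files[active]
        if (a_stamp, a_size) != (stamp, size):
            findings.append({
                "active": active,
                "copy": name,
                "size_delta": a_size - size,    # bytes the active file is larger by
                "active_newer": a_stamp > stamp,
            })
    return findings


if __name__ == "__main__":
    for finding in mismatched_copies(parse_dir(DIR_OUTPUT)):
        print(finding)
```
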

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #113 on: January 18, 2008, 10:35:38 PM »
Yes, perfect. This, I think will be easy.

Please copy and paste the rest of this post into a note pad and save it to your desktop. You will need it because you will be in safe mode.  ;D

Please boot to safe mode.

Once in safe mode, open windows explorer make sure the folder options are set like this:

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files and hide known extensions are not checked.  Click OK.


Then navigate to this folder

C:\WINDOWS\System32\drivers

click on the driver folder, then in the right hand panel locate this file

ndis.sys

please right click the file and choose rename

in the small box that appears over the file name please type ndis.old

left click near the file and confirm that the rename happened.


Now find this file

ndis(2).sys

please right click the file and choose rename

in the small box that appears over the file name please type ndis.sys

left click near the file and confirm that the rename happened.

If everything looks right, close windows explorer and reboot back into normal windows.

Let me know what happens, see you in about 10 minutes.  ;D




jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #114 on: January 18, 2008, 11:24:25 PM »
OK I have done everything from the last post.  So far so good.  I am waiting on the avast to see if it pops up.  Usually it would have popped up by now. 
So now what do I do to get rid of the infected file for good?  Then how do I test to make sure it is gone. 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #115 on: January 18, 2008, 11:32:03 PM »
Good. I bet you miss it like a tooth ache.  ::)

Now we will give the sample to avast and turf the bum.  ;D
 
Please right click the "a" icon, select start avast. Once the interface opens, click on the chest.
 
In the chest, click the users section button and right click in the window on the right and select add.
 
Browse to this file
 
C:\WINDOWS\System32\drivers\ndis.old
 
click add
 
Make sure the file appears in the chest window and right click the file, select Email to alwil
 
copy and paste this text into the box
 
ATTN Maxx
 
infected ndsi.sys
 
http://forum.avast.com/index.php?topic=32733.msg274183#msg274183
 

 
click send.
 
 
 
 
 

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
 
Copy and paste all the text in the quote box below into Notepad.
 
Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
 

Quote
File::
C:\WINDOWS\System32\drivers\ndis.old
 


This will start ComboFix again. Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
 

I'll have to review this entire post, I seem to have forgotten your other problem. Please describe what's happening.

I'm sure the cp1041.nls problem is resolved.

I'm off to work but do the above and get back to me, I'll check when I can sneak away.

Thanks.
 
« Last Edit: January 18, 2008, 11:35:47 PM by oldman »

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #116 on: January 19, 2008, 12:50:03 AM »
Here is the log.  I don't see the file in the C:\WINDOWS\system32\drivers but is it still in the avast chest?  Do I need to delete it out of there?

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #117 on: January 19, 2008, 12:50:51 AM »
I don't think I had another problem....or at least not that I can recall. 

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #118 on: January 19, 2008, 01:14:25 AM »
OK....how is the best way to keep this from happening again.  What are the things I should keep running at all times to protect the computer?  When I start my computer the avast that comes up is the resident protection. I have to right click and click on the start antivirus and it runs a memory test and then I can scan the drives.  Is there a way to set this up to scan say every day/week or do I have to manually do it?  Any other software I need and you can suggest I get or keep to help with virus and spyware?  What would be the best ones to have and to work with avast.
Can I take off or uninstall any of the files we installed on the desktop and the logs?  Here is a list of the things I installed or saved. 
Advance Windows Care
HiJackThis
Combofix
Spyware Doctor
AVG Anti Root
Root Buster
Spyware Blaster
HiJackThis log
Wubofubd3u
Seek.bat
Seek1.bat
ndis.txt
ndis.txt
log.txt
lot2.txt
a file named back ups - I don't know where this one came from probably some how with all these things I have been doing.

Any other suggestions on what to leave on to keep me safe.  Can I take these above off the desktop and still be able to get to it in the all programs?  Do I need to keep the setup files like Wubofubd3u.exe now that I have installed it?  As I mentioned when I started this I am not a computer expert and everything I know I have learned by asking for help. Or by trial and error.  Should I clean out the chest for avast?  delete the items in there?  Should I run a clean up program like window washer and get rid of any temp files etc and then do a system restore after cleaning everything up?  I appreciate all your time and help with this.  You have no idea how much.  Once I get everything set up the way you suggest to keep the computer safe I will be a happy person.  I am sure I will have a few more questions later on tonight.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #119 on: January 19, 2008, 01:16:36 AM »
If you are doing ok, we'll clean up the tools that we used.

You can delete the file from the chest or leave it there. It can't run or be accessed from outside the chest. Normally, I'd suggest to leave it for a while, but in this case, there is no doubt it's infected, so go ahead and delete it. Just open the chest, click the users section button, right click the file and select delete.

Oh, yeah delete this guy, it was created when you booted into safe mode, avast doesn't start when going into safe mode, so you wouldn't get a detection. Then empty your recycle bin.

C:\cp1041.nls


And that's the last you should see of it.

While you are doing that, I'll put together a clean up list. And make some suggestions.