Author Topic: Please help Avast found this trojan file cp1041.nls  (Read 62258 times)

0 Members and 1 Guest are viewing this topic.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #120 on: January 19, 2008, 01:48:15 AM »
To clean up the tools that we used


1.Click start button, click run, copy and paste the line below into the box, click ok

combofix /u



2.Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.

    Then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.


    3.Create a new restore point

    You must be logged on to an administrator account
    Go to Start - All Programs - Accessories - System Tools - System Restore.
    Click Create a restore point, and then click Next.
    In the text box labeled Restore Point Description, type a name for this restore point , click create

    Remove old restore points

    4.- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.



    5.Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

    CleanUp


    6. Update your java

    Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

     You do not have to install the Java Web Start ActiveX Control


    Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

    When the download is complete, Open Control Panel > Add/Remove Programs:

    Uninstall anything that says Sun Java, Java JRE, or similar.

    Close Add/Remove Programs.

    In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

    Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

    Double-click on the saved file to install the update.

    Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.

    Reboot your computer.



    And you may want to look at this:

    7. It looks like you are using windows firewall. It doesn't provide outbound protection. A third party firewall will.

    A discussion on free firewalls can be found here.

    http://forum.avast.com/index.php?topic=30808.0




    Avast will scan your computer as you open files, or files are accessed, this the resident protection. The on demand is when you scan the entire computer. Scheduled scans are not availible in the home version. A full weekly scan should be done.

    The tools clean up will take care of these

    HiJackThis
    Combofix
    HiJackThis log
    Wubofubd3u

    You can delete any notepads, logs that were created.

    Seek.bat
    Seek1.bat
    ndis.txt
    ndis.txt
    log.txt
    lot2.txt

    These are good guys

    Advance Windows Care
    Spyware Doctor
    AVG Anti Root
    Root Buster
    Spyware Blaster

    If you can run Spyware Doctor as resident, I'll give you the link to another one that is a bit more heaveywieght that you can run as an on demand. I also give you my suggested settings.

    Download  superantispyware

    First update SAS Then boot into save mode and set SAS up like this.

    Under Configuration and Preferences, click the Preferences button.
    Then click the Scanning Control tab.

    Under Scanner Options make sure the following are checked
    - CHECK ALL BOXES


    Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
    Under Complete Scan, choose Perform Complete Scan.
    ยท Click Next to start the scan.

    When the scan is done, quarentine everything found . Reboot if asked.


    Do the things in the list,in order, then post back and let me know how things are. I'll be happy to clarify anthing I can and answer your questions






jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #121 on: January 19, 2008, 04:03:35 AM »
Thanks....I'll work on this in the morning when I am fresh.  I am sure I will have some questions!
You are great!
 ;D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #122 on: January 19, 2008, 04:55:39 AM »
You are welcome and your questions are welcome.   ;)  I'll try my best to answer them.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #123 on: January 19, 2008, 05:59:14 AM »
Quote
Then how do I test to make sure it is gone. 

If you did what I posted in the last post on Page 8, then the easiest way to see if it is gone
1. no avast alert
2. c:\cp1041.nls is not present
3. check the size of the C:\WINDOWS\System32\drivers\ndsi.sys file, it should remain about the same size 182,912b  or 178 kb

this of course would be after a reboot.  :)

 


jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #124 on: January 19, 2008, 09:05:54 PM »
I did a search for the cp1041.nls and nothing came up. 
The ndis.sys file is 178 KB
I followed all the directions except for I am not sure what I am doing when it comes to firewalls, how they work, which one to use etc.  I read through the post you told me about and it confused me even more.  I have two other computers in our home that are networked to this computer for the internet and one software program for our vacation rental company, they also share a printer so would installing one of these firewall programs interfer with them being able to access the internet?
I still have the Winpfind3 on my desktop...should I remove it?
I did the spyware doctor last night and it had some problems and supposedly fixed them now when I do a scan it doesn't show anything infected or any threats.
I did turn the on guard protection on of this software on.
Other than that everything seems to be working well.  I'm going to install avast on the other two computers to make sure they are OK too.  I just can't wait, it will be so much fun. 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #125 on: January 19, 2008, 09:59:23 PM »
Glad it's going well. I saw the file in your last combofix log. I'd meant to add it to the comboscript that you last ran. That's why I asked you manually delete it. It was a 0 byte file, perhaps cleanup removed it.

Just check for the presence of the file.

One thing you could also do, is from safe mode, safe a copy of the ndis.sys file to a disk, just in case. this ever happens again. The file you have is the correct file for your windows. If the problem reoccured, you could remove the infected one and replace it with clean. Now you know how.

When you are not using the computer, boot into safe mode and run SAS. Computer off time is a good time to do any of your scans anyway.

Quote
I followed all the directions except for I am not sure what I am doing when it comes to firewalls, how they work, which one to use etc.  I read through the post you told me about and it confused me even more.  I have two other computers in our home that are networked to this computer for the internet and one software program for our vacation rental company, they also share a printer so would installing one of these firewall programs interfer with them being able to access the internet?
 

It will take some setting up, you would have to find a firewall that you liked and check out their forum for setup info. I would suggest checking out the firewall forums and see what you can learn before deciding. Properly configured, printer, file sharing, internet access should be no problem.

Winpfind3 should have went when you ran the OTMOVEIT clean up. It may just be a shortcut. Anyways just delete it.

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #126 on: February 26, 2008, 06:44:38 PM »
Just wanted to thank you again for all the time and knowledge you shared with me.  All is well still and running fine. 
Best wishes.
jbalcorn

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #127 on: February 27, 2008, 01:27:23 AM »
Hi, glad it's working out for you. Thanks for the feed back, it's nice to hear from people that have recieved help on this forum.