cp1041.nls help

Discussion in 'Malware Help (A Specialist Will Reply)' started by juantuu, May 23, 2007.

  1. juantuu

    juantuu Private E-2

    Hello, like many people here I am posting after researching a problem and having little success. I tried to start at the beginning ("read and run this first") and am having limited success. I seem to be able to access CCleaner and have downloaded GetRunKey and ShowNew. I thought I downloaded Spybot and CounterSpy as well as HijackThis. I booted in safe mode but can't find anything except GetRunKey and ShowNew. I'm guessing that I just don't know how to find them? Prior to doing all this I did try to download SUPERAntiSpyware but the ndis.sys will not let me finish the download and restarts my computer. Any help to get me on track would be greatly appreciated. :)
     
  2. juantuu

    juantuu Private E-2

    Anyone??? I'd just like to know how to properly download CCleaner...
    Thanks
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Two important pieces of information:
    1. You must also install, update and configure the applications as requested in step 4 of the READ ME before you boot into safe mode.
    2. When you boot into safe mode, you need to be logging into the same user account as you were logging into in normal mode. That is the account you are trying to clean. If you log in to a different account, you may not see some of the tools you downloaded and installed, especially if you did not follow our directions and install them where suggested. If you install things, or even just download them, to the Desktop or the documents folders for a particular user account, they will not be available when logged into a different user account.
    You have an infection that infects as many as 4 different Windows system files. ndis.sys is just one of the infected files. We will need to replace it later. But we need you to run all steps of the READ ME and attach the requested logs before we can give you the correct procedure to run.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Posting this message cost you about 15.5 hours of additional waiting time to get an answer. Read the stickies! In particular, this one: Don't Bump! It Only Hurts You!!!
     
  5. juantuu

    juantuu Private E-2

    Hi, thank you for your response. I was wondering, if I save what I have on my hard drive on an external drive, will I infect the external drive? I imagine that you may not be able to say either way until you see how I'm infected.

    I have downloaded everything except Panda. Since I have downloaded and installed BitDefender I can't even connect to the internet anymore, so I haven't been able to download and install it. Everything that I have downloaded seems to slow me down more and more. It seems like McAfee really doesn't like all this new stuff?

    When I ran Spybot, it came up with a MS Windows firewall bypass but that is it. I immunized but do not know where the SDHelper function is. CounterSpy didn't come up with anything but I don't know if it actually finishes because it doesn't scan any cookies; maybe they are all deleted with the previous scans? It doesn't allow me to View > Spyware Scan etc. Is it all downloaded? I am going to run everything again in safe mode and see what I can come up with.

    Thank you
    Eugene
     
    Last edited: May 29, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct! Since I don't know all of your problems, I cannot say for sure. And it also depends on what you plan on copying. The cp1041.nls file is from an infection that does infect one or more Windows system files. I would bet that your ndis.sys file is infected. Also I would bet that you cannot access the internet because of either or both of the below:
    • your LSP chain is broken (this will show in your HJT log)
    • the infected ndis.sys file is causing problems with your connection
    I have fixed more than a dozen of these already, so I know we can fix it. Some are easier than others and it also depends on how good you are at following directions too.

    You should try booting in safe mode to see if you can connect to the internet that way. This sometimes works. Use safe mode with networking!

    Yes some of the new stuff will cause additional slow downs but that is temporary. After we get the malware removed we will be uninstalling certain tools. If you would attach the logs from the below, we can get started:
    • GetRunKey
    • ShowNew
    • HijackThis
    I'm ignoring Bitdefender and Panda since you have problems getting online.
     
  7. juantuu

    juantuu Private E-2

    I was able to connect to the internet again and ran BitDefender. It said it blocked Trojan.Agent.AOJ and I am not infected. It also said that I am infected with C:\windows\system32\x.dll, disinfection failed and the move failed. McAfee reported I'm infected with spam_Xarvester. After running BitDefender I haven't been able to connect to the internet again in safe or regular mode. I was able to generate runkeys.txt and newfiles.txt in safe mode. The internet cannot be connected because of a C:\WINDOWS\system32\shdoclc.dll/dnserror.htm. Any suggestions how I can connect to the internet and show the files to help fix my computer?

    Thank you
    Eugene
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have exactly what I said you would have in message # 6. Until you start following directions, we are not going to get anywhere. I cannot help you if you never get any of the logs we need and that are requested in the READ ME. If you had immediately completed the instructions in message # 6 we could have avoided this problem. You need to get the below program onto the problem PC somehow and run it as requested.

    Now download LSP-Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the x.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move x.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.


    Also tell me everything you see listed in the Keep section and in the Remove section.
     
  9. juantuu

    juantuu Private E-2

    Thank you for your expertise, I realize that your time is valuable and have no desire to waste a second of it. The Keep section has mswsock.dll, winrnr.dll, rsvpsp.dll. I put x.dll in Remove and now it is gone. What is the next step?
     
  10. juantuu

    juantuu Private E-2

    Not sure if this attachment will work?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run ALL of the READ & RUN ME and attach all 6 logs. You only attached two. Also your GetRunKey version is now out of date. Download and use the current version.

    Are you able to connect to the internet after removing the x.dll file? As I suspected, your ndis.sys file is infected.
     
  12. juantuu

    juantuu Private E-2

    I have been able to connect to the internet. I ran CCleaner, Spybot and immunized. I ran CounterSpy and there was nothing found, so there was nothing to attach. I am attaching updated GetRunKey and ShowNew. I also ran HijackThis. I don't have Panda downloaded and didn't run BitDefender because it crashed my connection last time I tried. I know you asked for all 6 attachments but since I had trouble with my internet connection I'm a bit gun-shy. Is this sufficient for now or should I try to download Panda and run BitDefender? Thank you!!!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have the same old version of GetRunKey. You need to download and use the current version as requested in my previous message.

    You have two antivirus programs installed! Why? See step 3 of the READ ME. You must uninstall either McAfee or BitDefender10. Note if you are going to say you installed BitDefender 10 while running the READ ME, we did not ask you to install their antivirus program. We ask you to run an online scanner. Perhaps this explains why you crashed your PC.

    After uninstalling one of the AVs, attach 3 new logs! (Make sure you use the new GetRunKey which is currently version 1.67). Also make sure you do not run ShowNew until you have terminated GetRunKey by closing the notepad popup!

    Do you know how to use a Command Prompt window and do you know how to use DOS type commands to copy, rename and delete files?
     
    Last edited: Jun 10, 2007
  14. juantuu

    juantuu Private E-2

    I have uninstalled BitDefender. I do know how to open the command prompt window but am not familiar with using the commands. When I tried to download GetRunKey from the "read and run me first" section it says it is version 1.64. Where do I get 1.67 from? Thank you.
     
  15. juantuu

    juantuu Private E-2

    I have been successful in getting the proper version of GetRunKey. I hope I have properly attached the requested logs. Sorry about the previous post, but I couldn't edit or delete it once I was able to get the proper version. I hope I have finally followed your instructions correctly so we can make some progress. Thank you for your patience :)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the mwdhf.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move mwdhf.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Download the attached JuanFix.zip file to your Desktop and extract the JuanFix.bat file from it to your Desktop. Then boot into safe mode and make sure you log into your normal user account that is used in normal boot mode (otherwise you will not find the JuanFix.bat file). After booting in safe mode, double click on JuanFix.bat to run it. This will create a log file named c:\FixND.txt

    NOTE: After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Now close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • After reboot Attach the c:\FixND.txt file here. Then continue on to the below instructions!
    • Also attach new logs from ShowNew and HJT
     

    Attached Files:

  17. juantuu

    juantuu Private E-2

    I did all this from safe mode. I'm shutting down for the night. Thank you again for your help.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The JuanFix.bat script did not work. Did you notice any error messages? You should have! I forgot to put another file into the ZIP file to kill processes.

    Also note that while it probably was not the reason for the script not working, I did not ask you to do everything from safe boot mode. You should have started in normal boot mode and run LSP-Fix and then downloaded JuanFix.zip. Then you should have booted into safe mode to run JuanFix.bat. After shutting down your PC, you should have booted back into normal mode and obtained new logs. The logs you posted are not useful since you were not in normal boot mode.

    Download and use this new version of JuanFix.zip. Repeat the procedure for using it and attach new logs from NORMAL boot mode afterwards. You don't need to redo the LSP-Fix part because that particular file may have renamed itself by now.
     

    Attached Files:

  19. juantuu

    juantuu Private E-2

    Let's hope we're on our way now? :) thanks again.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It still did not work! Are you noticing any error messages?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running the procedure in safe boot mode as requested? It will not work if run in normal boot mode.
     
  22. juantuu

    juantuu Private E-2

    Hi, I ran FixND from safe mode and attached it now. I can't remember if I did it in normal mode or safe last night as it was very late. Should I redo ShowNew and HJT again? I know last night that I ran them in normal mode. Thank you!
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, for some reason we are having a problem replacing the infected ndis.sys file with a good copy. This normally works okay when run in safe mode. We are going to have to do this manually from a command prompt window while in safe boot mode. You had better print the below instructions, since you will have to make sure that no browsers are open; also make sure you are disconnected from the internet before you try to do the below steps.

    • boot into safe mode
    • run the JuanFix.bat file
    • open a command prompt window by clicking Start, Run and enter cmd and click OK
    • in the command prompt window enter the below commands one at a time and hit Enter after each command. Make sure you take notes at each command and tell me what happens. I need good feedback here just in case this still does not work. (the text in purple are helpful comments and are not part of the commands you enter)
      • cd c:\windows\system32\drivers <-- there is a space after the cd
      • copy ndis.sys ndis.sys.bad <-- there is a space after the copy and after the first ndis.sys
      • copy C:\WINDOWS\system32\dllcache\ndis.sys ndis.sys <-- there is a space after the copy and after the first ndis.sys
    • now shut down your PC by holding down the power button
    • reboot after 15 seconds and then get a new log from ShowNew and attach it here.
    • Also tell me the results of running the above commands. If you received any error messages be sure to tell me exactly what you received and when.
    If you lose internet access, get a new HJT log and look for lines similar to the below:

    O10 - Unknown file in Winsock LSP: c:\windows\system32\amfzuumautl.dll

    The amfzuumautl.dll file name may have changed. Whatever you see there for a file name will have to be fixed using the LSP-Fix procedure you have previously used, but substitute in this new file name.
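    The O10 check described above, written out as an added example (not code from the thread or from HijackThis): it scans HijackThis-style log lines for "Unknown file in Winsock LSP" entries and flags any DLL that is not in a known-good baseline, so the result is the list of names to move to LSP-Fix's Remove section. The baseline is the Keep list the poster reported earlier (mswsock.dll, winrnr.dll, rsvpsp.dll) and the sample log is constructed; the helper names are mine.

```python
import re
from typing import Dict, List, Optional

# Winsock LSP providers the poster saw in LSP-Fix's Keep section. Any other
# DLL reported on an O10 line is treated as unknown and worth reviewing.
KNOWN_GOOD_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Matches lines such as:
#   O10 - Unknown file in Winsock LSP: c:\windows\system32\amfzuumautl.dll
# 'desc' is the text before the first colon, 'path' is everything after it.
O10_RE = re.compile(r"^O10\s+-\s+(?P<desc>[^:]+):\s+(?P<path>.+?)\s*$", re.IGNORECASE)

# Constructed sample log (not a real HJT log from the thread). It mixes case,
# repeats one entry and includes a non-O10 line to exercise the parser.
SAMPLE_HJT_LOG = """\
Logfile of HijackThis (constructed sample)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\amfzuumautl.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\mswsock.dll
O10 - Unknown file in Winsock LSP: C:\\WINDOWS\\system32\\MWDHF.DLL
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\amfzuumautl.dll
"""


def parse_o10(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line. Returns desc/path/name for an O10 line, else None."""
    match = O10_RE.match(line.strip())
    if match is None:
        return None
    path = match.group("path").strip().strip('"')
    # Normalise to a lowercase basename so case and directory do not matter.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"desc": match.group("desc").strip(), "path": path, "name": name}


def suspicious_lsp(log_text: str) -> List[str]:
    """Return unknown LSP DLL basenames in first-seen order, without duplicates."""
    flagged: List[str] = []
    for line in log_text.splitlines():
        entry = parse_o10(line)
        if entry is None or "unknown file in winsock lsp" not in entry["desc"].lower():
            continue
        if entry["name"] in KNOWN_GOOD_LSP or entry["name"] in flagged:
            continue
        flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for dll in suspicious_lsp(SAMPLE_HJT_LOG):
        print(f"Move to the LSP-Fix Remove section: {dll}")
```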
     
  24. juantuu

    juantuu Private E-2

    I ran JuanFix in safe mode, then opened the command prompt screen and successfully typed in the first command line. The copy ndis.sys line did not work. It said that the process can't access the file because it is being used by another process, 0 files were copied. I tried the next line and it gave me the same message. I then turned off the computer and it opened in safe mode again, and I went to run msconfig and restarted in normal mode. I did a new ShowNew and attached it here. Internet is working so I did not run HJT. Thank you :) I hope we can make some progress.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have all browsers closed and were you disconnected from the internet?

    In the folder where juanfix.bat is installed, tell me what other files you see.
     
  26. juantuu

    juantuu Private E-2

    All browsers were closed and I did not reconnect to the internet until after I was done running ShowNew so I could email the results. JuanFix.zip was directly downloaded onto my desktop and JuanFix.bat extracted to the desktop as instructed. I am not sure of the other files that may show with it? Would you like to know what I have on my desktop? I really do appreciate your help and I hope we can get to the bottom of this. Unfortunately I will be away until next week; until then my computer will sit idly. zzz
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then that is the reason this has not been working all along! You did not extract ALL THE FILES from the ZIP file. The process.exe file that is inside of the zip is not on your Desktop and thus the juanfix.bat file cannot find it and should be giving you error messages. You must extract ALL files from the ZIP and then run it. If you do not see process.exe in the same folder as juanfix.bat, the procedure definitely will not work.
     
  28. juantuu

    juantuu Private E-2

    I connected to the internet and McAfee said that it cleaned cp1041.nls. I have no idea where this leaves me? I have extracted the necessary files and ran JuanFix and it seemed to work fine and had no error messages. I also reran ShowNew and HJT.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you not understanding my instructions about extracting process.exe from the JuanFix.zip file before running JuanFix.bat? I do not see process.exe on your Desktop. The fix will not work until you do this. Also did you run it in safe mode the last time? It must always be run in safe mode. Also you must not attempt to run the JuanFix.bat file from inside of the ZIP file.

    Do you have your Windows XP SP2 bootable CD?
     
  30. juantuu

    juantuu Private E-2

    I did extract process.exe from JuanFix.zip and ran JuanFix.bat in safe mode. Unfortunately I did not run process.exe prior to running JuanFix the last time. This time I ran process.exe then JuanFix in safe mode. I then powered off, started up, then booted in normal. I then ran ShowNew and HJT. I have been running JuanFix and process.exe from the desktop, not the zip. The newfiles is still not showing the process.exe? It is on the desktop and when I checked the properties it says it was accessed at around the same time I ran it and JuanFix? The FixND is the same log as the last one I posted so I'm guessing it is still not working? I do appreciate your help, I'm trying not to be an idiot and waste your time...honest. I'm going to try to download JuanFix.zip again and extract files to see if I can get process.exe to show on the desktop. I did have an XP CD but not too sure how easily I can find it.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, thanks for addressing all of my concerns! Since this is not working for you, and it has worked just like this in about 10 other threads where I have used the same approach, we have no other way to fix this other than using your Windows XP SP2 CD to boot to the recovery console and then replace the file from the command prompt of the recovery console. This should work without a problem since Windows will not be running.

    All I can think of is that something on your PC (even in safe mode) is blocking the change to the ndis.sys file. This could be McAfee. So you have two possible courses.

    1. Uninstall all of McAfee and then retry the fix (always run in safe boot mode) we have been using
    2. Find your Windows XP CD and tell me when you have it. Make sure your PC is set in the BIOS to boot from CD before booting from the harddisk.
     
  32. juantuu

    juantuu Private E-2

    I have downloaded JuanFix again and this time process.exe shows up on ShowNew. Unfortunately the FixND to me does not appear to fix the problem. I'll just attach the logs FYI. I am good with uninstalling McAfee once you confirm that the fix isn't working.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fix seems to have worked. Hang on while I look at the rest of the logs.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do I see BitDefender Antivirus running in your HJT log? You must uninstall this!! Remember step 3 of the READ ME. Uninstall it now while I prepare a fix for remaining issues. OR is this an old log? The date shows it to be old.

    I need a current HJT log!!
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, I think I may have been looking at an old log somehow. Your last HJT log is from June 20th. Working up a fix now.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME


    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the amfzuumautl.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move amfzuumautl.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.

    Repeat the above for mwdhf.dll if seen in LSP-Fix.


    Now run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    I also recommend that you fix the below BigFix process. It is a massive resource hog and does not need to run at boot up. Run it when you need it, which will probably be never.
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  37. juantuu

    juantuu Private E-2

    :) Excellent. I have to go to work in a couple of hours so I am going to bed now and will work on this tomorrow. Should this be done in normal mode?
    Thanks and goodnight.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, in normal boot mode! It would be best if you do not shut down your PC before doing this. So if you are in safe boot mode, don't shut off your PC tonight, just run it from that mode. If you are in normal mode right now, again do not shut off your PC or reboot, just wait until you can run the procedure and reboot where requested.
     
  39. juantuu

    juantuu Private E-2

    After I left my last message last night I shut down the computer. Should I still do the fix now? Thanks
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, give it a try anyway. But after you attach the new logs, do not shut down or reboot until you hear back from me.
     
  41. juantuu

    juantuu Private E-2

    Well, everything went smoothly. I'll attach the logs and see what you can tell me. Computer is running fine. Thank you! :)
     

    Attached Files:

  42. juantuu

    juantuu Private E-2

    Here's the last log.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean!

    Uninstall the CounterSpy trial now!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
