Avast has found cp1041.nls - please help!

C:\cp1041.nls
Win32:Trojan-gen. {Other}
Virus/Worm

I booted up my computer this morning and Avast warned me it found this worm/virus. I’ve tried running Spyware Doctor and SUPERAntiSpyware and it has not helped. Here’s a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:23 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\trint\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\trint\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\trint\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


End of file - 8033 bytes

It looks like a false positive… can you send the file to www.virustotal.com and post the result here?

On the other hand, why should a .nls file be in the root of C: drive?

* Presence of the "cp1041.nls" file in the root folder (though name may vary, it has been consistent to date)
* Possible unauthorized outgoing SMTP communications on TCP port 25

http://vil.nai.com/vil/content/v_141857.htm

okpokernet doesn’t have a third party firewall so he can’t check for unusual activity.

Would a rootkit scan be of any use if the malware has a hidden “watchdog”?:

Though no samples have yet been seen to confirm, there are reports of this threat having a "watchdog" capability or parent component, typically via a patch to NDIS.SYS. If this is the case, Spam-Xarvester may be re-created by the patched file after cleaning. In this situation it may be necessary to first restart in Safe Mode and manually replace the patched NDIS.SYS file with a known clean copy of the appropriate version for your operating system and patch level.

ig: oh… you’re right… anyway - the result from VirusTotal would be useful :wink:

Ok this is even more weird. I did a complete search of my system for the cp1041.nls and it’s not found via Search. I checked to make sure that show hidden files/folders was selected and it was. Any ideas?

Hi okpokernet,

I’d look for and remove any rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

Hi okpokernet,

Time to load up gmer and have a scan, you get it here:
http://www.gmer.net/index.php

polonus

I’ve run Panda Antirootkit, Blacklight, AVG Anti-Rootkit, and GMER. All have found nothing. According to them, no rootkits could be found.

Btw, what did you do when avast! detected the malware? Did you instruct it to delete the file, or… ?

I moved the file to chest as recommended by Avast.

Can you send the files from Chest to Alwil for analysis?

Well, if you moved it to Chest, there’s no wonder you can’t find it anywhere on disk :wink:

Hi okpokernet,

This was the malware that avast has put in the chest, where it can do no further harm (like a prisoner in a high security cell):
Summary : Trojan.Spam-RUCrzy.Process

Company : Unknown

Description : Trojan multi-threat spam email generator component

Trojans are programs that can appear to serve a legitimate purpose but actually have an unwanted or harmful effect.

A large segment of trojan programs download other harmful software components to a user’s PC without his/her knowledge.

This application is most likely downloaded and installed by another application that is considered to be adware or spyware.

Threat Level (1-10) : 8

Processes : (varies)
CP1041.NLS

polonus

I sent the last several occurrences as you suggested.

I also noticed there are also several copies of totour.exe in the chest as well.

I knew I was protected. I would just like to have it removed so I stop receiving the Virus Warning notification each time I turn my computer on. :wink:

What are the warnings you are getting (is it also the same as before) ?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

If the file keeps coming back then it isn’t because it is in the chest but because there would appear to be other elements to this infection restoring/downloading it again.

Since you haven’t got a third party firewall as FWF mentioned you have no unauthorised outbound firewall protection to stop malware being downloaded.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.
    See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php later set of results

When I turn my computer on, Avast pops up stating “Warning…A virus has been detected.”

The infected file is C:/cp1041.nls
Type: Malware
Win32:Trojan-gen

While I was in the chest, I noticed that there were just as many cases of totour.exe as there were of cp1041.nls. Totour.exe is located in the C:/Windows/SYSTEM32 and cp1041.nls is just stated as C:

I’ve downloaded Comodo since it was suggested and am quite pleased with it so far.

So long as there are no more recurrences of totour.exe I wouldn’t worry about that for the time being and concentrate on the real issue with cp1041.nls. The .nls file type is (Code Page for) National Language Support, so I assume that you are using some form of language support on your system?

I did some searching and it would seem that this file is restored by ndis.sys file in the windows\system32 folder.
This is in a very long SAS forum topic that is also quite old, http://forums.superantispyware.com/viewtopic.php?=&p=2243.

This is from the same link that FWF gave http://vil.nai.com/vil/content/v_141857.htm

Characteristics -

Only an individual library component has been available for analysis so far. Reports indicate that it is dropped or installed by another piece of malware, typically using the following path and filename:

* C:\cp1041.nls

Multiple variants have been seen, though the file size so far is consistently in the 85-90KB range. Analysis of the variants seen to date indicates they are likely used to generate and/or send email spam from the host system.

Modifications to the LSP stack and patching of the system file NDIS.SYS are reported in conjunction with the presence of Spam-Xarvester. Multiple instances have been cited reporting that the NDIS.SYS file will re-create the file if it is deleted. System instability (random reboots, blue-screen errors, etc.) are also associated with the presence of this threat and the installing malware.

Based on the two links and info above, search your system for NDIS.SYS and upload that to VirusTotal for checking and report the findings.

Also keep your eyes open for emails being sent without your having sent them, avast icon rotating at the same time as the email icon is in the system tray.

I found 5 copies of the file in various folders. The other 4 turned up entirely clean but this one came up different.

NDIS.SYS Location: C:/WINDOWS/SYSTEM32/DRIVERS
0 bytes size received / Se ha recibido un archivo vacio

The other copies were located in
C:/I386
C:/Windows/ServicePackFiles/i386
C:/Windows/$NtServicePackUninstall$
C:/Windows/$NtUninstallKB826942$
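One way to make the NDIS.SYS comparison suggested above repeatable, as an added Python example that is not from this thread or from any of the tools mentioned in it: it hashes the live driver and the cached copies, and reports a 0-byte or unreadable live driver (the condition behind the "empty file received" reply from VirusTotal) as well as whether the live copy matches any cache. The five paths are taken from the poster's list (the file name inside I386 and the $Nt...$ folders is assumed), and the sample tree is constructed so the check runs offline.

```python
import hashlib
import os
import tempfile

# The five ndis.sys locations the poster listed, relative to the drive root; the
# file name inside I386 and the $Nt...$ folders is assumed from that list.
NDIS_COPIES = [
    os.path.join("WINDOWS", "SYSTEM32", "DRIVERS", "ndis.sys"),  # the live driver
    os.path.join("I386", "ndis.sys"),
    os.path.join("WINDOWS", "ServicePackFiles", "i386", "ndis.sys"),
    os.path.join("WINDOWS", "$NtServicePackUninstall$", "ndis.sys"),
    os.path.join("WINDOWS", "$NtUninstallKB826942$", "ndis.sys"),
]

def fingerprint(path):
    """(size, sha256 hex) of a file, or (None, None) if it cannot be read. A 0-byte
    or unreadable live driver is itself a finding (cf. the VirusTotal reply)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None, None
    return len(data), hashlib.sha256(data).hexdigest()

def check_copies(root, rel_paths=NDIS_COPIES):
    """Fingerprint the live driver (rel_paths[0]) and every cached copy. Caches may
    legitimately differ (RTM, service-pack and hotfix builds), so no single baseline
    is assumed; the report says whether the live driver is empty/unreadable and
    whether its hash matches any non-empty cached copy."""
    fps = {rel: fingerprint(os.path.join(root, rel)) for rel in rel_paths}
    live_size, live_hash = fps[rel_paths[0]]
    cached = {h for rel, (size, h) in fps.items() if rel != rel_paths[0] and size}
    return {
        "copies": fps,
        "live_empty_or_unreadable": not live_size,
        "live_matches_cache": live_hash in cached,
        "distinct_cached_hashes": len(cached),
    }

def build_sample_tree(live_empty=True):
    """Constructed sample: four identical cached copies plus a live driver that is
    either empty (as reported in the thread) or a pristine copy."""
    root = tempfile.mkdtemp(prefix="ndis_check_")
    pristine = b"MZ" + b"\x90" * 64 + b"constructed stand-in for a clean ndis.sys"
    for rel in NDIS_COPIES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"" if live_empty and rel == NDIS_COPIES[0] else pristine)
    return root
```

On a real drive, call check_copies with the drive root instead of the sample tree; any hash the live driver does not share with a cache is the one to submit to VirusTotal.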