Please explain this...

jessica · August 20, 2006, 5:41am

What the heck is this? ??? Has something turned my firewall evil? I have been fighting back and fourth with Microsoft because I am certain that SP2 and PChealth do more than we are told. Thanks, Jessi (I hope the screenshot uploaded).

[attachment deleted by admin]

egemen · August 20, 2006, 8:05am

Hi Jessica,

I dont see anythng wrong there. What exactly is it you are suspicious about? NumZombies is a CPF registry key which is used internally to determine DDOS attacks.

jessica · August 20, 2006, 9:05am

Oh, my bad…I have a really bad report from WinPfind so I figured something got Comodo. I spent forever making rules, didn’t want to loose them. I got infected from 1st boot on fresh XP install to the Update site. The doof at Microsoft would not accept the fact I got redirected and downloaded gawd knows what instead of the 40+ updates from WU. Have screenshots, files, .dll’s ect to send to one of the tech’s when he gets in later this morning. Whatever it is uses Remote Desktop to do it’s nasties so I can pass any antivirus out there. Look in Automation Objects on the ActiveX snap in, thats along the lines of what has been added/manipulated. Ever heard of this???

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 19/08/2006
Time: 10:04:01 AM
User: N/A
Computer: AAWIKI_AB619729
Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at Microsoft Support.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 72 75 6e 64 6c 6c rundll
0018: 33 32 2e 65 78 65 20 35 32.exe 5
0020: 2e 31 2e 32 36 30 30 2e .1.2600.
0028: 32 31 38 30 20 69 6e 20 2180 in
0030: 68 75 6e 67 61 70 70 20 hungapp
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

hang module hungapp, version 0.0.0.0 Never heard of a program made to hang… neither did the guy on the phone at Microsoft huh…

Found this…C:\WINDOWS\system32\mtwcnl32.dll

Like I said I went straight to MS update 1st boot and let Auto Update retrieve files, and then on a cloned copy of the new install I used the custom option. Same result. Did a government wipe on the HDD before install and even flashed the bios before I started.

EricCryptid · August 20, 2006, 9:17am

Hi Jessica,
Goodness that sound bad. I had some problems with HP software that made me have to do a factory reinstall. To get rid of the ActiveX components in Explorer that may be causing problems, dowload “Free Internet Eraser” on the 2nd tab (I think) there’s an option to delete Installed ActiveX Programs. select that along with whatever else you want to remove and then click Clean & ReBoot. See if that fixes the problem for you.

Eric

pandlouk · August 20, 2006, 9:42am

Hi Jessika,

did you have a firewall active before connecting in internet (XP firewall or CPF)?

egemen · August 22, 2006, 7:38pm

jessica post:3:

Oh, my bad…I have a really bad report from WinPfind so I figured something got Comodo. I spent forever making rules, didn’t want to loose them. I got infected from 1st boot on fresh XP install to the Update site. The doof at Microsoft would not accept the fact I got redirected and downloaded gawd knows what instead of the 40+ updates from WU. Have screenshots, files, .dll’s ect to send to one of the tech’s when he gets in later this morning. Whatever it is uses Remote Desktop to do it’s nasties so I can pass any antivirus out there. Look in Automation Objects on the ActiveX snap in, thats along the lines of what has been added/manipulated. Ever heard of this???

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 19/08/2006
Time: 10:04:01 AM
User: N/A
Computer: AAWIKI_AB619729
Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at Microsoft Support.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 72 75 6e 64 6c 6c rundll
0018: 33 32 2e 65 78 65 20 35 32.exe 5
0020: 2e 31 2e 32 36 30 30 2e .1.2600.
0028: 32 31 38 30 20 69 6e 20 2180 in
0030: 68 75 6e 67 61 70 70 20 hungapp
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

hang module hungapp, version 0.0.0.0 Never heard of a program made to hang… neither did the guy on the phone at Microsoft huh…

Found this…C:\WINDOWS\system32\mtwcnl32.dll

Like I said I went straight to MS update 1st boot and let Auto Update retrieve files, and then on a cloned copy of the new install I used the custom option. Same result. Did a government wipe on the HDD before install and even flashed the bios before I started.

If you have received that file from microsoft software updates, then they are distributing a trojan according to the http://info.ahnlab.com/securityinfo/virus_view_eng_new2.jsp?SEQ_NO=4839

But some sites may distribute this by using buffer overflows in internet explorer without your notice. Are you sure you did not surf any site before committing updates?

Egemen