Solved Internet not running right...

Discussion in 'Malware and Virus Removal Archive' started by Ingeniero1, 2007/07/19.

  1. 2007/07/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Alex
    No not yet.
    Do a scan only with HJT and try to fix these two entries,

    O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
    O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll


    Then reboot, run HJT again and post a new log.
    Please leave the header in the log.

    Thanks
    Geri
     
  2. 2007/07/31
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    ================ HJT =====================
    Logfile of HijackThis v1.99.1
    Scan saved at 11:35:38 PM, on 7/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\HIJACK\Killer.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
    O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    ===================================================

    Still there....

    I have a different problem now; perhaps related to Avenger not running properly?

    Problem: I installed AVG and all applications appeared to run OK. Then I installed Comodo firewall, and everything has slowed down.
    MAIN PROBLEM: Outlook Express, which used to take a couple of seconds to check my three email accounts, now takes minutes or does not connect at all. I have not been able to receive (check) my emails all evening.

    Should I uninstall Comodo? Could it be causing the problem with Avenger?

    Thanks
    Alex
     

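The two entries Geri points at load the same DLL from two different places: an O2 browser helper object and an O20 Winlogon Notify handler. As an added example, not code from the thread or from HijackThis, this Python parser reads O2/O20 lines from an HJT log and flags any DLL registered under more than one load point; the sample lines are constructed from the log above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# O2 lines look like:  O2 - BHO: <name> - {<CLSID>} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$"
)
# O20 lines look like: O20 - Winlogon Notify: <registry subkey> - <dll path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)\s*$")


def normalize_path(path):
    """HJT prints paths as the registry stores them, so the same file can appear as
    c:\\windows\\system32\\x.dll and C:\\WINDOWS\\SYSTEM32\\x.dll. NTFS paths are
    case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def parse_hjt(text):
    """Return the O2 and O20 entries of an HJT log as dicts (other sections are skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                            "path": normalize_path(m["path"]), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["name"], "clsid": None,
                            "path": normalize_path(m["path"]), "line": line})
    return entries


def find_multi_loadpoint_dlls(entries):
    """Group entries by DLL and report every DLL that is registered under more than one
    load point (e.g. both as a BHO and as a Winlogon Notify handler). A legitimate
    component rarely needs both; malware uses the second as a fallback persistence."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e)
    findings = []
    for path, group in by_path.items():
        sections = sorted({e["section"] for e in group}, key=lambda s: int(s[1:]))
        if len(sections) > 1:
            findings.append({"path": path, "load_points": sections,
                             "lines": [e["line"] for e in group]})
    return findings


if __name__ == "__main__":
    for f in find_multi_loadpoint_dlls(parse_hjt(SAMPLE_HJT_LOG)):
        print(f["path"], "->", ", ".join(f["load_points"]))
        for line in f["lines"]:
            print("   fix:", line)
```

The printed "fix:" lines are exactly the two entries a helper would tick in HJT; the toolbar and service lines are left alone because they each appear under one load point only.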
  4. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry for butting in again Geri ;)

    Alex,

    Geri's first Avenger script did not contain the colon after Files to delete.

    Mine did.

    I just want to make sure when you tried to run it again that the colon was present. ???

    While I'm here, did you reboot after installing Comodo? If not, do so and see if your access times are back to normal.
     
  5. 2007/08/01
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Dave, (& Geri)
    2) Yes, I rebooted after installing Comodo, and many, many times after that. Interestingly, Outlook Xprs appears to be running OK now. Go figure!

    1) Correct - the Avenger instruction needed the colon. It ran fine, but, it couldn't find the file!
    ============== Avenger ======================
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\cpjnulxa
    *******************
    Script file located at: \??\C:\WINDOWS\system32\hynsfvnv.txt
    Script file opened successfully.
    Script file read successfully
    Backups directory opened successfully at C:\Avenger
    *******************
    Beginning to process script file:
    Could not open file C:\WINDOWS\SYSTEM32\mbpimbp.dll for deletion
    Deletion of file C:\WINDOWS\SYSTEM32\mbpimbp.dll failed!
    Could not process line:
    C:\WINDOWS\SYSTEM32\mbpimbp.dll
    Status: 0xc0000022
    Completed script processing.
    *******************
    Finished! Terminate.
    ===========================================

    HJT log immediately after running Avenger
    ==================== HJT =========================
    Logfile of HijackThis v1.99.1
    Scan saved at 5:24:51 PM, on 8/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HIJACK\Killer.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
    O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    =============================================

    How can WinExplr list it, and HJT find it, but not Avenger?
    BTW, the mbpimbp.dll file properties state its creation on 27 July, and last accessed today.

    Thanks!

    Alex
     
  6. 2007/08/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hey Dave
    No problem, this may just need your expertise to fix this. :)

    Hi Alex
    OK I have another tool I'd like you to try.

    Download and Run OTMoveIt
    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    After this if the machine did not reboot, please do so and post a new HJT log.

    If this doesn't work I'll talk to Dave and see if he can work something up.

    Thanks
    Geri
     
  7. 2007/08/02
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Geri, (& Dave)
    I tried that twice, but it did not work.

    The first time I left checked "[ ] Unregistered Dll's.." and it gave me an error and did not find the file.

    The second time I removed the check "[ ] Unregistered Dll's.. ", and it did not give me an error, and on the right hand side the results said:

    "File move failed. C:\WINDOWS\SYSTEM32\mbpimbp.dll scheduled to be moved on reboot.
    Created on 08/02/2007 20:53:03 "

    I rebooted and ran HJT (below)

    That file must be stuck there with super glue. Maybe we have to remove it under protected mode? (I haven't had to do that in so long that I am not sure I remember how to do it.)

    BTW, I will not be able to work on my computer after tonight until Monday night, so if I do not respond to your suggestions right away, it does not mean that I am not interested; I'll get back as soon as I can.

    Thanks

    Alex
    ========================= HJT ====================
    Logfile of HijackThis v1.99.1
    Scan saved at 9:00:14 PM, on 8/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\HIJACK\Killer.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A8B89759-2E40-4963-AD90-8BDDBA7A267F} - c:\windows\system32\mbpimbp.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
    O20 - Winlogon Notify: sxkmkffj - C:\WINDOWS\SYSTEM32\mbpimbp.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    ===================================================
     
  8. 2007/08/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I think this might be a permissions problem.

    If you have XP Pro, open any explorer window and click Tools>Folder Options>View tab. Scroll to the bottom and uncheck 'use simple file sharing'. OK out. If you have XP Home, just logon in safe mode. Then .......

    Right click the mbpimbp.dll file and select properties. Click the Security tab. Is your username listed? If so, click on it and check the lower pane and make sure you have full control. If not listed, click Advanced. On the Owner tab, select your name and click Apply. Click OK and OK to exit the properties page. Now select properties again, Security tab, then click Add. Type your username then click Check names. Your username/machine name should now be present. Click OK. Now click your username in the upper pane, then check Full control in the lower pane. Apply and OK out.

    See if you can delete the file.

    If successful, scan with HijackThis and fix those two entries. reboot and do another scan.
     
  9. 2007/08/02
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Dave,
    I will try that at another time - it's too late now.

    However, I just tried to check my emails, and Outlook X is not working again - it can't connect! I never had that problem before - -

    Is it OK to just uninstall Comodo?
    Thanks
    Alex
     
  10. 2007/08/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Certainly. Might want to give Zone Alarm Free a try. A good firewall is important to have.

    See you on Mon, or at your earliest convenience. :)
     
  11. 2007/08/07
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    See interspersed answers:

    Sorry...
    Alex
     
  12. 2007/08/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's make sure we haven't missed something before continuing.

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop. If you already have ComboFix, delete it and get an updated version.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
     
  13. 2007/08/09
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Dave -

    That ComboFix is some program!

    DONE!!!!

    ================ ComboFix Log ===================
    ComboFix 07-08-09.3 - "Alex" 2007-08-09 19:38:38.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -5:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\Alex\APPLIC~1\Microsoft\60787.dat
    C:\DOCUME~1\Alex\Desktop.\internet explorer.lnk
    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\WINDOWS\system32\drivers\bxqndehm.sys
    C:\WINDOWS\system32\mbpimbp.dll
    C:\WINDOWS\system32\RunOnce3.t__
    C:\WINDOWS\system32\RunOnce3.tm_
    C:\WINDOWS\system32\tmp6.tmp.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_RRLRKWJI
    -------\LEGACY_XJKYIVUR
    -------\rrlrkwji
    -------\xjkyivur


    ((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


    2007-08-09 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-29 22:45 <DIR> d-------- C:\Temp CD Copy
    2007-07-29 10:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-29 10:53 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Comodo
    2007-07-29 10:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-07-29 10:51 <DIR> d-------- C:\Program Files\Comodo


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-09 17:15 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\U3
    2007-07-22 16:37 121856 --a------ C:\WINDOWS\system32\ntdabzqb.dll
    2007-07-16 19:37 359040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-07-16 19:37 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-07-05 05:20 42496 --a------ C:\WINDOWS\system32\hecekvgs.dll
    2007-06-24 10:07 --------- d-------- C:\Program Files\IMGSTAR2
    2007-06-03 17:51 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-06-03 17:51 147729 --a------ C:\WINDOWS\system32\libssl32.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant "= "C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-26 17:30]
    "COMODO Firewall Pro "= "C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-29 10:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]
    "The Rush Limbaugh Show "= "C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe" [2006-01-23 12:56]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-08-26 11:37:50]

    R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ac2ed56-bbbf-11db-aa24-000bcd980db4}]
    AutoRun\command- F:\LaunchU3.exe -a


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-09 19:42:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-09 19:44:07 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-09 19:43

    --- E O F ---
    ====================================================

    =================== HJT =============================
    Logfile of HijackThis v1.99.1
    Scan saved at 8:03:20 PM, on 8/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HIJACK\Killer.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://206.80.72.3/SysCamInst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    ======================================================

    Maybe this is it????

    THANKS!

    Alex
     
  14. 2007/08/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, ComboFix is quite powerful. ;)

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\hecekvgs.dll
    C:\WINDOWS\system32\ntdabzqb.dll
    
    FileLook::
    C:\WINDOWS\system32\dllcache\tcpip.sys
    C:\WINDOWS\system32\drivers\tcpip.sys
    
    DirLook::
    C:\WINDOWS\system32\LogFiles
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.
     
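noahdfear's CFScript above picks the randomly named DLLs out of the ComboFix Find3M report for File:: and the two copies of tcpip.sys for FileLook::. As an added example (not ComboFix's or the poster's code), this Python snippet parses Find3M lines and applies that triage to build the same script; the allowlist, the watch list and the "7-8 lowercase letters in system32" naming rule are heuristics I assume here, and the sample lines are constructed from the log posted above.

```python
import re

# Constructed sample: the Find3M report lines from the ComboFix log posted above.
SAMPLE_FIND3M = r"""
2007-08-09 17:15 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\U3
2007-07-22 16:37 121856 --a------ C:\WINDOWS\system32\ntdabzqb.dll
2007-07-16 19:37 359040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-07-16 19:37 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-05 05:20 42496 --a------ C:\WINDOWS\system32\hecekvgs.dll
2007-06-24 10:07 --------- d-------- C:\Program Files\IMGSTAR2
2007-06-03 17:51 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-03 17:51 147729 --a------ C:\WINDOWS\system32\libssl32.dll
"""

# Find3M line layout: <date> <time> <size or dashes> <9 attribute flags> <path>
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-zA-Z]{9}) (?P<path>.+?)\s*$"
)

SYSTEM32 = r"c:\windows\system32"
RANDOM_STEM_RE = re.compile(r"^[a-z]{7,8}$")      # heuristic: e.g. hecekvgs, ntdabzqb
KNOWN_GOOD_STEMS = {"libeay32", "libssl32"}       # assumed allowlist (OpenSSL DLLs)
WATCH_NAMES = {"tcpip.sys"}                       # system files worth a FileLook::


def parse_find3m(text):
    """Return one dict per Find3M line; blank or unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["is_dir"] = d["attrs"].startswith("d")
            entries.append(d)
    return entries


def triage(entries):
    """Split entries into (paths to delete via File::, paths to inspect via FileLook::).
    Delete: a .dll/.sys directly in system32 whose stem is 7-8 random-looking lowercase
    letters and not on the allowlist. Look: any file whose name is on the watch list."""
    delete, look = [], []
    for e in entries:
        if e["is_dir"]:
            continue
        parent, _, basename = e["path"].rpartition("\\")
        stem, _, ext = basename.lower().rpartition(".")
        if basename.lower() in WATCH_NAMES:
            look.append(e["path"])
        elif (parent.lower() == SYSTEM32 and ext in {"dll", "sys"}
              and RANDOM_STEM_RE.match(stem) and stem not in KNOWN_GOOD_STEMS):
            delete.append(e["path"])
    return sorted(delete), sorted(look)


def build_cfscript(delete, look):
    """Render the ComboFix script format used in the post: a File:: block followed by
    a FileLook:: block, one path per line."""
    lines = ["File::", *delete, "", "FileLook::", *look]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    to_delete, to_look = triage(parse_find3m(SAMPLE_FIND3M))
    print(build_cfscript(to_delete, to_look))
```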
  15. 2007/08/10
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    OK, done.
    =================== ComboFix Log ====================
    ComboFix 07-08-09.3 - "Alex" 2007-08-10 20:24:20.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
    Command switches used :: C:\Documents and Settings\Alex\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\hecekvgs.dll
    C:\WINDOWS\system32\ntdabzqb.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\hecekvgs.dll
    C:\WINDOWS\system32\ntdabzqb.dll


    ((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


    2007-08-09 19:37 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-29 22:45 <DIR> d-------- C:\Temp CD Copy
    2007-07-29 10:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-07-29 10:53 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Comodo
    2007-07-29 10:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-07-29 10:51 <DIR> d-------- C:\Program Files\Comodo


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-09 17:15 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\U3
    2007-07-16 19:37 359040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-07-16 19:37 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-06-24 10:07 --------- d-------- C:\Program Files\IMGSTAR2
    2007-06-03 17:51 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-06-03 17:51 147729 --a------ C:\WINDOWS\system32\libssl32.dll


    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    ---- C:\WINDOWS\system32\dllcache\tcpip.sys ----

    Company: Microsoft Corporation
    File Description: TCP/IP Protocol Driver
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Product Name: Microsoftr Windowsr Operating System
    Copyright: c Microsoft Corporation. All rights reserved.
    Original file name: tcpip.sys

    ---- C:\WINDOWS\system32\drivers\tcpip.sys ----

    Company: Microsoft Corporation
    File Description: TCP/IP Protocol Driver
    File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Product Name: Microsoftr Windowsr Operating System
    Copyright: c Microsoft Corporation. All rights reserved.
    Original file name: tcpip.sys

    ---- Directory of C:\WINDOWS\system32\LogFiles ----

    2007-07-29 10:52 317 --a------ C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-26 17:30]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-29 10:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]
    "The Rush Limbaugh Show"="C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe" [2006-01-23 12:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-08-26 11:37:50]

    R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ac2ed56-bbbf-11db-aa24-000bcd980db4}]
    AutoRun\command- F:\LaunchU3.exe -a


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-10 20:26:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-10 20:27:15 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-10 20:27
    C:\ComboFix2.txt ... 2007-08-09 19:44

    --- E O F ---
    ===========================================

    Thanks

    Alex
     
  16. 2007/08/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. I am suspicious of a couple of files though.

    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\WINDOWS\system32\dllcache\tcpip.sys
    C:\WINDOWS\system32\drivers\tcpip.sys
    C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log

    Then, submit them at Jotti.
    Wait for each to complete the analysis and post the results here.

    Thanks!
     
  17. 2007/08/12
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Dave,
    See below:
     
  18. 2007/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I got the files. Thanks! :)

    I haven't had time to do any analysis on the tcpip.sys files yet, but your ComboFix logs show that they were recently modified. I wouldn't be suspicious of that if they were of a different size and version, suggesting that you had installed the patched versions from Microsoft, which I recommend you do now, just to be on the safe side. So you know why they raise suspicion: there are infections that modify the tcpip.sys file(s) to raise the maximum number of connections. Many p2p programs do this to allow more connections to remote clients. Malware does it for the same reason, except that the data intended for transfer is different. Some malware has been known to increase the maximum from the default of 10 to 155,000. :eek: At any rate, the patched versions referenced above address a vulnerability in tcpip.sys.

    The LogFiles folder and its contents suggest that you are using IIS error logging. Are you using IIS?
    http://www.google.com/search?num=20&hl=en&newwindow=1&safe=off&q=IIS+++XP

    Since the rest of your log looks good, let's do some cleanup.

    Delete all of the following tools we have used, and the files/folders they created.

    C:\avenger
    C:\!Killbox
    C:\QOOBOX
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe
    vundofix.exe
    combofix.exe
    avenger.exe
    all combofix and vundofix logs and scripts

    (did I miss any?)

    Then:

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.

    Finally, let's make sure we haven't missed anything. Go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When the download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HJT log.

    Let us know how your computer is performing.
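As an added defender's check (example code, not something posted in the thread or part of the tools it uses), this PowerShell gathers the size, version, SHA-256 and Authenticode status of the two tcpip.sys copies discussed above; the paths are the ones from the log, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the thread. Compares the dllcache and drivers copies of
# tcpip.sys that the ComboFix log listed and reports whether each still matches a
# signed Microsoft build (embedded or catalog signature, as checked by
# Get-AuthenticodeSignature). Assumes PowerShell 4.0+ for Get-FileHash.
$Paths = @(
    "$env:SystemRoot\system32\dllcache\tcpip.sys",
    "$env:SystemRoot\system32\drivers\tcpip.sys"
)

function Get-DriverFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Size        = $item.Length
        LastWrite   = $item.LastWriteTime
        FileVersion = $item.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
    }
}

$facts = foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Get-DriverFacts -Path $p }
    else { Write-Warning "Not present: $p" }
}
$facts | Format-List

# A patched driver usually keeps its version string (both copies in the log
# report 5.1.2600.2180) while the bytes, and so the signature, no longer match.
foreach ($f in $facts) {
    if ($f.SigStatus -ne 'Valid') {
        Write-Warning ("{0}: Authenticode status {1}; contents do not match a signed Microsoft build" -f $f.Path, $f.SigStatus)
    }
}
if ($facts.Count -eq 2 -and $facts[0].SHA256 -ne $facts[1].SHA256) {
    Write-Warning 'dllcache and drivers copies differ; one of them has been altered or replaced'
}
```

A size or version that differs from the other copy is only informative next to the signature status: a file that Microsoft updated will still verify as Valid, whereas an in-place modification of the same version will not.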
     
