Can't get rid of Spyware strike [RESOLVED]
MasterJ
post Mar 5 2006, 03:40 PM
Post #16
Please find and delete the following files/folders:

C:\WINDOWS\SYSTEM32\ncompat.tlb
C:\PROGRAM FILES\Security Toolbar
C:\WINDOWS\SYSTEM32\1024
C:\Documents and Settings\user\Desktop\backups\backup-20050718-224541-270.inf

Does McAfee tell you where the ExploitMht.redir.gen is being detected?
peppers
post Mar 5 2006, 07:52 PM
Post #17
I have deleted all of the files you requested except for C\windows\system32\ncompat. I received a prompt indicating that it is in use by another person or program.

I have not received another notification regarding the Exploit.mhtredir file. I'll definitely let you know next time that pops up. However, I received 2 new ones located in C\Quarantine named nvctrl.exe Vir2 & nvctrl.exe Vir3. They are listed as Trojans as well.

I am also receiving what appears to be an automatic update from Windows. Is this safe?
MasterJ
post Mar 5 2006, 07:55 PM
Post #18
Try booting into safe mode and then deleting this file:

C:\windows\system32\ncompat.tlb

======================

Could you zip this file and email a copy to me?

C\windows\system32\89o9e8ea.exe

masterj3000 AT hotmail DOT com (Replace AT with @ and DOT with .)

Open your McAfee antivirus and then empty the quarantine.

MasterJ
peppers
post Mar 5 2006, 08:23 PM
Post #19
Uh-oh. I deleted that file from safe mode and rebooted. It appears that everything is back: the SpywareStrike, the dialer, the nvctrl.exe Vir2 (NewmalwareJ). Should I start over with smitrem, Ad-Aware, ewido, Panda?? Here is the current HJT.

I just e-mailed that file to you.

C\windows\system32\89o9e8ea.exe


Logfile of HijackThis v1.99.1
Scan saved at 9:23:05 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fc77a08cba52ad57cf2f0a10d4723036\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [89o9e8ea] C:\WINDOWS\System32\89o9e8ea.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107991039750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141440535593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

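The HijackThis log above lists the autostart entries (O4), browser helper objects (O2), toolbars (O3) and extra buttons (O9) that helpers in threads like this one read by hand, and the odd one out is the Run value pointing at C:\WINDOWS\System32\89o9e8ea.exe. As an added example, not part of the original thread and not HijackThis code, the Python below parses lines in that log format and applies three crude triage heuristics: a random-looking file name carrying several digits, an executable launched from a temp directory, and a target marked "(file missing)". The sample log is constructed here from six of the thread's own lines plus one O4 line written to mirror the cdljjpmd.exe dialer the poster describes later; the heuristics, flag wording and function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v1.99 log format: six lines copied from the thread's
# log plus one O4 line (cdljjpmd) written here to mirror the dialer the poster describes.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [89o9e8ea] C:\WINDOWS\System32\89o9e8ea.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdljjpmd] C:\WINDOWS\temp\cdljjpmd.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
"""

# First quoted string, else the first drive-letter path ending in a known binary extension.
PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|com|bat|cmd|tlb))\b', re.IGNORECASE)
# O4 names come from a Run value ("[name]") or a startup-folder shortcut ("name.lnk =").
O4_NAME_RE = re.compile(
    r'^O4 - (?:HK\w+\\\.\.\\Run\w*: \[(?P<val>[^\]]*)\]|Global Startup: (?P<lnk>[^=]+?)\s*=)')
# Other O-lines read "Oxx - Kind: Name - ...".
OTHER_NAME_RE = re.compile(r'^O\d+ - [^:]+: (?P<n>.+?) - ')
LINE_RE = re.compile(r'^(R\d|F\d|O\d+) - ')
TEMP_DIRS = ('\\temp\\', '\\locals~1\\temp', '\\local settings\\temp')


@dataclass
class Entry:
    code: str                 # HijackThis section code, e.g. "O4"
    name: str                 # Run value name / toolbar name / BHO name ('' if none)
    path: str                 # binary the entry points at ('' if the line has none)
    raw: str                  # the original log line
    flags: List[str] = field(default_factory=list)   # triage findings (assumed wording)


def extract_path(line: str) -> str:
    """Return the binary path referenced by a log line, or '' when there is none."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)).strip() if m else ''


def looks_random(stem: str) -> bool:
    """Crude triage heuristic: 6-12 lowercase letters/digits with at least three digits.
    Catches names like 89o9e8ea; leaves SAgent2, msmsgs or E_S10IC2 alone."""
    s = stem.lower()
    return (bool(re.fullmatch(r'[a-z0-9]{6,12}', s))
            and sum(c.isdigit() for c in s) >= 3
            and any(c.isalpha() for c in s))


def assess(entry: Entry) -> Entry:
    """Attach triage flags to an entry; an empty flag list means nothing stood out."""
    low = entry.path.lower()
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0] if low else ''
    if stem and looks_random(stem):
        entry.flags.append('random-looking file name')
    if any(marker in low for marker in TEMP_DIRS):
        entry.flags.append('runs from a temp directory')
    if '(file missing)' in entry.raw:
        entry.flags.append('target file missing')
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every R/F/O line of a HijackThis log into an assessed Entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, process list, blank line
        code = m.group(1)
        name = ''
        nm = O4_NAME_RE.match(line) if code == 'O4' else OTHER_NAME_RE.match(line)
        if nm:
            name = (nm.group('val') or nm.group('lnk') or '') if code == 'O4' else nm.group('n')
        entries.append(assess(Entry(code, name, extract_path(line), line)))
    return entries


def suspicious(text: str) -> List[Entry]:
    """Only the entries that picked up at least one triage flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == '__main__':
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.code} [{e.name}] {e.path or e.raw}: {', '.join(e.flags)}")
```

Run against the constructed sample it reports the 89o9e8ea Run value, the temp-directory dialer line and the missing Comcast button, and nothing else. The SecurityToolbar entry that Panda later names is not flagged by any of the three rules because its name reads like a word, which is exactly why helpers in these threads also compare CLSIDs and file names against known-adware lists rather than relying on name shape alone.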
MasterJ
post Mar 5 2006, 08:28 PM
Post #20
Go ahead and try those scans again. Nothing reappeared in your log though.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Could you check to make sure you sent 89o9e8ea.exe. I received 89o9e8ea.ini.
peppers
post Mar 5 2006, 08:49 PM
Post #21
I followed your instructions and there is only one named 89o9e8ea. Bummer. Any ideas?
MasterJ
post Mar 5 2006, 09:06 PM
Post #22
Don't worry about that file then. It seems fine.

You said that everything is back. Could you explain exactly what symptoms you have?

This post has been edited by MasterJ: Mar 5 2006, 09:06 PM
peppers
post Mar 6 2006, 05:11 PM
Post #23
Ok, here's pretty much what happens when I turn on the computer. After a couple minutes, without even touching anything, the McAfee will notify me with the following:

id23DA.temp C\windows\system32\1024 deleted-Spyware strike.


About one minute later, another will be added:

cdljjpmd.exe C\windows\temp dialer program-move failed.


Shortly after, a new prompt(16 bit MS-DOS-subsystem) will appear in the middle of my screen:

C\docume~1\user\locals~1\temp\h91746.exe
The ntvdm cpu has encountered an illegal instruction. Cs:0d9c IP: 63 68 65 2f 31
I can either close or ignore this one.

When I log on to IE, I have the extra security tool bar.


About 25 minutes later, I'll receive another addition to the Mcafee:

idCC7.tmp C\Windows\system32\1024


One minute later:

ncnkaomd .exe C\documents and settings\user\local settings\temp dialer program-move failed


This whole cycle will continue to add and repeat. Sometimes the following will be added:

nvctrl.exe Vir2 and nvctrlVir 3 in C\quarantine under new trojanj with a user id of Bob-R7KE08LQ7BH and client ID 0(BOB-R7KE08LQ7BH)


I don't know who Bob is, but I have a few other names for him.

I haven't done anything since. I thought it would be best for you to see the exact symptoms first. Let me know what you think and thanks for all of your help.
MasterJ
post Mar 6 2006, 05:46 PM
Post #24
Let's try this.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run another scan with panda and post the results here.

MasterJ
peppers
post Mar 6 2006, 07:24 PM
Post #25

The ATF cleaner removed 13,786,136 bytes.

Here's the Panda results.

Incident                         Status            Location

Adware:adware/securityerror      Not disinfected   C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securitytoolbar    Not disinfected   C:\PROGRAM FILES\Security Toolbar
Adware:adware/spywarestrike      Not disinfected   C:\WINDOWS\SYSTEM32\1024
Adware:adware/megasearch         Not disinfected   Windows Registry
MasterJ
post Mar 6 2006, 07:35 PM
Post #26

Is there a file in the system32 folder named msvol.tlb?
peppers
post Mar 6 2006, 08:10 PM
Post #27

I unchecked the hidden files and hide protected files and I couldn't find msvol.tlb.
MasterJ
post Mar 6 2006, 08:54 PM
Post #28

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

MasterJ
peppers
post Mar 6 2006, 09:05 PM
Post #29

Sorry to be a pest. Should I run the custom or typical?
MasterJ
post Mar 6 2006, 09:09 PM
Post #30

Typical