Can't get rid of Spyware strike [RESOLVED]


This topic is locked

#16 MasterJ (Visiting Staff, 1,623 posts)
Please find and delete the following files/folders:

C:\WINDOWS\SYSTEM32\ncompat.tlb
C:\PROGRAM FILES\Security Toolbar
C:\WINDOWS\SYSTEM32\1024
C:\Documents and Settings\user\Desktop\backups\backup-20050718-224541-270.inf

Does McAfee tell you where the ExploitMht.redir.gen is being detected?
  • 0

#17 peppers (Topic Starter, 21 posts)
I have deleted all of the files you requested except for C\windows\system32\ncompat. I received a prompt indicating that it is in use by another person or program.

I have not received another notification regarding the Exploit.mhtredir file. I'll definitely let you know next time that pops up. However, I received 2 new ones located in C\Quarantine named nvctrl.exe Vir2 & nvctrl.exe Vir3. They are listed as Trojans as well.

I am also receiving what appears to be an automatic update from Windows. Is this safe?
  • 0

#18 MasterJ (Visiting Staff, 1,623 posts)
Try booting into safe mode and then deleting this file:

C:\windows\system32\ncompat.tlb

======================

Could you zip this file and email a copy to me?

C\windows\system32\89o9e8ea.exe

masterj3000 AT hotmail DOT com (Replace AT with @ and DOT with .)

Open your McAfee antivirus and then empty the quarantine.

MasterJ :tazz:
  • 0

#19 peppers (Topic Starter, 21 posts)
Uh-oh. I deleted that file from safe mode and rebooted. It appears that everything is back: the SpywareStrike, the dialer, the nvctrl.exe Vir2 (NewmalwareJ). Should I start over with smitrem, Ad-Aware, ewido, Panda? Here is the current HJT.

I just e-mailed that file to you.

C\windows\system32\89o9e8ea.exe


Logfile of HijackThis v1.99.1
Scan saved at 9:23:05 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fc77a08cba52ad57cf2f0a10d4723036\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [89o9e8ea] C:\WINDOWS\System32\89o9e8ea.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107991039750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141440535593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  • 0
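A HijackThis log like the one above is read by hand in this thread, but the same triage can be scripted. The following is an added example (not HijackThis code, not the Geeks to Go fix procedure, and the heuristics are my own): it parses the `R0`/`O2`/`O3`/`O4`/`O9` lines, pulls the first file path off each, and flags entries that (a) sit under a path another scanner already reported (the three paths MasterJ listed in post #16), (b) have a random-looking eight-character name under `C:\WINDOWS`, or (c) are dead `(file missing)` buttons. The sample lines are copied from the log above; everything else (function names, the `looks_random` rule) is an assumption of this example.

```python
"""Added example: triage a HijackThis (HJT) log such as the one posted above.
Not HijackThis code and not the thread's own procedure; the heuristics are
the example author's and they flag entries for a human to look at, not verdicts."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# First Windows path on the line that ends in a loadable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|tlb|scr|com)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # HJT section, e.g. "O4"
    body: str            # text after "O4 - "
    path: Optional[str]  # first file path found on the line, if any


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn the 'R0 - ...' / 'O4 - ...' lines of a log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kind, body = m.groups()
            pm = PATH_RE.search(body)
            entries.append(Entry(kind, body, pm.group(0) if pm else None))
    return entries


def looks_random(stem: str) -> bool:
    """Eight lower-case alphanumerics with at least two digits, e.g. '89o9e8ea'.
    Legitimate Windows binaries rarely have such names; droppers often do.
    (Heuristic chosen for this example, not an HJT rule.)"""
    s = stem.lower()
    return bool(re.fullmatch(r"[a-z0-9]{8}", s)) and sum(c.isdigit() for c in s) >= 2


def triage(entries: List[Entry], scanner_paths=()) -> List[Finding]:
    """scanner_paths: paths another scanner already reported. Any autostart or
    toolbar entry under one of them shows the infection is still wired in."""
    prefixes = tuple(p.lower() for p in scanner_paths)
    findings = []
    for e in entries:
        reasons = []
        if e.path:
            low = e.path.lower()
            if prefixes and low.startswith(prefixes):
                reasons.append("path reported by another scanner")
            if (e.kind in ("O2", "O3", "O4") and low.startswith("c:\\windows\\")
                    and looks_random(PureWindowsPath(e.path).stem)):
                reasons.append("random-looking filename under C:\\WINDOWS")
        if e.kind == "O9" and "(file missing)" in e.body:
            reasons.append("dead entry (file missing): harmless, clean up")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Lines copied from the HJT log in the post above (not constructed).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\\Program Files\\Security Toolbar\\Security Toolbar.dll
O4 - HKLM\\..\\Run: [ShStatEXE] "C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE" /STANDALONE
O4 - HKLM\\..\\Run: [89o9e8ea] C:\\WINDOWS\\System32\\89o9e8ea.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
"""
# The paths MasterJ asked to have deleted in post #16.
SCANNER_PATHS = (r"C:\WINDOWS\SYSTEM32\ncompat.tlb", r"C:\PROGRAM FILES\Security Toolbar",
                 r"C:\WINDOWS\SYSTEM32\1024")


def report(text: str = SAMPLE_LOG, scanner_paths=SCANNER_PATHS) -> dict:
    """Map each flagged path (lower-cased; the entry body if no path) to its reasons."""
    return {(f.entry.path or f.entry.body).lower(): f.reasons
            for f in triage(parse_hjt(text), scanner_paths)}


if __name__ == "__main__":
    for path, reasons in report().items():
        print(path, "->", "; ".join(reasons))
```

Run against the log above it flags the `[89o9e8ea]` Run entry and the Security Toolbar `O3` line, while the McAfee `SHSTAT.EXE` entry and the stock `msdxm.ocx` Radio toolbar pass untouched; the `O9` Comcast buttons come out as dead entries. The point for a responder is that the `O4` line is an autostart: as long as it exists, deleting the payload folders only buys time until the next reboot.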

#20 MasterJ (Visiting Staff, 1,623 posts)
Go ahead and try those scans again. Nothing reappeared in your log though.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Could you check to make sure you sent 89o9e8ea.exe? I received 89o9e8ea.ini.
  • 0

#21 peppers (Topic Starter, 21 posts)
I followed your instructions and there is only one named 89o9e8ea. Bummer. Any ideas?
  • 0

#22 MasterJ (Visiting Staff, 1,623 posts)
Don't worry about that file then. It seems fine.

You said that everything is back. Could you explain exactly what symptoms you have?

Edited by MasterJ, 05 March 2006 - 09:06 PM.

  • 0

#23 peppers (Topic Starter, 21 posts)
Ok, here's pretty much what happens when I turn on the computer. After a couple of minutes, without even touching anything, McAfee will notify me with the following:

id23DA.temp C\windows\system32\1024 deleted - Spyware strike.


About one minute later, another will be added:

cdljjpmd.exe C\windows\temp dialer program-move failed.


Shortly after, a new prompt (16-bit MS-DOS subsystem) will appear in the middle of my screen:

C\docume~1\user\locals~1\temp\h91746.exe
The ntvdm cpu has encountered an illegal instruction. Cs:0d9c IP: 63 68 65 2f 31
I can either close or ignore this one.

When I log on to IE, I have the extra security tool bar.


About 25 minutes later, I'll receive another addition to McAfee:

idCC7.tmp C\Windows\system32\1024


One minute later:

ncnkaomd.exe C\documents and settings\user\local settings\temp dialer program-move failed


This whole cycle will continue to add and repeat. Sometimes the following will be added:

nvctrl.exe Vir2 and nvctrlVir 3 in C\quarantine under new trojanj with a user id of Bob-R7KE08LQ7BH and client ID 0(BOB-R7KE08LQ7BH)


I don't know who Bob is, but I have a few other names for him.

I haven't done anything since. I thought it would be best for you to see the exact symptoms first. Let me know what you think and thanks for all of your help.
  • 0
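The cycle peppers describes (a new random-named file in `system32\1024` or a temp folder roughly every 25 minutes, with the dialer's removal failing each time) is the signature of a dropper that is still running, not of leftovers. The following is an added example, not from the thread or from McAfee: it takes constructed antivirus events modelled on that description (times and filenames are made up to match the "couple of minutes / one minute / 25 minutes" cadence in the post) and reports, per detection name, how many differently named files appeared, how often, and how many removals failed. The field layout and function names are assumptions of this example.

```python
"""Added example: spot a re-dropping infection in a stream of antivirus events.
Constructed events modelled on the McAfee notifications described in the post
above; the names and times are made up, the reasoning is the point."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log lines: time | file | directory | detection | action
EVENTS = """\
2006-03-05 21:02 | id23DA.tmp | C:\\WINDOWS\\system32\\1024 | Spyware strike | deleted
2006-03-05 21:03 | cdljjpmd.exe | C:\\WINDOWS\\temp | dialer program | move failed
2006-03-05 21:27 | idCC7.tmp | C:\\WINDOWS\\system32\\1024 | Spyware strike | deleted
2006-03-05 21:28 | ncnkaomd.exe | C:\\Documents and Settings\\user\\Local Settings\\Temp | dialer program | move failed
2006-03-05 21:52 | id8B11.tmp | C:\\WINDOWS\\system32\\1024 | Spyware strike | deleted
"""


def parse_events(text: str) -> List[dict]:
    """Split the pipe-separated constructed lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, name, folder, detection, action = [f.strip() for f in line.split("|")]
        events.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                       "name": name, "folder": folder,
                       "detection": detection, "action": action})
    return events


def find_reinfection(events: List[dict]) -> Dict[str, dict]:
    """Group by detection name. A detection that keeps coming back under new
    filenames is being re-dropped: the AV is catching payloads, not the source."""
    by_detection = defaultdict(list)
    for ev in events:
        by_detection[ev["detection"]].append(ev)
    result = {}
    for detection, evs in by_detection.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() / 60 for a, b in zip(evs, evs[1:])]
        distinct = {e["name"].lower() for e in evs}
        failed = sum(1 for e in evs if "failed" in e["action"].lower())
        result[detection] = {
            "drops": len(evs),
            "distinct_names": len(distinct),
            "removal_failed": failed,
            "mean_gap_min": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "folders": sorted({e["folder"] for e in evs}),
            # Two or more differently named files for one detection means
            # something on the box is still generating them.
            "recurring_dropper": len(distinct) >= 2,
        }
    return result


if __name__ == "__main__":
    for detection, stats in find_reinfection(parse_events(EVENTS)).items():
        print(detection, stats)
```

On the constructed input both detections come out as recurring droppers on a 25-minute cadence, and the dialer shows two failed removals in two different temp folders. That is the evidence to act on: emptying quarantine or deleting the files the scanner names will not end the cycle while the process or autostart entry that writes them is still present, which is why the thread moves on to a full sweep rather than more file deletions.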

#24 MasterJ (Visiting Staff, 1,623 posts)
Let's try this.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run another scan with panda and post the results here.

MasterJ :tazz:
  • 0

#25 peppers (Topic Starter, 21 posts)
The ATF cleaner removed 13,786,136 bytes.

Here's the Panda results.

Incident Status Location

Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securitytoolbar Not disinfected C:\PROGRAM FILES\Security Toolbar
Adware:adware/spywarestrike Not disinfected C:\WINDOWS\SYSTEM32\1024
Adware:adware/megasearch Not disinfected Windows Registry
  • 0

#26 MasterJ (Visiting Staff, 1,623 posts)
Is there a file in the system32 folder named msvol.tlb?
  • 0

#27 peppers (Topic Starter, 21 posts)
I unchecked the hidden files and hide protected files and I couldn't find msvol.tlb.
  • 0

#28 MasterJ (Visiting Staff, 1,623 posts)
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
MasterJ :tazz:
  • 0

#29 peppers (Topic Starter, 21 posts)
Sorry to be a pest. Should I run the custom or typical?
  • 0

#30 MasterJ (Visiting Staff, 1,623 posts)
Typical
  • 0





