ncompat.tlb



otter357
2006-03-23, 04:37
Hi I just joined although I have used spybot for a while. Let me say this, I'm no expert. But I too have the ncompat.tlb file. And the V codec thing that spybot partially removed. Like you, I wanted to remove it. I couldn't delete the file so I started up in safe mode and then deleted it. However, after that, explorer, (the program one uses to look at files, not the internet browser) would never work correctly after that, and would shut down on its own all the time.

So I reinstalled my operating system (Windows 2000 Professional) and all was well. But I always get that V codec ncompat.tlb warning when I run spybot.

That's all I know so far. Maybe one of these big brains can help us.:scratch:

I'm pretty curious myself. I've searched around a little, and then decided to come here. I read somewhere that the ncompat.tlb file has something to do with encryption, and is not dangerous in itself, but can be used by other programs..or something...

I stress to you that I don't know what I'm talking about. I saw your note and you know the rest. All the best, Otter357

tashi
2006-03-23, 09:44
otter357

Could you try to post a Spybot log?


Open SpyBot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red
Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except

Uncheck[ ] do not report disabled or known legitimate Items.
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.

Now select (near the top) view report.
Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

otter357
2006-03-23, 18:26
Hi tashi thanks for taking a look;
I followed your instructions as exactly as I could. I use the adv option usually, but still did this as you ordered.

3 notes:
When one gets the V codec in red, the first time spybot goes to fix it, it gets fixed except for this subcategory we both mentioned, the ncompat.tlb file

(winnt/system32/ncompat.tlb)

spybot asks if it can run on startup to fix it, but when one does this, spybot is still unable to remove the file.

second and third note...I did have the option of unchecking "do not report disabled or known legitimate items" I did that and let that be my default anyway.



I didn't ..did not..have the option of unchecking "include a list of services in report" or "include uninstall list in report".

The other eight options I have here are,

"Include results of last test in report" "include system information in report"
"include Active X List in report" "Include BHO list in report"
"include startup list in report" "include process list in report"
"Include browser pages in report" "Include a list of Winsock LSPs in report"

I checked them all

See pretty early down where it says "fixing V codec failed"? I bolded it


thanks for looking at this for us I am curious.........the resulting log file is attached:

THANKS TASHI.......from OTTER357 and that other person

tashi
2006-03-23, 19:33
Hello otter357.

Ah I see that you are using Spybot-S&D version 1.3.

Please read the following:

Version 1.4 :Systems Supported (http://www.safer-networking.org/en/spybotsd/index.html)
Note:Windows 2000. Some functions need administrator rights


Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)


Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)



Tutorial (http://www.spybot.info/en/tutorial/index.html)



Solution to fix the pop-ups in TeaTimer. (http://forums.spybot.info/showthread.php?t=122)


If you could install 1.4 (make sure you update after installing) scan and post another log, we can proceed from there. :)

Also please see:
Sun Microsystems~Java. Check it is up-to-date & old versions removed (http://forums.spybot.info/showthread.php?t=2559)
The log shows old versions that should be removed.

otter357
2006-03-24, 08:03
Greetings Tashi,

Did as instructed, uninstalled all previous java and spybot editions, then deleted appropriate folders and registry entries, reinstalled both of the aforementioned, ran spybot and attached the attached log.

But the V codec ncompat.tlb entry remains. Is it possible that this entry is not spyware? When I deleted the file, explorer (the internal one not the browser) wouldn't run correctly.

The new version spybot did remove some old active x stuff from symantec that were obsolete, the previous version of spybot wouldn't remove them...

Otter357

otter357
2006-03-24, 08:07
log about v codec ncompat.tlb attached

LonnyRJones
2006-03-24, 10:03
Hello
"But the V codec ncompat.tlb entry remains. Is it possible that this entry is not spyware? "

No, it's a sign of an infection. Was your desktop ever hijacked?

Post the results of one or better yet two free online scans
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please

otter357
2006-03-24, 16:04
Greetings Tashi et. al.
before i read your post i did an online scan from trend micro, it found the spyfalcon thing and trojan named troj_zlob.hs. PCillin failed to clean it quarantined, and then seemingly permitted me to delete.

I had spybot run on reboot, it found 17 items and theoretically cleaned them all, but pc illin still finds the mssearchnet.exe in my WINNT\system32 file. Yes it keeps trying to hijack my home page but history kill has blocked it so far.

also I get a note (titled in the bar) "16 bit MS-DOS Subsystem"

C:\WINNT\TEMP\h91746.exe
The NTVDM CPU has encountered an illegal instruction
CS:0524 IP:01d4 OP:63 68 65 2f 31 Choose "Close" to terminate the application

and you have the choice between close and ignore, I choose close
pcillin report and spybot report attached.

LonnyRJones
2006-03-24, 16:23
Follow the instructions on this page and post the logs mentioned
http://forums.spybot.info/showthread.php?t=1958
there is no need for the initial before hijackthis log

Post them in replies to this thread, I'll ask tashi to move the thread to our malware section.

otter357
2006-03-24, 20:59
Well how about that. And i have the p cillin internet suite, firewall and anti virus, three kinds of spyware defenders, and run clam win anti virus as well. Ok i'll continue with this for fun. It sure has been an eye opener so far. Am printing out the page Lonnie directed me to, will fool around with the Kaspersky labs options, and will report back later.
All the best to tashi and Lonnie and you readers.
Otter357

otter357
2006-03-25, 19:59
very carefully and am posting the scan results.
those instructions were at
http://forums.sypbot.info/showthread.php?t=1958
http://forums.spybot.info/showthread.php?t=1958

attached are the logs requested.

This procedure alone though, did no good, the spyfalcon thing returned each time.

But Panda has a trial period where you can download the titanium package and install it, get one update, then use it for 14 days.

These spyfalcon and other viruses even set the clock back on the panda titanium program so the first time I tried to run it, it said that the trial period has expired! Boy these hackers think of everything!

But even though you do get that message, from the Panda program, it still works. Get your update function works, and scanning works.
I scanned computer once and it seems to have cleared a lot if not all viruses, and I notice both the spyfalcon thing and the weird blinkin red ball with a white "x" that blinked on top of the little windows update tray icon is also gone. I think that scan is also attached, I'm running a second one now.

The Panda program made me uninstall the trend micro internet security suite and the clam win anti virus programs I had on my machine, but I think that it is getting the job done, and those other two did not. Outlook express still doesn't send mail, and there are some glitches left, but I think it got the majority of the problems, I just may have to reconfigure some stuff.

Hope this data is useful to you. I feel like I'm getting an edjumacation, and that's usually fun.

This post has the maximum of five attachments, in temporal order I have 2 or three more..see them next post.

Thanks to all of you tashi and lonnie and the others. Will post again, and you readers, good luck!

otter357
2006-03-25, 20:06
here are the last three, again in chronological order.

Cheers all, happy computing! :)

otter357
2006-03-25, 20:37
The Panda program told me that my computer had a vulnerability that the automatic windows update does not catch.

MS04-011

When one reads up on (in the windows knowledge base) this patch the first few paragraphs, it seems to be only for NT 4 server platforms. But if one reads a bit farther down one sees that windows 2000 operating systems are also affected.

Following is some relevant text and links:

Brief Description

MS04-011 is not categorized as virus, worm, Trojan or backdoor. It is a critical vulnerability in Windows XP/2000 computers, known as LSASS Vulnerability, which allows to remotely execute arbitrary code in the vulnerable computer.

If exploited successfully, MS04-011 allows hackers to gain remote control of the affected computer with the same privileges as the logged on user. If this user had administrator rights, the hacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.

This vulnerability is exploited by creating a specially crafted message and sending it to a vulnerable computer, which would execute the associated code.



If you have a Windows XP/2000 computer, it is recommendable to download and apply the security patch for this vulnerability available in the Microsoft Security bulletin MS04-011.

my 'puter seems cured and I installed this patch, so perhaps we'll have no more of this jazz.

Panda did much better than p-cillin, or clamwin, or zone alarm. I have a feeling the Kaspersky Labs option is a good one too.

Hope that is a useful contribution and I wish you all the best in your computing and your time in this life. All the best, and thanks, Otter357

LonnyRJones
2006-03-25, 21:12
Hi Otter

Appears you missed this in the instructions
Download FixSF.reg by right clicking here
http://www.bleepingcomputer.com/files/reg/FixSF.reg (http://www.bleepingcomputer.com/files/reg/FixSF.reg)
Selecting "save target as" (or if using Firefox - "save link as")
Double click the file and answer yes to the prompt. You should see a successful message?

We did not suggest installing other antivirus programs, more than one is not a good idea, How many are installed now ?

Post a fresh hijackthis log please

otter357
2006-03-26, 01:55
Am only running Panda trial version now (for anti virus and firewall)

otter357
2006-03-26, 07:43
http://www.bleepingcomputer.com/files/reg/FixSF.reg

bleeping computer and it modified my registry, although the Panda antivirus/spyware may have already done something similar. Well, what do you think, is it cured? attached one last hijack this log.

Heard Mozart's Mass in C at the Atlanta Symphony tonite (he wrote it for his wedding but never finished it, there's a good joke in there somewhere) they had some good modern stuff as openers though. Then went for some good hip hop, minus the booty shaking and spinning car rims. It was smooth like post modern soul.
Nitey nite people
Otter

LonnyRJones
2006-03-26, 09:56
Good only one av program..

Start Hijackthis and place a check next to these.
O16 - DPF: {3A38E687-EA94-39E9-E42B-722515BA73BB} - http://85.255.113.214/1/gdnUS2218
O16 - DPF: {766692C1-C49A-60B9-5B26-1D3E55B487D9} - http://85.255.113.214/1/gdnUS2218
O16 - DPF: {7BF27CD1-1E98-13DC-FC4D-4F620A751D12} - http://85.255.113.214/1/gdnUS2218
====================================
Hit fix checked and close Hijackthis.

Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html

Can you tell me what this is for ? >
O4 - Startup: Reboot.exe
Can you provide any information on this file ?
C:\WINNT\system32\Directx\mmc.exe

otter357
2006-03-27, 06:59
mmc.exe is the Microsoft Management Console and there is some literature, which of course I don't really understand, here http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/mmcsteps.mspx

the reboot.exe thing i have always been suspicious of, but don't know anything about. This forum http://forum.misec.net/board/Trojans;action=display;num=1072222157;start=15

discusses it and says that

Process File: reboot.exe
Process Name: REBOOT

Description: reboot.exe is a dos based application used to reboot the computer. Users are allowed to set delays for reboots through the command line prompter.


However there are a lot of forums that discuss it and some say it can be deleted without harm and others disagree.



Also, ewido keeps telling me there is a problem with “orthonapp.exe” and I found this intelligent sounding post. Which I don’t completely understand.

http://castlecops.com/postp668937


Did the thing with Hijack this and am already running java cool's spyware blaster, which I keep updated.

Let me ask you something. Right this second I'm using panda's trial version, which seems to be better than the p cillin security suite I just paid for for the next year. But the scan from Kaspersky Labs seems to be even more thorough than the Panda one, its running right now and already sees three viruses the panda scan missed. You know I bought the p cillin suite after reading reviews that it is better than the Symantec Suite I had been using for a couple years.
One of the local tech authors, Bill Husted says the free zone alarm firewall with the free grisoft antivirus is as good as it gets. Do you have a recommendation for a product that really works?

Attached is a hijack this log
Thanks again Otter

LonnyRJones
2006-03-27, 11:19
Hi
I've seen reboot and mmc before, it's odd mmc is in a DirectX folder but is probably ok, If you didn't put reboot there already know how to use it then it is suspect, fix it with hijackthis..

orthonapp.exe,
Are the other files mentioned present, or do they keep returning ?
usbadpt32.dll and WITBLOG.OCX


If you can get a paid for av program I suggest Nod32 by eset or Kaspersky
for free program AVG 7, Antivir or Avast, don't install more than one.

Zone Alarm is a good choice for a firewall

Afraid no matter which program you use and additional scans, if you continue to try cracks/keygens P2P software you will continue to get infected
I suggest you uninstall any and all software/goodies you've obtained through p2p and delete what kav's online pointed out

tashi
2006-03-30, 20:42
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread. :)