n-case still alive

Discussion in 'adware, spyware & hijack cleaning' started by tgf, Dec 20, 2003.

Thread Status:
Not open for further replies.
  1. tgf

    tgf Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    15
    Hi
    I can't get rid of n-case, though I've been working on it for a long time.
    Here is my hijack this log. Hope you guys can help me.

    Thanks

    TGF
     

    Attached Files:

  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi tgf,

    First can you send me this file ? :

    adiras.exe

    [ unzy @ wilders.org ]

    Thanks

    Then have only HijackThis running and fix :

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ddm3dia.dll
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [VYCFLPSVY] C:\WINDOWS\VYCFLPSVY.exe
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [ohrswlgc] C:\WINDOWS\ibmssp.exe

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Reboot after doing so and remove :

    C:\WINDOWS\VYCFLPSVY.exe <- this file
    C:\WINDOWS\ibmssp.exe

    I'll keep you posted about the adiras.exe file

    You should also update to the latest Service Pack of your XP (SP1) as well as the latest IE security and version updates at windowsupdate.com

    Hope this helps,

    Cheers,
     
  3. tgf

    tgf Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    15
    Hi Unzy
    Thanks for answering.
    First, I can't get the file ADIRAS.EXE. It seems it's only a key in the registry. Do you think the real file exists anyway?
    Second, I deleted the file 'C:\WINDOWS\VYCFLPSVY.exe' because I found it was responsible for the 'N-CASE ALERT' message.
    Third, I'm going to follow your hints about HijackThis and keep you informed.
    Cheers
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi tgf,

    Maybe the file is hidden. Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192
    But it is possible that the file was removed and the startup entry was left behind.

    Regards,

    Pieter
     
  5. tgf

    tgf Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    15
    Morning Pieter

    And thanks to all of you for your advice. I followed your last hints regarding how to manage my HIJACK THIS LOG and everything is ok now.
    Regarding ADIRAS.EXE file, I'll check, after reading what they say about unhiding files, at the link you indicate.

    Thanks a lot.

    tgf
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi tgf,

    Unzy did all the hard work. :)
    Glad we could help,

    Pieter
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You can remove n-case in the following manner also.

    http://www.spysweeper.com/n-case-removal.html

    How to manually remove N-Case Spyware from your system?

    * WARNING: Modifying your registry or system files can render your system unusable in case of any error. We strongly recommend that you download Spy Sweeper to safely remove n-case and other spyware, adware, trojan horses and more.

    As several files may be in use currently when NCase has infected your system, you should first start Windows in Safe Mode, generally by pressing F8 when the computer restarts and choosing Safe Mode from the list of choices.

    Remove the Startup Entry in the Registry

    Open your registry using regedit.

    Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Right-click the entry 'msbb' inside it, and click 'Delete'.

    Also check for a randomly-named entry three or more letters long, pointing to a .EXE of the same name with the path in the Windows folder. Delete this registry entry and the file it points to.

    Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

    Right-click and Delete the following folders: nCase & msbb

    Open HKEY_CURRENT_USER\Software

    Right-click and Delete the folder called 180solutions

    Delete the NCASE folder inside Program Files. In older versions without an 'nCase' folder, look in the System folder (inside the Windows folder; called 'System32' under Windows NT, 2000 and XP, or just 'System' on Windows 95, 98 and Me), and delete msbb.exe.

    Remove the ActiveX Control (if present)

    Open the Downloaded Program Files folder in your Windows directory. Right-click on the nCaseInstaller Class entry (if present) and click Delete.

    Congratulations, you have successfully removed nCASE from your computer.

    In general we strongly recommend using anti-spyware software to remove ncase or other spyware, as manually uninstalling and editing can seriously hurt your system.
     
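Added example (not from the thread or from any of the posters): a small triage script that applies the heuristics discussed here to HijackThis-style lines, namely Unzy's O2/O4/O16 entries from post 2 and the removal article's rule about a randomly-named Run entry pointing to a same-named .EXE in the Windows folder. It only reports reasons for review; the sample log is constructed from the lines quoted above, and the "no vowels" test for a random-looking name is an assumption of this example.

```python
import re
from urllib.parse import urlparse
# Constructed sample assembled from lines quoted in this thread; not a real HijackThis log file.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\\WINDOWS\\System32\\ddm3dia.dll
O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\Updreg.exe
O4 - HKLM\\..\\Run: [VYCFLPSVY] C:\\WINDOWS\\VYCFLPSVY.exe
O4 - HKLM\\..\\Run: [adiras] adiras.exe
O4 - HKLM\\..\\Run: [msbb] C:\\WINDOWS\\System32\\msbb.exe
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) .* - (?P<url>\S+)$")

def triage_run_entry(name, cmd):
    """Reasons a Run-key entry deserves review, using the heuristics from this thread."""
    reasons = []
    exe = cmd.split()[0]                      # executable part of the command line
    basename = exe.rsplit("\\", 1)[-1]
    folder = exe[: len(exe) - len(basename)].rstrip("\\").lower()
    if name.lower() == "msbb":                # startup name given in the removal article above
        reasons.append("known n-case startup name")
    if "\\" not in exe:
        reasons.append("no path: file may be hidden, or already deleted with the entry left behind")
    elif folder.endswith("\\windows") and len(name) >= 3 and name.lower() == basename.lower().rsplit(".", 1)[0]:
        reasons.append("entry name matches a .exe directly in the Windows folder")
    if not re.search(r"[aeiou]", name, re.I):  # assumption: vowel-less names look machine-generated
        reasons.append("random-looking name (no vowels)")
    return reasons

def triage(log_text):
    """Return [{'kind', 'id', 'reasons'}] for every line with something to flag; clean lines are dropped."""
    findings = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            kind, ident = "O2", m["clsid"]
            reasons = ["orphaned BHO: CLSID registered but DLL missing"] if m["path"] == "(no file)" else []
        elif m := O4_RE.match(line):
            kind, ident, reasons = "O4", m["name"], triage_run_entry(m["name"], m["cmd"])
        elif m := O16_RE.match(line):
            kind, ident = "O16", m["clsid"]
            reasons = [f"ActiveX control downloaded from {urlparse(m['url']).hostname}: check Downloaded Program Files"]
        else:
            continue
        if reasons:
            findings.append({"kind": kind, "id": ident, "reasons": reasons})
    return findings
```

Calling `triage(SAMPLE_LOG)` flags six of the seven lines; the BHO whose DLL is present gets no automatic reason and is left for a manual check of the file's publisher.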
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    The problem is that in addition to the items mentioned, one or often several randomly named files will also be installed as part of an n-Case infection, and these need to be removed manually.

    A HijackThis log run on the infected machine is an invaluable help here.
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I fully agree that HijackThis is invaluable in these cases. I ran across this article and since it had to do with n-case I posted it just as a point of interest, although it would work in most cases. ;)
     