What is n-case and how to remove this spyware
n-case, also known as nCase. Ncase is a Comparison Alternative Shopping Engine developed by 180Solutions. It appears to be installed via an ActiveX drive-by download or bundled with several file sharing programs and a few others. It will cause pop-up advertisements, can add shortcut items to the Startup or Desktop, and update itself.
There are a couple variants of Ncase, the normal one as well as at least one installed by an Active X drive-by download.
This n-caseis also known as:
•Adware/nCase - named by Panda.
• n-CASE - named by a.
• Spyware/Dyfuca - named by Panda.
• TrojanDownloader.Win32.Dyfuca.g - named by Kaspersky.
• Trojan-Dropper.Win32.180Solutions.a - named by Kaspersky.
• Win32/Dyfuca.g!Trojan - named by Computer Associates.
How to remove n-case - n-case removal
Instructions
|
Kill the following processes ncasepackage.exe, delmsbb.exe, elrubiovy.exe, ncaseadsuninstaller.exe, ncaseuninstaller.exe, op.exe, optimize.exe, password.exe, msbb.exe, msbb.exe, msbb[1].exe, msbb.exe, msbb.exe, hbinst.exe, hbsrv.exe, msbb.exe, msbb.exe, msbb.exe, msbb.exe, r3.exe, realmon.exe, rosoftlameencoderlimited.exe, rr.exe, s4setp.exe, samten.exe, aknqux.exe, cjq.exe, msbb.exe, fmtahovc.exe, ggbilw.exe, ghrxblvci.exe, ivdn.exe, neuobsiz.exe, qtw.exe, rym.exe, msbb.exe, msbb.exe, twxcd.exe, webassist.exe |
|
Unregister the following DLLs and reboot ddmp.dll, efmcnfyu.dll, ncaselib.dll, svga.dll.
ncmyb.dll in Documents and Settings\UserName\
ncmyb.dll in Documents and Settings\UserName\application data\
ncmyb.dll in Program Files\blue haven media\kazoom\
hbcoresrv.dll, hbhostie.dll, hbhostoe.dll, hbhostol.dll, hbtoolbar.dll in Program Files\hotbar\bin.3.6.0\
a2ksertl.dll in Program Files\murasu systems\anjal2000\
msbbhook.dll, ncmyb.dll in Program Files\n-case\
ncmyb.dll in Program Files\ncase\
ncaseinstaller.dll in Windows\downloaded program files\
ncmyb.dll in Windows\system32\
|
|
Delete these registry entries HKEY_CLASSES_ROOT\clsid\
HKEY_CLASSES_ROOT\ncaseinstaller.ncaseinstaller
HKEY_CLASSES_ROOT\typelib\
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\aknqux
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ghrxblvci
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ivdn
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rjw
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rym
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\twxcd
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\zxlextmik
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\ncaseinstaller.dll
HKEY_LOCAL_MACHINE\typelib\
HKEY_USERS\.default\software0solutions
|
|
Remove the following files ddmp.dll, delmsbb.exe, efmcnfyu.dll, elrubiovy.exe, fiz1, gatorcontact.log, iconadd.log, inctrl.log, install.html, kyf.dat, license-rosoft-adware.txt, msbb.exe-1fca2923.pf, msbb.exe-2017b63e.pf, msbb_kyf.dat, ncaseadsuninstaller.exe, ncaselib.dll, ncaseuninstaller.exe, nt.bat, op.exe, optimize.exe, password.exe, popup.log, r3.exe, realmon.exe, riviera gold casino!.url, riviera gold casino.url, rosoftlameencoder.chm, rosoftlameencoderlimited.exe, rr.exe, s4setp.exe, samten.exe, spam.html, svga.dll, uninstall.log, webassist.exe.
ncasepackage.exe in c:\temp\
ncmyb.dll in Documents and Settings\UserName\
msbb.exe, ncmyb.dll in Documents and Settings\UserName\application data\
msbb.exe in Documents and Settings\UserName\fleok\
msbb[1].exe in Documents and Settings\UserName\local settings\temporary internet files\content.ie5\wv5ruyr9\
msbb.exe, ncmyb.dll in Program Files\blue haven media\kazoom\
msbb.exe in Program Files\blue haven media\kazoom\fleok\
n.class in Program Files\ebatesmoemoneymaker\system\code\
hbcoresrv.dll, hbhostie.dll, hbhostoe.dll, hbhostol.dll, hbinst.exe, hbsrv.exe, hbtoolbar.dll, install.scr in Program Files\hotbar\bin.3.6.0\
a2ksertl.dll in Program Files\murasu systems\anjal2000\
msbb.exe, msbbhook.dll, ncmyb.dll in Program Files\n-case\
msbb.exe in Program Files\n-case\fleok\
msbb.exe, ncmyb.dll in Program Files\ncase\
msbb.exe in Program Files\rosoft\audio tools\
aknqux.exe, cjq.exe, fmtahovc.exe, ggbilw.exe, ghrxblvci.exe, ivdn.exe, neuobsiz.exe, qtw.exe, rym.exe, twxcd.exe in Windows\
ncaseinstaller.dll, ncaseinstaller.inf in Windows\downloaded program files\
msbb.exe in Windows\fleok\
msbb.exe, ncmyb.dll in Windows\system32\
msbb.exe in Windows\system32\fleok\
|
|
Remove the following directories Documents and Settings\UserName\fleok
Program Files\ncase
Program Files\n-case
Program Files\rosoft\audio tools
Windows\fleok
|
How do I Remove NCase?
Because several files may be in use currently when NCase has infected your system, you should first start Windows in Safe Mode, generally by pressing F8 when the computer restarts and choosing Safe Mode for the list of choices.
n-Case can be removed following the instructions below:
1) Click Start | Run, Type regedit and click OK. The registry editor will open.
2) Locate the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, find the value 'msbb' and delete it.
In the right pane, look for value that looks random, for example 'ROQW'. Delete this value.
Exit the registry editor.
3)Restart your computer.
4) Delete the following files and directories, if they exists:
%ProgramsDir%\n-Case\
%ProgramsDir%\nCase\
%SystemDir%\msbb.exe
%SystemDir%\msbb.dll
%SystemDir%\msbb1.dll
%WinDir%\ncmyb.dll
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramsDir% is a variable. By default, this is C:\Program Files. |