
I Literally Had a Nightmare about nCase! HELP!

Alright, I have tried for three weeks to eliminate nCase 180 solutions spyware from my system. Last night (this is no joke) I dreamed that a guy who was wearing a black shirt that said "nCase" was rolling around with a shotgun shooting people. I'm a normal guy, with a normal life, this shows how much of a pain this "virus" has been. Please help me. I have run all of the following: Spybot, Spysweeper, and Adaware. And, I have run your remove 180 solutions. Everything, I've done everything! BUT every time I reboot, that nCase is back on my system. Every time I access the internet AFTER spysweeper removes it, it reloads itself. This thing is amazing! I've just about stripped my registry to the bone. Please help return my sanity. Here's my Hijack This log AFTER running adaware, spybot and spysweeper. Thank you guys millions for helping me with this!

Logfile of HijackThis v1.98.2
Scan saved at 6:01:16 PM, on 8/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\bretiuxh.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: DNSProxyObj Class - {06594350-D723-11D8-9669-0800200C9A66} - c:\windows\system32\DNSProxy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [winmatrix.exe] C:\Program Files\WinMatrix XP\WinMatrixXP.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


Thank you, thank you, thank you!!!!

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    omg that IS serious ;D

    Delete the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: DNSProxyObj Class - {06594350-D723-11D8-9669-0800200C9A66} - c:\windows\system32\DNSProxy.dll

    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe

    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

    Then, in safe mode, make sure you can view hidden system files and folders. Go to C:\WINDOWS\SYSTEM32\ and delete the following:

    DNSProxy.dll

    Then, delete this whole folder:

    C:\Program Files\WindUpdates\

    Let's start with that, then post a new log.
  • edited August 2004
    Thanks for the help, Prime. You're awesome.

    I deleted all of the files you told me to, but now I can't access the internet...(?) I'm accessing through my roommate's computer. Does that have something to do with deleting the DNSproxy.dll? I don't know. Anyway, here's my new HJT log. Any information would be great. Thanks, again.

    Logfile of HijackThis v1.98.2
    Såan saved at 12:14:34 AM, on 8/2å/2004
    Platform: Windows XP SP1å(WinNT 5.01.2600)
    MSIE: Internåt Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:åWINDOWS\System32\smss.exe
    C:\WåNDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\åINDOWS\system32\services.exe
    Cå\WINDOWS\system32\lsass.exe
    C:åWINDOWS\system32\svchost.exe
    Cå\WINDOWS\System32\svchost.exe
    å:\WINDOWS\System32\svchost.exe
    åC:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\åymantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symaåtec Shared\ccEvtMgr.exe
    C:\WINåOWS\system32\spoolsv.exe
    C:\WIåDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    c:\Program Fileå\Norton AntiVirus\navapsvc.exe
    åC:\Program Files\Common Files\Såmantec Shared\ccApp.exe
    C:\WINåOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Påogram Files\ZoneAlarm\zlclient.åxe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Muåtimedia Card Reader\shwicon2k.eåe
    C:\Program Files\Webroot\SpyåSweeper\SpySweeper.exe
    C:\Progåam Files\HP\Digital Imaging\binåhpqtra08.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\Syståm32\wuauclt.exe
    C:\WINDOWS\Sysåem32\devldr32.exe
    C:\Program Fåles\Internet Explorer\iexplore.åxe
    C:\Program Files\Hijack Thiå\hijackthis\HijackThis.exe

    Oå - BHO: AcroIEHlprObj Class - {å6849E9F-C8D7-4D59-B87D-784B7D6Bå0B3} - C:\Program Files\Adobe\Aårobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7å42484F} - C:\Program Files\Spybåt - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class -å{BDF3E430-B101-42AD-A544-FADC6Bå84872} - c:\Program Files\Nortoå AntiVirus\NavShExt.dll
    O4 - HåLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Sharåd\ccApp.exe"
    O4 - HKLM\..\Run:å[Zone Labs Client] "C:\Program åiles\\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXEåC:\WINDOWS\System32\NvCpl.dll,NåStartup
    O4 - HKCU\..\Run: [winåatrix.exe] C:\Program Files\WinMatrix XP\WinMatrixXP.exe
    O4 - åKCU\..\Run: [SpySweeper] "C:\Prågram Files\Webroot\Spy Sweeper\åpySweeper.exe" /0
    O4 - Startupå spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpaåSub.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = å:\Program Files\HP\Digital Imagång\bin\hpqtra08.exe

    I don't know what those funky symbols are. Try to ignore them. Thank you, again.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    It may have something to do with zonealarm. Try turning zonealarm off temporarily and see if that fixes your internet access...
  • edited August 2004
    I'm noticing that the Spam Subtract.exe keeps showing up even after I delete it. Is that my problem?
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    Could be.. Is there an uninstaller for spam subtract?
  • edited August 2004
    My internet works now! I disabled Zone Alarm, like you said, Prime, and now it works. You're awesome. BUT...nCase is still there! Ahhhh!!

    I uninstalled Spamsubtract. They wanted me to take a survey when I uninstalled, but I said no thanks.

    Here's what I'm thinking and tell me if I'm crazy. When I run Spysweeper, which scans my system ultra-fast (and detects nCase every time) I try and watch the folders it's scanning. Now, this scan goes really fast and the folders are changing quickly, but I've gotten pretty good at noticing when it detects nCase. I think it's in the following folder: (I don't know enough to tell if it's in the registry or the c: drive)

    micrsoft\windows\current version\............. (somewhere in there)

    I ran regedit and looked into this folder. Now I came across two folders which had weird stuff in them. A folder called P3P (under Internet Settings) and a folder called shared .dlls which is filled with thousands of .digital link libraries. Could it be hiding in one of these? They're too long to post.

    If I'm getting too "out there," Prime, let me know and I'll try something else.
    Thanks for taking the time and working with me. There is hope!!
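
The before-and-after comparison of HijackThis logs that this thread does by eye can be automated; the following is an added example, not part of any post or of HijackThis itself. It parses the R, O2 and O4 line shapes seen in the logs above and reports which autostart entries were removed, added or kept between two scans. The `AFTER` text is a constructed scan, and its `ExampleEntry` line is made up to show how a reappearing entry would surface.

```python
import re

# Entry shapes as they appear in the HijackThis v1.98.2 logs in this thread.
PATTERNS = [
    ("BHO", re.compile(r"^O2 - BHO: .*? - (?P<id>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")),
    ("Run", re.compile(r"^O4 - (?P<id>HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\]) (?P<target>.+)$")),
    ("Startup", re.compile(r"^O4 - (?P<id>(?:Global )?Startup: .+?) = (?P<target>.+)$")),
    ("IE setting", re.compile(r"^R[0-3] - (?P<id>[^=]+?) = (?P<target>.*)$")),
]

def parse_entries(log_text):
    """Map (kind, identity) -> target for each browser/autostart entry in a log."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                # Registry names and CLSIDs are case-insensitive on Windows.
                entries[(kind, m.group("id").lower())] = m.group("target")
                break
    return entries

def compare_logs(before, after):
    """Return (removed, added, kept) sets of entry identities between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    return set(old) - set(new), set(new) - set(old), set(old) & set(new)

# Excerpt of the first log posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: DNSProxyObj Class - {06594350-D723-11D8-9669-0800200C9A66} - c:\windows\system32\DNSProxy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
"""
# Constructed follow-up scan; the ExampleEntry line is made up, not from the thread.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - HKLM\..\Run: [ExampleEntry] C:\Example\example.exe
"""

if __name__ == "__main__":
    for label, ids in zip(("removed", "added", "kept"), compare_logs(BEFORE, AFTER)):
        print(label, sorted(ids))
```

An entry that shows up under "added" right after a cleanup is the one to trace back to whatever is rewriting it.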