Computer problems and/or questions

[Phantom_RAcast]

zango.exe : 180Solutions/N-Case adware variant

Removal

nCase/msbb and rnd may include two uninstallers (if any), named ‘Insterstitial ad delivery by n-Case’ and ‘PAD lookups by n-Case’. Both have to be used before the software is removed; both require internet access and simply attempt to download further uninstallers which also require internet access, and sometimes still don’t work. Manual removal will probably be faster than this rigmarole.

The other variants have at most one installer, ‘Uninstall 180Search Assistant’ or ‘Zango’. This also requires internet access, and requires several stages of confirmation pages fetched from 180solutions’s site, but does remove the software without a further download.

All uninstallers leave the nCase/Inst control in place, allowing nCase to be reinstalled without prompting. To remove this, open the Downloaded Program Files folder (inside the Windows folder) and delete the entry ‘nCaseInstaller Class’ (nCase/Inst/nc variant), ‘180SAInstaller Class’ (nCase/Inst/180SA variant) or ‘ZangoInstaller Class’ (nCase/Inst/Zango variant).
Manual removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and right-click the entry on the right with the name ‘msbb’ (nc and msbb variants), ‘saie’, ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180ax’, ‘180adsolution’, ‘zango’, or in the case of the rnd variant, a random name 3-9 lower-case letters long pointing at a .exe file of the same name.

Delete this entry, noting the filename it was pointed at. nCase can be installed in any location on the hard disc, depending on the whim of the installer. Common locations include in a folder in Program Files named ‘nCase’, ‘n-Case’, ‘MSBB’, ‘180Solutions’ and ‘180Search Assistant’, along with the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me), the Temp folder (inside the user profile Local Settings folder in Documents and Settings, or directly in the Windows folder in Windows 95/98/Me) and the Application Data folder (inside the user profile folder or the Windows folder in 95/98/Me). It can also often be found inside the Program Files folder of another program that installed it.

For the Alert variant, also check the Run key for an entry with a random upper-case name 3-6 letters long pointing to a .exe file of the same name in the Windows folder. Note the name and delete the entry if there is one.

Restart the computer and you should be able to delete the files whose names you noted. You can also remove files using the names in the table above, stored in the same folders as the main executable, and the empty temporary folder named ‘FLEOK’, along with any icon (.ico) files nCase has downloaded to put onto the desktop.

To clean up, you can also delete the registry keys in HKEY_CURRENT_USER\Software and HKEY_LOCAL_MACHINE\Software with the name ‘msbb’ (nc, rnd, msbb variants), ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180solutions’ or ‘zango’ and, if present, the uninstall key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall called ‘nCASE’, ‘msbb’ or ‘zango’.

block-checker.exe http://forum.mess.be/index.php?showtopic=10889 you decide.

ac16059d153.exe also very suspicious looking, I cant find any info on it though.

hyandex.exe NTROOTKIT Trojan or 'WareOut'
http://www.doxdesk.com/parasite/WareOut.html

Use the entry in the Control Panel’s Add/Remove Programs list to remove the software, then restart the computer, open the Windows folder and delete the file wotmp.tmp or wotmp11.tmp, then open the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me) and delete the file wosys.dll or wosysdll.dll.

To clean up the fake spyware traces WareOut installs, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For each, look at the entry list on the right and delete entries using the names/filenames above. Then select the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the randomly-numbered entries on the right except the default search hook {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.

NTROOTKIT:
http://vil.nai.com/vil/content/v_135403.htm
http://vil.nai.com/vil/content/v_134117.htm

KeywordFinder.exe Trojan - Part of wareout.
http://www.doxdesk.com/parasite/WareOut.html

WareOut.exe - See above.

WhatsNewBot.exe - See above.

Bogobot.exe - See above.

UserSp1.exe - See above. anyone else tired of this...

Q678341.exe

# Determination: Bad


# This program has a file name of Q678341.EXE. It has a file size of 3,493 bytes and is found in the folder [%PROGRAMFILES%\WINDOWS MEDIA PLAYER\].


# We do not currently have any Vendor or Product Information about this program.


# This program has been run as part of a download process.


# This program was first seen by our users on Jul 9 2005. Only one user has seen this specific version of this program on their PC. This program has only been seen in operation once within our user base. We have only seen this one version of this program in use within our user base.


# This program is malware and is not considered safe, it is part of a Malware group sometimes referred to as Win32/Suspicious_M.gen. It should be Jailed

Just quarantine it.

Hope that helps.