23-08-2005, 12:25 AM
zango.exe : 180Solutions/N-Case adware variant
From above URL Wrote:
Removal
nCase/msbb and rnd may include two uninstallers (if any), named "Insterstitial ad delivery by n-Case" and "PAD lookups by n-Case". Both have to be used before the software is removed; both require internet access and simply attempt to download further uninstallers which also require internet access, and sometimes still don't work. Manual removal will probably be faster than this rigmarole.
The other variants have at most one installer, "Uninstall 180Search Assistant" or "Zango". This also requires internet access, and requires several stages of confirmation pages fetched from 180solutions's site, but does remove the software without a further download.
All uninstallers leave the nCase/Inst control in place, allowing nCase to be reinstalled without prompting. To remove this, open the Downloaded Program Files folder (inside the Windows folder) and delete the entry "nCaseInstaller Class" (nCase/Inst/nc variant), "180SAInstaller Class" (nCase/Inst/180SA variant) or "ZangoInstaller Class" (nCase/Inst/Zango variant).
Manual removal
Open the registry (click "Start", choose "Run" and enter "regedit"), select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and right-click the entry on the right with the name "msbb" (nc and msbb variants), "saie", "saie", "sais", "salm", "saap", "sain", "180ax", "180adsolution", "zango", or in the case of the rnd variant, a random name 3-9 lower-case letters long pointing at a .exe file of the same name.
Delete this entry, noting the filename it was pointed at. nCase can be installed in any location on the hard disc, depending on the whim of the installer. Common locations include in a folder in Program Files named "nCase", "n-Case", "MSBB", "180Solutions" and "180Search Assistant", along with the System32 folder (inside the Windows folder; called just "System" on Windows 95/98/Me), the Temp folder (inside the user profile Local Settings folder in Documents and Settings, or directly in the Windows folder in Windows 95/98/Me) and the Application Data folder (inside the user profile folder or the Windows folder in 95/98/Me). It can also often be found inside the Program Files folder of another program that installed it.
For the Alert variant, also check the Run key for an entry with a random upper-case name 3-6 letters long pointing to a .exe file of the same name in the Windows folder. Note the name and delete the entry if there is one.
Restart the computer and you should be able to delete the files whose names you noted. You can also remove files using the names in the table above, stored in the same folders as the main executable, and the empty temporary folder named "FLEOK", along with any icon (.ico) files nCase has downloaded to put onto the desktop.
To clean up, you can also delete the registry keys in HKEY_CURRENT_USER\Software and HKEY_LOCAL_MACHINE\Software with the name "msbb" (nc, rnd, msbb variants), "saie", "sais", "salm", "saap", "sain", "180solutions" or "zango" and, if present, the uninstall key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall called "nCASE", "msbb" or "zango".
block-checker.exe http://forum.mess.be/index.php?showtopic=10889 you decide.
ac16059d153.exe also very suspicious looking, I can't find any info on it though.
hyandex.exe NTROOTKIT Trojan or 'WareOut'
http://www.doxdesk.com/parasite/WareOut.html
Quote: Use the entry in the Control Panel's Add/Remove Programs list to remove the software, then restart the computer, open the Windows folder and delete the file wotmp.tmp or wotmp11.tmp, then open the System32 folder (inside the Windows folder, called just "System" on Windows 95/98/Me) and delete the file wosys.dll or wosysdll.dll.
NTROOTKIT:
To clean up the fake spyware traces WareOut installs, open the registry (click "Start", choose "Run", enter "regedit") and select the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For each, look at the entry list on the right and delete entries using the names/filenames above. Then select the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the randomly-numbered entries on the right except the default search hook {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.
http://vil.nai.com/vil/content/v_135403.htm
http://vil.nai.com/vil/content/v_134117.htm
KeywordFinder.exe Trojan - Part of wareout.
http://www.doxdesk.com/parasite/WareOut.html
WareOut.exe - See above.
WhatsNewBot.exe - See above.
Bogobot.exe - See above.
UserSp1.exe - See above. anyone else tired of this...
Q678341.exe
Quote:
# Determination: Bad
Just quarantine it.
# This program has a file name of Q678341.EXE. It has a file size of 3,493 bytes and is found in the folder [%PROGRAMFILES%\WINDOWS MEDIA PLAYER\].
# We do not currently have any Vendor or Product Information about this program.
# This program has been run as part of a download process.
# This program was first seen by our users on Jul 9 2005. Only one user has seen this specific version of this program on their PC. This program has only been seen in operation once within our user base. We have only seen this one version of this program in use within our user base.
# This program is malware and is not considered safe, it is part of a Malware group sometimes referred to as Win32/Suspicious_M.gen. It should be Jailed
Hope that helps.
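Added here as a defender-side aid, not code from the forum post or from doxdesk.com: a PowerShell script that audits the Run keys, the leftover Software and Uninstall keys, the IE URLSearchHooks key and the files named in the quoted nCase and WareOut removal notes, and only reports what it finds (it deletes nothing, so you can review before acting). It assumes a PowerShell-capable Windows host (the Windows 95/98/Me paths in the notes are not covered); the value names, the default search-hook CLSID and the file names come from the quoted text, and the rnd/Alert naming patterns are the ones the notes describe.

```powershell
# Added audit script: reports, without deleting anything, the registry entries and files
# that the quoted nCase/WareOut removal notes name. Not code from the post or doxdesk.com.
# Assumptions: a PowerShell-capable Windows host; only the names quoted above are checked.

$runValueNames     = @('msbb','saie','sais','salm','saap','sain','180ax','180adsolution','zango')
$softwareKeyNames  = @('msbb','saie','sais','salm','saap','sain','180solutions','zango')
$uninstallKeyNames = @('nCASE','msbb','zango')
$defaultSearchHook = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'   # the one hook the notes say to keep
$providerProps     = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Helper: the values under a key, minus the registry provider's own metadata properties
function Get-RegistryValues([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
        Where-Object { $providerProps -notcontains $_.Name }
}

# 1. Run keys in both hives: the quoted value names plus the rnd/Alert naming patterns
foreach ($hive in 'HKLM','HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($v in Get-RegistryValues $runKey) {
        $name  = $v.Name
        $value = [string]$v.Value
        # "points at a .exe file of the same name": <anything>\<name>.exe, optionally quoted
        $exeOfSameName = '(^|\\)' + [regex]::Escape($name) + '\.exe"?\s*$'
        if ($runValueNames -contains $name.ToLower()) {
            Add-Finding 'Run entry (quoted name)' $runKey "$name = $value"
        }
        elseif ($name -cmatch '^[a-z]{3,9}$' -and $value -match $exeOfSameName) {
            # rnd variant: random 3-9 lower-case letters pointing at an .exe of the same name
            Add-Finding 'Run entry (rnd-style)' $runKey "$name = $value"
        }
        elseif ($name -cmatch '^[A-Z]{3,6}$' -and $value -like "*$env:WINDIR\$name.exe*") {
            # Alert variant: random 3-6 upper-case letters, same-named .exe in the Windows folder
            Add-Finding 'Run entry (Alert-style)' $runKey "$name = $value"
        }
    }
}

# 2. Leftover Software and Uninstall keys the notes list for clean-up
foreach ($hive in 'HKLM','HKCU') {
    foreach ($n in $softwareKeyNames) {
        $k = "${hive}:\Software\$n"
        if (Test-Path -LiteralPath $k) { Add-Finding 'Software key' $k 'present' }
    }
}
foreach ($n in $uninstallKeyNames) {
    $k = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$n"
    if (Test-Path -LiteralPath $k) { Add-Finding 'Uninstall key' $k 'present' }
}

# 3. WareOut: any IE URLSearchHook other than the default one
$hooksKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($v in Get-RegistryValues $hooksKey) {
    if ($v.Name -ne $defaultSearchHook) {
        Add-Finding 'URLSearchHook (non-default)' $hooksKey $v.Name
    }
}

# 4. Files the notes name: WareOut leftovers and the folder the Q678341.exe report gives
$files = @(
    (Join-Path $env:WINDIR 'wotmp.tmp'),
    (Join-Path $env:WINDIR 'wotmp11.tmp'),
    (Join-Path $env:WINDIR 'System32\wosys.dll'),
    (Join-Path $env:WINDIR 'System32\wosysdll.dll'),
    (Join-Path $env:ProgramFiles 'Windows Media Player\Q678341.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'present' }
}

if ($findings.Count -eq 0) { Write-Output 'No nCase/WareOut indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so HKLM is readable in full; the rnd/Alert pattern checks are heuristics and will also flag legitimate short-named Run entries, which is why the script reports rather than removes.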