Win32:Trojano-803 [Trj] C:\temp\NCasePackage.exe

[REDACTED]

I have deleted the temp folder, many times. The Trend micro found where it was hiding, i deleted that folder. I'm going to re-run in safe mode again and delete the temp folder from there.  I disabled system restore as well.  So once this Trend Micro is done scanning, i'll restart in safemode, delete the temp folder in  CP, reboot and delete the cache and scan again. *crosses fingers*  Whenever i have run avast after the virus went off, it scanned clean even though it was not repaired/deleted/moved to the chest. We shall see tomorrow at 10:37pm  

[REDACTED]

Bleh ya know, as much problems as this is causing me, i am sure it will be much easier to wipe it. I have had this system for 2 weeks, and i have all of two programs installed on it that I use, Everquest 2 and Teamspeak. Heh. It just figures, i have never got a virus in my entire span of using computers, and i get my brand spanking new one and there we go  I really appreciate your guys' help, but i figure it will be much easier and less stressful to just wipe it since i have nothing much on the computer in the first place.

[Lisandro]

Ok, if you want that, but be sure to install, since from beginning and before browsing or downloading emails the necessary protection: windows updates, antivirus, antispy, script blocker and firewall  

[whocares]

WindowsUpdates and/or Firewall MUST be Applied OFFLINE/before EVER connecting to the inet

otherwise, you'd very likely be infected via an Network/inet-Worm within the first half hour after going online (even if you DON'T browse or read Email)

 

I assume you have XP ?
so get the full Installer for Servicepack2 (280MB)
- from microsoft
- someone with fast connection
- a CD with a PC-magazine
 

[PrimeMadonna]

Click on the link in my signature and visit the malware removal section.

I cant access your link..
I have this same problem! I dont know how to get rid of it.

[galooma]

hi and welcome primemadonna
can you see in the last few blue lines below the text (what we call the signature) of the previous message from WHOCARES there are links to help that should steer you in the right direction.
good luck and come back if you need help  

[PrimeMadonna]

Hi and thanks ginblossom

Does anyone have any suggestion which one i should download to get rid of this Trojano-803 [Trj] C:\temp\NCasePackage.exe? i have no idea about how computer works.

[Eddy]

can you see in the last few blue lines below the text

Actually, the link in my signature has red letters

[ZYZYZY]

help me check pls which to be delete and which not to be delete and how i also got the Ncase virus and i think i got two different Ncase

Logfile of HijackThis v1.99.0
Scan saved at 11:44:04 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cheeyang\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F3 - REG:win.ini: load=???   ????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO:   - {43EECC68-FA34-4E71-A0CF-D840BB29EC37} - C:\WINDOWS\lbbho.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\zh-sg\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\zh-sg\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And one more thing is WindowserveAd a spyware or it is just a normal file and what file are spyware or adware which uses the name windows

[DavidR]

For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php then fix what is highlighted and get back to us again.

Or use Eddy's hijackthis analyser - Eddy's Website click the "HiJackThis Section" and also the "Malware removal instructions and applications" section.

[madzia]

hmm..HELP ME..i have this trojan..i can't remove them..i try destroy..help..help..i small speak english..

[dserkan]

hi

how can I clean this trojan I read your instructions
and installed hijackthis and hear log file what must ı do now?

Logfile of HijackThis v1.99.0
Scan saved at 10:39:20, on 13/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\essspk.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DOWNLOADS\ÇEŞİTLİ PROGRAMLAR\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ba?lantylar
O2 - BHO: KolayBAR PopUp Blocker - {1C4E26EF-A354-45FE-81B0-62931E90889E} - C:\PROGRA~1\KolayBAR\KBBLOC~1.DLL
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1055,&Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &KolayBAR - {04970F9F-F2AB-4D1E-B842-313E1E2A3078} - C:\PROGRA~1\KolayBAR\KolayBAR.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c1.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA0CAD1F-9031-4F2D-BF58-57FDFCD54327}: NameServer = 212.156.4.1,212.156.4.6
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Mantyksal Disk Yöneticisi Yönetim Hizmetleri - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[DavidR]

Read my previous post and use the links provided.