Can't get rid of NcaseSpy

For several days, each time I power on my PC, I have had a warning from Avast, “Virus was found”; this time NcaseSpy is in C:\windows\ynydonsd.exe.tmp. Each time a new exec file is corrupted. I scanned and deleted DCx.tmp in various directories (found by Avast Cleaner) but obviously there is still a ‘root’ of the worm in my system.

Avast protects my system properly from a lot of incoming ‘infected mail’, but I can’t get rid of this NcaseSpy.

What should I do?

Thanks.

Scan for the worm at trend micro http://housecall.trendmicro.com

Report to me the FULL path of all infected files it finds and the names of the viruses it finds. I can then give you the instructions to remove it using F-Secure’s tool.

Hello,
I ran AVEU847 from http://housecall.trendmicro.com

It found AGOBOT (and deleted it); hereunder is the path:

Load Damage Cleanup Template (DCT) “C:\Documents and Settings\JF\Mes documents\Antivirus\AVEU847\tsc.ptn” (version 306) [success]
WORM_AGOBOT-2[virus found]

This morning when I booted, I had again Ncasespy with the file
c:\windows\etwniz.exe.tmp

Thanks.

I tried to re-run sysclean.com and got an alert from Avast with new infected files in the same directory:

readme.txtz
sysclean.exezz
tsc.binz
tsc.iniz
tsc.ptnz
vsapi32.dllz

Jeff-
If it is agobot, update windows!!! update! update! update!
Read:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SY

I cannot stress how important it is to keep your system updated. I assume you are using XP. Set avast to do a boot scan. The following is from Trend: (if you don’t want to look!)

"This memory-resident worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
RPC Locator vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-001.asp

It attempts to log on to systems using a predefined list of user names and passwords. It also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes and dropped files by other malware. It also steals CD keys of certain game applications.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager.
On Windows 95/98 systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
SYSCONF.EXE

Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Video Process = “sysconf.exe”
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Video Process = “sysconf.exe”
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Removing the Malware Entries in the HOSTS file

Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.

Open the following file using a text editor such as Notepad.
%System%\drivers\etc\HOSTS
Delete the following entries:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
Save the file HOSTS and close the text editor.
Note: %System% is the Windows System folder, which is usually C:\Windows\System or C:\WINNT\System32. "

Then, after all that (whew):
disable system restore and restart
run avast
restart and run avast again
run trend micro again
use a firewall (not just the one in XP)
keep windoze and avast up to date
use a spam blocker
lock down avast
install Spybot Search+Destroy(use the immunize tool)
install Spyware Blaster(use in conjunction w\Spybot)
learn “safe hex”
just a note-
Microsoft announced that they estimate 8 million computers infected with the Blaster worm.
Thanks Bill !!!
-max
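A check for the HOSTS-file hijack described in the Trend Micro write-up quoted above, added here as an example and not code from the thread or from Trend Micro: it scans HOSTS text for antivirus vendor domains pinned to a loopback or unspecified address and returns both the findings and a cleaned copy. The vendor list is taken from the entries quoted above; the sample HOSTS content is constructed.

```python
"""Flag HOSTS-file entries that redirect antivirus vendor sites to the local machine.

Added example, not from the forum thread; SAMPLE_HOSTS is a constructed file.
"""
import ipaddress

# Vendor domains from the Agobot write-up quoted above. Any host under one of
# these is an antivirus or update site that should never resolve locally.
AV_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com", "my-etrust.com",
    "ca.com", "networkassociates.com", "avp.com", "kaspersky.com",
    "f-secure.com", "viruslist.com", "symantecliveupdate.com", "sophos.com",
)

# Constructed sample: two normal entries, one LAN host, four hijacked lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.0.10    fileserver
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 download.mcafee.com
127.0.0.1 www.sophos.com   # added by malware
"""

def is_av_host(hostname: str) -> bool:
    """True if hostname is one of the vendor domains or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in AV_DOMAINS)

def is_local(addr: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # not an IP at all; treat as harmless
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text: str):
    """Return (suspicious, cleaned). suspicious is a list of (line_no, ip, host)
    for every vendor host pinned locally; cleaned is the HOSTS text without
    those lines (comments, localhost and ordinary LAN entries are kept)."""
    suspicious, kept = [], []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # strip trailing comment
        hijacked = [h for h in fields[1:] if is_av_host(h)]
        if len(fields) >= 2 and is_local(fields[0]) and hijacked:
            suspicious.extend((no, fields[0], h) for h in hijacked)
            continue                                 # drop the hijack line
        kept.append(line)
    return suspicious, "\n".join(kept) + "\n"

if __name__ == "__main__":
    for no, ip, host in audit_hosts(SAMPLE_HOSTS)[0]:
        print(f"line {no}: {ip} -> {host} (antivirus site pinned to local machine)")
```

On a real system the file to read is %System%\drivers\etc\HOSTS as the write-up says; the cleaned text is what you would write back after reviewing the findings.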

I do update every time I receive a msg from Windows.
There are no ‘critical’ updates required by Windows (checked today).
The only updates that I haven’t done are:

KB833998 to buy music online, which I don’t do
KB826942 for Wifi that I don’t use
Microsoft .NET Framework version 1.1, français

Now I’m going to spend some time to understand and do your long to-do list!!!

Thanks for your help.

keep windoze updated
Max has seen the light!!!!!!!! Now if we can just get you to a nice new Power Mac G5 ;D

It is not only a WindowsUpdate problem, but also of weak passwords…

At least:
ALL passwords/PINs etc etc. used/entered on this PC should be changed immediately.
And additional (online) scanners should be used to test for hidden malware

The system is compromised, so if the PC is used for privacy-related stuff, or the data on it is valuable, it should be reinstalled from scratch:

  • Data backup
  • Format C:
  • Reinstall windows
  • Apply ServicePacks & newer Patches OFFLINE
  • Secure WIN, IE etc…
    :wink:

Hey Mac-
send me a mac and I will learn to love it !!!
I don’t have a lot of money (fixed income)
I have built 4 PCs from parts that I got from people getting new 'puters. Have spent very little and built a 667 MHz 512 RAM XP Pro, a 300 Cyrix 128 RAM 98SE
and a 233 MHz 128 RAM ME. All run pretty smooth now- lol
I still have a lot to learn!!! Finally got home network up and running. I networked 3 using the XP machine as NAT router with cable modem. Updated the modem drivers from windoze update and it wouldn’t work after! thanx BILL!! (had to roll back to old drivers)
I would love someone to give me a Mac to try out!!!
-max

Max, I sent you an instant message so the moderators won’t jump on us :wink:

Yesterday I couldn’t find any sysconf.exe in the Task Manager/Processes tab.
I double-checked with http://housecall.trendmicro.com and Panda ActiveScan online.
None of them found any virus.

This morning I powered on my PC and got a message from Avast:
Virus found Win32:NCaseSpy C:\Windows\vabyn.exe.tmp (VPS 0404-2) 04/05/2004.

(I have an ADSL line which starts automatically when I log on)

I checked in the Task Manager/Processes tab and I couldn’t find any sysconf.exe in it!

?!?

Thanks.

I’m beginning to think that AVAST is yielding false NcaseSpy positives in some cases. It’s reported it on several boots, but http://housecall.microtrends doesn’t turn up the virus, and neither did a scan with Trojan Remover.

However, it does report it like it’s an infection (in a different file on each boot, even AFTER running the scans, and running Avast’s virus cleaner as well.)

Any ideas anyone? Should I just format the whole drive and start over?

(I can’t seem to find any information on Ncasespy as well, as far as what it attacks, how it registers itself, etc.)

For one week I have been trying to understand better how it works.

It seems that there is no resident worm, since I checked with all available tools and found no alert.

I tried not connecting to the net for one full day => no virus was detected.

But each time I boot (and connect to the net via ADSL), in less than one minute I have an alert from AVAST with a new xxxxx.exe.tmp file,
which I move to the chest.

I checked against a previous list of all my files in c:\windows: none of the detected infected files xxxxx.exe was in the directory before the connection.

=> I believe that I have no virus active in my system, but each time I connect one infected file is sent (by whom?). It is not related to any apparent mail.

Thanks if anyone has any idea from this information.

I have the same problem. NcaseSpy is only detected by Avast. Other computers on my network or other users on the “infected” machine don’t get any warnings.
When I get a warning and I click on "send message to Avast to help…" then I get redirected to a website advertising other anti-virus software.
But I still don’t know how to get rid of it.

Well I think I found the solution.

http://www.doxdesk.com/parasite/nCase.html

or even better:

http://www.safer-networking.org/

Jeff,

If you want an easy way out of this mess, and I guess you have learned your mistake, all you can do is kill your HD; I mean it is time to reformat your computer from scratch, as it is going to get harder to do it the manual cleaning way.

The safest way is what I do, and it always works; it is up to you to take my advice. I have never had 1 single bloody virus or trojan on my HD for 4 years straight.

Here is my advised safe list.

  1. It is time to kill your HD, meaning FDISK or REFORMAT.

  2. When all your drives are dead clean and reformatted.

  3. Install your MS Operating System (recommend Windows XP Pro).

  4. Set your Internet up; don’t install the firewall yet, trust me.

  5. When you have finished your OS and your Internet connection, go STRAIGHT to MS Windows Update and get all the Critical Updates and Service Packs, I mean all of it, 100%.

  6. When all your Critical Updates and Service Packs are installed 100%, then you can install your firewall. I strongly recommend ZoneAlarm free version, or buy the Pro version.

  7. After the firewall is installed, the following list:

a) Avast 4 Home or Avast 4 Pro, you pick; get the latest patch and check for viruses, and run TrendMicro HouseCall free online virus checking to make sure you are all clear, 100% free from viruses and trojans.

b) Ad-aware; get the latest patch and kill everything, trust me.

c) Spybot - Search & Destroy v1.2; get the latest patch and kill everything, trust me.

d) You pick your Popup Ad stopper; I recommend PopupCop v2.0.3.20 (This is the best software, you won’t be sorry).

e) SpywareBlaster v3.1; get the latest patch and enable all protection.

f) SpywareGuard v2.2; get the latest patch and enable all protection.

g) HijackThis v1.97.7; just save the log, then copy and paste the log on the Avast Forum for someone to check your HijackThis log.

  8. Once everything is back to normal and all clear from viruses and trojans, you can now install all your everyday-used software the way you had it. If you need to add Spam protection software for email, go ahead.

  9. Check for viruses again; run Avast and HouseCall to see if it is 100% all clear.

  10. Install Norton Ghost and back everything up on your CDs, because you have the cleanest software and safest backup just in case you might get hit again.

That is my strongest advice, and believe me, I have never had 1 single bloody virus or trojan on my HD for 4 years straight.

It is your choice to trust me or not; I am just trying to help you protect your PC without any problems.

Jeff, I recommend you trust speedyPC. He knows his antivirus stuff :)