NCase

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Summary:	Loads at boot, and runs throughout your computing session, displaying advertising. May disable FlashTrack (a competing product) if it is found to be running.
Vendor Notes:	180Solutions has developed the largest Comparison Alternative Shopping Engine ever assembled. Our n-CASE software provides users with real-time comparison-shopping sources as they search for products and services online. 180Solutions, Inc. was founded in June of 1999 with one mission: To create technologies that deliver the right marketing message to the right people at the right time. Targeted, contextual marketing. If we developed technologies that target marketing messages properly -- then marketing would become honed, applicable content. The end result is that the user would appreciate the targeted content, and the advertiser would have a significantly improved return on investment. Over the past three years, we have worked hard developing technologies that fulfill our mission. n-CASE, and its supporting suite of technologies, is the result of that dedication. "Please be advised that all 180solutions applications are permission based installations requiring the user to explicitly accept the 180solutions End user License Agreement. 180solutions software does not collect or track any personally identifiable information. 180solutions' software also does not transmit information to any third parties. Our software is visible in the user's desktop computing environment clearly identifying itself in the listing of installed programs. Therefore, our applicaiton fails to meet the commercial standard for spyware as described in the Code of Back Channel Conduct." - Keith Smith, CEO, 180solutions, personal communication.
Alias:	Adware/nCase [Panda], n-CASE, Spyware/Dyfuca [Panda], TrojanDownloader.Win32.Dyfuca.g [Kaspersky], Trojan-Dropper.Win32.180Solutions.a [Kaspersky], Win32/Dyfuca.g!Trojan [Computer Associates]
See Also:	FavoriteMan · FlashTrack
Category:	Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product. Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page. Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.
Variants:	NCase.Alert NCase.Inst NCase.msbb
Similar Pests:	Hijacker · Adware · Browser Helper Object · Downloader
Origins
Group:	180solutions
Vendor:	180Solutions, Inc. was founded in June of 1999 with one mission: To create technologies that deliver the right marketing message to the right people at the right time. Targeted, contextual marketing. If we developed technologies that target marketing messages properly -- then marketing would become honed, applicable content. The end result is that the user would appreciate the targeted content, and the advertiser would have a significantly improved return on investment. Over the past three years, we have worked hard developing technologies that fulfill our mission. n-CASE, and its supporting suite of technologies, is the result of that dedication. We own the largest and easiest to use Comparison Shopping Network ever created, now with over 16 million users. The majority of our distribution comes by partnering with developers and providers of widely distributed, consumer-oriented software. By partnering with software providers, and bundling our n-CASE software (just over 100k in size) with other downloadable software applications, we provide our Distribution Partners with a critical revenue stream. When bundled with other software products, we don't charge the user for our software - and instead offer it to the consumer for free to install if they desire (a $4.99 value). Once installed, we provide the user with contextually based shopping alternatives which then generate money for us based on our partnerships with the comparison shopping sources. We can then either share with you a percentage of the revenue generated from your users, or pay you a flat fee per install, whichever you prefer. Our experience has shown that our software provides a valuable service to the end-user, and equally important it creates a new and vital revenue stream for our distribution partners.
By This Group:	180Solutions ·
Mailing Address:	180solutions, 5110 Carilon Point, Kirkland WA 98033
Phone:	425-522-1200. fax: 425-522-1199
EMail:	privacy@180solutions.com
URL:	http://www.180solutions.com/
Date of Origin:	January, 2003
Distribution
Distribution:	nCase.Inst is an ActiveX drive-by installer that will load nCase.msbb. This installer may be built into ads at some web sites. nCase is also bundled with many applications, including file sharing programs, FavoriteMan, and BookedSpace.
Prevalence:	NCase: 67.2% More Info
Clot Factor:	NCase: 3 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	NCase: Insufficient data to report growth
Operation
Advertising:	Yes. Delivers targeted ads based on both urls entered and keywords within those urls. Will also display non-targeted ads when your browser is not in use.
Storage Required:	NCase: at least 11257 KB
Browser Performance:	Likely to slow performance of Internet Explorer.
Risks
Privacy Issues:	Yes. When you enter a URL or keyword that is passed to the nCase server (bis.180solutions.com), a unique identifier is also sent to that server, so that your web usage may be tracked. According to some authorities, may also transmit your e-mail address, real name, and zip code from information stored in your registry.
Privacy Policy:	http://www.180solutions.com/PrivacyPolicy.aspx
Security Issues:	Yes. nCase can silently download and run code from its servers, as an "update" feature.
Productivity Issues:	Yes. May slow IE at startup.
Stability Issues:	Yes. In older systems lacking wininet.dll, may generate the error "msbb.exe file is linked to the missing export wininet.dll" There are also some reports of page fault errors.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Vigorously resists removal. If you try deleting the obvious files, you will get a popup warning, as shown. n-Case runs nCase.Alart, whose sole purpose is to monitor for removal attempts. This monitor might be invoked by a discrete entry at HKLM/software/Microsoft/Windows/Current Version/Run/ZXLEXTMIK with a value of c:\windows\zxlextmik.exe The name of this will vary from instance to instance. Instructions from the 180solutions site: Click on the Start button in the bottom left-hand corner of your screen. Move your mouse to Settings. Click on Control Panel. On the control panel, double-click Add/Remove Programs. Scroll down until you find Interstitial Ad Delivery by n-CASE or n-CASE. Click on the entry, then on the Change/Remove button. A dialog box will appear asking you to confirm that you want to disable ad delivery or remove n-CASE. [As noted above, doing this may cause the associated downloaded application to cease operating.] Click YES to proceed You will no longer receive n-CASE interstitial advertisements. In the Add/Remove Programs list, select n-CASE or PAD Lookups by n-CASE If neither of these entries is present in your Add/Remove Programs list, n-CASE has already been uninstalled.
	Stop Running Processes: Kill these running processes with Task Manager: c:\temp\ncasepackage.exe delmsbb.exe elrubiovy.exe ncaseadsuninstaller.exe ncaseuninstaller.exe op.exe optimize.exe profilepath+\application data\msbb.exe profilepath+\fleok\msbb.exe profilepath+\local settings\temporary internet files\content.ie5\wv5ruyr9\msbb[1].exe programfilesdir+\blue haven media\kazoom\fleok\msbb.exe programfilesdir+\blue haven media\kazoom\msbb.exe programfilesdir+\hotbar\bin\4.3.6.0\hbinst.exe programfilesdir+\hotbar\bin\4.3.6.0\hbsrv.exe programfilesdir+\n-case\fleok\msbb.exe programfilesdir+\ncase\msbb.exe programfilesdir+\n-case\msbb.exe programfilesdir+\rosoft\audio tools\msbb.exe rosoftlameencoderlimited.exe s4setp.exe systemroot+\aknqux.exe systemroot+\cjq.exe systemroot+\fleok\msbb.exe systemroot+\fmtahovc.exe systemroot+\ggbilw.exe systemroot+\ghrxblvci.exe systemroot+\ivdn.exe systemroot+\neuobsiz.exe systemroot+\qtw.exe systemroot+\rym.exe systemroot+\system32\fleok\msbb.exe systemroot+\system32\msbb.exe systemroot+\twxcd.exe webassist.exe
	Remove AutoRun Reference: Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\aknqux, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ghrxblvci, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ivdn, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rjw, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rym, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\twxcd, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\zxlextmik, delete it and reboot the machine immediately. If you find the value HKEY_USERS\s-1-5-21-725345543-1078145449-1343024091-500\software\microsoft\windows\currentversion\run\msbb, delete it and reboot the machine immediately.
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: ddmp.dll efmcnfyu.dll ncaselib.dll profilepath+\application data\ncmyb.dll profilepath+\ncmyb.dll programfilesdir+\blue haven media\kazoom\ncmyb.dll programfilesdir+\hotbar\bin\4.3.6.0\hbcoresrv.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostie.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostoe.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostol.dll programfilesdir+\hotbar\bin\4.3.6.0\hbtoolbar.dll programfilesdir+\murasu systems\anjal2000\a2ksertl.dll programfilesdir+\n-case\msbbhook.dll programfilesdir+\ncase\ncmyb.dll programfilesdir+\n-case\ncmyb.dll systemroot+\downloaded program files\ncaseinstaller.dll systemroot+\system32\ncmyb.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CLASSES_ROOT\clsid\{6eb5b540-1e74-4d91-a7f0-5b758d333702} HKEY_CLASSES_ROOT\ncaseinstaller.ncaseinstaller HKEY_CLASSES_ROOT\ncaseinstaller.ncaseinstaller.1 HKEY_CLASSES_ROOT\typelib\{18dd1792-64fb-42db-acbe-435c598045f4} HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6eb5b540-1e74-4d91-a7f0-5b758d333702} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\aknqux HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ghrxblvci HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ivdn HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rjw HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rym HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\twxcd HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\zxlextmik HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\ncaseinstaller.dll HKEY_LOCAL_MACHINE\typelib\{6eb5b540-1e74-4d91-a7f0-5b758d333702} HKEY_USERS\.default\software\180solutions HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\180solutions HKEY_USERS\s-1-5-21-1960408961-1993962763-1343024091-1003\software\180solutions HKEY_USERS\s-1-5-21-725345543-1078145449-1343024091-500\software\180solutions HKEY_USERS\s-1-5-21-725345543-1078145449-1343024091-500\software\microsoft\windows\currentversion\run\msbb HKEY_USERS\s-1-5-583907252-823518204-839522115-1003\software\180solutions
	Remove Files: Remove these files (if present) with Windows Explorer: c:\temp\ncasepackage.exe ddmp.dll delmsbb.exe efmcnfyu.dll elrubiovy.exe fiz1 gatorcontact.log iconadd.log inctrl.log install.html kyf.dat license-rosoft-adware.txt msbb.exe-1fca2923.pf msbb.exe-2017b63e.pf msbb_kyf.dat ncaseadsuninstaller.exe ncaselib.dll ncaseuninstaller.exe nt.bat op.exe optimize.exe popup.log profilepath+\application data\msbb.exe profilepath+\application data\ncmyb.dll profilepath+\fleok\msbb.exe profilepath+\local settings\temporary internet files\content.ie5\wv5ruyr9\msbb[1].exe profilepath+\ncmyb.dll programfilesdir+\blue haven media\kazoom\fleok\msbb.exe programfilesdir+\blue haven media\kazoom\msbb.exe programfilesdir+\blue haven media\kazoom\ncmyb.dll programfilesdir+\ebatesmoemoneymaker\system\code\n.class programfilesdir+\hotbar\bin\4.3.6.0\hbcoresrv.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostie.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostoe.dll programfilesdir+\hotbar\bin\4.3.6.0\hbhostol.dll programfilesdir+\hotbar\bin\4.3.6.0\hbinst.exe programfilesdir+\hotbar\bin\4.3.6.0\hbsrv.exe programfilesdir+\hotbar\bin\4.3.6.0\hbtoolbar.dll programfilesdir+\hotbar\bin\4.3.6.0\install.scr programfilesdir+\murasu systems\anjal2000\a2ksertl.dll programfilesdir+\n-case\fleok\msbb.exe programfilesdir+\ncase\msbb.exe programfilesdir+\n-case\msbb.exe programfilesdir+\n-case\msbbhook.dll programfilesdir+\ncase\ncmyb.dll programfilesdir+\n-case\ncmyb.dll programfilesdir+\rosoft\audio tools\msbb.exe riviera gold casino!.url riviera gold casino.url rosoftlameencoder.chm rosoftlameencoderlimited.exe s4setp.exe spam.html systemroot+\aknqux.exe systemroot+\cjq.exe systemroot+\downloaded program files\ncaseinstaller.dll systemroot+\downloaded program files\ncaseinstaller.inf systemroot+\fleok\msbb.exe systemroot+\fmtahovc.exe systemroot+\ggbilw.exe systemroot+\ghrxblvci.exe systemroot+\ivdn.exe systemroot+\neuobsiz.exe systemroot+\qtw.exe systemroot+\rym.exe systemroot+\system32\fleok\msbb.exe systemroot+\system32\msbb.exe systemroot+\system32\ncmyb.dll systemroot+\twxcd.exe uninstall.log webassist.exe
	Remove Directories: Remove these directories (if present) with Windows Explorer: profilepath+\fleok programfilesdir+\ncase programfilesdir+\n-case programfilesdir+\rosoft\audio tools systemroot+\fleok
	Restore Settings: After following the instructions above, you will still need to restore your original settings and prevent this from happening again. Here''s how.
Research
File Analyses:	NCase: ddmp.dll · delmsbb.exe · efmcnfyu.dll · elrubiovy.exe · fiz1 · gatorcontact.log · iconadd.log · inctrl.log · install.html · kyf.dat · license-rosoft-adware.txt · msbb.exe · msbb.exe-1fca2923.pf · msbb.exe-2017b63e.pf · msbb_kyf.dat · ncaseadsuninstaller.exe · ncaseinstaller.dll · ncaseinstaller.inf · ncaselib.dll · ncasepackage.exe · ncaseuninstaller.exe · ncmyb.dll · nt.bat · op.exe · optimize.exe · popup.log · riviera gold casino!.url · riviera gold casino.url · rosoftlameencoder.chm · rosoftlameencoderlimited.exe · s4setp.exe · spam.html · uninstall.log · webassist.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	Andrew Clover PestPatrol's Pest Research Center
Last Revised:	April 03, 2005

NCase

· Overview · · Origins · · Distribution · · Operation · · Risks · · Detection and Removal · · Research ·

Overview

Summary:

Vendor Notes:

Alias:

See Also:

Category:

Variants:

Similar Pests:

Origins

Group:

Vendor:

By This Group:

Mailing Address:

Phone:

EMail:

URL:

Date of Origin:

Distribution

Distribution:

Prevalence:

Clot Factor:

Growth:

Operation

Advertising:

Storage Required:

Browser Performance:

Risks

Privacy Issues:

Privacy Policy:

Security Issues:

Productivity Issues:

Stability Issues:

Detection and Removal

Automatic Removal:

Manual Removal:

Research

File Analyses:

More Info:

Research By:

Last Revised:

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·