How to remove Win32/BHO.NCA trojan?

C:\WINDOWS\system32\blackbo.dll is infected with
Win32/BHO.NCA trojan.
This is an e-mail that alerts me for 10 days, from a friend station that some time I remote administering it. Two months before the infection, immediately after the os installation, there was installed: NOD32 last version-last update (daily update), Lavasoft, spybotsd, Hijackthis, spywareblaster. Despite of this, there is a Win32/BHO.NCA trojan, resident in the memory and infecting a dll, blackbo.dll.

I deactivated the system backup, my friend did a deep scan and clean with nod32, in safe mode (no remote access for me, I know could be activated but was a crisis situation) but the error is the same, I mean the dll is hooked by operation system.
I tried to stop all processes that I didn't know and tried to unregister and remove the registers. Denied.
There is a possibility for human error from my friend side when was in safe mode but personally I know what I did when I had the remote access. May you let me know, please, what software to use for keeping clean that system?
Thanks!

Emil

 

And another question:
Which is the best security combo software for XP professional sp2? I mean, excepting NOD32 that is already bought, my expenses to be resumed at 50USD?
Thank you for advices!

Emil

 

Download UnDll - the DLL removal utility from:
http://www.nod32.it/tools/undll.zip

It is great ESET Italy tool to unregister and remove dlls. Extract the file into new folder .

Run the exe file and follow the instructions (a.k.a. point the program to the infected dll , in your case C:\WINDOWS\SYSTEM32\blackbo.dll )

Follow the instructions , you may also need to reboot at the end


Re-enable System Restore!

 

Bad news..
Nothing is working..
That dll seems to be stuck with cianacrylate adhesive. No method is reliable.
Ah! Yes! To reinstall XP! Good idea, because my friend doesn't has the patience to download a linux with ntfs support to delete that dll. And he is veeeeery disappointed. Me too.. How do you suggest to feel myself after I promote to him so intensive the NOD32 antivirus and voila!

 

Download and install ESET Antivirus v3.0.621
http://www.eset.com/download/registered_software.php

You can either install over the top of your v2 product or perform clean install .

Version 3 has improved cleaning , so it may help you. Perform full scan from Computer scan -> Standart scan

It is not difficult to clean that trojan , there are many tools available , however I am not allowed to suggest them because of the fact Wilders doesn't provide malware cleaning services.

Should cleaning with v3 fails , contact ESET Romania for help:
http://www.eset.ro/support/index.php

 

Thanks Hitech!

It's pretty weird that this solution wasn't proposed from first time. It's possible to be too late to do this but, if my friend didn't reinstall XP, I let you know that, in fact, suggestions are not services; I'll don't ask anybody from wilderssecurity to clean remotely that computer. A forum's vocation is, among others, for giving free advices. If you know the solution for my problem, share it, please. Is not only for me. Or this forum is only for advertising?!

 

@ Emil

Emil , try installing ESET AV v.3 first and report back the results of what happened after you perform full scan with it + followed by a reboot . We'll see then

 

HT, is there any difference yet in cleaning ability with the default setting and the high setting. I only ask because if there is, Emil way want to do that. Thanks. Hang in there Emil, HT will get you through it.

 

Is cleaning in v3 that much different than in v2?

 

No . The default option and the strict cleaning is just a way EAV/ESS will perform the action (auto or sometimes manually) . The malware cleaning ability is something dependant on the engine , not on the user settings

 

Thanks to everybody for this effort!

Sorry, Paul, for my words and thanks for your sudden intervention. I know your dedication. Many times I thought I can you resist for so many years.


results:
I've installed the version 3.0 on that station which DIDN'T detect that malware, contrary to the previous version. I even can open it but can't rename or modify. I supposed that the memory was cleaned at reboot. BUT I couldn't delete it. I did reboot after some successive scans with full engagement of the engine skills and after I've programmed hijackthis to delete (again and again) the file on reboot. NOTHING. How do I know? I've tried to copy the file through hamachi and uvnc to my computer and my NOD (old version 2.7- I was lucky that I kept it) has popped up and couldn't do anything to the file but quarantined it. I did a submission..

Seriously, I begin to think at another antivirus program, even after my obsessive loyalty for nod32. There is no any blackmail. Just I'm pursuing the perfection of the security in my private network and seems that NOD32 can't help for now. May you have ANY OTHER suggestion that could save NOD's reputation and my friend's computer??

 

ComboFix can remove blackbo.dll (don't use ComboFix w/out an expert's supervision). You can also delete blackbo.dll thru the use of a boot floppy. Scanning with SAS and Prevx in safe mode wouldn't hurt as well.

thanatos

 

@Emil , try this


1. Download a program called The Avenger

2. Download this file and save it somewhere (e.g. on Desktop)

(in order to download and save trojd.txt on your hard drive , you may need to right click the link -> Save target as...)

3. Run the program avenger.exe

4. Choose "Load Script From File"

5. Press on the traffic light icon.Confirm

The computer will then reboot.After restart the malware files should be gone . The Avenger will inform you with a log text file you'll see after you reboot.This log should report that all infected files are eliminated.Using copy/paste , please put the log file into your next reply.


After this , if only the malware have eliminated Winsock (not sure but some does it) , you may need to repair Winsock

Repair Winsock
Windows XP SP2 and Windows Vista

Goto Start –> Run
type cmd and click OK.
Type netsh winsock reset
Press ENTER . Restart immediately !

N.B. ! There is a space between the commands , example netshSPACEwinsockSPACEreset
N.B. ! If you use Windows Vista , you must first run cmd as Administrator .


Hopefully that helps! Be patient , killing malware is not an easy task , as you can see

 

Detection for W32/BHO.NCA is added in sig updates 2851 and 2856 . V3 didn't detect the threat most likely because it coudn't update and it still uses 2740 - the updates that come with the installer of 3.0.621

Update!

 

Thanks HT!

I updated NOD32, you right, the detection has taken place.

Do you know the taste of humiliation? Maybe.. To push the button "leave" is one of the most humiliating things when I praised NOD32 to so many people and after I've installed it in the company where I worked and even a security company followed my advice and bought it for e-mail scanning..

So Kaspersky is my second antivirus that I'll bought. I know is offtopic but somebody have to know my bitterness..

I usually am very churlish with IT stuff, with only one exception: the attacks, no matter which kind. The attack represent a danger from a third party, not from my less skilled work. The attack must be stopped immediately! The consequences of late to stop an attack is known by everybody.
That's why I've chosen NOD32. Because I'm not patient with such kind of things. It helped me instantly! In 2004..

So, my dears, I very appreciate your effort. I don't say goodbye. Isn't so simple- I'll contact my NOD32 supplier and I have to do many changes in my mind and many experiments, but for sure my thoughts is switching to this competitor. This trojan has appeared almost 4 months ago!!


Consider bellowed postfactum logs for a further bettering of the NOD32

The log of the avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\efcyeodq

*******************

Script file located at: \??\C:\WINDOWS\system32\yeiwgnkj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\Windows\system32\blackbo.dll for deletion
Deletion of file C:\Windows\system32\blackbo.dll failed!

Could not process line:
C:\Windows\system32\blackbo.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

=================

the log of nod32:
<?xml version="1.0" encoding="utf-8" ?>
- <ESET>
- <LOG>
- <RECORD>
- <COLUMN NAME="Time">
<DATE>19.02.2008</DATE>
<TIME>14:45:19</TIME>
</COLUMN>
<COLUMN NAME="Scanner">Startup scanner</COLUMN>
<COLUMN NAME="Object">file</COLUMN>
<COLUMN NAME="Name">C:\WINDOWS\system32\blackbo.dll</COLUMN>
<COLUMN NAME="Threat">Win32/BHO.NCA trojan</COLUMN>
<COLUMN NAME="Action">error while</COLUMN>
<COLUMN NAME="User" />
<COLUMN NAME="Information" />
</RECORD>
</LOG>
</ESET>

 

Hi!

1) Download UPM 4 => http://down.secit.sk/ftp/programs/upm_4_0_0.zip

2) Extract archive to some folder

3) Run file _MAKE_LOG_EN.bat, which is located between extracted files

4) In the dialog window choose required items, choose folder, where the logfile will be saved and click OK

5) Text from log copy to message and send me to lukas[at]secit[dot]sk

 

Emil ,

Download Microsoft AutoRuns
http://download.sysinternals.com/Files/Autoruns.zip

Unzip AutoRuns in its own folder and start the exe file called autoruns.exe

1. Choose Options -> Hide Microsoft Entries
2. Choose File -> Refresh
3. Choose File -> Save as

Save the log file somewhere , then find it , open it , select it all and using Copy/Paste , place it here


Can you also perform complete scan with ESET Antivirus v3.0 (from Computer scan -> Standart scan) and ensure that EAV detects the threat and perform action against it . Reboot . I am asking because in your last post you say that detection have taken place but you don't mention anything about removing , scan , etc ...

 

Eset has a new tool that is an improvement on autoruns. It creates a report which you can email the report to Eset, It is called Eset SysInspector.


http://www.eset.com/esibeta/

 

Yes , it is really useful but it can only log , it cannot remove start-up entries , etc ...

 

HT,
Please read again my NOD32 report. Anyway I'll paste it again.

<?xml version="1.0" encoding="utf-8" ?>
- <ESET>
- <LOG>
- <RECORD>
- <COLUMN NAME="Time">
<DATE>19.02.2008</DATE>
<TIME>14:45:19</TIME>
</COLUMN>
<COLUMN NAME="Scanner">Startup scanner</COLUMN>
<COLUMN NAME="Object">file</COLUMN>
<COLUMN NAME="Name">C:\WINDOWS\system32\blackbo.dll</COLUMN>
<COLUMN NAME="Threat">Win32/BHO.NCA trojan</COLUMN>
<COLUMN NAME="Action">error while</COLUMN>
<COLUMN NAME="User" />
<COLUMN NAME="Information" />
</RECORD>
</LOG>
</ESET>

There is no taken action but Leave.

Thank you all of you for the conjugated effort. Unfortunately, it seems that my friend couldn't be online anymore. Maybe later I'll back with some information.

Emil