How to remove Win32/BHO.NCA trojan?

Discussion in 'NOD32 version 2 Forum' started by Emil, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    C:\WINDOWS\system32\blackbo.dll is infected with
    Win32/BHO.NCA trojan.
    This is an e-mail that alerts me for 10 days, from a friend station that some time I remote administering it. Two months before the infection, immediately after the os installation, there was installed: NOD32 last version-last update (daily update), Lavasoft, spybotsd, Hijackthis, spywareblaster. Despite of this, there is a Win32/BHO.NCA trojan, resident in the memory and infecting a dll, blackbo.dll.

    I deactivated the system backup, my friend did a deep scan and clean with nod32, in safe mode (no remote access for me, I know could be activated but was a crisis situation) but the error is the same, I mean the dll is hooked by operation system.
    I tried to stop all processes that I didn't know and tried to unregister and remove the registers. Denied.
    There is a possibility for human error from my friend side when was in safe mode but personally I know what I did when I had the remote access. May you let me know, please, what software to use for keeping clean that system?
    Thanks!

    Emil
     
  2. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    And another question:
    Which is the best security combo software for XP professional sp2? I mean, excepting NOD32 that is already bought, my expenses to be resumed at 50USD?
    Thank you for advices!

    Emil
     
  3. ASpace

    ASpace Guest


    Download UnDll - the DLL removal utility from:
    http://www.nod32.it/tools/undll.zip

    It is great ESET Italy tool to unregister and remove dlls. Extract the file into new folder .

    Run the exe file and follow the instructions (a.k.a. point the program to the infected dll , in your case C:\WINDOWS\SYSTEM32\blackbo.dll )

    Follow the instructions , you may also need to reboot at the end


    Re-enable System Restore!
     
  4. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Bad news..
    Nothing is working.. :(
    That dll seems to be stuck with cianacrylate adhesive. No method is reliable.
    Ah! Yes! To reinstall XP! Good idea, because my friend doesn't has the patience to download a linux with ntfs support to delete that dll. And he is veeeeery disappointed. Me too.. How do you suggest to feel myself after I promote to him so intensive the NOD32 antivirus and voila!
     
  5. ASpace

    ASpace Guest

    Download and install ESET Antivirus v3.0.621
    http://www.eset.com/download/registered_software.php

    You can either install over the top of your v2 product or perform clean install .

    Version 3 has improved cleaning , so it may help you. Perform full scan from Computer scan -> Standart scan

    It is not difficult to clean that trojan , there are many tools available , however I am not allowed to suggest them because of the fact Wilders doesn't provide malware cleaning services.

    Should cleaning with v3 fails , contact ESET Romania for help:
    http://www.eset.ro/support/index.php
     
  6. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Thanks Hitech!

    It's pretty weird that this solution wasn't proposed from first time. It's possible to be too late to do this but, if my friend didn't reinstall XP, I let you know that, in fact, suggestions are not services; I'll don't ask anybody from wilderssecurity to clean remotely that computer. A forum's vocation is, among others, for giving free advices. If you know the solution for my problem, share it, please. Is not only for me. Or this forum is only for advertising?!
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    As an exception to the rule, you are allowed to suggest those tools, provided you will take care of handling the issue at hand.

    Emil,

    Please refrain from even suggesting this. Have a look around and notice support is provided.

    regards,

    paul
     
  8. ASpace

    ASpace Guest

    @ Emil

    Emil , try installing ESET AV v.3 first and report back the results of what happened after you perform full scan with it + followed by a reboot . We'll see then
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    HT, is there any difference yet in cleaning ability with the default setting and the high setting. I only ask because if there is, Emil way want to do that. Thanks. Hang in there Emil, HT will get you through it.
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is cleaning in v3 that much different than in v2?
     
  11. ASpace

    ASpace Guest

    No . The default option and the strict cleaning is just a way EAV/ESS will perform the action (auto or sometimes manually) . The malware cleaning ability is something dependant on the engine , not on the user settings
     
  12. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Thanks to everybody for this effort!

    Sorry, Paul, for my words and thanks for your sudden intervention. I know your dedication. Many times I thought I can you resist for so many years.


    results:
    I've installed the version 3.0 on that station which DIDN'T detect that malware, contrary to the previous version. I even can open it but can't rename or modify. I supposed that the memory was cleaned at reboot. BUT I couldn't delete it. I did reboot after some successive scans with full engagement of the engine skills and after I've programmed hijackthis to delete (again and again) the file on reboot. NOTHING. How do I know? I've tried to copy the file through hamachi and uvnc to my computer and my NOD (old version 2.7- I was lucky that I kept it) has popped up and couldn't do anything to the file but quarantined it. I did a submission..

    Seriously, I begin to think at another antivirus program, even after my obsessive loyalty for nod32. There is no any blackmail. Just I'm pursuing the perfection of the security in my private network and seems that NOD32 can't help for now. May you have ANY OTHER suggestion that could save NOD's reputation and my friend's computer??
     
  13. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
  14. ASpace

    ASpace Guest

    @Emil , try this


    1. Download a program called The Avenger

    2. Download this file and save it somewhere (e.g. on Desktop)

    (in order to download and save trojd.txt on your hard drive , you may need to right click the link -> Save target as...)

    3. Run the program avenger.exe

    4. Choose "Load Script From File"

    5. Press on the traffic light icon.Confirm

    The computer will then reboot.After restart the malware files should be gone . The Avenger will inform you with a log text file you'll see after you reboot.This log should report that all infected files are eliminated.Using copy/paste , please put the log file into your next reply.


    After this , if only the malware have eliminated Winsock (not sure but some does it) , you may need to repair Winsock

    Repair Winsock
    Windows XP SP2 and Windows Vista

    Goto Start –> Run
    type cmd and click OK.
    Type netsh winsock reset
    Press ENTER . Restart immediately !

    N.B. ! There is a space between the commands , example netshSPACEwinsockSPACEreset
    N.B. ! If you use Windows Vista , you must first run cmd as Administrator .



    Hopefully that helps! Be patient , killing malware is not an easy task , as you can see :thumb:
     
  15. ASpace

    ASpace Guest


    Detection for W32/BHO.NCA is added in sig updates 2851 and 2856 . V3 didn't detect the threat most likely because it coudn't update and it still uses 2740 - the updates that come with the installer of 3.0.621

    Update!
     
  16. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Thanks HT!

    I updated NOD32, you right, the detection has taken place.

    Do you know the taste of humiliation? Maybe.. To push the button "leave" is one of the most humiliating things when I praised NOD32 to so many people and after I've installed it in the company where I worked and even a security company followed my advice and bought it for e-mail scanning..

    So Kaspersky is my second antivirus that I'll bought. I know is offtopic but somebody have to know my bitterness..

    I usually am very churlish with IT stuff, with only one exception: the attacks, no matter which kind. The attack represent a danger from a third party, not from my less skilled work. The attack must be stopped immediately! The consequences of late to stop an attack is known by everybody.
    That's why I've chosen NOD32. Because I'm not patient with such kind of things. It helped me instantly! In 2004..

    So, my dears, I very appreciate your effort. I don't say goodbye. Isn't so simple- I'll contact my NOD32 supplier and I have to do many changes in my mind and many experiments, but for sure my thoughts is switching to this competitor. This trojan has appeared almost 4 months ago!!


    Consider bellowed postfactum logs for a further bettering of the NOD32

    The log of the avenger:
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\efcyeodq

    *******************

    Script file located at: \??\C:\WINDOWS\system32\yeiwgnkj.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    Could not open file C:\Windows\system32\blackbo.dll for deletion
    Deletion of file C:\Windows\system32\blackbo.dll failed!

    Could not process line:
    C:\Windows\system32\blackbo.dll
    Status: 0xc0000022


    Completed script processing.

    *******************

    Finished! Terminate.

    =================

    the log of nod32:
    <?xml version="1.0" encoding="utf-8" ?>
    - <ESET>
    - <LOG>
    - <RECORD>
    - <COLUMN NAME="Time">
    <DATE>19.02.2008</DATE>
    <TIME>14:45:19</TIME>
    </COLUMN>
    <COLUMN NAME="Scanner">Startup scanner</COLUMN>
    <COLUMN NAME="Object">file</COLUMN>
    <COLUMN NAME="Name">C:\WINDOWS\system32\blackbo.dll</COLUMN>
    <COLUMN NAME="Threat">Win32/BHO.NCA trojan</COLUMN>
    <COLUMN NAME="Action">error while</COLUMN>
    <COLUMN NAME="User" />
    <COLUMN NAME="Information" />
    </RECORD>
    </LOG>
    </ESET>
     
  17. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    1) Download UPM 4 => http://down.secit.sk/ftp/programs/upm_4_0_0.zip

    2) Extract archive to some folder

    3) Run file _MAKE_LOG_EN.bat, which is located between extracted files

    4) In the dialog window choose required items, choose folder, where the logfile will be saved and click OK

    5) Text from log copy to message and send me to lukas[at]secit[dot]sk

    :thumb:
     
  18. ASpace

    ASpace Guest

    Emil ,

    Download Microsoft AutoRuns
    http://download.sysinternals.com/Files/Autoruns.zip

    Unzip AutoRuns in its own folder and start the exe file called autoruns.exe

    1. Choose Options -> Hide Microsoft Entries
    2. Choose File -> Refresh
    3. Choose File -> Save as

    Save the log file somewhere , then find it , open it , select it all and using Copy/Paste , place it here


    Can you also perform complete scan with ESET Antivirus v3.0 (from Computer scan -> Standart scan) and ensure that EAV detects the threat and perform action against it . Reboot . I am asking because in your last post you say that detection have taken place but you don't mention anything about removing , scan , etc ...
     
    Last edited by a moderator: Feb 19, 2008
  19. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Eset has a new tool that is an improvement on autoruns. It creates a report which you can email the report to Eset, It is called Eset SysInspector.


    http://www.eset.com/esibeta/
     
  20. ASpace

    ASpace Guest


    Yes , it is really useful but it can only log , it cannot remove start-up entries , etc ...
     
  21. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    HT,
    Please read again my NOD32 report. Anyway I'll paste it again.

    <?xml version="1.0" encoding="utf-8" ?>
    - <ESET>
    - <LOG>
    - <RECORD>
    - <COLUMN NAME="Time">
    <DATE>19.02.2008</DATE>
    <TIME>14:45:19</TIME>
    </COLUMN>
    <COLUMN NAME="Scanner">Startup scanner</COLUMN>
    <COLUMN NAME="Object">file</COLUMN>
    <COLUMN NAME="Name">C:\WINDOWS\system32\blackbo.dll</COLUMN>
    <COLUMN NAME="Threat">Win32/BHO.NCA trojan</COLUMN>
    <COLUMN NAME="Action">error while</COLUMN>
    <COLUMN NAME="User" />
    <COLUMN NAME="Information" />
    </RECORD>
    </LOG>
    </ESET>

    There is no taken action but Leave.

    Thank you all of you for the conjugated effort. Unfortunately, it seems that my friend couldn't be online anymore. Maybe later I'll back with some information.

    Emil
     
Thread Status:
Not open for further replies.