Adware Reports malware removal guides and threat research Updated security instructions for Windows users
Home/Malware
Threat report

Should I remove “Win32/BHO.NYJ”?

Published Apr 25, 2024 Malware category 3 min read
Report context

What to verify before removal

This report keeps Should I remove “Win32/BHO.NYJ”? in the active library because the detection has enough technical context to support a careful second-opinion scan and cleanup decision.

Start by comparing the local file name with E770BAB6DCFBB635E86A.mlw, then review the behavior notes for persistence entries, dropped files, unusual processes, and browser or network changes. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file
E770BAB6DCFBB635E86A.mlw
  • Compare the suspicious file name with E770BAB6DCFBB635E86A.mlw.
  • Confirm the detection name matches Should I remove “Win32/BHO.NYJ”? before removing related files.
  • Review the report for persistence entries, dropped files, unusual processes, and browser or network changes so the cleanup is based on observed behavior, not only the label.
  • Run a full scan, quarantine confirmed detections, and restart before signing back in to sensitive accounts.

The Win32/BHO.NYJ is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What Win32/BHO.NYJ virus can do?

  • A file was accessed within the Public folder.
  • Sample contains Overlay data
  • Reads data out of its own binary image
  • Drops a binary and executes it
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • Authenticode signature is invalid
  • CAPE detected the embedded win api malware family
  • Yara detections observed in process dumps, payloads or dropped files

How to determine Win32/BHO.NYJ?



File Info:

name: E770BAB6DCFBB635E86A.mlw
path: /opt/CAPEv2/storage/binaries/7ed443ea22dd06833d9ac4967e45bb14b03f07b07fa40bd1ac0ba559571b3237
crc32: D5C284CD
md5: e770bab6dcfbb635e86a6e8f77a1ea90
sha1: 6eb18cb73b0af7b2c3128eaa438a4d72f054b886
sha256: 7ed443ea22dd06833d9ac4967e45bb14b03f07b07fa40bd1ac0ba559571b3237
sha512: f85c5c4232e724edc291dce1ced4a337ee909b5adcd1b464588c23baa95f2e18f75b5a5194dea5a11be460696257d8f24a57e8bdc165a3e64fe2dcf10ca23034
ssdeep: 12288:PmiZ25tazVGo5IraX5mseKl/h8oxshwKulC0NZaweeEHgcVxiqb5CjzG:Pmb5ta7ShseSshw9C0nshnUqb5Cj
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T142E422287D96C305E4412C786DB240C25BBDBDA739D0544FEF38BB1EB6B01AC5A94C7A
sha3_384: 0906051d768e082a7a974d1ef2d90b0647f92074d17896af9c4144fe8eab551bed08e9c29689cafca2dfc2ce76ba7cb2
ep_bytes: 558bec6aff689061400068703b400064
timestamp: 2002-02-06 20:54:53


Version Info:

Comments: This setup code is the property of Indigo Rose Corporation
CompanyName: Indigo Rose Corporation http://www.indigorose.com
FileDescription: Setup Factory 6.0 Setup Launcher
FileVersion: 6.0.0.3
InternalName: setup
LegalCopyright: 版权所有 (c) 2001 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFilename: setup.exe
PrivateBuild: 
ProductName: setup
ProductVersion: 6.0.0.3
SpecialBuild: 
Translation: 0x0409 0x04e4

Win32/BHO.NYJ also known as:

Bkav W32.Common.94E22D74
AVG Win32:Trojan-gen
DrWeb Trojan.MulDrop3.59533
FireEye Generic.mg.e770bab6dcfbb635
Skyhigh BehavesLike.Win32.Dropper.jc
McAfee Artemis!E770BAB6DCFB
Cylance unsafe
Sangfor Dropper.Win32.Agent.Vi5h
K7AntiVirus Trojan ( 004d02e81 )
Alibaba Trojan:Win32/Generic.c039a8d5
K7GW Trojan ( 004d02e81 )
BitDefenderTheta AI:Packer.CD53464220
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/BHO.NYJ
Cynet Malicious (score: 99)
Paloalto generic.ml
ClamAV Win.Trojan.Agent-687932
Kaspersky UDS:DangerousObject.Multi.Generic
NANO-Antivirus Trojan.Win32.VB2.bbttfm
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Generic.Bujl
F-Secure Dropper.DR/Drop.VB.jtm.32
TrendMicro TROJ_FRS.VSN0AG18
Sophos Mal/Generic-S
Webroot W32.Dropper.Dunik
Google Detected
Avira DR/Drop.VB.jtm.32
MAX malware (ai score=100)
Antiy-AVL Trojan[Downloader]/Win32.Whinetroe
Kingsoft Win32.Troj.Unknown.a
Microsoft TrojanDropper:Win32/Dunik!rfn
Xcitium Malware@#11sw016tj3vnh
ViRobot Trojan.Win32.A.WSearch.631429
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan.Agent.XTORUI
Varist W32/VB.PFAW-4545
AhnLab-V3 Dropper/Win32.VB.C2047307
TACHYON Trojan-Dropper/W32.Agent.669073
VBA32 Trojan.Wacatac
Malwarebytes Generic.Malware/Suspicious
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_FRS.VSN0AG18
Yandex Trojan.DR.VB!/8Q7fLTpvrc
Ikarus Backdoor.Win32.Rbot
MaxSecure Trojan.Malware.15361.susgen
DeepInstinct MALICIOUS
alibabacloud Trojan[dropper]:Win/Generic

How to remove Win32/BHO.NYJ?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.