Author Topic: Comodo BOClean Saved my day, even though I had an AV installed!!  (Read 22343 times)
~cat~ (Global Moderator, Comodo's Hero, 964 posts)
CBO "...there is nothing better."

« Reply #15 on: April 28, 2007, 11:31:42 PM »

Okay, I found "Best CashBook 3.3.3" there, not looking good...
Virus Total shows it as containing a Trojan/Worm (eSafe) and suspicious (Fortinet).

Complete scanning result of "BestCash333.exe", received in VirusTotal at 04.29.2007, 06:25:46 (CET).
File size: 3886592 bytes
MD5: 965d0b7ab870d2c40c4cca1699899705
SHA1: 95088ef7d73568eacd55afc903b6ed48b133ec47
packers: UPX
packers: UPX
packers: UPX

BOClean doesn't like it.

It drops IFNST27.exe into the Windows\prefetch

Drops IFinst27.exe keys at:
HKEY_USERS\S-1-5-21-823518204-651377827-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
« Last Edit: April 28, 2007, 11:49:53 PM by ~cat~ »

Parched dry and thirsty, knee deep in the river of life.
innerpeace (Comodo Family Member, 55 posts)

« Reply #16 on: April 29, 2007, 12:53:39 AM »

Thanks for posting a BOClean alert. Now I know what they look like. I installed BOC and uninstalled it because I'm trying other software and troubleshooting my CD/DVD burner.

There are a lot of links about the exe, but the few I checked didn't give a definitive answer as to whether it was truly bad or not. Seems a lot of people don't like it, though. I believe I would avoid it.

http://fileinfo.prevx.com/QQ701d19146308-IFIN46439/IFINST27.EXE.html

http://www.castlecops.com/t171457-navil_toolbar.html
~cat~ (Global Moderator, Comodo's Hero, 964 posts)
CBO "...there is nothing better."

« Reply #17 on: April 30, 2007, 03:24:32 PM »

Whoops! I forgot to follow up on this...
Kevin confirmed this to be a bad boy yesterday.

TonyKlein (Comodo Family Member, 85 posts)

« Reply #18 on: May 02, 2007, 02:28:29 PM »

Quote
Kevin confirmed this to be a bad boy yesterday.

Yup, it certainly is:

http://www.castlecops.com/tk30823-NavilToolbar_dll.html

Glendaloch (Newbie, 21 posts)

« Reply #19 on: May 06, 2007, 03:57:03 PM »

Well, Comodo BOClean saved the day for me.  I downloaded a Zlob from MajorGeeks EU France.


05/06/2007 03:18:29: ZLOB256 MALWARE STOPPED by BOCLEAN!   
Trojan horse was found in memory.
C:\PROGRAM FILES\K-MELEON\SETDEFAULT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: xxxxxxxx


CBOC jumped in as soon as it tried to execute. My Avira PE Premium spotted nothing, so I'm very thankful that I had CBOC on the box. Sure, there's an annoying update error message that pops up from time to time, but I'm not complaining; the protection is top class. Who cares if there's a harmless bug in the system when the application performs so well. It sure did what it's designed to do.

BTW, this particular trojan tried to thrash my internet connection (wireless); I've had no trouble since CBOC disposed of it. Looks like the automatic cleanup of my winsock worked as well.

Take a bow, CBOC.

« Last Edit: May 06, 2007, 04:00:20 PM by Glendaloch »
~cat~ (Global Moderator, Comodo's Hero, 964 posts)
CBO "...there is nothing better."

« Reply #20 on: May 06, 2007, 05:00:27 PM »

Was "SETDEFAULT.EXE" the name of the downloaded file?
They're pushing "K-Meleon1.1RC.exe" out currently.

LeoniAquila (Über Minimalist™ Defender of Resources Bloatware Fighter; Global Moderator, Comodo's Hero, 3591 posts)
Leone & Aquila

« Reply #21 on: May 07, 2007, 03:31:44 AM »

Actually, BOClean saved me too (yesterday) from something that CAVS missed. It was an exe-file I got from a friend. UNFORTUNATELY I didn't save the log, thought it might be interesting for Comodo to add that virus (or whatever it was) definition to CAVS. But since BOClean picked it up I guess it's alright.

I was almost happy to get this virus: Since I get malware so seldom, and I wanted to see how BOClean works, the program now performed detection and removal for me to watch. Well done, Comodo! I can't remember if I've ever seen a program really REMOVE malware before, so after the first "shock" I was just smiling and felt secure... Thanks Comodo!

 Comodo Rocks

» Windows XP Home Edition SP3 nLite
» COMODO Firewall Pro
TonyKlein (Comodo Family Member, 85 posts)

« Reply #22 on: May 07, 2007, 05:54:54 AM »

Quote
05/06/2007 03:18:29: ZLOB256 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAM FILES\K-MELEON\SETDEFAULT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

Still, you'd have to ask whether this was indeed a correct detection for K-Meleon's SetDefault.exe... It would be worthwhile uploading that file to VirusTotal in order to get a few second and third opinions: http://www.virustotal.com/en/indexf.html

Glendaloch (Newbie, 21 posts)

« Reply #23 on: May 07, 2007, 10:30:08 AM »

Quote
Was "SETDEFAULT.EXE" the name of the downloaded file?
They're pushing "K-Meleon1.1RC.exe" out currently.

Cat, I can't say for sure.

~cat~ (Global Moderator, Comodo's Hero, 964 posts)
CBO "...there is nothing better."

« Reply #24 on: May 07, 2007, 02:51:04 PM »

This one could go either way.
Quote
Complete scanning result of "SetDefault.exe", received in VirusTotal at 05.07.2007, 21:36:25 (CET).

eSafe   7.0.15.0   05.07.2007   suspicious Trojan/Worm
Fortinet   2.85.0.0   05.07.2007   suspicious
Ikarus   T3.1.1.7   05.07.2007   Trojan-Downloader.Win32.Zlob.aiv
Webwasher-Gateway   6.0.1   05.07.2007   Win32.ModifiedUPX.gen!90 (suspicious)

File size: 82667 bytes
MD5: 50309924050783c5af19d9c7b17c9d21
SHA1: 868a0b0c28c8e070e4770ef982b61cfc9836a693
packers: UPX
packers: UPX, BINARYRES
packers: UPX
I've submitted it to Kevin and crew for analysis.

TonyKlein (Comodo Family Member, 85 posts)

« Reply #25 on: May 07, 2007, 03:02:50 PM »

By the looks of it, it's mostly generic detection, probably because of the presence of certain packers. Very likely an FP, I'd say...
« Last Edit: May 07, 2007, 03:51:14 PM by TonyKlein »
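The two VirusTotal reports in this thread (~cat~'s posts above) give MD5/SHA-1 digests and three "packers: UPX" lines, and TonyKlein's point is that the suspicious hits look like generic packer detections rather than signature matches. The script below is an added example, not anything posted in the thread or shipped by Comodo: it computes the same two digests a report prints, matches them against the hashes quoted here, and walks the PE header to read the section table, which is how a stock UPX build announces itself (sections named UPX0/UPX1). The `build_fake_pe` helper and its section layouts are constructed test input for offline use; the hash labels record only what the thread says about each file.

```python
import hashlib
import struct

# Hashes copied from the two VirusTotal reports quoted in this thread. The
# labels record only what the thread says: BestCash333.exe was confirmed bad
# by Comodo's analysts; SetDefault.exe was flagged but is suspected to be a
# false positive. A hash match identifies the file, it does not give a verdict.
KNOWN_HASHES = {
    "965d0b7ab870d2c40c4cca1699899705": "BestCash333.exe (confirmed malicious)",
    "95088ef7d73568eacd55afc903b6ed48b133ec47": "BestCash333.exe (confirmed malicious)",
    "50309924050783c5af19d9c7b17c9d21": "SetDefault.exe (flagged, suspected FP)",
    "868a0b0c28c8e070e4770ef982b61cfc9836a693": "SetDefault.exe (flagged, suspected FP)",
}


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of a file image, the two digests VirusTotal printed in 2007."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def ioc_matches(data: bytes) -> list:
    """Labels of every known hash that matches either digest of the file."""
    return sorted({KNOWN_HASHES[h] for h in file_hashes(data).values() if h in KNOWN_HASHES})


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Raises ValueError for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional                    # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        entry = table + 40 * i                              # each section header is 40 bytes
        raw = data[entry:entry + 8]                         # Name field: 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1. A build with renamed sections
    (what the 'ModifiedUPX' engine name hints at) will not show this, so False
    here is not evidence that a file is unpacked or clean."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def triage(data: bytes) -> dict:
    """One-shot summary: digests, IoC matches, section names (None if not a PE), UPX flag."""
    report = {"hashes": file_hashes(data), "ioc": ioc_matches(data), "pe": None, "upx": False}
    try:
        report["pe"] = pe_section_names(data)
        report["upx"] = any(n.startswith("UPX") for n in report["pe"])
    except ValueError:
        pass
    return report


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: a minimal, non-executable PE header skeleton with
    the given section names (hypothetical sample, not any file from the thread)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header follows DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=224 (PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = bytes(224)                                   # zeroed PE32 optional header
    table = b"".join(struct.pack("<8s", n.encode("ascii")) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for label, names in (("upx-style", ["UPX0", "UPX1", ".rsrc"]),
                         ("plain", [".text", ".rdata", ".data", ".rsrc"])):
        print(label, triage(build_fake_pe(names)))
```

Run `triage(open(path, "rb").read())` on a real download before deciding whether to trust a "suspicious" verdict: a UPX0/UPX1 section table plus only heuristic engine names (suspicious, .gen) is the pattern TonyKlein describes, while a match in the hash table means you are holding the exact file the thread discussed, whatever its verdict.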

FJR1300 (Newbie, 8 posts)

« Reply #26 on: May 13, 2007, 11:07:10 AM »

I saw that program too. It has a bunch of downloads. The OP also mentioned a program called BestCash in another post. I think there is a little confusion with the name.

http://forums.comodo.com/index.php/topic,8348.msg60676.html#msg60676
I was going to download it and submit it to Jotti or VirusTotal to see if they found anything. Maybe the OP can do that and let us know what the filename is and the results.

Quote
Download dot com is not the best place to find software. Softpedia and MajorGeeks are much better and safer.

Softpedia may be safer, but they charge you for downloads. If it's just a few MP3s you want, then BearShare or whatever is good enough because it's free. Just make sure you use good security software to check the files.
innerpeace (Comodo Family Member, 55 posts)

« Reply #27 on: May 13, 2007, 10:28:58 PM »

Hi FJR1300, I have downloaded a few small freeware programs from Softpedia for free (no charge). Some of their programs you have to pay for. I do agree with you about scanning all downloaded programs. I use no less than 3 scanners on all downloads, even known security programs.

Cheers, innerpeace
sandybeach (Comodo Member, 29 posts)

« Reply #28 on: May 17, 2007, 12:37:19 AM »

I don't download anything via download.com. Made the mistake once, several years ago, of 1 game, and Spybot saved my tail then, removing 40-some files. Not fair perhaps, as Download.com doesn't write the software, and other possible maneuvers may bypass what checking they do/have done. They have posted that they take no responsibility for quality or content of downloaded items.

In principle I prefer to download ONLY from an author's site if at all possible. Next from mirrors listed on his/her site. Must admit I brought down a few from Mjr.G without problems, 'tho sometimes the program may be a late beta (gotta watch out for that). JMHO.
wshaw (Newbie, 8 posts)

« Reply #29 on: May 19, 2007, 10:37:18 AM »

110 Percent Saved My Life
Comodo BO CLEAN also saved my life.
I downloaded a weather report tool from the internet along with some bonus downloads and came out with the following report from BO-CLEAN. Comodo Anti-virus didn't detect it, nor did spybot search and destroy 1.4, or Ad-aware.

------------------------------
05/12/2007 21:48:36: SAVENOW3 MALWARE STOPPED by BOCLEAN!   
Trojan horse was found in memory.
C:\DOCUME~1\WALLAC~1\LOCALS~1\TEMP\IS-8GSC2.TMP\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw

------------------------------
05/12/2007 21:48:50: WHENU/WSNI MALWARE STOPPED by BOCLEAN!   
Trojan horse was found in memory.
C:\DOCUME~1\WALLAC~1\LOCALS~1\TEMP\IS-8GSC2.TMP\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw

COMODO BO-CLEAN ROCKS!
Wally Shaw
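Two posts in this thread (Glendaloch's and wshaw's) paste BOClean alerts in the same five-line shape: a timestamped "MALWARE STOPPED" header, the memory notice, the offending path, the shutdown line and the logged-in user. wshaw's log also shows one installer (VVSNINST.EXE) tripping two signatures fourteen seconds apart. The parser below is an added example, not BOClean's own code or anything from the posts; `SAMPLE_LOG` is constructed by concatenating the alert blocks quoted in this thread, and the record/grouping functions are assumptions about how one would triage such a log, not a documented BOClean format.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime

# Constructed input: the BOClean alert blocks quoted in this thread
# (Glendaloch's ZLOB256 hit and wshaw's two hits), pasted as one log text.
SAMPLE_LOG = """\
05/06/2007 03:18:29: ZLOB256 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\PROGRAM FILES\\K-MELEON\\SETDEFAULT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: xxxxxxxx

------------------------------
05/12/2007 21:48:36: SAVENOW3 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\DOCUME~1\\WALLAC~1\\LOCALS~1\\TEMP\\IS-8GSC2.TMP\\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw

------------------------------
05/12/2007 21:48:50: WHENU/WSNI MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\DOCUME~1\\WALLAC~1\\LOCALS~1\\TEMP\\IS-8GSC2.TMP\\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw
"""

# Line shapes taken from the alerts above; the date is month/day/year as posted.
HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (\S+) MALWARE STOPPED by BOCLEAN!$")
PATH = re.compile(r"^(.+) contained the trojan\.$")
USER = re.compile(r"^Logged in user: (.+)$")
SHUTDOWN = "Active trojan horse WAS shut down. System now safe."


@dataclass
class Alert:
    timestamp: datetime
    family: str
    path: str
    user: str
    shut_down: bool


def parse_boclean_log(text: str) -> list:
    """Turn the five-line BOClean alert blocks into Alert records. Separator and
    blank lines are skipped; a header starts a new record and the
    'Logged in user' line closes it, so a truncated block is dropped, not guessed."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = {"timestamp": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                       "family": m.group(2), "path": None, "shut_down": False}
            continue
        if current is None:
            continue
        if line == SHUTDOWN:
            current["shut_down"] = True
        elif (m := PATH.match(line)):
            current["path"] = m.group(1)
        elif (m := USER.match(line)):
            alerts.append(Alert(user=m.group(1), **current))
            current = None
    return alerts


def group_by_path(alerts) -> "OrderedDict[str, list]":
    """Families reported per file, in log order, so a dropper that trips several
    signatures (as VVSNINST.EXE does above) shows up as one file, not two incidents."""
    groups = OrderedDict()
    for a in alerts:
        groups.setdefault(a.path.upper(), []).append(a.family)
    return groups


if __name__ == "__main__":
    for path, families in group_by_path(parse_boclean_log(SAMPLE_LOG)).items():
        print(path, "->", ", ".join(families))
```

Grouping by path is what turns wshaw's two lines into one finding (one Inno Setup temp file, two adware families), and the `shut_down` flag lets a reviewer spot any block where the "WAS shut down" line is missing before calling the system safe.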