BOClean Failed to Stop/Reverse Browser Hijacker.....

redirect. Failed to detect or remove the adware downloader Comet. Despite being configured to NOTIFY on findings, BOC made not a peep nor a pop-up! Additionally, still NO text report.

System specs: Intel P4 3.0 GHz / 80G HD / 512MB RAM / XP Pro SP1 + chosen patches / CDRW / DVD read-only player / Toshiba cable modem / D-Link router w/ 2 active plug-ins (occasional laptop on it), duplexed / Intel Pro set & graphics / … Sun Java 1.4.2_15 / exclusively used browser: Sea Monkey 1.1.2 / AVG Free AV / AVG AS (scanner only) / Spybot 1.4 w/ Tea Timer-SD / Ad-Aware SE 1.06 / CCleaner / BOC 4.25 / All REMOTE functions disabled (NetBIOS, printer sharing etc.).

Situation: the 2nd user, using her desktop, visited several sites looking for cheat tips for her Mario (Nintendo DS) game since she couldn’t find one level’s hidden door after 1 month of trying. I have BOC set to start w/ boot-up on her desktop (updated daily). Because of this, to avoid conflicts, Spybot Tea Timer is NOT active at boot-up there.

She looked, didn’t find, & left net (all normal), ran CCleaner and shutdown.

2 hours later, I booted up the machine to MY desktop. I have Tea Timer set to RUN at boot-up. BOClean is NOT set to start w/ boot-up on my desktop (conflicts again).

Immediately upon launching the desktop, Spybot Tea Timer asked permission for a registry change:

" AM Denied value “SearchAssistant” (new data: “hXXp (Changed to protect innocent)://as.starware.com/dp/search?product=ssearch&src_id=407&client_id=9EDDBF3001C7F24B0004F9BE&version=4.5.4.0&it=1189274822&loc=Boston%2C%20MA&qry=&url=http%3A%2F%2Fmy%2Estarware%2Ecom%2Fdp%2Fstartpage%3Fsrc%5Fid%3D407”) changed in Browser page.". I duly DENIED this change and went in search of the monster! (:NRD)

The next thing I did was to run a full system scan w/ AVG Free Anti-Malware (formerly Ewido). Result:

C:\Documents and Settings\Mary\My Documents\Games\games.exe → Adware.Comet : Cleaned.
C:\Program Files\Starware407\Starware407Uninstall.exe → Adware.Comet : Cleaned.
Note: NO mention of System Restore files.

After “deleting” both of the above, I ran CCleaner with “Only clean Win Temp files older than 48 hours” disabled to get ALL the temps.

I then rebooted the machine and ran AVG Free A/S again and found the devil >:( in System Volume/restore, so dumped the lot. Rebooted & finally clean!! Just found EICAR Test Virus & Trojan Simulator.exe (both safe: ignored), which I keep on the machine to check that protectors are not corrupted &/or non-functional.
Ran an SFC to correct any other SF changes. Total time lost from this: approx. 6 hours!

Can someone tell me why BOClean failed in Notifying/catching/removing/reversing the changes made by the beast?? (:AGY)

If it hadn’t been for Spybot, I wouldn’t have known about this until additional problems were downloaded and really became apparent via performance changes (since the hijack would only have appeared while browsing from HER desktop, I assume). :THNK Sandy
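As an added illustration, not code from the post or from any of the products named in this thread, here is a Python script that parses a Tea Timer-style registry-change notification like the one quoted above, decodes the query parameters of the new SearchAssistant URL and the second URL nested inside it, and flags any value whose host is outside an allowlist. The sample lines, the allowlist, the line regex, and the reading of the `it` parameter as a Unix timestamp are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the Tea Timer notification quoted in the
# post.  The first keeps the defanged "hXXp" scheme used in the post; the second
# is an assumed benign change back to a typical XP default SearchAssistant URL.
SAMPLE_LINES = [
    'Denied value "SearchAssistant" (new data: "hXXp://as.starware.com/dp/search'
    '?product=ssearch&src_id=407&client_id=9EDDBF3001C7F24B0004F9BE&version=4.5.4.0'
    '&it=1189274822&loc=Boston%2C%20MA&qry=&url=http%3A%2F%2Fmy%2Estarware%2Ecom'
    '%2Fdp%2Fstartpage%3Fsrc%5Fid%3D407") changed in Browser page.',
    'Allowed value "SearchAssistant" (new data: "http://ie.search.msn.com/'
    '{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page.',
]

# Hosts the search/start-page values on this machine are expected to point at.
# Assumption for the example: the administrator maintains this allowlist.
EXPECTED_HOSTS = {"ie.search.msn.com", "search.msn.com"}

# Accepts straight or curly quotes, since forum copies of the line use either.
LINE_RE = re.compile(
    r'(?P<action>Denied|Allowed) value ["“](?P<name>[^"”]+)["”] '
    r'\(new data: ["“](?P<data>[^"”]*)["”]\)'
)


def refang(url):
    """Turn a defanged hXXp:// scheme back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_notification(line):
    """Parse one notification line; return None if it is not a value-change line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = urlsplit(refang(m.group("data")))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    nested = query.get("url")        # the hijack URL carries a second URL inside it
    stamp = query.get("it")
    epoch_hint = None
    if stamp and stamp.isdigit() and len(stamp) == 10:
        # Assumption: a ten-digit "it" value is a Unix timestamp (install time?).
        epoch_hint = datetime.fromtimestamp(int(stamp), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {
        "action": m.group("action"),
        "value_name": m.group("name"),
        "host": parts.hostname,
        "query": query,
        "nested_host": urlsplit(nested).hostname if nested else None,
        "epoch_hint": epoch_hint,
        "suspicious": parts.hostname not in EXPECTED_HOSTS,
    }


def triage(lines):
    """Parse every value-change line and return the results, skipping non-matching lines."""
    return [r for r in (parse_notification(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{r["action"]:<7} {r["value_name"]} -> {r["host"]} [{flag}]')
        if r["nested_host"]:
            print(f'        nested redirect host: {r["nested_host"]}')
        if r["epoch_hint"]:
            print(f'        it= looks like {r["epoch_hint"]}')
```

The allowlist check is the useful part for a reviewer of these notifications: a SearchAssistant value pointing at a host you never configured is worth investigating whether Tea Timer reported it as Denied or Allowed.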

BOClean checks malware when it runs, not before. So if the trojan didn’t try to run until the next boot (as it appears), when you didn’t have BOC running, it would be understandable.

Forgive my saying so but that has to be one of the most bassackwards configurations I’ve seen. :slight_smile:
As stated, CBO catches malware at boot… if it’s not running how in the world do you expect it to work?
I’m not sure what “conflicts” you have but if it comes down to CBO running at boot or Teatimer I’d suggest dumping Teatimer. :wink:

Other antispyware programs don’t conflict with BOClean (hint avatar hint) :wink:

Reply for Japo: Thanks for your input!!
I may have been a bit unclear in the description… When Mary booted up, Comodo did start and was in effect before, during, and after she left the net with the beast downloaded, & it had possibly tried to change the registry by that time. This is when I would have expected BOC to have stopped it & reversed any changes. Possibly it did create a reg change but TT reversed the change when I booted up with TT active.

You could be right; it’s not uncommon for a Trojan to NOT activate 'til the next boot-up, and since that was mine, BOC was not active then, therefore understandable.

It was actually Kevin who suggested turning off Spybot TT might clear conflict in this post:
https://forums.comodo.com/comodo_boclean_antimalware/bug_cant_disable_lan_connection_w_boc-t11491.0.html

Caught Hint, Thanks!! :■■■■ Sandy

Reply for ~cat~…

The reason for strange config on my desktop (TT Yes/ BOC No) is that I spend most of my online time reading & posting on forums & boards such as this one. This usually involves much text typing.
I’ve found that w/ BOC active at such times, I get erroneous placement of pasted parts as described in this post: https://forums.comodo.com/comodo_boclean_antimalware/mislocated_copy_paste_of_text_on_web_forums-t12205.0.html

Although that is annoying & time consuming, it is minor compared to this conflict w/ Spybot described in these posts, starting w/ V.424: https://forums.comodo.com/comodo_boclean_antimalware/comp_locksup_leaving_lan_w_boc424_active-t11099.0.html

& continuing with V.425: https://forums.comodo.com/comodo_boclean_antimalware/bug_cant_disable_lan_connection_w_boc-t11491.0.html

The upshot is, when I’m on basically trusted sites (w/ lots of posting), I run ONLY AVG & TT.
For general surfing needs on the Wild Wild Web, I run with BOC active & TT OFF to avoid hangs & crashes.

On the other desktop (Mary’s, who is not security conscious), where almost no forum/board postings take place, I have her protected by BOC without TT. She wouldn’t know what to do if a hang or crash occurred locking out all input.

Unfortunately, with NO reports being produced by my BOC, it is impossible to know what, if anything, BOC has caught or corrected. Post: https://forums.comodo.com/comodo_boclean_antimalware/viewing_report_always_blank_despite-t11969.0.html

There is a new version of Spybot (V.1.5) which I have saved & expect to install tonight. Perhaps Wink TT & BOC will get along. I have also suggested Patrick &/or the team contact you guys to see if a bug fix or workaround can be gained thru a confab of like minds. Don’t know if they will contact, but have made the suggestion.

Thanks for your thoughts & time. Always good to know you’re following & replying to all these questions we users come up with!! :■■■■ Sandy

sandybeach,
As you pointed out Kevin has previously stated:

Your reply seemed to indicate that TT was the issue…

You may want to try it again with TT uninstalled and BOC running at boot to see if any of these problems clear up.
If not, you should probably submit a ticket to support on your issues.
It may boil down to which program works best for you and your needs.
Personally, getting hit by a “Browser Hijacker” while running TT and not BOC would suggest a change was needed.
Been there, done that… :wink:

I haven’t experienced any problems with cursor placement with BOC running. That sounds like an issue of the browser (or a conflict with it?).

Hi again ~Cat~…

Yes, disabling Tea Timer when using BOC did stop the hangs/crashes. That’s why Mary surfs with only BOC active. I note that the Spybot forums have a notation suggesting NOT activating TT if using BOC.
I can see where TT would be a problem if BOC wanted to reverse some settings or reg key, as TT would prevent it unless/until the user approved the change. This would at least delay BOC’s desired activity. I suspect the same would apply w/ other background guard programs (say AVG AS full pay version). I believe AVG AS (full) incorporates a settings protective feature anyway.

The browser hijacker & the Comet adware came in thru Sea Monkey WHILE BOC was booted & protecting during that one session online. There was no further internet activity between that session’s shutdown & my booting up. The beast was there and waiting when my desktop arrived with TT. The machine was NOT net connected nor was any browser active at that point. It had gone thru BOC and this was TT’s first exposure to the changes previously or currently attempted by the beast from the last session.

I keep the SM Cookie Mgr. set to ask/prompt for cookie permission at the 1st visit to each site and remember & apply that same decision upon each return visit.
I find it IS possible that Mary, during her session visiting these sites w/ Sea Monkey, may have OK’d the Cookie Manager’s request to allow a “Session” cookie rather than always DENY cookies as a first response & only OK session cookies if required & she really thinks the site is worth the risk.
This would NOT be the first time I have seen cookies presented as session only when they were NOT! I saw one “expires at end of session” cookie that remained & when examined it had an expiry date of 2037!! It had misrepresented/fooled the cookie mgr.
Would this have “allowed” it to bypass BOC perhaps as a user allowed change?

I actually toyed with using BOC’s settings lock-down, but the ACUTE warning info that this was permanent and not easily turned off/reversed without contacting BOC support for the method made me decide against trying it. With TT, the user may reverse an erroneous choice/decision relatively easily & locally.
I realize that this option is intended for sys admins to prevent setting changes by multiple users (school or office/business), but a consumer-usable version of this might be a good suggestion.
Often I have local games (older) that have to temporarily change display settings to render correctly and auto-return to normal upon closing. TT seems to recognize these as locally approved from resident programs and allows them to progress without a pop-up request/block. Would be good if BOC did the same.

If I ever get BOC to create & show reports, I’ll have a better grip on what is/has happened in future.
For now I’ll keep BOC as it DID catch my Test Trojan (without a report confirming, but it did pop up a notice). I actually expected it would turn out this particular beast wasn’t included in the items scanned for. Thanks, Sandy.

Hi again, Japo…

Indeed it would sound like some kind of conflict between BOC & Sea Monkey, as SM doesn’t display this behavior without BOC. For some time I wondered if it was my Java, but it works elsewhere so Java must be (& does test) OK. Surprising perhaps because most of SM is the same/similar to Firefox. FF requires SP2 & later Java 5/6 where SM does not (but can use them if installed). Thanks for the thought!! (:WAV)
Sandy.

Okay, only for the record then, there are no issues with Opera over here, or IE which I use at work, and I don’t think there are problems with FF either since a lot of people in the forums use it. :slight_smile:

Oh, by the way, BOClean works somewhat differently from other security programs. It doesn’t play cat and mouse around your hard drive with malware; it limits itself to monitoring programs when they’re going to run. So since your malware didn’t try to run while BOC was active, it’s not that it got through BOC, it’s that BOC hadn’t even tried yet. And yet since no malware can cause harm without accessing memory and running, it’s got to pass BOC’s scrutiny sooner or later, and at that time BOC will kill anything identified as malware. Plus polymorphic malware can be easily masked to cheat antimalware programs while on the hard disk, but most times the code injected into memory is still the same, and that’s what BOC will be looking for.

So maybe BOClean wouldn’t be the first to detect a piece of malware, but that doesn’t mean its protection isn’t effective: nothing matching its signatures will get run as long as BOC is running. :slight_smile:

Seems to me you should be mad at AVG more than BOC since the AV should have scanned “in real time” any data being written to your HDD.

I’d say it’s time to get a better AV… NOD, KAV, or maybe even CAV. :o
:wink:

Well AVG, like other AVs, doesn’t target adware, as was the case: only viruses, worms and (some?) trojans. So it’s understandable that the AV didn’t detect this threat since it falls outside its field.

I wonder how CAVS will be when fully developed. Is BOClean just going to be bundled with it, so that viruses and similar will still be monitored the traditional AV way, while other malware will only be looked for in memory like BOClean standalone? Or, more likely, will the BOClean signatures be included in CAVS but all signatures hunted the same way in the fashion of an AV, regardless of their kind (virus, worm, trojan, spyware, adware)? Or will both be monitored, the hard drive and the memory? Hmm, I reckon CAVS is due to turn into a premium protection tool. :slight_smile:

Anyway I’d say that Sandy’s security suite worked all right; the system wasn’t trespassed. But I’d uneducatedly bet that BOC would have stopped the nasty as well as TT or better yet, certainly so if the adware at hand is in BOC’s signature database. It would have deleted any malware even before it got to run. If you consider it, TT didn’t do anything to actually prevent the malware from running, nor identified it by its signature or otherwise; the nasty ran all right and TT only prevented it from changing the registry (thankfully it was enough). Running Windows as a limited user would have protected the registry in the same way without need of any resident protection.

If you do visit some dubious websites… “Sandboxie” :THNK

LIZBETTA: I have moved your post to:

https://forums.comodo.com/help/emule_rules_for_cfp-t12618.0.html;msg88958#msg88958

:SMLR