I just updated ‘Vista Start Menu’ to v2.25 (a program that mimics the Vista Start Menu for XP users).
BoClean immediately stopped "TROJ-DELF.A" from running. (:CLP)
Location of Startup: File > C:\Program~1\Vista~1\Vista~1.DLL
Anyone else come across this issue, and/or any further advice/direction from Kevin?
Appreciate any and all input.
Thanks. (:KWL)
MODIFIED > Recent communication:
Sent: April 23, 2007 12:47 PM
Subject: Re: Vista Start Menu 2.25ce
Hi,
This is a false detection. I use this library for integration into the start
menu. This library uses hooks, as other Trojans do; this is the only way to
integrate into the Windows start menu.
Please give me a link to your anti-spyware program and I will try to contact
the developers.
WS> Freeware
WS> OS Version=WindowsXP
WS>
WS> Hello:
WS>
WS> I have just recently updated to version 2.25 and have encountered an issue.
WS>
WS> Comodo BoClean has stopped the Trojan >TROJ-DELF.A< from running
WS> within the “Vista Start Menu” install.
WS>
WS> Location of Startup: File
WS> C:\Program~1\Vista~1\Vista~1.DLL
WS>
WS> Any direction?
WS>
WS> Thank you.
Hmm, I’m sure (based on Kevin’s comments about how/why it detects malware) that if it’s detecting this, there’s a reason (more than just behavior).
I’ll be interested to see the “official” response. Is there any other info in CBO’s log about the incident? Have you done a search on the filename it gave for the trojan?
Lastly, you always have the option to tell CBO to “■■■■■■ off” by Excluding the application (simply open the Exclude module from the menu, and drag and drop the file into that window).
Same thing for me. BOClean found a suspect DLL in, I assume, an older version of VistaStart. The DLL was called mainhook.dll in that version, perhaps it is something to do with the way StartVista establishes the hook that is unsettling BOClean.
I did a Google search for that DLL and VistaStart in conjunction with a trojan and found nothing relevant (just BB posts of HijackThis logs where StartVista was present).
I did a search on ‘all’ that was searchable and came up with nothing. I've included the info from the BoClean log below, and nothing showed up with other scans from relevant security software.
Also, I did delete the file that BoClean asked about in the notification message, the one the trojan was running from.
Just a note: I have the “save trojan for evidence” box checked in BoClean but am unable to find it. Where is the evidence location?
Thanks again LM for your input and any further response. (:KWL)
04/23/2007 07:47:37: C:\PROGRA~1\VISTAS~1\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Logged in user: Wilpower
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
04/23/2007 07:50:37: C:\PROGRA~1\VISTAS~1\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Logged in user: Wilpower
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.
04/23/2007 07:54:49: C:\PROGRA~1\VISTAS~1\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Logged in user: Wilpower
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.
04/23/2007 09:46:53: C:\PROGRA~1\VISTAS~1\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Logged in user: Wilpower
Active trojan horse was shut down. System now safe.
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.
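An added example, not written by anyone in this thread: a small Python parser for BOClean log entries in the format quoted above. It groups detections by file path and reports repeat hits and whether a removal was logged, which is the pattern a responder wants to see before deciding between "persistence" and "false positive". The sample log is constructed from the entries in this post; the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the BOClean log lines quoted in this thread.
SAMPLE_LOG = """04/23/2007 07:47:37: C:\\PROGRA~1\\VISTAS~1\\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Above file copied to evidence location for examination
04/23/2007 07:50:37: C:\\PROGRA~1\\VISTAS~1\\VISTAS~1.DLL
Trojan horse was found in above file
TROJ-DELF.A MALWARE STOPPED by BOCLEAN!
Above file copied to evidence location for examination
Trojan horse was removed, registry cleaned.
"""

ENTRY_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d): (.+)$")
STOPPED_RE = re.compile(r"^(\S+) MALWARE STOPPED by BOCLEAN!$")

def parse_boclean_log(text):
    """One dict per detection: a timestamped path line opens an event, the
    lines up to the next timestamp say what BOClean did about it."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                           "path": m.group(2), "name": None, "removed": False})
        elif events:  # detail line: attach it to the most recent event
            cur = events[-1]
            m = STOPPED_RE.match(line)
            if m:
                cur["name"] = m.group(1)
            elif "was removed" in line:
                cur["removed"] = True
    return events

def summarize(events):
    """Group hits by path. The same path detected again after a logged removal
    means the file keeps coming back, so a second opinion is needed on the file."""
    out = defaultdict(lambda: {"hits": 0, "names": set(), "removed": 0, "times": []})
    for ev in events:
        s = out[ev["path"]]
        s["hits"] += 1
        s["names"].add(ev["name"])
        s["removed"] += int(ev["removed"])
        s["times"].append(ev["time"])
    for s in out.values():
        s["span_minutes"] = (max(s["times"]) - min(s["times"])).total_seconds() / 60
    return dict(out)
```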
I, too, had BOClean stop VistaStartMenu.dll, claiming it contained the Troj-Delf.A trojan. But I submitted VistaStartMenu.dll to VirusTotal, and its 30 or so scanning engines all gave it a clean bill of health. Could this be a false positive in BOClean?
This may be a scenario such as the one Kevin explains regarding the NirSoft stuff. It’s in the forums here; even though it’s not technically malware, apparently the creators used to be associated with such, so he keeps the definitions in there regardless. I don’t know that such is the case, but it may be.
At any rate, as I mentioned before, you may Exclude the file by dragging it into the appropriate window from the GUI.
Question regarding LM’s statement, “Lastly, you always have the option to tell CBO to “■■■■■■ off” by Excluding the application (simply open the Exclude module from the menu, and drag and drop the file into that window)”:
I’ve done that, and CBO still flags the .dll as a trojan (although it doesn’t shut down the main program). Any further input on how to get CBO to, as you put it, “■■■■■■ off” would be appreciated. Thanks.
I simply let CB delete the file the trojan was ‘apparently’ starting from.
Location of Startup: File > C:\Program~1\Vista~1\Vista~1.DLL
The only issue arising from this delete is that I now must access Vista Start Menu from its own desktop icon… The program will no longer start from the existing Windows “Start” icon. ???
That works for me (:WIN)
I also tried reinstalling Vista Start Menu; this changed nothing. Got the same identification and simply deleted Startup File > C:\Program~1\Vista~1\Vista~1.DLL
Maybe Kevin can effect a change from his end… The developer of Vista Start Menu says it's a “false positive”:
“This is a false detection. I use this library for integration into the start
menu. This library uses hooks, as other Trojans do; this is the only way to
integrate into the Windows start menu.”
Hello Baskar: Thanks for the info. You are absolutely correct. I have just updated CB and, just like you said, “it has been fixed”. (:CLP)
That was fast!!! Great work on the updates!!! (R)
Thanks all for the input, and I will consider this thread “Resolved”.