BoClean isn't able to run

Hello,

I installed Comodo Firewall, Antivirus and also BOClean.
I restarted my computer, and then BOClean ran for only a short time before the M$ window popped up: COMODO-BOClean Anti Malware caused a problem and has been shut down.

Problem signature: AppName: boc423.exe AppVer: 4.2.3.1 ModName: boc423.exe ModVer: 4.2.3.1 Offset: 00001275

What can I do now to solve the problem and get BOClean to run?
The window pops up after each restart, and also if I try to start BOClean manually.

I installed BOClean because I had a trojan on the system before, but Comodo AV quarantined the trojan file while BOClean was installing itself … maybe this caused some problems?

I'll be happy for any help.

Greetings.
Pflaume

At this point I’d suggest an uninstall and re-install of BOC.
For future reference you may want to install only one security application at a time with a reboot in between.

Hello,

Thanks a lot, this easy step fixed it.

I've got another question now. The trojan I got is called Trojan.Win32.Agent.Xu, but I'm not able to find it in the trojan list of BOClean … I wanted BOClean to remove anything related to that backdoor trojan, but I guess BOClean isn't able to (the AV only quarantines the infected file, but I've read that this trojan doesn't need the file any more to work properly).

Am I right, or am I just doing something wrong?
To let BOClean catch the trojan, I restored the infected file and disabled the on-access scanner of Comodo AV.
But BOClean didn't catch anything :(.

I'll be happy for any help.

Pflaume

Hey Pflaume,
I don’t know if I understand you correctly. So forgive me if I don’t!

The trojan’s name is: Trojan.Win32.Agent.Xu. That’s the name it goes by with Kaspersky AV (did you have that one installed before you decided to use CAVS and BOClean?)
I don’t know whether this is the name BOClean uses ??? (Does it???)
EDIT: Dr.Web calls the same trojan SpamBot, which is a name that can also be found in the BOC list (maybe that’s it???).

BOClean does NOT provide file scanning!!! It jumps to action whenever a malware is started.

Since BOClean is NOT a "file scanner," it will not notice nasties UNLESS they actually try to RUN
from the BOClean manual: http://www.comodo.com/boclean/supboc.html

However, if the malware was already present before you installed BOClean this might be a problem (though I’m not sure)

BOClean also performs a "recalibration" every ten seconds which examines registry and system components to ensure that nothing has changed since its last calibration cycle in order to prevent against injections into already running programs.
As I understand it, if the trojan had already been started BEFORE you installed BOClean, BOC might have difficulties in catching it as it was already running when BOC first calibrated. Or, if you're lucky, the trojan may not have started yet.

Anyway, I strongly advise you to enable CAVS on-access scanning again, and maybe to post a HijackThis log.
I’m not an expert when it comes to malware removal, however I know that some people in the forums are (e.g. Rotty).

Do you remember where the trojan was found???
You could do an online scan of the file(s) at:
http://virusscan.jotti.org/

or a complete online scan of your HD at:

(you’ll need IE with ActiveX enabled - do not forget to disable ActiveX after the scan is completed)
You may want to post the results here, too.

Cheers,
grampa.

If you want more information on that trojan:
http://www.avira.com/en/threats/section/fulldetails/id_vir/2541/tr_agent.xu.21.html (very detailed).

Hi

I want to add :

BOClean does NOT provide file scanning!!! It jumps to action whenever a malware is started.

True, in that BOClean can’t do a system scan like antivirus programs can, but you can scan files if you drag and drop them onto the BOClean screen.

However, if the malware was already present before you installed BOClean this might be a problem (though I'm not sure)

Someone ( I don’t know who it was ) explained earlier here on the forum that you can use BOClean as a Malware fighter on an already infected system.

Greetz, Red.

Hey Red,

Here’s a thread where Kevin explains that function and its “history”.
https://forums.comodo.com/index.php/topic,7808.0.html

It might have been ~cat~:

Yes, cleaning an already infected system generally takes at the most a reboot to grab the last infectors. When BOC quits giving you prompts it's through. The first thing I do when working on a system is install BOC to watch my back.
https://forums.comodo.com/index.php/topic,8480.msg61470.html#msg61470

Cheers,
grampa.

Hi grampa

Yes, it was ~cat~

Greetz, Red.

Hello,

First, thanks a lot for all your help.

I never used Kaspersky AV; I used McAfee before Comodo, but it never detected this trojan.
ClamWin AV found it first, and Comodo found it as well. The results on the AV scanner sites are very different: every AV company uses a different name for the same trojan, and some marked the file as uninfected.

I will post a result at the end of this post.

The trojan seems to be kind of silently active; I have all the registry entries mentioned in the Avira trojan description (smss.exe, svchost.exe, nvsvcd.exe - checked via regedit).
I also have the files smss.exe and nvsvcd.exe in the system32 folder.

I restored the file again to be able to access it, shut down the on-access scanner and dragged/dropped it onto the BOClean screen, but nothing happened.
I restarted my PC, because I thought maybe BOClean would remove it automatically then … but again nothing happened.

I guess even if CAV quarantines nvsvcd.exe, the trojan is still active via smss.exe, so it’s going to trick anything; that’s how I understood the trojan description :D.

Any ideas for the removal? I’m going to have a bad feeling knowing I’ve got a ‘sleeper horse’ on my HD :P.

For more information, here’s the Hijackthis.log [attached text file].

Have a nice day and hopefully we can get this ■■■■ thing away, let’s smash it.

Greetings

Pflaume

Forgot: I don’t know where I got this horsie from; maybe I’ve had it for quite some time already, because McAfee never detected it, and Agent.Xu is also the name Comodo AV uses for the trojan.

~Mod replaced HJT log with text file to reduce lengthy post~


Hi Pflaume

Your HijackThis log is clean, only these 2 leftovers you can fix safely :

O2 - BHO: (no name) - {140E5BEC-12E1-BD9F-69F0-AA7EE0D9FF18} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)

But I am not a malware expert, so I won’t take the risk of helping you any further. I hope you understand that. What you could do is ask TonyKlein to help you. He is active here on the forum too, and one of the best malware experts.

Greetz, Red.

( Edit : Sorry Soya, I don’t know what happened :-[ )

Hey Pflaume,
your HijackThis file seems okay (to me - we should wait for the experts).
smss.exe etc. are afaik only dangerous when they are NOT in system32! Since they are they seem to be legitimate files.

However, as nvsvcd.exe is (almost) definitely a trojan, the only explanation I can come up with is: it hasn’t been started yet, and thus BOC hasn’t yet “killed” it.

Unfortunately I don’t know how you can safely delete it. Sorry.

Maybe you should pm Rotty or another mod, explain your problem and provide a link to this topic.

As far as I can see there’s an evil nasty still asleep on your machine (although this might be nonsense, so don’t panic!!! - but you seem very relaxed ;)).

Sorry I can’t be of more help.
Cheers,
grampa.

Hey Red,
sorry to repeat what you’ve just said.
It took me quite a while to reply, as I was looking through the file in one tab and had already opened the “reply window”.
…somehow it’s not my day today :wink:
Cheers mate,
grampa.

Members:
Although it’s not in the forum policy (yet), please note that it would be better for HJT logs to be uploaded as text files rather than posted as long posts. It’s easier this way for everyone to read.

Hey Soya,
that’s a very reasonable rule. I promise never ever to encourage people to post entire logfiles ;).
No, honestly, that makes sense.
I’ll respect that (not yet) rule from now on.
Cheers,
grampa.

Yeah, you are a real pain in the ■■■ today. Cheers m8

Greetz, Red.

You can also run through the MRP at the CastleCops wiki. The instructions/procedures can usually get a lot of the nasties.
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction

Or if you choose not to do that, have you tried running any of your scans in safe-mode?

Hey Pflaume,
there are two things about HJT I forgot to mention:

  1. As HJT has been around for some time, some baddies have found a way not to be recognised by HJT. Therefore you should rename Hijackthis.exe to e.g. HJT1991.exe !!!
  2. HJT should be run in its own folder (C:\Programs\Hijackthis\HJT1991.exe) to make sure it can create backups.

!!!
If you decide to post a new HJT file DON’T FORGET to upload it as a text file.

Cheers,
grampa.

G’day,

If you’ve still got Trojan.Win32.Agent.xu, you need to make sure you have removed the following in SAFE mode:

c:\windows\system\smss.exe
DO NOT DELETE C:\WINDOWS\SYSTEM32\SMSS.EXE
c:\windows\system\nvsvcd.exe
or
c:\windows\system32\nvscd.exe

The following registry keys need to be removed:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc=(system or system32)\smss.exe /w

HKLM\SYSTEM\CurrentControlSet\Services\Windows Log
DisplayName=Windows Log
ErrorControl=1
ImagePath=(system or system32)\nvsvcd.exe
ObjectName=LocalSystem
Start=2
Type=0x10

The following hosts need to be blocked in the firewall:

reg.raxoper*
sir.carekor*
pid.faretun*
rc.rizalof.com

Alternatively, these host names can be added to the \windows\system32\drivers\etc\hosts file with an address of 127.0.0.1.

Hope this helps,
Ewen
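As an added example (not from Ewen's post and not part of any Comodo tool), here is a read-only PowerShell check for the indicators he lists: the dropped files, the Run value, the "Windows Log" service and the hosts-file entry. It reports and does not delete anything, so the actual removal is still done by hand in Safe Mode as described above. It assumes Windows PowerShell 5.1 or later in an elevated prompt and that `$env:SystemRoot` is the Windows directory the post writes as c:\windows. One caveat worth knowing before editing the hosts file: the three wildcard names (reg.raxoper*, sir.carekor*, pid.faretun*) cannot be expressed there, because the hosts file only matches complete host names; those need a firewall or DNS rule, and only rc.rizalof.com can be pinned to 127.0.0.1.

```powershell
# Added example: report Trojan.Win32.Agent.xu indicators from the post above.
# Read-only. Assumes an elevated Windows PowerShell 5.1+ session.
$sysRoot  = $env:SystemRoot
$findings = @()

# 1. Files. The malware drops its own smss.exe into the old "system" folder and
#    nvsvcd.exe / nvscd.exe into system or system32. The genuine smss.exe lives
#    only in system32 and is never touched here.
$suspectFiles = @(
    "$sysRoot\system\smss.exe",
    "$sysRoot\system\nvsvcd.exe",
    "$sysRoot\system32\nvsvcd.exe",
    "$sysRoot\system32\nvscd.exe"
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "file present: $f (SHA256 $hash)"
    }
}
$legit = "$sysRoot\system32\smss.exe"
Write-Host "Legitimate $legit present: $(Test-Path -LiteralPath $legit) (leave it alone)"

# 2. Run key. Flag any value whose data points at smss.exe outside system32 or
#    at the nvsvcd/nvscd dropper, not only the 'nvsvc' value name from the post.
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($psMetadata -contains $p.Name) { continue }   # provider metadata, not Run values
        if ("$($p.Value)" -match '(?i)\\system\\smss\.exe|nvsvcd\.exe|nvscd\.exe') {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. Service. The post names a service 'Windows Log' whose ImagePath is nvsvcd.exe.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Log'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "service key present: $svcKey ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
}

# 4. hosts file. Only the fully qualified name can go here; the wildcard names
#    from the post need a firewall or DNS rule instead.
$hostsPath  = "$sysRoot\System32\drivers\etc\hosts"
$blocked    = @('rc.rizalof.com')
$hostsLines = Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue
foreach ($h in $blocked) {
    $pattern = "^\s*127\.0\.0\.1\s+$([regex]::Escape($h))(\s|`$)"
    $present = @($hostsLines | Where-Object { $_ -match $pattern })
    if ($present.Count -eq 0) {
        $findings += "hosts file has no 127.0.0.1 entry for $h (add one with: Add-Content -LiteralPath '$hostsPath' -Value '127.0.0.1 $h')"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No Agent.xu indicators found."
} else {
    $findings | ForEach-Object { Write-Host "INDICATOR: $_" }
}
```

Run it once before the Safe Mode cleanup to confirm which of the listed paths and keys are actually present on the machine, and once more after the reboot: the Run value and the "Windows Log" service are what recreate the dropper, so if either is reported again after removal, the cleanup was incomplete. The SHA256 of each found file is printed so it can be checked on a scanner site like the Jotti one linked earlier in the thread without having to upload the file.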