Comodo BOClean Saved my day, even though I had an AV installed!!

BOClean saved my **** today!

I downloaded a program from www.download.com, which is usually really reliable. It was a program called EasyCash, which I wanted for keeping track of my finances. I downloaded it with no detection from anything: not CPF, nor Antivir PE Premium, nor Spyware Terminator. I then clicked to install the program, still with no detection from the above, and then the installer didn’t fully install / stopped and closed in the middle of copying files. I looked at my BOClean log to find!!!

04/27/2007 12:55:45: IFSKEYLOG17 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\IFINST27.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: ******

OMG! Not even my Antivirus or anti-spyware caught that one! It stopped it and removed it before it had a chance to do anything!

I LOVE BOCLEAN!!!

[i]EDITED: topic split and subject line modified to reflect the post…[/i]

Very interesting. I’m curious as to what IFinst27.exe is and why BOClean identifies it as malware. I Googled IFSKEYLOG17 and came up with nothing. I Googled IFinst27.exe and found the same “virus removal” thread on several support web sites, but no explanation of what IFinst27.exe is, no proof that IFinst27.exe was the problem, or that it is in fact malware.

The other applications didn’t flag it because there seems to be no record of it. Evidently no harm done in removing it, just wondering what it actually is… ???

I only found one link that seemed useful:

http://www.castlecops.com/t171457-navil_toolbar.html

This seems to say that IFINST27.EXE is something to do with W32/Downloader.AOLK

:SMLR

Thanks Anderow, good catch. Looks like a browser hijack.
Good work BOClean! (V)

Now you know what we mean by saying:
You should have Comodo BOClean in addition to your AV products (:KWL)

It’s a tool that every PC should have no matter what AV they use!!!

Melih

Uhm, when BOClean detects something, should it not then come with an alert?

Because it sounds like you didn’t get an alert, and the only way you found out BOClean had found the trojan was because you looked in the BOClean log.

Or do you have “permanently hide traybar icon and alerts” on?

Hi,

There is an option in BOClean for ‘unattended cleanup and removal’. With this enabled, BOClean will not display alerts. If this is not enabled, you will be given an alert and an option for what you want to do.

Mike

ok :■■■■

Now I am confused :-\ When you guys talk about the BOClean log, do you mean the report you get when clicking “Examine report”, or something else ???

Greetz, Red.

I am talking about the “Examine report” because I think that’s the one he is talking about (:NRD)

Yeah, that is what I thought too :slight_smile:

Greetz, Red.

No problem. :wink: :■■■■

Just downloaded the Easy Cash program from download.com…and it came out totally clean. Not only that…but there is no such file on my hard drive as described, after installation.

So where the heck did you get it from…lol. Either that or I downloaded the wrong program…

This one?
Easy Cash Manager 3.0.1
http://www.download.com/Easy-Cash-Manager/3000-2057_4-10642669.html

I saw that program too. It has a bunch of downloads. The OP also mentioned a program called BestCash in another post. I think there is a little confusion with the name.

https://forums.comodo.com/index.php/topic,8348.msg60676.html#msg60676
I was going to download it and submit it to Jotti or VirusTotal to see if they found anything. Maybe the OP can do that and let us know what the filename is and the results.

Download dot com is not the best place to find software. Softpedia and MajorGeeks are much better and safer. :wink:

Okay, I found “Best CashBook 3.3.3” there, not looking good…
Virus Total shows it as containing a Trojan/Worm (eSafe) and suspicious (Fortinet).

Complete scanning result of “BestCash333.exe”, received in VirusTotal at 04.29.2007, 06:25:46 (CET).
File size: 3886592 bytes
MD5: 965d0b7ab870d2c40c4cca1699899705
SHA1: 95088ef7d73568eacd55afc903b6ed48b133ec47
packers: UPX

BOClean doesn’t like it.

It drops IFNST27.exe into the Windows\prefetch

Drops IFinst27.exe keys at:
HKEY_USERS\S-1-5-21-823518204-651377827-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

[attachment deleted by admin]

Thanks for posting a BOClean alert. Now I know what they look like. I installed boc and uninstalled because I’m trying other software and troubleshooting my cd/dvd burner :-.

There are a lot of links about the exe, but the few I checked didn’t give a definitive answer as to whether it was truly bad or not. Seems a lot of people don’t like it though. I believe I would avoid it. ;D

http://fileinfo.prevx.com/QQ701d19146308-IFIN46439/IFINST27.EXE.html

http://www.castlecops.com/t171457-navil_toolbar.html

Whoops! I forgot to follow up on this…
Kevin confirmed this to be a bad boy yesterday.

Yup, it certainly is:

http://www.castlecops.com/tk30823-NavilToolbar_dll.html

Well, Comodo BOClean saved the day for me. I downloaded a Zlob from MajorGeeks EU France.

05/06/2007 03:18:29: ZLOB256 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAM FILES\K-MELEON\SETDEFAULT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: xxxxxxxx

CBOC jumped in as soon as it tried to execute. My Avira PE Premium spotted nothing, so I’m very thankful that I had CBOC on the box. Sure, there’s an annoying update error message that pops up from time to time, but I’m not complaining; the protection is top class. Who cares if there’s a harmless bug in the system when the application performs so well. It sure did what it’s designed to do.

BTW, this particular trojan tried to thrash my internet connection (wireless); I’ve had no trouble since CBOC disposed of it. Looks like the automatic cleanup of my winsock worked as well.

Take a bow CBOC.
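As an added example (not from this thread or from Comodo), here is a small parser for the BOClean “Examine report” format quoted in this post and in the first one, plus a triage pass over the parsed events; the sample log is constructed from the two excerpts above, and the “executable ran straight from the Windows directory” check is an assumed heuristic, not a BOClean feature.

```python
import re
from datetime import datetime

# Constructed sample log: the two BOClean report excerpts quoted in this thread, concatenated.
SAMPLE_LOG = """\
04/27/2007 12:55:45: IFSKEYLOG17 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\WINDOWS\\IFINST27.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: ******

05/06/2007 03:18:29: ZLOB256 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\PROGRAM FILES\\K-MELEON\\SETDEFAULT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: xxxxxxxx
"""

# Every event opens with a dated header line naming the signature that fired.
HEADER_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d): (\S+) MALWARE STOPPED by BOCLEAN!$")
PATH_RE = re.compile(r"^(.+?) contained the trojan\.$")
USER_RE = re.compile(r"^Logged in user: (.*)$")

def parse_boclean_log(text):
    """Return one dict per event: timestamp, signature, path, user, shut_down."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            current = {"timestamp": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                       "signature": m.group(2), "path": None, "user": None, "shut_down": False}
            events.append(current)
        elif current is None or not line:
            continue            # skip junk before the first header and blank separators
        elif m := PATH_RE.match(line):
            current["path"] = m.group(1)
        elif m := USER_RE.match(line):
            current["user"] = m.group(1)
        elif line.startswith("Active trojan horse WAS shut down"):
            current["shut_down"] = True
    return events

def triage(events, windows_dir="C:\\WINDOWS\\"):
    """Assumed heuristic: flag executables run from the Windows directory; list events not shut down."""
    in_windows_dir = [e["path"] for e in events
                      if e["path"] and e["path"].upper().startswith(windows_dir.upper())]
    not_stopped = [e["signature"] for e in events if not e["shut_down"]]
    return {"signatures": sorted(e["signature"] for e in events),
            "in_windows_dir": in_windows_dir, "not_stopped": not_stopped}
```

Running `triage(parse_boclean_log(SAMPLE_LOG))` flags only the IFINST27 event, which matches the dropper behaviour described earlier in the thread.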