Comodo BOClean Saved my day, even though I had an AV installed!!

Was “SETDEFAULT.EXE” the name of the downloaded file?
They’re pushing “K-Meleon1.1RC.exe” out currently.

Actually, BOClean saved me too (yesterday) from something that CAVS missed. It was an exe-file I got from a friend. UNFORTUNATELY I didn’t save the log, thought it might be interesting for Comodo to add that virus (or whatever it was) definition to CAVS. But since BOClean picked it up I guess it’s alright.

I was almost happy to get this virus: Since I get malware so seldom, and I wanted to see how BOClean works, the program now performed detection and removal for me to watch. Well done, Comodo! I can’t remember if I’ve ever seen a program really REMOVE malware before, so after the first “shock” I was just smiling and felt secure… Thanks Comodo!

(R)

Still, you’d have to ask whether this was indeed a correct detection for K-Meleon’s SetDefault.exe … It would be worthwhile uploading that file to VirusTotal in order to get a few second and third opinions: http://www.virustotal.com/en/indexf.html

Cat, I can’t say for sure.

This one could go either way.

Complete scanning result of "SetDefault.exe", received in VirusTotal at 05.07.2007, 21:36:25 (CET).

eSafe 7.0.15.0 05.07.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 05.07.2007 suspicious
Ikarus T3.1.1.7 05.07.2007 Trojan-Downloader.Win32.Zlob.aiv
Webwasher-Gateway 6.0.1 05.07.2007 Win32.ModifiedUPX.gen!90 (suspicious)

File size: 82667 bytes
MD5: 50309924050783c5af19d9c7b17c9d21
SHA1: 868a0b0c28c8e070e4770ef982b61cfc9836a693
packers: UPX
packers: UPX, BINARYRES
packers: UPX


I’ve submitted it to Kevin and crew for analysis.

By the looks of it it’s mostly generic detection, probably because of the presence of certain packers. Very likely a FP, I’d say…

Softpedia may be safer, but they charge you for downloads. If it’s just a few MP3s you want, then BearShare or whatever is good enough because it’s free. Just make sure you use good security software to check the files.

Hi FJR1300, I have downloaded a few small freeware programs from Softpedia for free (no charge). Some of their programs you have to pay for. I do agree with you about scanning all downloaded programs. I use no less than 3 scanners on all downloads, even known security programs. :slight_smile:

Cheers, innerpeace

I don’t download anything via download.com. Made the mistake once, several years ago, of 1 game, and Spybot saved my tail then, removing 40-some files. Not fair perhaps, as Download.com doesn’t write the software, and other possible maneuvers may bypass what checking they do/have done. They have posted that they take no responsibility for quality or content of downloaded items.

In principle I prefer to download ONLY from an author’s site if at all possible. Next, from mirrors listed on his/her site. Must admit I brought down a few from Mjr.G without problems, though sometimes the program may be a late beta (gotta watch out for that). JMHO. :THNK

(B) (S)
Comodo BO CLEAN also saved my life.
I downloaded a weather report tool from the internet along with some bonus downloads and came out with the following report from BO-CLEAN. Comodo Anti-virus didn’t detect it, nor did spybot search and destroy 1.4, or Ad-aware.


05/12/2007 21:48:36: SAVENOW3 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\WALLAC~1\LOCALS~1\TEMP\IS-8GSC2.TMP\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw


05/12/2007 21:48:50: WHENU/WSNI MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\WALLAC~1\LOCALS~1\TEMP\IS-8GSC2.TMP\VVSNINST.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Wallace Shaw

COMODO BO-CLEAN ROCKS!
Wally Shaw

It is indeed a correct detection :slight_smile: :

http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453079971

I found hundreds of those so called “codecs” and tested a few variants.

First with online sources (Jotti’s, VirusTotal etc.) and finally ran the trojan.

If my AV did not detect the trojan (as suggested by Jotti and Virustotal) BOClean would have saved my ■■■ ;D

Results with a lot of screens and info:

http://members.home.nl/ctrlaltdelete/dnschanger/index1.html

Heh, you can change the file number on the “playcontact” download link and come up with a new “variant” (repacked with different hash) for each number on those.
I was up to 1290 last night (IIRC) before I quit.
Detection separates real detectors from the hype products.
Nice write up!

1290! You need to get another life ~cat~!

Great write up ctrlaltdelete

Ewen :slight_smile:

Not a total of 1290, the file number prior to the extension was 1290. ;D
CBO catches them no matter how many different combinations they create so it’s not necessary to check every one.
Looks like play-mega was in the mix as well.
There were over 20 comment spammed links on another forum I’m involved with all pointing to play-megaxxxx.exe’s.
Same story with as many downloads as made up numbers. They must have a generator that mass produces the exe’s.

Looks like the “others” are catching on…, a day late for some. :frowning:


Bingo! This is something that just happened to me when BOClean falsely disabled IE7 on one of my family’s computers. Read about my issue here: https://forums.comodo.com/comodo_boclean_antimalware/boclean_423_destroys_ie7-t11365.0.html

This, just a few moments ago…

11/10/2007 06:14:43: BKDR-KONIK VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
D:\CONTENTS\DOWNLOADS\IMAGING & MEDIA\MUSIC & SOUND\HAMMERHEAD RHYTHM STATION\HAMMERHEAD RHYTHM STATION V1.0_INSTALL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Operator

(:CLP)

Well done and many thanks, Comodo!

Succat

Congratulations to anyone (real or otherwise) that finds value in these products. These are poor products taking up too much CPU and causing system crashes. I wouldn’t have bothered posting this if at least somebody at Comodo had earned their money developing a working uninstall program. Please get the uninstall feature right before dumping these products on the masses. Thanks.

And you represent which AV company, if I may?

(:WAV)

Melih

LOL, touché!

LA