Hehe, I was reading in another thread how BoClean wouldn’t allow leaktest to download or run. Figured I’d give it a try. Here are the results…
Downloaded leaktest, but chose the option to “Run” instead of “Save” in IE’s download prompt.
Boclean said it blocked the leaktest file but then a seperate window opened up and said that the leaktest file was protected with some kind of locks. It said I had to quickly shutdown my system to prevent any damage from the file.
Immediately after that, the Dr Watson window opened up and said that BoCleand has encountered an error and needed to close.
Yeah, I ran the file locally and it didn’t crash BoClean and it did alert me that it wasn’t liking leaktest. However, after clicking “Ok” to delete the file, a messagebox opened that had a window title of “Could not stop file”. The message said that leaktest was protected by system locks and I needed to shut down my computer asap. It wasn’t malicious, of course, and leaktest indeed did not run.
i tried “downloading” GRC’s “leaktest” and selecting “run” instead of “save” and BOC 4.22 killed it and removed it without any problems… i am running win xpsp2… note that i am running BOC 4.22, not BOC 4.23…
Right, I can reproduce what you’re seeing with 4.23.
I clicked on the leaktest URL & said Run, rather than Save. BOC detected & stopped leaktest.exe (found in MSIE cache), said that the source was still present & asked if I wanted to remove it. Silly, I know, trying to remove something on GRCs site (if that was what BOC was talking about), but I said yes anyway… I got the message about the system lock & the urgent need to reboot.
I then got 2 of these…
Faulting application boc423.exe, version 188.8.131.52, faulting module boc423.exe, version 184.108.40.206, fault address 0x0001887a.
..followed by 1 of these..
Faulting application boc423.exe, version 220.127.116.11, faulting module kernel32.dll, version 5.1.2600.2945, fault address 0x0000de9c.
.. and that was the end of BOC. I'd also lost my Internet connection, so I rebooted without any further problems.
I just downloaded, then ran the leaktest, which BOClean killed, and removed (I saw the file vanish) without incident, and then a M$ error box saying “BOC423.exe has encountered an error and needs to close” popped up.
here is the event viewer box thingumy
I’ll try it again, and try and catch the minidump files next time, in the hope that they’'l help…
edit- I downloaded leaktest again, ran it, copied the error report to clipboard, and then stupidly closed down the M$ error box, so I wasn’t able to get a copy of it. (I hate myself sometimes- duh)
Twice since then BOClean has successfully killed, and deleted the file ??? , so more errors, so no more minidumps. ( I suppose I should be pleased?)
BOCleans report says the same thing each time, regardless of whether it crashed, or not
04/25/2007 19:49:12: LEAKTEST 1.2 DEMO VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
D:\QUARANTINE\LEAKTEST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: -edit-
If there’s any more info that may be useful, let me know and I’ll try to dig it up.
Thanks for the feedback. I thought I was the only one this was happening to.
What I’m curious about though is the message about the system locks. Does this have to do with deletion of the file only, or BoClean’s inability to actually stop the code from executing? The message it displays about the need to shut down your box immediately does raise an eybrow but perhaps boclean just needed to reboot in order to delete the file on disk. Hopefully, someone could shed some light on that.
I’m pretty busy with school this week so I’ll try to take a look at the help file this weekend. Maybe there’s something about it in there.
I had the impression that BOC was successful in stopping leaktest, but was unable to remove the source due to a system lock. I don’t think the subsequent crash was caused by GRCs leaktest, it doesn’t do anything other that to send a message to GRCs servers via MSIE.
I agree that leaktest doesn’t do anything other than send a message. But I do recall that Boclean said that leaktest was “protected” by system locks. That’s where my curiosity lies. Usually, (and I could be wrong of course) a file can’t be deleted if it’s in use. However, you should be able to take any file on your disk and delete it if it’s not in use, correct? (Just asking)
In my not-so-bright-mind, I’m thinking that there should have been no problem deleting the file if it was already killed. So, what is this “system lock” protection?
Just looking to gain some knowledge, nothing more. See ya.
I’m sorry, but I don’t know what BOC is referring to by a “system lock”. You may need Kevin to answer that. However, since the leaktest source in question is on a remote system where BOC has no chance of deleting it, I would assume that the issue of a system lock (whatever that might be) in this case would be fairly academic.
I am getting the same thing except the system lock happening here with 4.23 too. Boclean deletes the file then a popup saying that Boclean has to shut down due to a system error. I uninstalled 4.23 and installed 4.22 and tried things out again and didn’t get the shut down.
Much weirdness here. With the BOclean BOC423 running BOclean spotted the leaktest, stopped it and deleted it ok, then I couldn’t access the net through Firefox or IE. I had to sign off AOL and sign back in to access the net.
I’ve had a problem with BOclean’s BOC423 shutting down on it’s own and when it’s down and with only BOcore running, BOclean doesn’t spot or stop the leaktest.
Sounds like you ended up in a similar position to me, but you didn’t get the reboot warning from BOClean? You could also check windows event logs (application), you should be able to find error entries in there relating to those events (leaktest & BOC423 shutdown)… unless you’ve got the eventlog service disabled of course. ;D
That’s the thing…I also ran leaktest locally with the same results. If Kevin comes across this thread and wants to comment on the system locks, then so be it. I’m sure that dude’s got a lot on his plate right now, and I’m not gonna pry him from his work just to satisfy my curiosity.
However, this machine is due for a nuke and repave. I’m considering throwing a few trojans at BoClean to see how it reacts before I reinstall XP. Anyone know where to find a few nasties?