BOClean driving me insane
sandokan
December 14th, 2006, 02:49 PM
After today's defs update BO seems intent on removing a file named cfishljp.dll, which is an integral part of the CFI application ShelltoysXP, which I have been using for years. I have put the file in the excluder area to no avail. Now BO also wants to interfere with smss.exe, which is part of MS OS. It had never shown this behaviour before. I've also tossed smss.exe in the excluder list, but it doesn't work.
Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least.
Thanks for your time.
BlueZannetti
December 14th, 2006, 03:05 PM
-{ Quote: "Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least." }-
Let me ask the obvious, have you contacted PSC support on this as yet?
Blue
FanJ
December 14th, 2006, 04:01 PM
Sandokan,
Do you mean this one:
ShellToys XP
http://www.shelltoysxp.com/
fred128
December 14th, 2006, 04:42 PM
You might want to download McAfee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing its job.
lodore
December 14th, 2006, 05:02 PM
-{ Quote: "You might want to download McAfee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing its job." }-
Kaspersky reports the install file as clean.
lodore
fred128
December 14th, 2006, 05:25 PM
This is what McAfee Site Advisor has to say:
shelltoysxp.com
"When we tested this site we found links to softlandmark.com, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs."
In other words, a site related to the main site may in some way be connected to suspicious downloads. I have no idea if shelltoys itself is not safe.
sandokan
December 14th, 2006, 06:05 PM
Hi. Let's go in order.
No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.
Now, I have scanned the file(s) with KAV and other online scanners and they are absolutely clean. Furthermore I've been using CFI Shelltoys XP for years and it's not only a fantastic piece of commercial software, but I only download their updates from the registered area of their site as well.
Plus, let's put aside those files, how about BOC attempting to modify smss.exe? That is a vital component of the OS, and its timestamp coincides with the OS's installation (which I did from a slipstreamed XP Pro SP2 CD).
Now it seems as if the program excluder has finally done its job, as I am not getting any more prompts from BOC in reference to the .dll.
We'll see what happens next.
Thanks for all the replies.
Londonbeat
December 14th, 2006, 06:10 PM
-{ Quote: "
No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.
We'll see what happens next.
" }-
sandokan,
The best thing to do is send an email headed 'possible false positive' enclosing the file as an attachment, with a link to this thread, to:
support @ nsclean . com
Londonbeat
Bubba
December 14th, 2006, 06:43 PM
-{ Quote: "No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum" }-
Wonderful results can be got from the BOclean clan that frequents this forum but as others have said....an e-mail to PSC support is always the way to go with a possible FP. Nancy does not let Kevin get out much anymore. He stays busy with all these new rats and such :o :D
Bubba
Tommy
December 14th, 2006, 07:40 PM
I have just tried ShelltoysXP. BoClean gives me the same results as you and also tries to shut down smss.exe. Thanks to SSM this has not happened :)
sandokan
December 14th, 2006, 07:57 PM
Thanks guys. I'll send an email as soon as I finish posting this.
-{ Quote: "Thanks to SSM this has not happened " }-
ProcessGuard alerted me of BOC's attempts to modify / shutdown smss.exe.
Longboard
December 14th, 2006, 08:33 PM
-{ Quote: "He stays busy with all these new rats and such" }-
HEH: maybe need pest patrol lol
Yes: @sandokan: unleash the Kevin with a mail.
He always responds with vigour and we all learn something new.
:thumb:
BlueZannetti
December 14th, 2006, 09:15 PM
-{ Quote: "I haven't contacted PSC because I was under the impression that better results can be got via this support forum." }-
sandokan,
Advice provided here can sometimes be faster than from a vendor, sometimes not, it all depends who's online. In general, it will tend to be a bit more neutral, but it's often anecdotal, which is all that is needed in many cases. But when a fix is required, be it false positive (or confirmation of real malware) or program issue, the vendor is the only one who can provide the fix - so it's always best to touch base there at the same time a general reality check is made here or elsewhere.
By the way, precisely what is the behavior shown regarding smss.exe? I'm seeing nothing here....
Blue
fred128
December 14th, 2006, 11:23 PM
As I said, BOCLEAN seems to be doing its job:
http://www.neuber.com/taskmanager/process/smss.exe.html
What is smss.exe? Is smss.exe spyware or a virus?
Process name: Windows NT Session Manager
Product: Windows
Company: Microsoft
File: smss.exe
Security Rating:
This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Note: The smss.exe file is located in the folder C:\Windows\System32. In other cases, smss.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.
Virus with same name:
W32.Dalbug.Worm - Symantec Corporation
Adware.DreamAd - Symantec Corporation
W32.Resdoc - Symantec Corporation
Adware.Advision - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
fred128
December 15th, 2006, 12:16 AM
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120316-0541-99
Updated: June 9, 2006 04:02:52 PM ZE9
Type: Adware
Risk Impact: High
File Names: Smss.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Behavior
Contacts a Web site to obtain and display advertising links.
Symptoms
* Outgoing connections to advertisingvision.com.
* Existence of the folder, %Windir%\Configsys.
Transmission
Installed as a component by certain software packages.
Nancy_McAleavey
December 15th, 2006, 02:52 PM
Hi everyone,
This problem was corrected in the current (15-12-06) Update. We could have had it sooner had we received the email sooner. The forums are helpful here in letting people know what any FP problem is, but only we can solve it, so the best first thing to do is email us. Please???
A typical day lately involves handling over 1000 files. :wacko: That doesn't leave much time to pop around forums looking for threads like these.:blink: FPs happen, and we'd like to get them solved ASAP. Don't be afraid to email us!
sandokan
December 15th, 2006, 03:19 PM
Thank you very much Nancy, I appreciate the promptness and efficiency with which both you and Kevin tackle these problems.
fred128
The smss.exe file was not a virus, and it was exactly in the folder(s) where it's supposed to be. I wouldn't have started the thread otherwise.
Thanks very much to all involved. Another little nuisance gone away.
fred128
December 15th, 2006, 05:46 PM
Hi Sandokan,
If this file was outside of Windows\System32, it would have been a big problem.
I'm glad it was a FP.
MaB69
December 15th, 2006, 06:13 PM
Many thanks to Nancy and Kevin fixing your great product :thumb:
rxtian
December 16th, 2006, 01:32 AM
-{ Quote: "Hi Sandokan,
If this file was outside of Windows\System32, it would have been a big problem.
I'm glad it was a FP." }-
Just for the heck of it, I just did a search for Smss.exe. I got three returns:
1). smss.exe in C:\i386
2). Smss.exe in C:\i386\SYSTEM32
3). smss.exe in C:\WINDOWS\system32
Does this mean I have a problem?
BlueZannetti
December 16th, 2006, 06:15 AM
-{ Quote: "does this mean I have a problem?" }-
No.
Blue
Antarctica
December 16th, 2006, 06:18 AM
-{ Quote: "just for the heck of it, I just did a search for Smss.exe. I got three returns :
1). smss.exe in C:\i386
2). Smss.exe in C:\i386\SYSTEM32
3). smss.exe in C:\WINDOWS\system32
does this mean I have a problem?" }-
I don't know but in my computer it's only in C:\WINDOWS\system32.:-\
sandokan
December 16th, 2006, 09:02 PM
It should also be in all other 3 locations. Perhaps your settings don't allow you to see the file?
I say other 3 locations because those who installed the Recovery Console as a boot option should see the file also in C:\cmdcons\system32.
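
An added example, not part of the original thread or any poster's code: a PowerShell inventory of every smss.exe copy on the system drive, checking each against the folders named in the posts above and against its Authenticode signature. The function name `Get-SmssInventory` and the expected-folder list are assumptions built from this thread, and `-Force` is used so hidden or system copies are not missed.

```powershell
# Added example: list every smss.exe on the system drive and flag copies that
# sit outside the folders named in this thread or are not validly signed.

# Folders the thread's posters report as normal homes for smss.exe.
# Assumption: i386 and cmdcons live on the system drive and exist only on some installs.
$root = $env:SystemDrive
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $root 'i386'),
    (Join-Path $root 'i386\SYSTEM32'),
    (Join-Path $root 'cmdcons\system32')
)

function Get-SmssInventory {
    param([string]$SearchRoot = "$env:SystemDrive\")

    # -Force includes hidden/system files; access-denied folders are skipped quietly.
    Get-ChildItem -Path $SearchRoot -Filter 'smss.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Path            = $_.FullName
                # -contains compares strings case-insensitively, so SYSTEM32 matches system32
                ExpectedFolder  = $expectedDirs -contains $_.DirectoryName
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject   # empty when the file is unsigned
                SHA256          = $hash.Hash
                LastWriteTime   = $_.LastWriteTime
            }
        }
}

$inventory = Get-SmssInventory
$inventory | Format-Table Path, ExpectedFolder, SignatureStatus, LastWriteTime -AutoSize

# Copies worth a closer look: unexpected folder, or signature status other than Valid.
$inventory |
    Where-Object { -not $_.ExpectedFolder -or $_.SignatureStatus -ne 'Valid' } |
    Format-List Path, SignatureStatus, Signer, SHA256
```

On current Windows versions the component store (WinSxS) also holds copies, which will show as outside the listed folders; their signature status is what distinguishes them from an impostor.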
rxtian
December 17th, 2006, 01:16 AM
Blue : I appreciate you letting me know that I do not have a problem.
Happy Holidays (to all)