BOClean driving me insane

sandokan · #1 December 14th, 2006, 02:49 PM

After today's def's update BO seems intent on removing a file named cfishljp.dll, which is an integral part of the CFI application ShelltoysXP, which I have been using for years. I have put the file in the excluder area to no avail. Now BO also wants to interfere with smss.exe, which is part of MS OS. It had never showed this behaviour before. I've also tossed smss.exe in the excluder list, but it doesn't work.

Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least.

Thanks for your time.

BlueZannetti · #2 December 14th, 2006, 03:05 PM

Quote:

Originally Posted by sandokan

Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least.

Let me ask the obvious, have you contacted PSC support on this as yet?

Blue

FanJ · #3 December 14th, 2006, 04:01 PM

Sandokan,

Do you mean this one:
ShellToys XP
http://www.shelltoysxp.com/

fred128 · #4 December 14th, 2006, 04:42 PM

You might want to download Mcafee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing it's job.

lodore · #5 December 14th, 2006, 05:02 PM

Quote:

Originally Posted by fred128

You might want to download Mcafee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing it's job.

kaspersky reports the install file as clean.
lodore

fred128 · #6 December 14th, 2006, 05:25 PM

This is what Mcaffee Site Advisor has to say:

shelltoysxp.com

"When we tested this site we found links to softlandmark.com, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs."

In other words, a site related to the main site may in some way be connected to suspicious downloads. I have no idea if shelltoys itself is not safe.

sandokan · #7 December 14th, 2006, 06:05 PM

Hi. Let's go in order.

No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.

Now, I have scanned the file(s) with KAV and other online scanners and they are absolutely clean. Furthermore I've been using CFI Shelltoys XP for years and it's not only a fantastic piece of commercial software, but I only download their updates from the registered area of their site as well.

Plus, lets put aside those files, how about BOC attempting to modify smss.exe? That is a vital component of the OS, and its timestamp coincides with the OS's installation (which I did from a slipstreamed XP Pro SP2 CD).

Now it seems as the program excluder has finally done its job, as I am not getting any more prompts from BOC in reference to the .dll.

We'll see what happens next.

Thanks for all the replies.

Londonbeat · #8 December 14th, 2006, 06:10 PM

Quote:

Originally Posted by sandokan

No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.

We'll see what happens next.

sandokan,

The best thing to do is send an email headed 'possible false positive' enclosing the file as an attachment, with a link to this thread, to:
support @ nsclean . com

Londonbeat

Bubba · #9 December 14th, 2006, 06:43 PM

Quote:

Originally Posted by sandokan

No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum

Wonderful results can be got from the BOclean clan that frequents this forum but as others have said....an e-mail to PSC support is always the way to go with a possible FP. Nancy does not let Kevin get out much anymore. He stays busy with all these new rats and such

Bubba

Tommy · #10 December 14th, 2006, 07:40 PM

I have just tried ShelltoysXP. BoClean gives me the same results as you and also tries to shutdown smss.exe. Thanks to SSM this has not happened

sandokan · #11 December 14th, 2006, 07:57 PM

Thanks guys. I'll send an email as soon as I finish posting this.

Quote:

Thanks to SSM this has not happened

ProcessGuard alerted me of BOC's attempts to modify / shutdown smss.exe.

Longboard · #12 December 14th, 2006, 08:33 PM

Quote:

He stays busy with all these new rats and such

HEH: maybe need pest patrol lol

Yes: @sandokan: unleash the Kevin with a mail.
He always responds with vigour and we all learn something new.

BlueZannetti · #13 December 14th, 2006, 09:15 PM

Quote:

Originally Posted by sandokan

I haven't contacted PSC because I was under the impression that better results can be got via this support forum.

sandokan,

Advice provided here can sometimes be faster than from a vendor, sometimes not, it all depends who's online. In general, it will tend to be a bit more neutral, but it's often anecdotal, which is all that is needed in many cases. But when a fix is required, be it false positive (or confirmation of real malware) or program issue, the vendor is the only one who can provide the fix - so it's always best to touch base there at the same time a general reality check is made here or elsewhere.

By the way, precisely what is the behavior shown regarding smss.exe? I'm seeing nothing here....

Blue

fred128 · #14 December 14th, 2006, 11:23 PM

As I said, BOCLEAN seems to be doing its job:

http://www.neuber.com/taskmanager/process/smss.exe.html

What is smss.exe? Is smss.exe spyware or a virus? Process name: Windows NT Session Manager

Product: Windows

Company: Microsoft

File: smss.exe

Security Rating:

This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Note: The smss.exe file is located in the folder C:\Windows\System32. In other cases, smss.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Virus with same name:
W32.Dalbug.Worm - Symantec Corporation
Adware.DreamAd - Symantec Corporation
W32.Resdoc - Symantec Corporation
Adware.Advision - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation

fred128 · #15 December 15th, 2006, 12:16 AM

http://www.symantec.com/security_res...120316-0541-99

Updated: June 9, 2006 04:02:52 PM ZE9
Type: Adware
Risk Impact: High
File Names: Smss.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Behavior
Contacts a Web site to obtain and display advertising links.
Symptoms

* Outgoing connections to advertisingvision.com.
* Existence of the folder, %Windir%\Configsys.

Transmission
Installed as a component by certain software packages.

Nancy_McAleavey · #16 December 15th, 2006, 02:52 PM

Hi everyone,

This problem was corrected in the current (15-12-06) Update. We could have had it sooner had we received the email sooner. The forums are helpful here in letting people know what any FP problem is, but only we can solve it, making the best first thing to do is email us. Please

A typical day lately involves handling over 1000 files.

That doesn't leave much time to pop around forums looking for threads like these.

FPs happen, and we'd like to get them solved ASAP. Don't be afraid to email us!

sandokan · #17 December 15th, 2006, 03:19 PM

Thank you very much Nancy, I appreciate the promptness and efficiency with which both you and Kevin tackle these problems.

fred128

The smss.exe file was not a virus, and it was exactly in the folder(s) where it's supposed to be. I wouldn't have started the thread otherwise.

Thanks very much to all involved. Another little nuisance gone away.

fred128 · #18 December 15th, 2006, 05:46 PM

Hi Sandokan,
If this file was outside of Windows\System 32, it would have been a big problem.
I'm glad it was a FP.

MaB69 · #19 December 15th, 2006, 06:13 PM

Many thanks to Nancy and Kevin fixing your great product

rxtian · #20 December 16th, 2006, 01:32 AM

Quote:

Hi Sandokan,
If this file was outside of Windows\System 32, it would have been a big problem.
I'm glad it was a FP.

just for the heck of it, I just did a search for Smss.exe. I got three returns :
1). smss.exe in C:\i386
2). Smss.exe in C:\i386\SYSTEM32
3). smss.exe in C:\WINDOWS\system32

does this mean I have a problem?

BlueZannetti · #21 December 16th, 2006, 06:15 AM

Quote:

Originally Posted by rxtian

does this mean I have a problem?

No.

Blue

Antarctica · #22 December 16th, 2006, 06:18 AM

Quote:

Originally Posted by rxtian

just for the heck of it, I just did a search for Smss.exe. I got three returns :
1). smss.exe in C:\i386
2). Smss.exe in C:\i386\SYSTEM32
3). smss.exe in C:\WINDOWS\system32

does this mean I have a problem?

I don't know but in my computer it's only in C:\WINDOWS\system32.

sandokan · #23 December 16th, 2006, 09:02 PM

It should also be in all other 3 locations. Perhaps your settings don't allow you to see the file?

I say other 3 locations because those who installed the Recovery Console as a boot option should see the file also in C:\cmdcons\system32.

rxtian · #24 December 17th, 2006, 01:16 AM

Blue : I appreciate you letting me know that I do not have a problem.
Happy Holidays (to all)

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search