BOClean driving me insane

Discussion in 'other anti-trojan software' started by sandokan, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. sandokan

    sandokan Registered Member

    Joined:
    May 14, 2004
    Posts:
    112
    After today's defs update BO seems intent on removing a file named cfishljp.dll, which is an integral part of the CFI application ShelltoysXP, which I have been using for years. I have put the file in the excluder area to no avail. Now BO also wants to interfere with smss.exe, which is part of MS OS. It had never shown this behaviour before. I've also tossed smss.exe in the excluder list, but it doesn't work.

    Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least.

    Thanks for your time.
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Let me ask the obvious, have you contacted PSC support on this as yet?

    Blue
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
  4. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    You might want to download McAfee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing its job.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Kaspersky reports the install file as clean.
    lodore
     
  6. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    This is what McAfee Site Advisor has to say:

    shelltoysxp.com


    "When we tested this site we found links to softlandmark.com, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs."

    In other words, a site related to the main site may in some way be connected to suspicious downloads. I have no idea if shelltoys itself is not safe.
     
  7. sandokan

    sandokan Registered Member

    Joined:
    May 14, 2004
    Posts:
    112
    Hi. Let's go in order.

    No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.

    Now, I have scanned the file(s) with KAV and other online scanners and they are absolutely clean. Furthermore I've been using CFI Shelltoys XP for years and it's not only a fantastic piece of commercial software, but I only download their updates from the registered area of their site as well.

    Plus, let's put aside those files, how about BOC attempting to modify smss.exe? That is a vital component of the OS, and its timestamp coincides with the OS's installation (which I did from a slipstreamed XP Pro SP2 CD).

    Now it seems as if the program excluder has finally done its job, as I am not getting any more prompts from BOC in reference to the .dll.

    We'll see what happens next.

    Thanks for all the replies.
     
  8. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    sandokan,

    The best thing to do is send an email headed 'possible false positive' enclosing the file as an attachment, with a link to this thread, to:
    support @ nsclean . com

    Londonbeat
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Wonderful results can be got from the BOclean clan that frequents this forum but as others have said....an e-mail to PSC support is always the way to go with a possible FP. Nancy does not let Kevin get out much anymore. He stays busy with all these new rats and such :eek: :D

    Bubba
     
  10. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I have just tried ShelltoysXP. BoClean gives me the same results as you and also tries to shut down smss.exe. Thanks to SSM this has not happened :)
     
  11. sandokan

    sandokan Registered Member

    Joined:
    May 14, 2004
    Posts:
    112
    Thanks guys. I'll send an email as soon as I finish posting this.

    ProcessGuard alerted me of BOC's attempts to modify / shut down smss.exe.
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    HEH: maybe need pest patrol lol

    Yes: @sandokan: unleash the Kevin with a mail.
    He always responds with vigour and we all learn something new.
    :thumb:
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    sandokan,

    Advice provided here can sometimes be faster than from a vendor, sometimes not, it all depends who's online. In general, it will tend to be a bit more neutral, but it's often anecdotal, which is all that is needed in many cases. But when a fix is required, be it false positive (or confirmation of real malware) or program issue, the vendor is the only one who can provide the fix - so it's always best to touch base there at the same time a general reality check is made here or elsewhere.

    By the way, precisely what is the behavior shown regarding smss.exe? I'm seeing nothing here....

    Blue
     
  14. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    As I said, BOCLEAN seems to be doing its job:

    http://www.neuber.com/taskmanager/process/smss.exe.html

    What is smss.exe? Is smss.exe spyware or a virus?

    Process name: Windows NT Session Manager

    Product: Windows

    Company: Microsoft

    File: smss.exe

    Security Rating:

    This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

    Note: The smss.exe file is located in the folder C:\Windows\System32. In other cases, smss.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

    Virus with same name:
    W32.Dalbug.Worm - Symantec Corporation
    Adware.DreamAd - Symantec Corporation
    W32.Resdoc - Symantec Corporation
    Adware.Advision - Symantec Corporation
    Backdoor.IRC.Flood.F - Symantec Corporation
    Backdoor.IRC.Aladinz.O - Symantec Corporation
     
  15. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-120316-0541-99

    Updated: June 9, 2006 04:02:52 PM ZE9
    Type: Adware
    Risk Impact: High
    File Names: Smss.exe
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

    Behavior
    Contacts a Web site to obtain and display advertising links.
    Symptoms

    * Outgoing connections to advertisingvision.com.
    * Existence of the folder, %Windir%\Configsys.

    Transmission
    Installed as a component by certain software packages.
     
  16. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Hi everyone,

    This problem was corrected in the current (15-12-06) Update. We could have had it sooner had we received the email sooner. The forums are helpful here in letting people know what any FP problem is, but only we can solve it, so the best first thing to do is email us. Please o_O

    A typical day lately involves handling over 1000 files. o_O That doesn't leave much time to pop around forums looking for threads like these. :blink: FPs happen, and we'd like to get them solved ASAP. Don't be afraid to email us!
     
  17. sandokan

    sandokan Registered Member

    Joined:
    May 14, 2004
    Posts:
    112
    Thank you very much Nancy, I appreciate the promptness and efficiency with which both you and Kevin tackle these problems.

    fred128

    The smss.exe file was not a virus, and it was exactly in the folder(s) where it's supposed to be. I wouldn't have started the thread otherwise.

    Thanks very much to all involved. Another little nuisance gone away.
     
  18. fred128

    fred128 Registered Member

    Joined:
    May 21, 2006
    Posts:
    152
    Hi Sandokan,
    If this file was outside of Windows\System32, it would have been a big problem.
    I'm glad it was a FP.
     
  19. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Many thanks to Nancy and Kevin for fixing your great product :thumb:
     
  20. rxtian

    rxtian Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    33
    Location:
    chicago, IL
    Just for the heck of it, I just did a search for Smss.exe. I got three returns:
    1). smss.exe in C:\i386
    2). Smss.exe in C:\i386\SYSTEM32
    3). smss.exe in C:\WINDOWS\system32

    Does this mean I have a problem?
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    No.

    Blue
     
  22. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    I don't know but in my computer it's only in C:\WINDOWS\system32. :doubt:
     
  23. sandokan

    sandokan Registered Member

    Joined:
    May 14, 2004
    Posts:
    112
    It should also be in all other 3 locations. Perhaps your settings don't allow you to see the file?

    I say other 3 locations because those who installed the Recovery Console as a boot option should see the file also in C:\cmdcons\system32.
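
The location checks discussed in posts 14 to 23, as an added example that is not part of the original thread: a file or process named smss.exe is triaged by where it lives rather than by name alone. The `C:\WINDOWS` install root, the parent process name `System` (taken from "initiated by the system thread" in the quoted description) and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Folders the thread names as legitimate homes for smss.exe on Windows XP.
# Assumption: Windows is installed to C:\WINDOWS, as in the posts above.
RUNNING_OK = {r"c:\windows\system32"}
ON_DISK_OK = RUNNING_OK | {r"c:\i386", r"c:\i386\system32", r"c:\cmdcons\system32"}


def _folder(path):
    """Lower-cased parent folder after collapsing '..' and '/' separators."""
    return ntpath.dirname(ntpath.normpath(path)).lower()


def _is_smss(path):
    return ntpath.basename(ntpath.normpath(path)).lower() == "smss.exe"


def triage_file(path):
    """Classify an on-disk copy: setup and Recovery Console copies are fine."""
    if not _is_smss(path):
        return "not-smss"
    return "expected" if _folder(path) in ON_DISK_OK else "investigate"


def triage_process(image_path, parent_name):
    """Classify a running smss.exe: stricter than the on-disk check."""
    if not _is_smss(image_path):
        return "not-smss"
    reasons = []
    if _folder(image_path) not in RUNNING_OK:
        reasons.append("image outside System32")
    if parent_name.lower() != "system":  # assumption: XP parent is 'System'
        reasons.append("parent is not System")
    return "expected" if not reasons else "investigate: " + ", ".join(reasons)


def run_samples():
    """Constructed sample records: (image path, parent process name)."""
    samples = [
        (r"C:\WINDOWS\system32\smss.exe", "System"),
        (r"C:\i386\smss.exe", "explorer.exe"),
        (r"C:\WINDOWS\Temp\smss.exe", "System"),
    ]
    return [triage_process(path, parent) for path, parent in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

A copy in `C:\i386` passes the on-disk check but is still flagged if it is the image of a running process, since the setup source is never where the session manager runs from.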
     
  24. rxtian

    rxtian Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    33
    Location:
    chicago, IL
    Blue: I appreciate you letting me know that I do not have a problem.
    Happy Holidays (to all)
     