BOClean driving me insane

Discussion in 'other anti-trojan software' started by sandokan, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. sandokan (Registered Member)

    After today's defs update BO seems intent on removing a file named cfishljp.dll, which is an integral part of the CFI application ShelltoysXP, which I have been using for years. I have put the file in the excluder area to no avail. Now BO also wants to interfere with smss.exe, which is part of the MS OS. It had never shown this behaviour before. I've also tossed smss.exe in the excluder list, but it doesn't work.

    Has something gone wrong with the latest def update? Please advise as this is very bothersome to say the least.

    Thanks for your time.
  2. BlueZannetti (Administrator)

    Let me ask the obvious, have you contacted PSC support on this as yet?

    Blue
  3. FanJ (Updates Team)

  4. fred128 (Registered Member)

    You might want to download McAfee Site Advisor and read what they have to say about the shelltoy site. BOCLEAN may be doing its job.
  5. lodore (Registered Member)

    Kaspersky reports the install file as clean.
    lodore
  6. fred128 (Registered Member)

    This is what McAfee Site Advisor has to say:

    shelltoysxp.com

    "When we tested this site we found links to softlandmark.com, which we found to be a distributor of downloads some people consider adware, spyware or other unwanted programs."

    In other words, a site related to the main site may in some way be connected to suspicious downloads. I have no idea if shelltoys itself is not safe.
  7. sandokan (Registered Member)

    Hi. Let's go in order.

    No, I haven't contacted PSC because I was under the impression that better results can be got via this support forum.

    Now, I have scanned the file(s) with KAV and other online scanners and they are absolutely clean. Furthermore I've been using CFI Shelltoys XP for years and it's not only a fantastic piece of commercial software, but I only download their updates from the registered area of their site as well.

    Plus, let's put aside those files, how about BOC attempting to modify smss.exe? That is a vital component of the OS, and its timestamp coincides with the OS's installation (which I did from a slipstreamed XP Pro SP2 CD).

    Now it seems as if the program excluder has finally done its job, as I am not getting any more prompts from BOC in reference to the .dll.

    We'll see what happens next.

    Thanks for all the replies.
  8. Londonbeat (Registered Member)

    sandokan,

    The best thing to do is send an email headed 'possible false positive' enclosing the file as an attachment, with a link to this thread, to:
    support @ nsclean . com

    Londonbeat
  9. Bubba (Updates Team)

    Wonderful results can be got from the BOclean clan that frequents this forum but as others have said....an e-mail to PSC support is always the way to go with a possible FP. Nancy does not let Kevin get out much anymore. He stays busy with all these new rats and such :eek: :D

    Bubba
  10. Tommy (Registered Member)

    I have just tried ShelltoysXP. BoClean gives me the same results as you and also tries to shut down smss.exe. Thanks to SSM this has not happened :)
  11. sandokan (Registered Member)

    Thanks guys. I'll send an email as soon as I finish posting this.

    ProcessGuard alerted me to BOC's attempts to modify / shut down smss.exe.
  12. Longboard (Registered Member)

    HEH: maybe need pest patrol lol

    Yes: @sandokan: unleash the Kevin with a mail.
    He always responds with vigour and we all learn something new.
    :thumb:
  13. BlueZannetti (Administrator)

    sandokan,

    Advice provided here can sometimes be faster than from a vendor, sometimes not; it all depends on who's online. In general, it will tend to be a bit more neutral, but it's often anecdotal, which is all that is needed in many cases. But when a fix is required, be it a false positive (or confirmation of real malware) or a program issue, the vendor is the only one who can provide the fix - so it's always best to touch base there at the same time a general reality check is made here or elsewhere.

    By the way, precisely what is the behavior shown regarding smss.exe? I'm seeing nothing here....

    Blue
  14. fred128 (Registered Member)

    As I said, BOCLEAN seems to be doing its job:

    http://www.neuber.com/taskmanager/process/smss.exe.html

    What is smss.exe? Is smss.exe spyware or a virus?

    Process name: Windows NT Session Manager

    Product: Windows

    Company: Microsoft

    File: smss.exe

    This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

    Note: The smss.exe file is located in the folder C:\Windows\System32. In other cases, smss.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

    Virus with same name:
    W32.Dalbug.Worm - Symantec Corporation
    Adware.DreamAd - Symantec Corporation
    W32.Resdoc - Symantec Corporation
    Adware.Advision - Symantec Corporation
    Backdoor.IRC.Flood.F - Symantec Corporation
    Backdoor.IRC.Aladinz.O - Symantec Corporation
  15. fred128 (Registered Member)

    http://www.symantec.com/security_response/writeup.jsp?docid=2003-120316-0541-99

    Updated: June 9, 2006 04:02:52 PM ZE9
    Type: Adware
    Risk Impact: High
    File Names: Smss.exe
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

    Behavior
    Contacts a Web site to obtain and display advertising links.
    Symptoms

    * Outgoing connections to advertisingvision.com.
    * Existence of the folder, %Windir%\Configsys.

    Transmission
    Installed as a component by certain software packages.
  16. Nancy_McAleavey (Expert Member)

    Hi everyone,

    This problem was corrected in the current (15-12-06) Update. We could have had it sooner had we received the email sooner. The forums are helpful here in letting people know what any FP problem is, but only we can solve it, which makes emailing us the best first thing to do. Please o_O

    A typical day lately involves handling over 1000 files. o_O That doesn't leave much time to pop around forums looking for threads like these. :blink: FPs happen, and we'd like to get them solved ASAP. Don't be afraid to email us!
  17. sandokan (Registered Member)

    Thank you very much Nancy, I appreciate the promptness and efficiency with which both you and Kevin tackle these problems.

    fred128

    The smss.exe file was not a virus, and it was exactly in the folder(s) where it's supposed to be. I wouldn't have started the thread otherwise.

    Thanks very much to all involved. Another little nuisance gone away.
  18. fred128 (Registered Member)

    Hi Sandokan,
    If this file was outside of Windows\System32, it would have been a big problem.
    I'm glad it was a FP.
  19. MaB69 (Registered Member)

    Many thanks to Nancy and Kevin for fixing your great product :thumb:
  20. rxtian (Registered Member)

    Just for the heck of it, I just did a search for Smss.exe. I got three returns:
    1. smss.exe in C:\i386
    2. Smss.exe in C:\i386\SYSTEM32
    3. smss.exe in C:\WINDOWS\system32

    does this mean I have a problem?
  21. BlueZannetti (Administrator)

    No.

    Blue
  22. Antarctica (Registered Member)

    I don't know, but in my computer it's only in C:\WINDOWS\system32. :doubt:
  23. sandokan (Registered Member)

    It should also be in all other 3 locations. Perhaps your settings don't allow you to see the file?

    I say other 3 locations because those who installed the Recovery Console as a boot option should see the file also in C:\cmdcons\system32.
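    Added example (not code from the thread or from BOClean): a small script that takes a list of file paths, keeps only those named smss.exe, and flags any copy whose directory is not one of the four locations the posts above name as legitimate on XP (system32, the i386 source tree and the Recovery Console tree). The EXPECTED_DIRS list is taken from the thread, not from a vendor reference, and the sample paths in the main block are constructed.

```python
import os
from pathlib import PureWindowsPath

# Directories the thread names as legitimate homes for smss.exe on Windows XP.
# Assumption: this list comes from the posts above, not from a vendor source.
EXPECTED_DIRS = {
    r"C:\WINDOWS\system32",
    r"C:\i386",
    r"C:\i386\SYSTEM32",
    r"C:\cmdcons\system32",
}

def _norm(path):
    """Case-fold a Windows path so C:\WINDOWS and c:\windows compare equal."""
    return str(PureWindowsPath(path)).casefold()

_EXPECTED_NORM = {_norm(d) for d in EXPECTED_DIRS}

def classify(paths, name="smss.exe"):
    """Split full file paths into (expected, unexpected) copies of `name`.

    Files with other names are ignored. A copy in any directory outside
    EXPECTED_DIRS is the case fred128 describes as the real problem.
    """
    expected, unexpected = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.casefold() != name.casefold():
            continue
        bucket = expected if _norm(wp.parent) in _EXPECTED_NORM else unexpected
        bucket.append(p)
    return expected, unexpected

def find_by_name(root, name="smss.exe"):
    """Walk `root` on a live machine and return every file called `name`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if f.casefold() == name.casefold())
    return hits

if __name__ == "__main__":
    # Constructed sample: rxtian's three hits plus one copy in a temp folder.
    sample = [r"C:\i386\smss.exe", r"C:\i386\SYSTEM32\Smss.exe",
              r"C:\WINDOWS\system32\smss.exe",
              r"C:\Documents and Settings\user\Local Settings\Temp\smss.exe"]
    ok, bad = classify(sample)
    print("expected:", ok)
    print("unexpected:", bad)
```

On a live machine, feed `find_by_name(r"C:\")` into `classify` to get the same split; a non-empty unexpected list is the one worth following up.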
  24. rxtian (Registered Member)

    Blue: I appreciate you letting me know that I do not have a problem.
    Happy Holidays (to all)