Purchase of Boclean

Discussion in 'other anti-trojan software' started by pepim, Nov 24, 2006.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Strangequark, thanks for your eicar experiment, now i know the proceedings of the 'after malware find' ,just in case.
     
    Last edited: Nov 29, 2006
  2. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Thanks for your information Snowbound :thumb: I’m not complaining, but pff ...


    I don’t have this trojan anymore and my pc has been updated as always. The trojan was due to my stupidity but I kept the infected file, so as soon as I can use Boclean, I will test the file offcourse.
     
    Last edited: Nov 29, 2006
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I tested your bad file and Boclean found the TrojanHorse ' ZLOB78 Malware Variant' and removed it including all threads from memory.

    BTW, where does Boclean saves the copy of the bad boys. I have activated this feature, but i can't find the copy anywhere.
     
  4. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Glad to see Boclean found it, I hope I once will experience the same. Sorry a little bit sarcastic.:doubt:
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    @Tommy
    Dontcha just love that BoClean :)
    see attached: for me anyway
     

    Attached Files:

  6. controler

    controler Guest

    Tommy

    I think BoClean renames the file so that is is harmless untill you rename it back to an exe ect.

     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    I have got to pay attention to the exact question :oops:
    ( and remember every one here knows more that me :ouch: )
     
  8. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Hm, I guess it's a joke :D
     
  9. controler

    controler Guest

    pepim

    You were posted where the file is and that is renamed.
    What more do you want?

    con
     
  10. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Did I post something wrong? I haven't installed Boclean yet, still have some problems, but I don't quite understand your posting? I don't want to bother anybody, sorry if I did.:(
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    We will take the position that as of yet no one has posted anything wrong and simply chalk it up to possible language barrier problem. We'll also await your purchase of Boclean and any further comments you might like to share about the product.

    Bubba :ninja:
     
  12. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Ok I will do that Bubba, thanks :)
     
  13. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    :ninja: Always interested in the BOClean threads and postings...I'll watch for it... ;)
     
  14. controler

    controler Guest

    pepim


    Hello

    I did not mean you said something wrong at all.
    I do have BoClean and love it. You can buy one LIC and install it on all your home computers, even if you have 5. What I meant to say is that any scanner is only as good as it's definitions. In BoCleans case, you can still drag a file into it's open GUI but if BoClean does not have a signature for that nasty file, BoClean will not detect it. BoClean will however detect the file with heuristics if you actually click on the file. I am not talking an ICAR test file either. I am talking an unknown nasty.
    One of the reasons BoClean is so good is it works as a memory scanner, which means if the nasty is packed with some program it usually must unpack itself in memory before it can do it's damage.
    I have heard rumor of a nasty that can stay packed in memory and unpack in memory on the fly. I don't know if this is true or not.
    AS far as i have seen, you can't find better support for a security program. BoCleans support is the best as far as I am concerned.

    Have you already submitted your file to Virus Total or Jotties?
    Those two sites have become very popular this past year the scanners on those sites can many times at least show you that something looks fishy.
    Another great idea is that most computers come with some form of restore from disk software these days. Which is better then Microsoft's restore program.
    I think it is a rare day to become infected with something with Process Guard & NOD32 installed as you have. NOD & KAV are two of the finest Av's in the world in my opion. PG isn't really for the home user at this point it still requires some knowledge of the operating system and an understanding on what you are clicking yes or no to. Making a program as simple to use as possible for the home user is what most security vender's try to accomplish these days.
    BoClean was designed this way from day one. Make it simple for any home or office user and still powerful.

    What I meant to say about having security software installed prior to becoming infected was only that some nasties won't be detected by the security software if they were installed first due to taking over the operating system at the kernel level.
    If by chance your infection does turn out to be a rootkit, I am sad to say the only way to make sure you are OK is to reformat your hard drive. I know most do not like to hear it and it sounds worse for a typical non computer savvy home user even though it is not as tough to do as many think, mentioning restore software preinstalled on new HP, Dell ect computers.
    Back in the day there were only two good re image programs, Ghost & Drive Image. Now days there are some very good ones which are very easy to use.
    As the years go by you will see more & more "experts" here using a drive image type program because they now know of all the new drive by nasties
    Built for one purpose, to steal your personal information for profit.
    You just can not trust your patched browser 100 percent now days.
    Any way sorry for rambling. I hope some of what i posted can be useful in some way.

    controler
     
  15. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Hello controller,

    Sorry for misunderstanding you and yes I did submit the file to Virus Total and Jotties.

    You really mean actually click on it? What happens when you do so?

    As for PG I can explain, I always disable PG when I want to install something and at that moment I had it disabled. (I thought the file was ok because a friend sent it to me) Nod32 noticed it after my pc was infected and the files were sent to Eset.
    I followed the instructions of Blackspeare’s topic for the settings of Nod32, so that should be ok.

    It was a trojan and my Hijackthis log appeared to be clean, so I don't think I have to reformat my hard drive.

    Yes it has, thanks. :)

    I tested the infected file by dragging it into the Boclean window (as poirot suggested), Boclean reacted immediately, I was very pleased to see that. :)
    I didn’t dare actually click on the file, should I do so?
     
    Last edited: Dec 2, 2006
  16. controler

    controler Guest

    I would not advise anyone to actualy click on the file since there are many
    nasties not detected buy security products everyday. The rule of thumb is that by the time most software detects a nasty, it has been undetected for a few days prior.
    Just googling ZLOB give a lot of results. here is an interesting site for removing ZLOB, SPysherrif ect.

    http://www.zlob-removal.com.removal-instructions.com/

    I am guessing the Virus Total NOD-32 missed it because they are not using advanced features of the scanner, same with Mcafee.
    Before I would turn off Process Guard to install software, I would set it to learn. I personaly like to see what drivers are trying to install because you can always accept or deny them.

    controler
     
  17. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Thanks for the link.

    With Jotti the same, Nod missed it too.

    ~removed un-necessary jotti scan~

    Ok thanks for the tip, I will do that next time.
     
    Last edited by a moderator: Dec 2, 2006
  18. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Yes, I agree with controler do not click on it. Let BOClean do its work and don't take such a risk. ;)
     
  19. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Uhm or can I click on it, looking at your wink? Russian roulette?:ninja:
    I did click on it actually and BOclean was there again!:)
     
    Last edited: Dec 2, 2006
  20. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    BOClean detects 622 variants of Zlob, as of yesterday's update!
     
  21. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Still have some problems. (I did get contamineted before purchasing Boclean, let that be clear!)

    Strange things occur, I suddenly have an infected file in a map, that I have probably one year or so?
    So I scanned it online with http://virusscan.jotti.org/
    http://www.virustotal.com/en/indexf.html and I get very different results. Kapersky thinks it's ok with Jotti, but in Virustotal it gives a trojan.small.BOE.

    What should I do? I'm worried. :doubt:
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Ny question is, with some of the AV products detecting over 99 percent of trojans, based on IBKs test results, why do you need this added protection. Sounds like extra money spent by the consumer, for just another unneeded product of protection. Of course, I could be wrong so please enlighten me.
     
  23. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Where is the infected file located?

    If there is suspicious behaviour occurring on your system u could post a Hijackthis log over at this site,

    http://gladiator-antivirus.com/forum/index.php?showtopic=10517

    for analysis by the malware experts there.



    snowbound
     
    Last edited: Dec 4, 2006
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It really depends on how any protective measures that you've already implemented function.

    BOClean is a process memory scanner. Malware executables can be repacked and/or encrypted so that the daughter file bears little resemblence to the original parent (which had presumably been used to develop a detection signature). This is a very facile way to avoid signature detection of the file and basically extend the effective lifetime of a piece of malware. However, the underlying program has not changed and it will be converted in that parent form when loaded into memory to run. As a convenient reference point, think of a standard program vs an archive version of this program, for example a zip file. The two files look distinct, but are the same, particularly when viewed from the running executable in RAM. BOClean focuses on this piece of the puzzle.

    That's it in a rough nutshell.

    Blue
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Thanks Blue.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.