Turkojan 3 - part II

Discussion in 'malware problems & news' started by Wolfe, Apr 21, 2006.

Thread Status:
Not open for further replies.
  1. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Follow up from here: detected by many - submitted to all.
     

    Attached Files:

  2. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Also detected by BOClean.
     
  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Yes, detected, but unfortunately Turkojan wins in the end.:blink:
     

    Attached Files:

    • 888.png (7.2 KB)
  4. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Don,

    What's the BOClean error?

    On a side note: grabbed by ewido as well ;)
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Heh. Yet so many, for some obscure reason, think of BOClean as some sort of impenetrable fortress against trojans. :cautious:
     
  6. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Rubbish. There's no such thing as 100% "grabbing all" AT. Heck, it's not that impossible to fool KAV, TrojanHunter, A Squared - you name them. BOClean is no exception to the rule here.
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Oh, no, really? :rolleyes: A signature-based program doesn't catch 100%? I would have never guessed that.

    On a side note, if it was detected and BOClean was terminated (or it crashed), like it seems, it's not even a signature problem.
     
    Last edited: Apr 21, 2006
  8. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    ...seems like you're learning real fast ;)
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Listen, I don't want to bash BOClean, I don't even know how good it is. But claims like "BOClean users never post HJT logs", like I've seen here, are just funny. Take Kaspersky, very good antivirus, probably the best in detection rate right now; yet in a year or something of "malware hunting" I've collected dozens of different undetected trojans I've sent them. For Ewido, it was hundreds, possibly thousands. And these are two of the best. To claim that an antivirus, anti-trojan, is the ultimate solution for anybody who wants to stay clean is absurd, and only means they never actually tested it on real-life scenarios.
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Jesus, can't believe I forgot to check that.:eek:

    Cleaned it off with Kaspersky, I'll try it again a little later and have a look at the error.:)
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Don,

    The error should be accessible from the Event Viewer.

    Blue
     
  12. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, I've never seen a BOClean user claim that, though some have noted that in all the HJT logs they've seen, there was never a BOClean user listed in their memory. Of course, there probably wasn't a KAV/NOD32/etc. user listed either, and if one did note a case where these or other products did appear, that alone says very little when you get down to it.

    The simple statement is that for users who don't want to learn all the nuances of PC operations and configuration for security, an informed installation/configuration of a couple of high quality commercial products will make you as safe as humanly feasible. That's it.

    I'm a BOClean user and would say it is one of the products that casual users should consider as an option.

    Blue
     
  13. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    I understand. Eating is the proof of the pudding nevertheless: I do suggest buying a license, give it a go and come up with your verdict after that.

    Actually, that part holds merit - I do invite you to provide a HJT log file proving otherwise.

    Let's shake hands: same experience over here. Probably many new ones on the loose as we speak right now - trojans that is.

    No one stated there's a "one in all" solution. And that isn't the topic of this thread either, is it? ;)
     
  14. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Never mind ;)

    Much obliged, Don ;)
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Now, this is perfectly said and I can agree with all of it. ;)
     
  16. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    This is the error:
    On the second try it appeared to both detect and remove, but when scanning with Kaspersky, this was found: C:\WINDOWS\fin32.exe.
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Maybe one day I will... then again maybe not. There are some programs that have a higher priority on my 'to buy' list, and I'm not one that buys much software in the first place.
    It doesn't hold MUCH merit, because BOClean is known and used only by few people ("BOClean" in Google yields 121.000 results, less than "systrace"... and I wonder how many in the everyday world know about the latter); only one person I know personally had heard of it, and most of the people I know are in the IT department. And because the ones who know about it and buy it are generally interested in security already, the chances that they fall for a malware trap are much lower.

    EDIT: uh, and by the way, here's a HJT log proving otherwise, and here's another one. :p

    That said, I want to make it absolutely clear that I do NOT have anything against BOClean; for what I know, it could be a very good product.
     
    Last edited: Apr 21, 2006
  18. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Don, did you send Kevin an email about your experiences? :)
     
  19. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I looked at both the HJT logs in your links. The first doesn't appear to be infected with anything and the second one complains of an orphan registry entry (WOW). BOClean does not claim to clean up the registry: just the nastiness.
     
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Yes, now I have.:oops: :)
     
  21. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Strange one indeed ... c0000005 means an attempt to access a memory location that doesn't exist, and 0041779E is a registry check after a process kill. Apparently this is what wasn't there. Checked it repeatedly here since this one is a rather old one and natch, no fender benders on any of the lab rats here. But the error tells me that BOClean was pointed at something that didn't exist at the time it went to get it.

    I'm guessing that it got detected as "testvirus" rather than "turkojan" since this particular one was part of a test set a while back and included some other items that weren't part of this. Was that "FIN32" file the one that was actually stopped? Or was it another filename? BOClean will only nail that which runs if it's a variant, and would pick up a secondary copy whenever that one runs since we don't scan files by nature, only what actually runs in memory. My guess is that the "FIN32" was a dropped file and wasn't the one actually running at the time.

    Want to follow up with you directly, so will email you once I post this ...
     
  22. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    A follow up.

    I have mailed with Kevin and am sending the things he requested + error reports, screenshots etc. so he can investigate; I have managed to reproduce it, so hopefully this will help.:)
     
  23. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Of course, since both posts are of people cleaning up the remains of the mess (oh, and one also has two viruses/trojans, which you missed, btw) and since you don't know whether they got infected and they had BOClean already or they used it to clean up the mess, this says absolutely nothing about BOClean. :rolleyes:
     
  25. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK