Discussion in 'malware problems & news' started by Wolfe, Apr 21, 2006.
Follow up from here: detected by many - submitted to all.
Also detected by BOClean.
Yes, detected, but unfortunately Turkojan wins in the end.
What's the BOClean error?
On a side note: grabbed by ewido as well
Heh. Yet so many, for some obscure reason, think of BOClean as some sort of impenetrable fortress against trojans.
Rubbish. There's no such thing as 100% "grabbing all" AT. Heck, it's not that impossible to fool KAV, TrojanHunter, A Squared - you name them. BOClean is no exception to the rule here.
Oh, no, really? A signature-based program doesn't catch 100%? I would have never guessed that.
On a side note, if it was detected and BOClean was terminated (or it crashed), like it seems, it's not even a signature problem.
...seems like you're learning real fast
Listen, I don't want to bash BOClean, I don't even know how good it is. But claims like "BOClean users never post HJT logs", like I've seen here, are just funny. Take Kaspersky, very good antivirus, probably the best in detection rate right now; yet in a year or something of "malware hunting" I've collected dozens of different undetected trojans I've sent them. For Ewido, it was hundreds, possibly thousands. And these are two of the best. To claim that an antivirus, anti-trojan, is the ultimate solution for anybody who wants to stay clean is absurd, and only means they never actually tested it on real-life scenarios.
Jesus, can't believe I forgot to check that.
Cleaned it off with Kaspersky, I'll try it again a little later and have a look at the error.
The error should be accessible from the Event Viewer.
Actually, I have never seen a BOClean user claim that, though some have noted that in all the HJT logs they've seen, there was never a BOClean user listed in their memory. Of course, there probably wasn't a KAV/NOD32/etc. user listed either, and if one did note a case where these or other products did appear, that alone says very little when you get down to it.
The simple statement is that for users who don't want to learn all the nuances of PC operations and configuration for security, an informed installation/configuration of a couple of high quality commercial products will make you as safe as humanly feasible. That's it.
I'm a BOClean user and would say it is one of the products that casual users should consider as an option.
I understand. Eating is the proof of the pudding nevertheless: I do suggest buying a license, give it a go and come up with your verdict after that.
Actually, that part holds merit - I do invite you to provide a HJT log file proving otherwise.
Let's shake hands: same experience over here. Probably many new ones on the loose as we speak right now - trojans that is.
No one stated there's a "one in all" solution. And that isn't the topic of this thread either, is it?
Much obliged, Don
Now, this is perfectly said and I can agree with all of it.
This is the error:
On the second try it appeared to both detect and remove, but when scanning with Kaspersky, this was found: C:\WINDOWS\fin32.exe.
Maybe one day I will... then again maybe not. There are some programs that have a higher priority on my 'to buy' list, and I'm not one that buys much software in the first place.
It doesn't hold MUCH merit; because BOClean is known and used only by few people ("BOClean" in Google yields 121.000 results, less than "systrace"... and I wonder how many in the everyday world know about the latter); only one person I know personally had heard of it, and most of the people I know are in the IT department. And because the ones who know about it and buy it are generally interested in security already, and the chances that they fall for a malware trap are much lower.
EDIT: uh, and by the way, here is a HJT log proving otherwise, and here is another one.
That said, I want to make it absolutely clear that I do NOT have anything against BOClean; for what I know, it could be a very good product.
Don, did you send Kevin an email about your experiences?
I looked at both the HJT logs in your links. The first doesn't appear to be infected with anything and the second one complains of an orphan registry entry (WOW). BOClean does not claim to clean up the registry: just the nastiness.
Yes, now I have.
Strange one indeed ... c0000005 means an attempt to access a memory location that doesn't exist, and 0041779E is a registry check after a process kill. Apparently this is what wasn't there. Checked it repeatedly here since this one is a rather old one and natch, no fender benders on any of the lab rats here. But the error tells me that BOClean was pointed at something that didn't exist at the time it went to get it.
I'm guessing that it got detected as "testvirus" rather than "turkojan" since this particular one was part of a test set a while back and included some other items that weren't part of this. Was that "FIN32" file the one that was actually stopped? Or was it another filename? BOClean will only nail that which runs if it's a variant, and would pick up a secondary copy whenever that one runs since we don't scan files by nature, only what actually runs in memory. My guess is that the "FIN32" was a dropped file and wasn't the one actually running at the time.
Want to follow up with you directly, so will email you once I post this ...
A follow up.
I have mailed with Kevin and am sending the things he requested + error reports, screenshots etc. so he can investigate; I have managed to reproduce it, so hopefully this will help.
Of course, since both posts are of people cleaning up the remains of the mess (oh, and one also has two viruses/trojans, which you missed, btw) and since you don't know whether they got infected and they had BOClean already or they used it to clean up the mess, this says absolutely nothing about BOClean.
There is something odd about those BOClean entries in the running processes. It should show the version number. On top of which, there is no 04 entry for BOClean and there should be.