BOClean causes event ID:7000

BOClean finds this:
03/20/2008 17:08:47: BUSHBOT MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
E:\GAMES\SKULLTAG\ZDL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

Then BOClean stops me from loading IE7 and causes the following error below. When I tried to restart XP it ended up stopping XP from booting, so I had to use Last known configuration to get XP to boot again, and had to remove BOClean in safe mode.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 20/03/2008
Time: 17:26:16
User: N/A
Computer: ASUS
Description:
The BOClean Kernel Monitor. service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at Microsoft Support.

Help and Support Centre information:

Details
Product: Windows Operating System
ID: 7000
Source: Service Control Manager
Version: 5.0
Symbolic Name: EVENT_SERVICE_START_FAILED
Message: The %1 service failed to start due to the following error:
%2.

Explanation
Service Control Manager (SCM) could not start the specified service, probably because the service is not configured correctly.

User Action
Do one or all of the following:

Review the error information displayed in the message.
Verify that the service password has not expired.
Verify that the service is in the correct location.
Verify that the service is not infected with a virus.
To display the WIN32_EXIT_CODE error that SCM encountered when trying to start the program, at the command prompt, type
sc query service name
The information displayed can help you troubleshoot possible causes for the error.
If the WIN32_EXIT_CODE is zero, then SCM did not attempt to start the service because the error was detected first.

Version: 5.2
Symbolic Name: EVENT_SERVICE_START_FAILED
Message: The %1 service failed to start due to the following error:
%2

Explanation
Service Control Manager (SCM) could not start the specified service, probably because the service is not configured correctly.

User Action
Do one or all of the following:

Review the error information displayed in the message.
Verify that the service password has not expired.
Verify that the service is in the correct location.
Verify that the service is not infected with a virus.
To display the WIN32_EXIT_CODE error that SCM encountered when trying to start the program, at the command prompt, type
sc query service name
The information displayed can help you troubleshoot possible causes for the error.

If the WIN32_EXIT_CODE is zero, then SCM did not attempt to start the service because the error was detected first.

And I was running the latest version of BOClean as well.
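The Help and Support text above stops at "sc query service name". The PowerShell below is an added example, not from this thread or from Comodo: it pulls Event ID 7000 from the System log, resolves each failing service or driver to its registered binary and reports whether that file still exists, which is exactly the "system cannot find the file specified" case. It assumes PowerShell 3.0 or later and an elevated prompt; the function names are mine.

```powershell
# Added example (not from the thread): correlate Event ID 7000 with the on-disk
# state of the service binary. Read-only diagnostics; nothing is changed.

function Resolve-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Strip surrounding quotes or trailing arguments from the ImagePath.
    if ($PathName -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($PathName -match '^(.+?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    else { $p = $PathName }
    # Normalise kernel-driver style prefixes and relative system32 paths.
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceStartFailureReport {
    param([int]$MaxEvents = 20)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Both user-mode services and kernel drivers raise 7000; query both classes.
    $catalog = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)

    foreach ($ev in $events) {
        $displayName = $ev.Properties[0].Value   # %1 in the message template
        $reason      = $ev.Properties[1].Value   # %2 in the message template
        $svc = $catalog |
            Where-Object { $_.DisplayName -eq $displayName -or $_.Name -eq $displayName } |
            Select-Object -First 1
        $path = if ($svc) { Resolve-ServiceBinaryPath $svc.PathName } else { $null }
        [pscustomobject]@{
            Time         = $ev.TimeCreated
            DisplayName  = $displayName
            ServiceName  = if ($svc) { $svc.Name } else { '(not registered)' }
            BinaryPath   = $path
            BinaryExists = if ($path) { Test-Path -LiteralPath $path } else { $false }
            Reason       = $reason
        }
    }
}

Get-ServiceStartFailureReport | Format-Table -AutoSize
```

A row with BinaryExists = False points at a service whose file was removed (for example by an uninstall or a cleanup) while its registration was left behind; a row marked "(not registered)" means the service entry itself is gone and the event is historical.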

Hi meman887 :slight_smile:

Could you upload the ZDL.EXE file to :

http://www.virustotal.com and http://virusscan.jotti.org

If it comes out negative :

1 ) You can move the file to BOClean's excluder.

And :

2 ) Please email the file to: malwaresubmit [ at ] avlab.comodo.com .
Specify in the subject line “False Positive?”.
Zip and password protect it with “infected” and include that information in the body.

So that they can fix it :slight_smile:

Greetz, Red.

Virus Total: http://www.virustotal.com/analisis/fedfd0bde29efabbb26793a9b6a4dcd3

I’ll try and submit it to the other one later, as it says it’s busy at the moment.

Is this the link ???

http://www.virustotal.com/analisis/fedfd0bde29efabbb26793a9b6a4dcd3

File ZDL.exe received on 11.16.2007 15:30:53 (CET) Current status: finished Result: 12/31 (38.71%)

Antivirus Version Last Update Result

AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - W32.Brontok.Q
ClamAV - - PUA.Packed.MEW-1
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - PossibleThreat!025039
F-Prot - - -
F-Secure - - Salga.A@mm
Ikarus - - IM-Worm.Win32.Sumom.C
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - Salga.A@mm
Panda - - Generic Malware
Prevx1 - - -
Rising - - -
Sophos - - Mal/EncPk-BA
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - W32/Behav-Heuristic-066
VBA32 - - -
VirusBuster - - Packed/MEW

Additional information

MD5: 941bfa23ed7586a699386842fc42f5a2
SHA1: 56658316163b199b36a9a3d794b55942d06e0e6e
SHA256: cc440c2d52e55ebe7d64a31b787831ab533cf0e8ba67beecbcbc9592be077041
SHA512: 303ccacdbc5dfe79ea27cb2f73dd38910c2d7d2f6d357510b4866f7d5111a098 8eeff44ad53a63b85c682f985334566d82c8dbd1b4a6618a2c89291400009f52

In this case I would like to see an actual scan of your file by Virustotal and/or Jotti :slight_smile:

Greetz, Red.

Well, for Jotti it showed this; here are screenshots of what it shows for the results and the link for further information.

Top part of page
Bottom part of page
jotti results

Don’t know if the above information is useful or not; if not, let me know and I’ll give you any further information if needed.

Hi meman887 :slight_smile:

I am sorry I didn’t answer you earlier :-[

The problem I have with the scan is that the file is flagged, but not by most major AV companies :-\

So please email the file to: malwaresubmit [ at ] avlab.comodo.com .
Specify in the subject line “False Positive?”.
Zip and password protect it with “infected” and include that information in the body.

And add a link to this topic in your email :slight_smile:

Greetz, Red.

I can tell ya now, I will advise against removing “BUSHBOT” from our database. The problem here is MEW, and the BUSHBOT trojan of several years ago was merely the first appearance of MEW. It’s a definition I insist on maintaining, and here’s why … MEW is not just a packer. By its nature, it’s an obscurer whose sole purpose was to defeat unpacking. Its author is a well known virus writer with ties to some rather unsavory characters and MEW by its mere presence is a very well established tool used by malware authors. Were we to have stopped detecting it “back in the day” a large number of “unknown malware” would have never been detected at all, thus the presence of this particular packer/obscurer on its face was a certain sign of malicious software. When you have a situation of 80,000 nasties using it and maybe one or two “questionable but legit” proggies use it, I’ve always been of the opinion that it’s better to nail it anyway. The author who chose to use this “packer” made a bad choice.

That all said, my own attitude towards this detect is that if the OP really believes that this game is safe to run and is certain that there’s no “evil intent” … BOClean provides an excluder to which this file can be sent to inform BOClean to ignore it. However, I’ll tell my own lab guys NOT to remove the detection from BOClean as this is one of those few definitions that I will absolutely defend as “needed.”

So the solution here is to exclude that file; I don’t want our people to remove the definition.

Wanted to post this separately, feel free to share it. :slight_smile:

There’s been a good deal of grousing over BOClean since it went to COMODO over “false positives” replete with people posting results from VT and Jotti and other sites to “prove” that BOClean has been full of FP’s ever since it became part of COMODO. And during the period of time spent on training our lab folks on how to “spot the nasty the BOCLEAN way” there have indeed been some mistakes. Sadly, analysis of malware isn’t as simple as it may seem and a number of folks in the lab required more supervision to come up to speed than time allowed here and there.

As an unfortunate result, BOClean started to earn a reputation as being “full of FP’s” when in fact the problem is that simple “signature-based” detection could indeed result in FP’s, particularly if the signature was taken from a bad spot in programmes that was likely to turn up in other “legitimate” ones. For those errors, MY apologies. However, after a lot of training and retraining, and QC methods put into place to minimise our former problems, COMODO has taken great pains to resolve those shortcomings.

I’ve been way too busy lately to come out here and discuss several of these in recent history, and am still a bit overloaded but felt it was necessary to explain some of these situations as to why they might occur as was the case with this “BUSHBOT” detect. Any anti-whatever can grab a “signature” and detect that which has been sampled and is now “known.” However, the BOClean “philosophy” extends beyond that (and always has) into spotting unique “behaviors” as the entire point of writing up a detect is obviously to cure a “known” malware identity. But it also extends beyond that in knowing that once malware is detected, then the purveyors are going to write something new and put that out as the success of their latest corrodes.

Therefore, not only do we do “fixed signatures” of the known, we also make an effort to zero in on other aspects of malcode which we can expect to see again in the future with “unknowns” … anyone who’s been with BOClean over the long run knows this has always been our way of doing things. And they can also indicate that I personally never looked at “FP’s” the same way as many others do - that’s the reason for the excluder in BOClean in the first place. In the past, we’ve found MIRC, VNC, and can’t remember the author at the moment, but they made a whole bunch of “remote access tools” and there was a big stink about that as well. Each and every one of these has been used in “hidden mode” as what I used to refer to as “pseudo-rootkits.” Fact is, “legitimate” or not, you want them detected, and the whole purpose was to “find the unknowns.”

So when something like this happens, if you’re SURE that whatever is being alarmed on is actually “trustworthy” then exclude it, and BOClean will ignore it upon your request. But I’d be greatly concerned if we didn’t detect these because more often than not, BOClean firing off is a legitimate warning.

I’ve gotten our folks to examine carefully for quite a while now; we’re not detecting Windows as a virus any longer. Heh. I won’t even go saying that it might be safer to just delete the entire hard disk since Windows itself seems to be malware. :slight_smile:

But many of these “FP complaints” lately have turned out to be BOClean spotting clear usage of malware libraries by authors of software that would be better off learning how to code, write their OWN code and not use code they found from malware authors because they couldn’t write their own. Sorry, just needed to be said.

Rednose:
I have submitted the file in question to the email address supplied.

Kevin McAleavey:
I can see your point of view. I’m not trying to dis Comodo or its products, because after all I do like using the firewall, as it’s the best one I have seen to date, and I have seen it improve quite quickly too :slight_smile:

Yeah, I know the application is still in its early stages as yet; every app goes through trial and error and takes time before it matures, so I’ll wait for now and try BOClean again in the near future.

Hi meman887 :slight_smile:

I think you should follow Kevin's advice here :slight_smile:

Greetz, Red.