PC De-Crapifier Worm

Hello, I just downloaded PC De-Crapifier 1.91 from MajorGeeks,

and when I try to open it in 4.26, BOClean pops up and says it has stopped it from running and asks me to delete it.

It says IWIRM-SOHANAD.SAB.

I was just wondering if this is a false positive, because I used to run the older versions and never got this before.

groomsy

As far as I know it’s a false positive. I don’t know a great deal about De-Crapifier, but I suggest running a full malware scan to check your system for any installed malware. BOClean is definitely not malware.

Eric

I love Comodo and was just curious. CFP, CAVS, CBOClean and CMG. Comodo is all I use besides SpywareBlaster, SpywareGuard and Spybot.

Could you upload that file to Virus Total www.virustotal.com and let us know what it comes back with?

The worm is also detected in JkDefragGUI.exe, and here is the report from VirusTotal.com:

File JkDefragGUI.exe received on 05.01.2008 13:18:11 (CET)
Result: 3/31 (9.68%)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.1.0 2008.05.01 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 -
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.05.01 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5750 2008.05.01 -
Ewido 4.0 2008.05.01 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.05.01 -
Fortinet 3.14.0.0 2008.05.01 -
Ikarus T3.1.1.26 2008.05.01 -
Kaspersky 7.0.0.125 2008.05.01 -
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3068 2008.05.01 archive damaged
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1097.0 2008.05.01 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.01 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0
Additional information
File size: 3726575 bytes
MD5: c17d637e1290bc8941271deba37f5edb
SHA1: 8bdd8fb5dd795c33f81d1a34f26731df66a33b5f
SHA256: 13bf55771d30f8e57a597334c05d927f96692fda1e375fa1f9252df39da4cfff
SHA512: c790009573dc1109c21932f6159696734dcc0311b886d504ed256fb86d070b48c8d4a4c778b0e22c5d14d63a74049d417ba0d6733e4bdc36f60b1fad5af1e8c8
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x4e4b80
timedatestamp: 0x47493eaa (Sun Nov 25 09:21:46 2007)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xad000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xae000 0x37000 0x36e00 7.92 75e4d955f458ee57a02f170de0782978
.rsrc 0xe5000 0x51000 0x50600 6.75 5f0642a7aef1f1285c74f5701376cfed

( 13 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey
COMCTL32.dll: ImageList_Remove
comdlg32.dll: GetSaveFileNameW
GDI32.dll: LineTo
MPR.dll: WNetUseConnectionW
ole32.dll: CoInitialize
OLEAUT32.dll: -
SHELL32.dll: DragFinish
USER32.dll: GetDC
VERSION.dll: VerQueryValueW
WINMM.dll: timeGetTime
WSOCK32.dll: -

( 0 exports )
packers: UPX
packers: PE_Patch.UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
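The section table in the report above is the classic shape of a packed executable: UPX0 has a large virtual size but no raw data (the unpack target), UPX1 is at entropy 7.92 (compressed code), and the packer field says UPX. Generic "suspicious Trojan/Worm" heuristics tend to fire on exactly that shape, which is why a packed but legitimate tool can collect a handful of detections. The following is an added example, not code from this thread or from Comodo or VirusTotal: a small Python PE section parser that computes per-section entropy and flags those indicators, run over a constructed minimal PE image whose section layout copies the report. The thresholds (entropy above 7.0, an empty raw section) are assumed heuristics, not VirusTotal's or BOClean's rules, and the indicators mean "looks packed", not "is malware".

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(sections: list, high_entropy: float = 7.0) -> list:
    """Assumed 'looks packed' heuristics; they explain a heuristic AV hit, they are not a verdict."""
    findings = []
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes mapped (unpack target)")
        if s["entropy"] > high_entropy:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted code)")
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE image (headers only, not runnable) mirroring the report's section table."""
    rng = random.Random(1)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for compressed code: high entropy
    rsrc = b"RESOURCE" * 64                                   # stand-in for resources: low entropy
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE signature follows the DOS header
    opt = bytearray(224)                                      # PE32 optional header, zeroed except the magic
    struct.pack_into("<H", opt, 0, 0x10B)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    raw_start = 512
    headers = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) as in the report
        (b"UPX0", 0xAD000, 0x1000, 0, 0),
        (b"UPX1", 0x37000, 0xAE000, len(upx1), raw_start),
        (b".rsrc", 0x51000, 0xE5000, len(rsrc), raw_start + len(upx1)),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, rp in headers)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image += b"\0" * (raw_start - len(image))                 # pad headers out to the first raw section
    return image + upx1 + rsrc


def assess(pe: bytes) -> dict:
    """Parse plus heuristics in one result a triage note can quote."""
    sections = parse_sections(pe)
    findings = packer_indicators(sections)
    return {"sections": sections, "findings": findings, "looks_packed": bool(findings)}


if __name__ == "__main__":
    result = assess(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']:<6} vaddr={s['vaddr']:#08x} vsize={s['vsize']:#08x} "
              f"raw={s['rawsize']:#08x} entropy={s['entropy']:.2f}")
    for f in result["findings"]:
        print("-", f)
```

Run against a real file, `assess(open(path, "rb").read())` gives the same table VirusTotal printed (names, virtual and raw sizes, entropy), which is enough to tell "packed installer" from "nothing unusual" before deciding whether a single-engine hit deserves a false-positive submission.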

It seems like it might be a false positive; only a few of the others are recognizing it as anything. Perhaps it has malware-like tendencies?

If you can zip the file and submit it to malwaresubmit [at] comodo.com with the subject “Possible False Positive” or something similar, with a link to this thread so that he/she may look back at it, that should get the ball rolling on figuring this out for good.

Dave

The latest update has solved it now.