Gizmo's Freeware Forum, Freeware Installation & Usage

KRenameSetup

#1, 01. Oct 2010, 11:47 PM (Member, joined Oct 2010, 2 posts)

The other day I downloaded KRenameSetup, and when I tried to install it my Malwarebytes Anti-Malware popped up and said the file has a trojan in it called TrojanDropper.PGen. I was wondering whether or not anyone else is having a similar problem.
Posted by strydr
#2, 02. Oct 2010, 08:30 AM (Senior Member, joined Apr 2008, Planet Earth, 1,379 posts)

It may well be infected. I downloaded the file from the developer's site and ran it through VirusTotal. Below is the link to the results.

http://www.virustotal.com/file-scan/...b18-1284291557

It could still be a false positive that is occurring because of some code that has similarities to existing malware, but when you have this many detections, I would be very careful.
__________________
The smallest good deed is better than the greatest intention.
Posted by Ritho
#3, 02. Oct 2010, 08:50 AM (Senior Member, joined Apr 2008, Planet Earth, 1,379 posts)

Here are the results from Norman Sandbox; I don't see anything suspicious going on in the install. I am waiting for results from other online malware analyzers.

Quote:
KRenameSetup.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Filename: C:\analyzer\scan\KRenameSetup.exe_\noname.nsis.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: N/A.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 1015957 bytes.
* MD5 hash: 98eacb23f9ab7fb1cf3c2e3a143d7fc9.
* SHA1 hash: 9f0f4c8fa4d779be58e0c8cfa0908d5125f45dce.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsb3624.tmp.
* Deletes file C:\WINDOWS\TEMP\nsb3624.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp\LangDLL.dll.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL.
* Creates file C:\WINDOWS\wininit.ini.
* Deletes directory C:\WINDOWS\TEMP\nsv4817.tmp\.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\KRename.exe".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Ken Rename".

[ Process/window information ]
* Creates a window with caption and classname #32770.
* Creates dialog control (static) with id 1030 and caption .
* Creates dialog control (static) with id -1 and caption .
* Creates dialog control (static) with id 76 and caption Please wait while Setup is loading....
* Creates a window with caption Dialog and classname #32770.
* Creates dialog control (combobox) with id 1002 and caption .
* Creates dialog control (button) with id 1 and caption OK.
* Creates dialog control (button) with id 2 and caption Cancel.
* Creates dialog control (static) with id 1007 and caption .
* Creates dialog control (static) with id 1008 and caption .
* Pressing button with id 1.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL (5632 bytes) : no signature detection.
* C:\WINDOWS\wininit.ini (55 bytes) : no signature detection.
Posted by Ritho
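A small triage script for a report in the format quoted above, added here as an example; it is not a Norman Sandbox, VirusTotal or Gizmo's tool. It parses the "[ Section ]" / "* entry" layout (the format is assumed from the quoted report), pulls out the MD5/SHA1 the sandbox recorded so you can check that the file you downloaded is the same sample the sandbox actually ran, lists the files the installer created and never cleaned up, and lists the registry keys it touched. The sample text inside the script is constructed from the report in this post, with the long registry keys re-joined where the forum had wrapped them with spaces.

```python
"""Triage helpers for a Norman Sandbox style report like the one quoted above.

Added example for this thread; it is not a Norman, VirusTotal or Gizmo's tool.
Assumed format (taken from the quoted report): section headers look like
"[ Name ]" and each observation is a line starting with "* " ending in ".".
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: the hash, filesystem and registry sections of the
# report quoted in post #3 (registry keys re-joined where the forum had
# wrapped them with spaces).
SAMPLE_REPORT = r"""
[ General information ]
* File length: 1015957 bytes.
* MD5 hash: 98eacb23f9ab7fb1cf3c2e3a143d7fc9.
* SHA1 hash: 9f0f4c8fa4d779be58e0c8cfa0908d5125f45dce.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsb3624.tmp.
* Deletes file C:\WINDOWS\TEMP\nsb3624.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates directory C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp\LangDLL.dll.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL.
* Creates file C:\WINDOWS\wininit.ini.
* Deletes directory C:\WINDOWS\TEMP\nsv4817.tmp\.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\KRename.exe".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Ken Rename".
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ENTRY_RE = re.compile(r"^\*\s+(.*?)\.?$")


def parse_report(text):
    """Map each "[ Section ]" header to its list of "* ..." entries (trailing period dropped)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current].append(entry.group(1))
    return dict(sections)


def report_hashes(sections):
    """Return {"md5": ..., "sha1": ...} as stated in [ General information ]."""
    found = {}
    for entry in sections.get("General information", []):
        m = re.match(r"(MD5|SHA1) hash:\s*([0-9a-fA-F]+)$", entry)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def digest_bytes(data):
    """MD5 and SHA1 of an in-memory buffer, in the same shape as report_hashes()."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def digest_file(path, chunk=1 << 20):
    """Same as digest_bytes() but streamed from disk, for large installers."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def same_sample(local, reported):
    """True only if the report states both hashes and both match the local file.

    A sandbox verdict applies to the exact bytes it analysed; a download that
    hashes differently is a different build, and the report says nothing about it.
    """
    return all(reported.get(k) is not None and local.get(k) == reported.get(k)
               for k in ("md5", "sha1"))


def leftover_files(sections):
    """Files created during the run and never deleted (paths compared case-insensitively).

    Installer temp files that get cleaned up are noise; whatever survives the
    run is what to inspect first.
    """
    created, deleted = {}, set()
    for entry in sections.get("Changes to filesystem", []):
        m = re.match(r"(Creates|Deletes) file (.+)$", entry)
        if not m:
            continue
        key = m.group(2).lower()
        if m.group(1) == "Creates":
            created[key] = m.group(2)
        else:
            deleted.add(key)
    return sorted(path for key, path in created.items() if key not in deleted)


def registry_keys(sections):
    """Registry keys the installer touched, stripped of the surrounding text."""
    return [m.group(1) for entry in sections.get("Changes to registry", [])
            for m in [re.search(r'"([^"]+)"', entry)] if m]


if __name__ == "__main__":
    secs = parse_report(SAMPLE_REPORT)
    print("reported hashes:", report_hashes(secs))
    print("files left behind:", leftover_files(secs))
    print("registry keys touched:", registry_keys(secs))
```

On the quoted report this leaves exactly one file behind, C:\WINDOWS\wininit.ini, with everything under TEMP cleaned up again; that single survivor is the thing to look at. To compare your own download, run `same_sample(digest_file("KRenameSetup.exe"), report_hashes(secs))`; if it returns False the sandbox looked at a different build than the one on your disk.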
#4, 02. Oct 2010, 09:13 AM (Senior Member, joined Apr 2008, Planet Earth, 1,379 posts)

Here are the Joebox results. They were too big to post or to attach, so they are available to download from drop.io. Joebox shows everything that a program does, and takes a long time to read through. I skimmed down to the most important sections and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle
Posted by Ritho
#5, 02. Oct 2010, 05:15 PM (Member, joined Oct 2010, 2 posts)

Quote:
Originally Posted by Ritho View Post
Here are the Joebox results. They were too big to post or to attach, so they are available to download from drop.io. Joebox shows everything that a program does, and takes a long time to read through. I skimmed down to the most important sections and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle
Thanks, Ritho, for your help in looking through that file for me. My feeling is it is probably a FP, but why take chances, as you say. I'll just have to check out other renaming software.
Posted by strydr
#6, 02. Oct 2010, 05:21 PM (Senior Member, joined Apr 2008, Planet Earth, 1,379 posts)

You're welcome. It wouldn't hurt to contact the developer and let him know your findings.
Posted by Ritho
#7, 07. Oct 2010, 06:25 AM (Senior Member, joined Jul 2010, UK, 173 posts)

I have reviewed the software and will look into this myself.

bodis
Posted by bodis
#8, 07. Oct 2010, 06:30 AM (Senior Member, joined Jul 2010, UK, 173 posts)

This is interesting: Softpedia has KenRename as well, but the zipped version, and it returns only 2/41 from VirusTotal.

http://www.virustotal.com/file-scan/...2e8-1277305696

Edit: I have just noticed that the developer's page has turned orange in WOT ratings; I will be removing Ken Rename from my reviews today.
Posted by bodis