06-24-18 10:40 AM
  1. Observer2's Avatar
    The file you need to run a checksum on is cfp.exe. It should have been created somewhere on the system. (Most of their installer file has to be comprised of that executable packed inside, cfp.exe by itself is around 16MB.)

    According to your Eset logs, the file was located in a temp folder at the following location:

    C:\Users\Bill\AppData\Local\Temp\afolder\cfp.exe

    (Bear in mind that the "AppData" folder has the hidden attribute set - make sure you are using a tool that can see hidden folders, or you have the "hide hidden files" function in Windows Explorer disabled, to navigate to it)

    Or you can do a search for the filename on the C: drive (if that is your OS drive) and you will probably find it.

    Or the developers of this script can just make it easy for us and tell us where they copy it.

    It's possible they delete the file after the script finishes.
    Unfortunately, it appears the script deleted cfp.exe from the drive. Also I enabled Win7 OS to show hidden files, folders and drives. No love being shown here.
    Last edited by Observer2; 03-08-14 at 04:10 PM.
    03-08-14 03:57 PM
  2. Omnitech's Avatar
    Unfortunately, it appears the script deleted cfp.exe from the drive. Also I enabled Win7 OS to show hidden files, folders and drives. No love being shown here.
    Well one way would be to run the tool again, and checksum the file while it is sitting in the temp folder. It probably copies the file prior to launching the actual operation.

    Personally I'm not about to run that thing on one of my 'real' machines at this point, I might setup an isolated VM to test it in or something.
    03-08-14 04:15 PM
  3. Observer2's Avatar
    Well one way would be to run the tool again, and checksum the file while it is sitting in the temp folder. It probably copies the file prior to launching the actual operation.

    Personally I'm not about to run that thing on one of my 'real' machines at this point, I might setup an isolated VM to test it in or something.
    do you have access to the install file that is downloaded? Perhaps you could do the test against the same file(s) I was able to test.
    03-08-14 04:30 PM
  4. Omnitech's Avatar
    do you have access to the install file that is downloaded? Perhaps you could do the test against the same file(s) I was able to test.
    The .exe installer file does not unpack with any of the unpackers I have here at the moment unless it is executed. Tried that already. The only file of interest is the cfp.exe file.

    I'm not about to execute that installer on a 'real' computer quite yet.

    And since I'm going to have some company coming over for the rest of the weekend, experiments on that will have to wait for a bit..
    03-08-14 04:51 PM
  5. deezy87's Avatar
    wizapp?
    This thing...

    SIC Multiwipe BB10, BBOS & PB - clean your device before auto/app loader-wizzapp.png

    SIC Multiwipe BB10, BBOS & PB - clean your device before auto/app loader-afolder.png
    03-08-14 05:53 PM
  6. Omnitech's Avatar
    This thing...

    Aha. Looks like the tool they use to generate the GUI.
    03-08-14 06:09 PM
  7. Foppa_21's Avatar
    If there's something sinister going on, the whole "just disable your antivirus" is pretty low.

    Posted with my Z10 via CB10
    Sator likes this.
    03-08-14 07:20 PM
  8. deezy87's Avatar
    Spoke to Sator, via BBM. Told him what was happening....turns out that my Link was missing some stuff, so I just uninstalled and re-downloaded it again.

    Been roughly an hour and it is on first wipe....this is going to be a while, I'm assuming.

    I didn't delete any 3rd party apps, maybe that is why.
    03-08-14 08:01 PM
  9. Sator's Avatar
    Spoke to Sator, via BBM. Told him what was happening....turns out that my Link was missing some stuff, so I just uninstalled and re-downloaded it again.

    Been roughly an hour and it is on first wipe....this is going to be a while, I'm assuming.

    I didn't delete any 3rd party apps, maybe that is why.
    Just relax and do it Deezy...hahaha. It will take a longer time if you didn't delete your 3rd party apps.

    Sent from my Q10 using Tapatalk
    03-08-14 09:07 PM
  10. clie610's Avatar
    Spoke to Sator, via BBM. Told him what was happening....turns out that my Link was missing some stuff, so I just uninstalled and re-downloaded it again.

    Been roughly an hour and it is on first wipe....this is going to be a while, I'm assuming.

    I didn't delete any 3rd party apps, maybe that is why.
    If you deleted every app that can be uninstalled, usually it will take less than an hour for the secwipe.
    03-09-14 01:08 AM
  11. Observer2's Avatar
    Omnitech, here is some more information on cfp.exe...

    and here is mine...
    C:\>fciv.exe "c:\sic multiwipe v1.0 setup.exe" /sha1
    // File Checksum Integrity Verifier version 2.05.
    fbbced7d4340832338d40b2f14f82e24 c:\sic multiwipe v1.0 setup.exe

    c:\>fciv.exe "c:\sic multiwipe v1.0.exe" /sha1
    bfc15ddc367e58cc75efd06d4ea907cb c:\sic multiwipe v1.0.exe

    It appears to be different. However, I do not see a file called cfp.exe?
    I used your advice and now have the information for the file cfp.exe...
    c:\>"fciv.exe" "c:\sic testing\cfp.exe" /sha1
    // File Checksum Integrity Verifier version 2.05.
    83e5cb767fed5b1d9cd35389eddac776 c:\sic testing\cfp.exe

    Yours (Omnitech)...
    Here's my SHA1 checksum:
    e07989709d28ee88fef47c0a6cc5bf888975bd29

    It appears there is a difference between the cfp.exe files...

    Also, this is from a partial Eset scan...
    C:\Program Files (x86)\SIC Multiwipe v1.0\SIC Multiwipe v1.0.exe BDARGOBAT2EXE cfp.exe - Win32/Slugin.A virus

    Tried doing again changing the way I used the switch...
    c:\>"fciv.exe" "c:\sic testing\cfp.exe" -sha1
    // File Checksum Integrity Verifier version 2.05.
    e07989709d28ee88fef47c0a6cc5bf888975bd29 c:\sic testing\cfp.exe

    Now we are seeing the same result for SHA1 comparison...

    So, given what Eset is reporting, what do you think?

    BTW, there is no way I would ever disable AV for anything coming from the Internet. I have just recently had to reconstruct my PC system due to hardware failure and all is well with Eset protecting.

    NOTE: If I run cfp.exe alone, Eset is not triggered.
    Last edited by Observer2; 03-09-14 at 08:12 AM.
    03-09-14 07:50 AM
  12. deezy87's Avatar
    If you deleted every app that can be uninstalled, usually it will take less than an hour for the secwipe.
    Okay after I had posted it completed shortly after.

    I have noticed my PIM services is 'normal' not at 75% or around there.

    This is the second day, so I'll report back during the week.

    Posted via CB10
    Sator likes this.
    03-09-14 05:19 PM
  13. deezy87's Avatar
    Well, in all honesty I think the wipe utility did help. Been running roughly 7 close to 8 hours strong and currently at 59%.

    Here is a screen shot, 1 day battery life remaining!

    SIC Multiwipe BB10, BBOS & PB - clean your device before auto/app loader-img_20140309_195402.png

    Also PIM has been behaving quite nice as well.

    SIC Multiwipe BB10, BBOS & PB - clean your device before auto/app loader-img_20140309_195620.png

    Posted via CB10
    Sator likes this.
    03-09-14 06:56 PM
  14. deezy87's Avatar
    Well, in all honesty I think the wipe utility did help. Been running roughly 7 close to 8 hours strong and currently at 59%.

    Here is a screen shot, 1 day battery life remaining!

    IMG_20140309_195402.png

    Also PIM has been behaving quite nice as well.

    IMG_20140309_195620.png

    Posted via CB10
    Edit!

    This is DAY 2 (TWO) after a fresh install yesterday and no restore at all, clean slate.

    Posted via CB10
    03-09-14 06:57 PM
  15. Sator's Avatar
    Well, in all honesty I think the wipe utility did help. Been running roughly 7 close to 8 hours strong and currently at 59%.

    Here is a screen shot, 1 day battery life remaining!

    IMG_20140309_195402.png

    Also PIM has been behaving quite nice as well.

    IMG_20140309_195620.png

    Posted via CB10
    Deezy, thanks for sharing your results.

    Sent from my Q10 using Tapatalk
    deezy87 likes this.
    03-09-14 08:07 PM
  16. Omnitech's Avatar
    Omnitech, here is some more information on cfp.exe...

    I used your advice and now have the information for the file cfp.exe...
    c:\>"fciv.exe" "c:\sic testing\cfp.exe" /sha1
    // File Checksum Integrity Verifier version 2.05.
    83e5cb767fed5b1d9cd35389eddac776 c:\sic testing\cfp.exe

    Yours (Omnitech)...
    Here's my SHA1 checksum:
    e07989709d28ee88fef47c0a6cc5bf888975bd29

    It appears there is a difference between the cfp.exe files...

    Also, this is from a partial Eset scan...
    C:\Program Files (x86)\SIC Multiwipe v1.0\SIC Multiwipe v1.0.exe BDARGOBAT2EXE cfp.exe - Win32/Slugin.A virus

    Tried doing again changing the way I used the switch...
    c:\>"fciv.exe" "c:\sic testing\cfp.exe" -sha1
    // File Checksum Integrity Verifier version 2.05.
    e07989709d28ee88fef47c0a6cc5bf888975bd29 c:\sic testing\cfp.exe

    Now we are seeing the same result for SHA1 comparison...

    So, given what Eset is reporting, what do you think?

    BTW, there is no way I would ever disable AV for anything coming from the Internet. I have just recently had to reconstruct my PC system due to hardware failure and all is well with Eset protecting.

    NOTE: If I run cfp.exe alone, Eset is not triggered.

    Well it looks like the second test matches, which is good.

    Seems that fciv uses the MD5 hash by default, and the command argument syntax is "-", not "/". So that would explain why the one using the "/" syntax got a different result - it was computing an MD5 hash rather than an SHA1 hash.

    So that's what we want to see.

    There are 2 common reasons which could explain why it flagged it initially:
    1. There was a transient error in a pattern detection file Eset was using for a short period of time which had a false detection for that malware variant, or
    2. The detection is based on heuristics or some sort of "behaviour-based detection" which is flagging the process as suspicious.
    Some antivirus tools will tell you in the log if it was using heuristic or "behaviour-based" detection when it detects something suspicious.

    It's possible that when it sees the tool is attempting to erase/re-write flash memory on something over USB (not sure how exactly they would detect this), it thinks that is suspicious activity. Or some other type of memory/file behaviour. I used to get false positives on Adobe Reader sometimes at a certain site if a certain plugin was used, most likely how the data is passed from one process to another when a certain type of PDF document was opened and passed to the plugin.
    03-10-14 05:15 AM
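A small check for the mix-up Omnitech describes above, added here as an example and not code from the tool or from any poster: it infers the algorithm from the digest length (32 hex characters is MD5, 40 is SHA1) before two reported values are compared, so an MD5 produced by a mistyped switch is never read as a SHA1 mismatch. The two digest values are the ones quoted in the thread; the labels and function names are my own.

```python
import hashlib

# Hex-digest lengths for the algorithms a checksum tool such as fciv can emit.
_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Digest values quoted in the posts above; the labels are constructed for this example.
THREAD_DIGESTS = {
    "fciv /sha1 run": "83e5cb767fed5b1d9cd35389eddac776",
    "fciv -sha1 run": "e07989709d28ee88fef47c0a6cc5bf888975bd29",
}


def digest_algorithm(hex_digest):
    """Infer the algorithm from a hex digest's length; None if it is not a known hex digest."""
    d = hex_digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return None
    return _DIGEST_LENGTHS.get(len(d))


def compare_digests(a, b):
    """Classify two reported digests before treating a difference as meaningful.

    Returns one of:
      'match'          - same algorithm, identical value
      'differ'         - same algorithm, different value (the files really differ)
      'not comparable' - different algorithms (e.g. MD5 vs SHA1), no conclusion possible
      'unrecognised'   - at least one value is not a hex digest of a known length
    """
    alg_a, alg_b = digest_algorithm(a), digest_algorithm(b)
    if alg_a is None or alg_b is None:
        return "unrecognised"
    if alg_a != alg_b:
        return "not comparable"
    return "match" if a.strip().lower() == b.strip().lower() else "differ"


def verify_bytes(data, reported):
    """Hash data with the algorithm implied by the reported digest and compare.

    Returns (algorithm, matches). Picking the algorithm from the digest length means a
    32-character MD5 is never checked against a freshly computed SHA1.
    """
    alg = digest_algorithm(reported)
    if alg is None:
        return (None, False)
    actual = hashlib.new(alg, data).hexdigest()
    return (alg, actual == reported.strip().lower())


if __name__ == "__main__":
    for label, value in THREAD_DIGESTS.items():
        print(f"{label}: {value} -> {digest_algorithm(value)}")
    print(compare_digests(*THREAD_DIGESTS.values()))  # not comparable
```

For a real file, read it in binary and pass the bytes to verify_bytes together with the digest from the other party's post.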
  17. Omnitech's Avatar
    Also, this is from a partial Eset scan...
    C:\Program Files (x86)\SIC Multiwipe v1.0\SIC Multiwipe v1.0.exe BDARGOBAT2EXE cfp.exe - Win32/Slugin.A virus

    BDARGOBAT2EXE is a Windows batch file to .EXE compiler.

    Batch File Compiler Professional Edition - compile & convert batch files to EXE executables

    Not sure exactly what that line means - Looks like it is either decompiling the executable or just following the process tree when it launches. If it means that it only didn't like something about cfp.exe, we've more or less eliminated that, or perhaps there is possibly something else packed into the "SIC Multiwipe v1.0.exe" that it doesn't like.
    03-10-14 05:31 AM
  18. clie610's Avatar
    BDARGOBAT2EXE is a Windows batch file to .EXE compiler.

    Batch File Compiler Professional Edition - compile & convert batch files to EXE executables

    Not sure exactly what that line means - Looks like it is either decompiling the executable or just following the process tree when it launches. If it means that it only didn't like something about cfp.exe, we've more or less eliminated that, or perhaps there is possibly something else packed into the "SIC Multiwipe v1.0.exe" that it doesn't like.
    As a preliminary response, why don't you try to create a batch file with any script that you know is safe, or even a blank one. After that, you can compile it with cfp.exe with any bat to exe compiler. Once done, see how your antivirus will treat it.

    You can google an application called bat2exe to compile them

    EDITED: @omnitech, looking forward to hearing about your own test, not to you asking others to do it for you
    Posted via CB10
    Last edited by clie610; 03-10-14 at 12:44 PM.
    intprd04 likes this.
    03-10-14 06:31 AM
  19. KTeditorjeff's Avatar
    I've had a Z10 since May of last year. I've installed several leaks since. With each install, I've noticed more issues with performance. With the last update, I occasionally was kicked off WiFi and received four notifications for account authorization each day. It was annoying.

    Saturday I used SIC Multiwipe then reinstalled the latest OS. I used Fire Chest Backup to reinstall my contacts and calendar items. The result has been more than I expected.

    Quicker performance. No account notifications. No WiFi issues. And Device Monitor on the OS shows several hundred fewer megabytes in both system and app usage.

    SIC Multiwipe will become a ritual when installing a new OS. I encourage all forum readers to give it a try.
    03-10-14 10:41 AM
  20. clie610's Avatar
    We would love to see constructive input, and we know we are not as knowledgeable as some of the CrackBerrians here.

    We really appreciate comments based on your own experience or findings with the tool that we developed, not just negative assumptions drawn from others.

    We are all still learning. If it is good for us then we will share it with everybody. If it turns out it's not as expected, then we will try to find out together how to make it work.

    Thanks to anyone who has tried our tool and shared their difficulties in using it, or their satisfaction with the result.
    Last edited by clie610; 03-10-14 at 02:09 PM.
    03-10-14 01:09 PM
  21. Omnitech's Avatar
    EDITED: @omnitech, looking forward to hear your own test, not by asking others to do it for you

    When the time comes that I'm either willing to take the potential risk of installing malware on an active machine, or feel like going to the effort of setting up an isolated VM to test on, then that may be a reality. But since I cannot easily extract cfp.exe from the installer, and don't feel like executing the installer on the machine as stated, I will have to rely on others to do that testing.
    03-10-14 02:35 PM
  22. clie610's Avatar
    When the time comes that I'm either willing to take the potential risk of installing malware on an active machine, or feel like going to the effort of setting up an isolated VM to test on, then that may be a reality. But since I cannot easily extract cfp.exe from the installer, and don't feel like executing the installer on the machine as stated, I will have to rely on others to do that testing.
    Thank you for your answer, we will then let others test it and give their comments afterwards if you are not willing to do it.

    Just to make it clear, what I asked was for you to use a compiler that is proven safe by any antivirus (you are free to choose it yourself), to create an exe file for the cfp.exe compiled with a batch file that you make yourself, and see how it will then be seen by your own antivirus. I did not ask you to test the SIC Multiwipe tool.
    HarryDragon likes this.
    03-10-14 02:44 PM
  23. HarryDragon's Avatar
    Crack it open and see what's inside
    There ain't such thing as malware inside....

    Posted via CB10
    03-11-14 05:23 AM
  24. deezy87's Avatar
    Okay...this is working better than I had initially expected.

    7:03:30 AM now on the way to the office, put in a fresh battery at around 11:30 last night (Leafs spanked the ducks) and I'm sitting at 83%. The PIM, unfortunately shot up to 32%, don't know what's going on with that, or for how long it has been sitting that high.

    Crazy day for work today, I'll put this little guy to work, straight blazing trails, and try to monitor the PIM if I can remember lol.

    SIC Multiwipe BB10, BBOS & PB - clean your device before auto/app loader-img_20140311_070440.png

    Posted via CB10
    03-11-14 06:08 AM
  25. Sator's Avatar
    Okay...this is working better than I had initially expected.

    7:03:30 AM now on the way to the office, put in a fresh battery at around 11:30 last night (Leafs spanked the ducks) and I'm sitting at 83%. The PIM, unfortunately shot up to 32%, don't know what's going on with that, or for how long it has been sitting that high.

    Crazy day for work today, I'll put this little guy to work, straight blazing trails, and try to monitor the PIM if I can remember lol.

    IMG_20140311_070440.png

    Posted via CB10
    Deezy, please check your email settings (sync intervals or push)

    Sent from my Q10 using Tapatalk
    03-11-14 06:47 AM