November 18, 2008, 06:20:32 PM

Comodo Forum » Desktop Security Products » Comodo Internet Security - CIS » Virus/Malware Removal Assistance » results from bit defender online scan??
Author Topic: results from bit defender online scan??  (Read 4707 times)
soulman (Comodo Member, Posts: 25)
« on: October 27, 2007, 02:02:44 PM »

Hello to you.

Please could someone tell me any info on these results from BitDefender:


C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Infected with: Trojan.Peed.Gen
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Disinfection failed
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Deleted
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)

MANY THANKS.
Ragwing (Global Moderator, Comodo's Hero, Posts: 3199)
« Reply #1 on: October 27, 2007, 02:19:21 PM »

Greetings,

It's most likely a false positive. I can't find that file in the same directory tho, mine's empty, but I use CPF 3 and not CPF 2.4.
Too bad you deleted it, else you could've uploaded it to VirusTotal and seen if it was a false positive or some virus hiding in the Comodo folder.


Ragwing

Forum Policy
FAQ's

If you should need help or have a question, feel free to PM me.
soulman (Comodo Member, Posts: 25)
« Reply #2 on: October 28, 2007, 12:40:47 AM »

Good morning to you, and thanks for your help Ragwing.

I have just checked and the CPF5.tmp file is still there. Do you think it's worth sending to VirusTotal?

MANY thanks,

Soulman.
aladinonl (Comodo's Hero, Posts: 331)
« Reply #3 on: October 28, 2007, 03:41:54 AM »

sure u should send it to virus total!
and post da result.
If only Bitdefender reports it as mal-ware, its sure a false positive and we need to inform BD abt dis.

small minds discuss people, normal minds discuss events, great minds discuss ideas
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #4 on: October 30, 2007, 01:09:15 PM »

Having Googled it, that does appear to be genuine malware rather than a false positive, since it's listed by a few vendors. It appears to be a nasty malware that's able to resurrect itself if it isn't completely removed.
My suggestion would be to install BitDefender AV Free Edition, which is an on-demand scanner and won't interfere with your existing AV. It also happens to be an excellent product and is great for a second opinion on suspect files.

http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html
« Last Edit: October 30, 2007, 01:17:52 PM by andyman35 »
Info-Sec (Computer Security Testing Group, Comodo's Hero, Posts: 587)
« Reply #5 on: October 30, 2007, 01:45:23 PM »

COMODO firewall is not a piece of malware.

So there are several possibilities.

1) False positive
2) A virus infected a file in the CPF directory

*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #6 on: October 30, 2007, 09:32:25 PM »

I wasn't suggesting for a minute that Comodo Firewall is malware!

The location of the suspect file, a Temp folder, would appear to correspond with it being a drive-by download malware rather than an authorised download. The information is that it exploits security flaws in IE or MSN Messenger etc. in order to infect a system.

Having infected a system it acts as a mass mailer on a botnet; this communication will be logged by Comodo Firewall.

It might be a false positive, but since it's listed by multiple vendors, under various names, it is probably a genuine malware.

http://www.iss.net/threats/W32.Worm.Nuwar.Gen.html
« Last Edit: October 30, 2007, 09:44:54 PM by andyman35 »
N.T.T.W. (Global Moderator, Comodo's Hero, Posts: 1124)
A minute of your time can help many.
« Reply #7 on: October 31, 2007, 03:10:32 AM »

I suspect it is a false positive. I have a file with the same name (CPF5.tmp) in that folder and have scanned it with multiple online scanners (including VirusTotal) and all came back negative. BitDefender has been reported in some reviews as giving a lot of false positives.

:)

Post proelia praemia.
Die dulci fruere.
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #8 on: October 31, 2007, 10:05:32 AM »

It isn't just reported by BitDefender though, it appears under various names with products such as NOD32 and Kaspersky and others.

Perhaps someone could find out off Melih what exactly CPF5.tmp is, then we'd know better. Is it some form of repository for downloaded files perhaps? It isn't the CPF5.tmp itself that's the malware since it is obviously generated by Comodo Firewall, it is the content within it that's suspect.
« Last Edit: October 31, 2007, 10:19:28 AM by andyman35 »
N.T.T.W. (Global Moderator, Comodo's Hero, Posts: 1124)
A minute of your time can help many.
« Reply #9 on: October 31, 2007, 11:09:07 AM »

> It isn't just reported by Bitdefender though, it appears under various names with products such as NOD32 and Kaspersky and others.
>
> It isn't the CPF5.tmp itself that's the malware since it is obviously generated by Comodo Firewall, it is the content within it that's suspect.

As you have said, "Trojan.Peed.Gen" is reported by these other products, not CPF5.tmp.

I have looked at two computers with CFP on them, one just has a file called "CPF8D.tmp" and the other has the same file plus CPF5.tmp, CPF11.tmp and CPF14.tmp. I have scanned all of these files on VirusTotal and all came back negative. Perhaps yours is infected but I think it more likely a false positive - perhaps you could submit the file to BitDefender for them to check.
I am sure someone from Comodo will tell us what the temp files are for but I suspect they are pretty busy with various Betas, so the response may not be immediate. I will ask and see if someone will post some comments about these files.

:)
« Last Edit: October 31, 2007, 11:10:40 AM by N.T.T.W. »

Post proelia praemia.
Die dulci fruere.
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #10 on: October 31, 2007, 11:40:34 AM »

> As you have said, "Trojan.Peed.Gen" is reported by these other products, not CPF5.tmp.
>
> I have looked at two computers with CFP on them, one just has a file called "CPF8D.tmp" and the other has the same file plus CPF5.tmp, CPF11.tmp and CPF14.tmp. I have scanned all of these files on VirusTotal and all came back negative. Perhaps yours is infected but I think it more likely a false positive - perhaps you could submit the file to BitDefender for them to check.
> I am sure someone from Comodo will tell us what the temp files are for but I suspect they are pretty busy with various Betas so response may not be immediate. I will ask and see if someone will post some comments about these files.
>
> :)

I don't have any of those files on my system but that's probably due to the fact that I use Returnil. I hope this does turn out to be a false alarm for the sake of Soulman, but from what I can work out this trojan could be related to the Storm malware. I can't think of what these temp files might be used for unless it's as some sort of 'holding area' before analysis. Of course this may mean that any malware has been isolated by Comodo, which has anti-trojan protocols built in; hopefully this is the case. Plus it would explain why the file couldn't be removed by BitDefender if it's been quarantined.

Rumour has it that Melih works 23 hours a day so hopefully he can spare a minute or two :)
« Last Edit: October 31, 2007, 11:56:26 AM by andyman35 »
aladinonl (Comodo's Hero, Posts: 331)
« Reply #11 on: October 31, 2007, 01:26:31 PM »

> I have scanned all of these files on virustotal and all came back negative.
within da same area w same scanners, NTTW scan for nothing but andy found nasty then surely andy's comp is infected: not a false positiv.

But
> I don't have any of those files on my system but that's probably due to the fact that I use Returnil.
u use returnil so everytime u reboot da file is reinfected by dat nasty (unless u disabled returnil wen BD quarantined it) but no suspicious activity is reported. so i guess dat botnet is not so activ.

i suggest u disconnect internet, disable returnil,quarantine da botnet and activate returnil again.

small minds discuss people, normal minds discuss events, great minds discuss ideas
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #12 on: October 31, 2007, 01:45:15 PM »

> within da same area w same scanners, NTTW scan for nothing but andy found nasty then surely andy's comp is infected: not a false positiv.
>
> But u use returnil so everytime u reboot da file is reinfected by dat nasty (unless u disabled returnil wen BD quarantined it) but no suspicious activity is reported. so i guess dat botnet is not so activ.
>
> i suggest u disconnect internet, disable returnil,quarantine da botnet and activate returnil again.


Sorry, there has been some confusion: it isn't my system that's infected with that file, it is Soulman's. Thanks anyway, Cheers

Good point on Returnil though, it should only ever be run on a clean system since any 'real' malware 'removed' from within the cloned system would reappear on reboot if protection was enabled.
soulman (Comodo Member, Posts: 25)
« Reply #13 on: November 06, 2007, 01:20:15 AM »

Sorry I have not replied, I have had no email to say someone has got back to me.

When I try to send the file to VirusTotal all I get is this:
0 bytes size received / Se ha recibido un archivo vacio

Am I doing something wrong? This is the path to the file that I am trying to send:
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)

I have just scanned again using the BitDefender online scan and here are the results:

BitDefender Online Scanner

Scan report generated at: Tue, Nov 06, 2007 - 02:58:30
Scan path: C:\;D:\;F:\;G:\;H:\;

Statistics
    Time: 01:22:03
    Files: 343405
    Folders: 8331
    Boot Sectors: 3
    Archives: 9236
    Packed Files: 18382

Results
    Identified Viruses: 1
    Infected Files: 1
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 1

Engines Info
    Virus Definitions: 860306
    Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
    Scan plugins: 14
    Archive plugins: 38
    Unpack plugins: 7
    E-mail plugins: 6
    System plugins: 1

Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Infected with: Trojan.Peed.Gen
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Disinfection failed
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)=>(Embedded EXE g)
    Deleted
C:\Documents and Settings\shaun wade\Local Settings\Application Data\Comodo\Comodo Firewall\Temp\CPF5.tmp=>(gzip)
    Update failed



Thanks for all the help here, and I will check in after work and not rely on email notification.

PS: I have scanned this file with my AVG Free, and it found nothing.

Cheers, Soulman.
« Last Edit: November 06, 2007, 01:29:31 AM by soulman »
andyman35 (Global Moderator, Comodo's Hero, Posts: 734)
« Reply #14 on: November 06, 2007, 04:04:56 AM »

According to the results you posted there, the file has been deleted by the BitDefender online scanner. Since I don't speak Spanish I'm only guessing that "0 bytes size received / Se ha recibido un archivo vacio" refers to an empty archive? Perhaps you should just manually delete anything left in that particular folder.
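Reply #13 shows what goes wrong when the scanner's display string is pasted into an upload form: the `=>(gzip)=>(Embedded EXE g)` suffix is the scanner's notation for layers it unpacked in memory, not part of the filename, so the form selects no file and the service reports 0 bytes received. The script below is an added example, written for this thread and not taken from any post or from Comodo or BitDefender: it splits that notation back into the on-disk path and the layer list, hashes the real file so it can be looked up by digest instead of uploaded, and checks whether the gzip member really starts with the "MZ" signature the "Embedded EXE" label implies. The file it inspects is a constructed gzip written to a temporary directory (the name CPF5.tmp is borrowed from the thread; its contents are filler, not an executable).

```python
"""Resolve a scanner's nested-object path back to the file on disk and triage it.

A BitDefender report names the flagged object as
    <file on disk>=>(gzip)=>(Embedded EXE g)
Everything after the first "=>" describes layers the scanner unpacked in
memory; it is not part of the filename. This added example separates the
two parts, hashes the real file, and checks the gzip payload's magic bytes.
"""
import gzip
import hashlib
import os
import tempfile

LAYER_SEP = "=>"  # separator used between nested objects in the report


def split_report_path(report_path):
    """Return (on_disk_path, layers) for a path like 'X.tmp=>(gzip)=>(Embedded EXE g)'."""
    parts = report_path.split(LAYER_SEP)
    on_disk = parts[0].strip()
    layers = [p.strip().strip("()") for p in parts[1:]]
    return on_disk, layers


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def gzip_member_is_pe(path):
    """True if the gzip payload begins with the DOS/PE 'MZ' magic bytes."""
    try:
        with gzip.open(path, "rb") as member:
            return member.read(2) == b"MZ"
    except (OSError, EOFError):  # not gzip, truncated, or unreadable
        return False


def triage(report_path):
    """Collect what a submitter needs: real path, existence, size, digest, payload check."""
    on_disk, layers = split_report_path(report_path)
    info = {"path": on_disk, "layers": layers, "exists": os.path.isfile(on_disk)}
    if info["exists"]:
        info["size"] = os.path.getsize(on_disk)
        info["sha256"] = sha256_file(on_disk)
        # Only meaningful when the scanner said the outer layer was gzip.
        info["gzip_contains_pe"] = gzip_member_is_pe(on_disk) if "gzip" in layers else None
    return info


def build_constructed_sample(directory):
    """Constructed sample: a gzip whose member starts with 'MZ' plus filler bytes.

    It is not an executable; it only has enough structure to exercise the check.
    """
    path = os.path.join(directory, "CPF5.tmp")  # name borrowed from the thread
    with gzip.open(path, "wb") as out:
        out.write(b"MZ" + b"\x00" * 62 + b"constructed filler bytes, not a program")
    return path


def demo():
    """Triage the constructed sample and a missing file; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_constructed_sample(tmp)
        flagged = triage(sample + "=>(gzip)=>(Embedded EXE g)")
        missing = triage(os.path.join(tmp, "CPF11.tmp") + "=>(gzip)")
    return flagged, missing


if __name__ == "__main__":
    flagged, missing = demo()
    print("real file  :", flagged["path"])
    print("layers     :", flagged["layers"])
    print("exists     :", flagged["exists"], "size:", flagged.get("size"))
    print("sha256     :", flagged.get("sha256"))
    print("MZ in gzip :", flagged.get("gzip_contains_pe"))
    print("missing file exists:", missing["exists"])
```

The digest is the useful output: a hash lookup tells you whether a multi-engine service has already seen the exact file without uploading anything, and the layer list tells you which object the scanner actually judged, which is the point N.T.T.W. makes about the detection naming the content rather than CPF5.tmp itself.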