Comodo Firewall malware scanner detects HostsMan. (Resolved)

I don't know where to post this, but I have scanned my computer with the Comodo Firewall malware scanner and it detected TrojWare.IRC.Exploit.Stdout.261 (ID = 0xb36d4) C:\Programfiler\HostsMan\uninstall.exe
This seems like a false positive to me.

Hi blues. Welcome to the forums!

Have you tried CIS 3.5 BETA? Try CIS 3.5 & run the scanner in CIS… Report back if that directory & Trojan are found again.

Josh

HostsMan is still detected by Comodo after scanning with CIS 3.5 beta, but the name of the malware has changed to
TrojWare.Win32.PSW.OnLineGames.~AR (ID = 0xb36d4) C:\Programfiler\HostsMan\uninstall.exe

I really hope that HostsMan isn't infected by some malware.
I have not scanned with Comodo Antivirus yet because, according to the description in the settings, it removes malware automatically, but I don't want HostsMan to be removed unless it is infected. As I remember, I downloaded HostsMan from one of the mirrors on the author's site.

Should I keep this CIS beta on my computer, or should I go back to Comodo Firewall? I have never used betas before, so I am a little worried about using the CIS beta.

Did you check the file with CIMA?

Melih

You can find the CIMA link here:

http://camas.comodo.com/cgi-bin/submit

Upload the file there. Let us know your results.

Josh

I was looking in the HostsMan folder on my computer and, even without touching a file, Comodo Antivirus deleted the file. What should I do about this? I can't submit the file when it is deleted.
If this is the HostsMan uninstaller, C:\Programfiler\HostsMan\uninstall.exe, then I probably can't uninstall HostsMan because Comodo Antivirus deleted it.

Disable Real Time Protection in Antivirus > Scanner Settings by moving the “Real Time Scanning” slider from Enabled to Disabled.

Now try again.

Josh

I have disabled it now, but as I said, the file was deleted. Should I try to uninstall HostsMan and install it again?

Yes please… Then upload to VirusTotal & let us know the results. Be sure to enable virus protection after.

Josh

Here are the results: http://www.virustotal.com/analisis/8572fcf53809024c520061a234799152
Panda 9.0.0.4 2008.09.13 Suspicious file

Here are the results from CIMA:

[Verdict]
Not Rated as Suspicious

For next time, you can also install an “undelete” tool like Recuva:
http://www.recuva.com/

If you have this installed and something gets deleted, then the best thing to do is not save anything else to disk; start the program, let it scan the disk, and most of the time you can “undelete” the file and get it back.

So was this a false positive? If so, will it be fixed? I also deleted some system files that Comodo found the other day; I thought it was a real worm, but as I can see in these forums it was a false positive. I don't have any restore points left either, but nothing seemed to happen.

What are the entries in the AV log file for this week, then? There should be a list of the files it touched.
And please be aware that this is a BETA release, not intended for production systems.

Yes, It’s a FP.

The log file with the system files that the Comodo Firewall scanner deleted was lost when uninstalling Comodo Firewall and installing CIS. It seems the other log files I had are lost too, so I have no log files right now.

I don't know how to put a password on zip/rar files; I have tried to do it before with 7-Zip, but it didn't work. Is there another program that can do that?

Should I uninstall CIS and install just the firewall, since this is a beta? Or is it safe to use the beta?

I posted a guide here for 7-Zip:

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/using_7zip_to_zip_files-t27124.0.html

If you want to use CIS Beta, you can. But make sure any other AV is uninstalled! There are no major issues with the beta so far; no one has reported any blue screen of death. :) If you don't like CIS Beta, just use CFP 3 with an AV till the final is out.

Please follow the steps for reporting FPs:

  1. Please zip up (using an archive tool like WinZip, WinRAR etc.) the file that you believe is wrongly detected, password it with the password ‘infected’ without the quotes, and email it to malwaresubmit at avlab.comodo.com

  2. Please make sure to mention “FALSE POSITIVE” in the subject line of the mail. Also include the name and ID (for example, BACKDOOR.WIN32.XXXXX.XX (ID = XXXXXX)) under which the file in question is getting detected. Attaching a screenshot would be very helpful.

Josh

Download and install ALZip from www.altools.com (current version 7 beta 1).
If your file is already zipped, just open the file with ALZip (not unzipped, just selected), select Tools/Password and add your password to the zipped file.

The file is sent; I hope it worked when I did it.

Thanks! :)

Josh