False positive in signature update? 11th of September [CLOSED]

CFP on XP SP3 X86

Anyone else who has found this?


Yes, I found this. I have a clean build of Windows XP SP3, installed only this morning. First thing I did was installed latest version of Comodo and it found this four times:

Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\sp3qfe\tzchange.exe
Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\sp3gdr\tzchange.exe
Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS\system32\tzchange.exe


I have the newest version of the Comodo firewall Pro and WinXP SP3, and it has found the same worm. It is found 2 times.

BTW: I am new on the forum. :slight_smile: I hope that you can read this post.


Thank you guys for confirming and welcome to the forum! (CWY)


I can confirm this too: two false positives on tzchange.exe in new install of Comodo on XP SP3. System has been running for a while using other firewall/av software, but I’m quite confident it is not infected.

(And, almost surely, three additional false positives of Zap.A in old MS-DOS executables from 1986.)


I can confirm as well.

XP Home SP2. CIS 3.5


I have the same thing on a computer that has never been used before. What is causing this?

This is common when it comes to updates. Sometimes every vendor releases signatures that incorrectly addresses malware.


ps. welcome to the forum :slight_smile:

Hey, I just did the scan and also got alerted of two tzchange.exe files marked as a worm.

I’m glad that it is a false positive, however, after completing the scan, Comodo has alerted me that it has quarantined these files. Since from my understanding these files are crucial (OK, maybe not crucial, but important) Windows files, then I wonder how can I remove them from the Quarantine?

thanks in advance!

EDIT: the Defense+ > “my quarantined files” folder seems empty

4 false positives
4 copies of tzchange.exe in the KB update folders

So is anyone from Comodo aware of/doing anything about this problem?

I got the same four false positives. If you stop the scan before it completes, you can opt out of removing the “offenders”, however.

I got the same thing here

I found the same thing

Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
Worm.IRC.DelTree.3.AAV(ID = 0xb2fc1) C:\WINDOWS\system32\tzchange.exe

Also I have a tzchange.exe file version 5.1.2600.5640 in the C:\windows\system32\ which is not even listed anywhere on the internet that I can find. Anybody else have this file version? Possible it is a real trojan virus ?

Highly doubt it. I haven’t been infected for such a long time. And the fact that so many have reported the same thing 88)

Tzchange.exe file version 5.1.2600.5640 concerns me as I can not find this anywhere. What is strange is that I found it on another machine. It has to be because of XP service pack 3, is the only thing that I can think of.

Anybody on this board that can give me some info on this file version, I would appreciate it.

I think you’re fine on the version.

See http://mssg.rutgers.edu/documentation/DST2007/

File name: Tzchange.exe | Version: 5.1.2600.3037 [b]or later[/b]

You just have a recent version of the file.

Thanks for your reply. You are probably right about the file version 5.1.2600.5640 being the latest update. I thought it was just unusual that there is no mention of it anywhere on the internet, at least using Google.

I have version 5.1.2600.5640 as well. I can’t see any possibility being infected, especially on C: - the way I see it it’s impossible!


OK, during a repeated scan 10 hours later, it still alerts me of the virus so I assume the attempt to put these files into quarantine wasn’t succesfull.

But I really remember that after the first scan yesterday, after completing the full scan, I was informed that these files have been automatically put in quarantine… hm… Did anyone experience the same?

I also got trojan warning from CFP scan while instaling new beta version 3.5.50676.393.

I got the same path to files but it detected different trojan ( backdoor.win32.bifrose ). Probably false positive, but I removed those files just in case since it seems not to be critical system process anyway. So far no problems without those files :).

BTW, virustotal.com said it’s clean file, but since this kind of services can be used to perfect viruses againt anti-virus definitions I removed suspected files.