False positive?!

compyzus · June 10, 2008, 8:12pm

I scanned another pc with comodo firewalls scanner and i found this: ApplicUnsafe.Win32.CMDOW.14...what is it? Its a virus or what. I have scanned it also whit clamwin antivirus. About three weeks ago, it was seen as a trojan but now it see`s it like a clean file.
Thanks in advance! (L) (M)

system · June 10, 2008, 8:22pm

Comodo’s scanner is still new. Scan with a reliable scanner like DrWeb Curit. You can upload the file here.

compyzus · June 10, 2008, 8:30pm

I scanned the file:
CAT-QuickHeal 9.50 2008.06.10 RiskTool.HideWindows (Not a Virus)
ClamAV 0.92.1 2008.06.10 -
DrWeb 4.44.0.09170 2008.06.10 -
eSafe 7.0.15.0 2008.06.10 -
eTrust-Vet 31.6.5862 2008.06.10 -
Ewido 4.0 2008.06.10 Downloader.Delf.ain
F-Prot 4.4.4.56 2008.06.10 -
F-Secure 6.70.13260.0 2008.06.10 -
Fortinet 3.14.0.0 2008.06.10 HackerTool/HideWindow
Sophos 4.30.0 2008.06.10 HideWindow
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.10 SecurityRisk.Cmdow
TheHacker 6.2.92.341 2008.06.10 Aplicacion/HideWindows
VBA32 3.12.6.7 2008.06.10 Trojan-Downloader.Win32.Delf.ain
VirusBuster 4.3.26:9 2008.06.10 -
Webwasher-Gateway 6.6.2 2008.06.10 Riskware.HideWindows.I
Some don`t even detect it. So in the end who do i believe? :THNK

Japo · June 10, 2008, 9:14pm

When you get that many positives it must be a virus (or malware or whatever you call it). I’d flag as a virus any file that should get less than half as many positives. It’s normal that many AVs miss it, that’s the downside of AVs and that’s why VirusTotal and similar services are necessary.

PS: You got more results, right? VirusTotal uses a total of 33 scanners. Or maybe you didn’t let it finish. Anyway these results are enough to strongly distrust the file.

compyzus · June 11, 2008, 4:23am

cmdow.exe
Cmdow.exe is is a Win32 commandline utility for NT4/2000/XP/2003 that allows windows to be listed, moved, resized, renamed, hidden/unhidden, disabled/enabled, minimized, maximized, restored, activated/inactivated, closed, killed and more.

I dont get it, it its a utility why is it recognised as a virus? (:NRD)

rhgtyink · June 11, 2008, 7:47am

That’s the problem with these tools, most of the scanners call them Riskware.
What means that if you are using them and installed it yourselfs it’s ok to have.
But if you didn’t install this it could potentialy be used in a “bad way” in this case to hide windows.

Take a look at the path were the file is located and see if you can find why it’s there.

compyzus · June 11, 2008, 8:15am

The file is on windows/system32/cmdow.exe
After some google searching i found this:
http://www.commandline.co.uk/cmdow/index.html
A T T E N T I O N

Some anti-virus software vendors now classify cmdow.exe as a hacking tool because it can hide windows. A hacking tool is NOT a virus.

Thanks very much, it was only a false alarm.

rhgtyink · June 11, 2008, 9:00am

Hello Compyzus,

Keep in mind that this file is not in windows/system32 by default something must have installed it there ?!
And if you don’t use it i would recommend moving it to let’s say c:\temp and rename it to cmdow.exe.disabled for a while. See if something “normal” breaks.

compyzus · June 11, 2008, 12:27pm

Ohh, thanks for the reply. I didnt know that cmdow.exe is not in windows/system32 by default. I dont know what had brought this .exe in system32 folder. I will take you`re advice and see what happens.

Thanks again for the help! (L) (M)