False positive?!

I scanned another PC with Comodo Firewall's scanner and I found this: ApplicUnsafe.Win32.CMDOW.14... What is it? Is it a virus or what? I have also scanned it with ClamWin antivirus. About three weeks ago, it was seen as a trojan, but now it sees it as a clean file.
Thanks in advance!

Comodo’s scanner is still new. Scan with a reliable scanner like Dr.Web CureIt. You can upload the file here.


I scanned the file:
CAT-QuickHeal 9.50 2008.06.10 RiskTool.HideWindows (Not a Virus)
ClamAV 0.92.1 2008.06.10 -
DrWeb 2008.06.10 -
eSafe 2008.06.10 -
eTrust-Vet 31.6.5862 2008.06.10 -
Ewido 4.0 2008.06.10 Downloader.Delf.ain
F-Prot 2008.06.10 -
F-Secure 6.70.13260.0 2008.06.10 -
Fortinet 2008.06.10 HackerTool/HideWindow
Sophos 4.30.0 2008.06.10 HideWindow
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.10 SecurityRisk.Cmdow
TheHacker 2008.06.10 Aplicacion/HideWindows
VBA32 2008.06.10 Trojan-Downloader.Win32.Delf.ain
VirusBuster 4.3.26:9 2008.06.10 -
Webwasher-Gateway 6.6.2 2008.06.10 Riskware.HideWindows.I
Some don't even detect it. So in the end, who do I believe?

When you get that many positives it must be a virus (or malware or whatever you call it). I’d flag as a virus any file that should get less than half as many positives. It’s normal that many AVs miss it, that’s the downside of AVs and that’s why VirusTotal and similar services are necessary.

PS: You got more results, right? VirusTotal uses a total of 33 scanners. Or maybe you didn’t let it finish. Anyway these results are enough to strongly distrust the file.

Cmdow.exe is a Win32 command-line utility for NT4/2000/XP/2003 that allows windows to be listed, moved, resized, renamed, hidden/unhidden, disabled/enabled, minimized, maximized, restored, activated/inactivated, closed, killed and more.

I don't get it. If it's a utility, why is it recognised as a virus?

That’s the problem with these tools; most of the scanners call them riskware.
That means that if you are using them and installed them yourself, they're OK to have.
But if you didn’t install this, it could potentially be used in a “bad way”, in this case to hide windows.

Take a look at the path where the file is located and see if you can find why it’s there.
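The distinction between a riskware label and a malware label can be checked against the scan pasted earlier in this thread. The following is an added example, not part of any post here: it parses those result lines and groups engines by label type. The marker substrings and the function names `classify` and `triage` are assumptions made for illustration, not any vendor's taxonomy.

```python
import re
from collections import defaultdict

# Result lines copied from the scan pasted earlier in this thread.
SCAN = """\
CAT-QuickHeal 9.50 2008.06.10 RiskTool.HideWindows (Not a Virus)
ClamAV 0.92.1 2008.06.10 -
DrWeb 2008.06.10 -
eSafe 2008.06.10 -
eTrust-Vet 31.6.5862 2008.06.10 -
Ewido 4.0 2008.06.10 Downloader.Delf.ain
F-Prot 2008.06.10 -
F-Secure 6.70.13260.0 2008.06.10 -
Fortinet 2008.06.10 HackerTool/HideWindow
Sophos 4.30.0 2008.06.10 HideWindow
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.10 SecurityRisk.Cmdow
TheHacker 2008.06.10 Aplicacion/HideWindows
VBA32 2008.06.10 Trojan-Downloader.Win32.Delf.ain
VirusBuster 4.3.26:9 2008.06.10 -
Webwasher-Gateway 6.6.2 2008.06.10 Riskware.HideWindows.I
"""
# engine, optional engine version, signature date, verdict ("-" = no detection)
LINE = re.compile(r"^(\S+)(?:\s+(\S+))?\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Assumption: substrings that mark a "tool that can be misused" label.
DUAL_USE_MARKERS = ("risk", "hidewindow", "hackertool", "cmdow")

def classify(verdict):
    """Map one engine's verdict string to clean / dual_use / malware."""
    v = verdict.strip().lower()
    if v == "-":
        return "clean"
    if any(marker in v for marker in DUAL_USE_MARKERS):
        return "dual_use"
    return "malware"  # anything else is treated as a malware family name

def triage(text):
    """Group (engine, verdict) pairs by label type; skip unparseable lines."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            engine, _version, _date, verdict = m.groups()
            groups[classify(verdict)].append((engine, verdict))
    return dict(groups)

if __name__ == "__main__":
    for bucket, hits in triage(SCAN).items():
        print(f"{bucket:8} {len(hits):2}  {', '.join(e for e, _ in hits)}")
```

On the pasted results, six of the eight detections are tool-class labels and two engines report a downloader family name, so the location and origin of the file still need to be checked.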

The file is in windows/system32/cmdow.exe
After some Google searching I found this:

Some anti-virus software vendors now classify cmdow.exe as a hacking tool because it can hide windows. A hacking tool is NOT a virus.

Thanks very much, it was only a false alarm.

Hello Compyzus,

Keep in mind that this file is not in windows/system32 by default; something must have installed it there?!
And if you don’t use it, I would recommend moving it to, let’s say, c:\temp and renaming it to cmdow.exe.disabled for a while. See if something “normal” breaks.

Ohh, thanks for the reply. I didn't know that cmdow.exe is not in windows/system32 by default. I don't know what brought this .exe into the system32 folder. I will take your advice and see what happens.

Thanks again for the help!