[FIXED] calc.exe detected as trojware.win32.Rozena.~dy001[at]123334315

Comodo Internet Security - CIS AV False Positive/Negative Detection Reporting
#1

Hi, i’m not sure if it’s a real infected or a false positive, i rely on you for that

AV as detected a threat on my PC listed as :
C:\WINDOWS\system32\calc.exe → detected as trojware.win32.rozena~dy001[at]123334315

so i asked CAV to deal with it and to delete it → sad i lost my calc !
=> In replacement i downloaded the MS calc plus at microsoft website: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=32b0d059-b53a-4dc9-8265-da47f157c091

and installed it in replacement for my lost calc. This one install itself in C:\Program Files\Microsoft Calculatrice Plus\CalcPlus.exe

but i can’t use it because CAV detect this newly installed file as the same threat !!

be aware the files are not in the same location.
The first detection was the official windows XP calc (system32)
The 2nd is the Calc Plus one. (program files)

What do you think of it ? can someone test the calc+ exe ?

Thank you in advance for any help

Edit: topic state set to fixed

#2

I’ve attached my copy of calc.exe from WinXP Pro SP3. I get no alert from CAV for this file.

[attachment deleted by admin]

#3

Hi rip_pit,

Please upload the detected file at Comodo Antivirus Database | Submit Files for Malware Analysis and we will verify it.

Regards,
Ionel

#4

argh! my browser crashed and lost all my reply text ! >:( Sorry guys the rage!

Thank you guys for your replies

Concerning calc.exe and trojan.rozena :
Today again all MScalc related files files on my system are detected.
\program files.…\calcplus.exe as well as \system32\calc.exe

Plus a full scan bringed C:\WINDOWS\i386\CALC.EX_|calc.exe to be infected too.

here’s the report for this last file analysis : http://www.virustotal.com/file-scan/report.html?id=86f32bdf8245f737e2afd4cc715b51866f34d89c19535109889f0c749d61024b-1285169836
2/42 results are positive
Comodo : TrojWare.Win32.Rozena.~dy001
PCTools : Trojan.Vaklik!ct

Seems i’m infected ^^ and i’ll find a way to clean the infection.

I submitted all the files to Ionel link.
I’ll download your calc.exe and see what happens.

I’m on it, thank you again for your help

#5

Hello rip_pit,

These False Positives have been fixed. You can check with Virus Signature Database version 6166 and confirm it.

Best regards,
FlorinG

#6

Hey!

so it was a false/positive not a trojan :slight_smile: i’m fully reassured :smiley:

My current AV definiton is 6174 and all seems fine with calc.exe and calcPlus.exe.

thank you for all the support guys

@ L.A.R. Grizzly : thank you m8 i’ve placed your file in my system32 and it works fine
funny thing my calc is now in english instead of french ;D no worry, i can handle it D

I’ll change the topic title to fixed

#7

Sorry about that! My system is EN-US. Maybe someone else with a French version would be nice enough to upload you a copy. Maybe a friend of yours with the French version could email you a copy?

#8

don’t worry, i could use the calcplus.exe (french) renaming it calc.exe and replace it.
It’s the exact same app (using the basic option) but integrated extended option and GUI. so in few words it’s better than orig calc and works fine + in my language D
EDIT:
Other than that i could restore it from my XP CDROM