Heur.Corrupt.PE mfc45.dll Virus or false positive?


I’ve quarantined and submitted to Comodo for analysis the mfc45.dll on my machine. I’ve uploaded to Virus Total and 6 out of the 43 engines detected a virus.

Here’s a link to my scan on Virus Total: http://www.virustotal.com/file-scan/report.html?id=0762deb17faf8726fba79f80de785dca5a6a2d1e37b6302dfb2c740ac5d2b82f-1299608585

Best Wishes,

Hello kwp,

Please submit the detected file on the following link as False Positive so we can check it:

Thank you!

Best regards,

I too have found this in my weekly scans and have checked it on VirusTotal.com.
Here were the results from the site on this matter.
----------------------------------------------- Virus Total ------------------------------------------------------------------

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: mfc45.dll
Submission date: 2011-05-26 06:14:50 (UTC)
Current status: finished
Result: 6/ 42 (14.3%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result

Commtouch 2011.05.26 W32/Damaged_File.gen!Eldorado
Comodo 8838 2011.05.26 Heur.Corrupt.PE
F-Prot 2011.05.26 W32/Damaged_File.gen!Eldorado
McAfee 5.400.0.1158 2011.05.26 Corrupt-AG!82984695683A
Rising 2011.05.25 Suspicious
TheHacker 2011.05.25 W32/Behav-Heuristic-CorruptFile-EP

Additional information
MD5 : 82984695683a63f5fbe75524b0e89518
SHA1 : 456943b0a371e281d0d234a3a7c3ee9a26276598
SHA256: baa33a8191227c908534e38e91787c7ad7074ede7a78335396cd9780cde02071
ssdeep: 1536:BdPPq5Qa7xIg2qzm1TaaUVhodNOtewtO8MSMOky822u:BdPiSaSVTazGNzwz3kya
File size : 74703 bytes
First seen: 2011-05-26 06:14:50
Last seen : 2011-05-26 06:14:50
Win16/32 Executable Delphi generic (34.0%)
Generic Win/DOS Executable (32.9%)
DOS Executable Generic (32.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1EE001
timedatestamp…: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

[[ 10 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x17C000, 0x8B000, 7.84, e1a00808fb987eb34403e1088665ceae
DATA, 0x17D000, 0xF000, 0x7200, 0.00, d41d8cd98f00b204e9800998ecf8427e
BSS, 0x18C000, 0x5000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x191000, 0x4000, 0x1600, 0.00, d41d8cd98f00b204e9800998ecf8427e
.tls, 0x195000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rdata, 0x196000, 0x1000, 0x200, 0.00, d41d8cd98f00b204e9800998ecf8427e
.reloc, 0x197000, 0x19000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rsrc, 0x1B0000, 0x3E000, 0x11400, 0.00, d41d8cd98f00b204e9800998ecf8427e
.aspack, 0x1EE000, 0xA000, 0xA000, 0.00, d41d8cd98f00b204e9800998ecf8427e
.adata, 0x1F8000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
file metadata
CodeSize: 1554432
EntryPoint: 0x1ee001
FileSize: 73 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 431104
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 0
Warning: Error processing PE data dictionary
Symantec reputation:Suspicious.Insight

--------------------------------------------- End of Detections -------------------------------------------------

There are many more AVs that did not pick this up as a virus, but the full report I have received is in the submission to Comodo.

Hello jmholt,

Thank you for reporting this. We’ll check it and get back to you soon.

Best regards,


This is to inform you that false-positive with (SHA1: <456943b0a371e281d0d234a3a7c3ee9a26276598>) has been fixed.
You can update to AV database Version <8851> of Comodo Internet Security Version <5.0.181415.1237> and confirm it.

Best regards