malware in advapi32.dll

comodo has just updated and it detected a malware in advapi32.dll, i put this file in quarantine and then windows crashed. didn’t start up… then i booted from windows live cd, deleted this file from quarantine folder and restored it from original windows xp cd and then windows started up normally. but comodo detected a malware again. is it a bug of new virus database of comodo? does anybody have this issue?

comodo internet security 3.5.57173.439
windows xp sp3

We have the same issue on two XP SP3 systems at the office

Yes. I have this Malware@4240985. And OS break. Re-install and think, install COMODO or not.

Welcome to the forums KristopherRobin & UglyEugen.

Firstly, despite what VGPolitoff implies, never allow any Anti-Virus product to quarantine anything that is a system component (this is not just a Comodo thing). If you don’t know or you’re unsure, do not quarantine it. Ask someone that knows. Allowing any security application to quarantine a system component risks you not being able to reboot your system without some form of recovery… mainly because a vital system component suddenly & inexplicably disappeared. See the connection? :slight_smile:

All security applications have some called False Positives (or FPs). This is where an innocent component is identified as being bad & is removed/deleted/quarantined. But, given VGPolitoff comments, maybe this is not a FP. Taking this is the consideration, never panic on an alert. Speed of response is not usually a factor. Do not reboot. Anyway, what you can do is to ask those that can help (like here, like you’ve done), tell whatever security application to ignore whatever it was it detected & run the suspect item (advapi32.dll in this case) via one (or all) of the following…


… your looking for confirmation of the detection. I’m no AV expert myself (you’ll need to wait for one of those), but I didn’t feel the last post really address your current situation properly. :slight_smile:

I try repeat this step and check Malware. If virus bases give info about this, i’am give all new info. And, in my city on local forum write me “re-install OS and lost COMODO”. Locals don’t know about this. Stupids.

File don’t check by Web-scans. Error decript. Again error on OS. This joke from COMODO? (:AGY)

Disabled and exit. No access to file. If i restart OS, OS again break.

advapi32.dll used by other system processes thats why there is no access to file. try to boot from any LiveCD or any other OS, then copy advapi32.dll from windows/system32/ to any folder and then chek it by web-scans :wink:

We also have the same issue on two XP SP3 systems. But Kaspersky AV don’t detect any malware.

What virus signature DB are you using latest is 951.
I have posted screenshots of scan and properties of advapi32.dll

[attachment deleted by admin]

2 KristopherRobin: хрен там!

WinXP SP3 Home Edition Russian

[attachment deleted by admin]

comodo was updated in the morning, then i deleted advapi32.dll from exclusions and comodo didn’t detect any malware, but then i tried to open properties of the advapi32.dll and comodo detected a malware again :slight_smile:
so. i’ll add it to exclusions again and forget about it :slight_smile:

вобщем добавил в исключения, и хрен с ним )

Add to exclusion, not help.

Could you please post a False Positive Report here please.
Also please mention OS version
Thank you

Dennis, based on some users posts this might not be a False Positive. The talk on exclusions is mostly surrounding getting a system workable so that verifications can take place I believe.

Yes it is possible by if you look at the screenshot for the properties of advapi32.dll they look the same as mine I posted the only difference is the Windows version language.
At least if they submit a file we will find out.
Thank you for your comments.

And based on Commodus’ post in another topic, the False Positive on advapi32.dll (Russian) is confirmed?

[i]PS The file properties doesn’t mean much. You really need a CRC check IMHO. :slight_smile:


Yes going by two members who posted in this topic one who posted the screenshots and another I have seen posts often in the Russian forum.
I do not see why language should make a difference too the file though.
Thank you
Edit Thanks for the insight

thank you kail and Dennis2!

Well, I’m not sure either. I do know that advapi32.dll provides advanced services (managing user accounts, the registry, shutdown/restart/abort/etc, stop/start/create Windows Services, etc…) for the Windows API. So, perhaps it needs to be localised. But, if it doesn’t… why are the all the FPs Russian? Shouldn’t there be non-Russian FPs? My concern is that there are some really nasty advapi32.dll infections out there (real ones, not FPs).

edit - You’re very welcome KristopherRobin. :slight_smile: What did we do? ;D