Threat in Comodo folder

Hi Guys

I am a user of Kaspersky Anti Virus, no offense to anyone, from the past many many years. I never installed Comodo. But about a week or so ago my anti virus detected a trojan file last.exe located in C:\Documents and Settings\Computer\Local Settings\Application Data\Xenocode\Sandbox\COMODO\4.00.000\2010.11.27T19.25\Virtual\STUBEXE[at]APPDATA[at]. I am not able to delete this file manually or by the AV. Malwarebytes scanned it as a backdoor poison and it said that it had removed this file but upon restarting the file was still present.

Now two questions: since I never installed any Comodo product, how did the Comodo folder get there?

How to delete this threat?


Please upload the file in question to VirusTotal and post a link to the results.

Also, did you install a software called Xenocode? I’m not familiar with it, but it appears that the file in question is inside its folder.

Are you using Xenocode:

Spoon (formerly Xenocode[1]) is a set of software products and services developed by the Code Systems Corporation for application virtualization, portable application creation, and digital distribution. It includes Spoon Studio, Spoon Server, and These tools can be used to package conventional software applications for Microsoft Windows in a portable application format that can be delivered via a single executable or streamed over the web.

I have seen a file getting reported as malicious that was sandboxed with a similar tool which was not malicious. The sandbox or packed environment may sometimes lead security programs astray… Hence why Chiron asked to upload it to Virus Total.

The folder structure seems to suggest the packed version of a Comodo product (with version number 4?) made on November 27 2010 was put on your system. Maybe you have a friend who does maintenance who may have added it to your system?
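The reading of the folder names given above can be checked mechanically. This is an added example, not part of the original thread or any vendor's tooling: it assumes the layout `Sandbox\<app>\<version>\<build timestamp>\...` inferred from the one path quoted in the first post, the function names are hypothetical, and it also hashes each executable so the SHA-256 can be searched on VirusTotal.

```python
import hashlib
import os
import sys
from datetime import datetime

# Folder from the path quoted in the thread's first post.
SAMPLE = r"C:\Documents and Settings\Computer\Local Settings\Application Data\Xenocode\Sandbox\COMODO\4.00.000\2010.11.27T19.25\Virtual"


def parse_sandbox_path(path):
    """Read <app>\\<version>\\<build stamp> after a 'Sandbox' folder (assumed layout)."""
    # Strip each component so a path mangled by forum line-wrapping still parses.
    parts = [p.strip() for p in path.replace("/", "\\").split("\\") if p.strip()]
    lowered = [p.lower() for p in parts]
    if "sandbox" not in lowered:
        return None
    i = lowered.index("sandbox")
    if len(parts) < i + 4:
        return None
    app, version, stamp = parts[i + 1:i + 4]
    try:
        built = datetime.strptime(stamp, "%Y.%m.%dT%H.%M")
    except ValueError:
        built = None  # folder name is not a timestamp; keep the other fields
    return {"app": app, "version": version, "built": built}


def inventory(sandbox_root):
    """List every .exe under a Sandbox folder with its package info and SHA-256."""
    rows = []
    for dirpath, _dirs, files in os.walk(sandbox_root):
        for name in sorted(files):
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, sandbox_root)
            info = parse_sandbox_path("Sandbox\\" + rel) or {}
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rows.append({"file": rel, "sha256": digest, **info})
    return rows


if __name__ == "__main__":
    print(parse_sandbox_path(SAMPLE))
    for row in inventory(sys.argv[1]) if len(sys.argv) > 1 else []:
        print(row)
```

Run it with the `Sandbox` folder as the only argument; the script only reads files and changes nothing on disk.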

Thank you Chiron and EricJH for replying. Here’s the link of virustotal

No, I never installed any software named Xenocode. I install very few softwares and that too from trusted companies. Since the Wikipedia link says …These tools can be used to package conventional software applications for Microsoft Windows… “maybe” it was installed with some updates or something, IDK.

No, Eric, no one else uses this PC but me. One more thing: this last.exe sometimes shows up in the task manager and I have to close it manually. My KAV detected it as a trojan and Malwarebytes as a backdoor poison but both were not able to remove it.

The VirusTotal results seem to show that this is in fact dangerous.

At the moment I’m concerned that perhaps your computer is infected. Please follow the advice I give in this article and let me know what you find.


I'm willing to bet that it's from a portable software. >:-D I have a couple of different portable software where Comodo will flag it as poison. Usually it's a small size called explorer.exe; they're all the same size. The example that I have that I'm referring to is a portable version of jv16.

It depends on what the creator used to create the portable software. Certain methods can get flagged by a lot of AV companies. The ones created by portableapps creator software used to create a portable version don’t generally get flagged.

If it’s a portable software, would you mind uploading the portable software to or some other place and PM me a link to it.

Thank you Chiron and Jay for replying.

That is a very good article. But as per the virustotal link my computer is definitely infected.

Jay, what portable software are you referring to? I am sorry I did not get your post.

I booted via HBCD then selected mini windows option and then I tried to delete the whole Xenocode folder from my computer but it kept on saying cannot find path of comodo folder or something. I then tried deleting the folders inside Xenocode folder but it gave the same result. Now when I start the computer that last.exe is still there in the task manager and I have to close it manually. What should I do now?

Use CCE.

Change heuristics to high, update database and do full scan. It’ll delete all the infected files on reboot.

Jay, CCE was not able to find any threat. I did exactly what you said. Can you please tell me where did it save the 138mb of updates? Do you think booting from linux cd can help delete them, as HBCD wasn’t able to do so?

138mb of updates
Open "CCE", open the "scanner" folder. It's called "bases.cav".

Will it work, I don’t know

Let's try this

I uploaded take ownership for Windows 7 and one for take ownership 8, depending on which Windows you have. Install it.

C:\Documents and Settings\Computer\Local Settings\Application Data\Xenocode
Because "Application Data" is a hidden file, you'll have to go to Windows Explorer and change settings to show hidden folders. If you don't know how, follow this (it'll have pictures to make it easy) ;) or if you have Windows 8

So now you can see hidden files and have take ownership capability
go to
C:\Documents and Settings\Computer\Local Settings\Application Data\Xenocode
Right click on “Xenocode”
Click on “takeownership”
Click on “delete”
problem gone

If that fails, open killswitch in CCE. Find offending file then click delete

If that fails you can always try the rescue disk, as always it may or may not work

Thank you for replying, Jay. Well, I am using Windows XP and hidden files or folders are already set to be shown in my computer. I am sorry but I did not get your ownership capability point. What is that? The other recommendation didn’t work either.

Sometimes you don’t have the proper rights to open, read, delete… files or folders. You need to take ownership of the files or folders first. This Microsoft KB article describes the procedure for XP.

Jaytech posted solutions for Win 7 and Win8 which are not applicable for your situation.

Well, I am using Windows XP
All good ;)

Add Take Ownership to right-click menu in Windows XP
download this

Download the ZIP file and extract the contents to your desktop. Then copy the files TakeOwnFile.cmd and TakeOwnDir.cmd to C:\ folder. And double-click on the add_take_ownership_xp.reg. Choose Yes when asked.

Too Easy