Tons of "viruses" with 5.8 beta! You've got to be kidding me!

I just installed CIS 5.8 beta, and on first scan it came up with 17 “infected” files, most of which I do not believe. Some of them are update files for a program I use frequently (and CIS reported the same files the first time I installed the earlier version), and others are on my recovery partition in the i386 folder, such as p2go.exe, deletebundle.exe, google_pref.exe, wtmod.exe, unhide.exe, etc.

I have a hard time believing that all of these essential Windows files got infected in the last 2 days since my last scheduled scan. Unfortunately, when I restore the update files that I know are not infected and have already been reported as false positives, CIS immediately quarantines them as malicious again! I’ve tried to upload them to be checked, but for some reason I’m not allowed access by Win7, even though I am logged in as the administrator.

The Malware names are really ridiculous:
Suspicious@327ts714xghbq
Suspicious@2todj7ev41p13
Suspicious@37u5ybli8rkvx
Suspicious@1zipo55ki3yyv
Suspicious@2a0ei0jaeoomz
Suspicious@20ng59twjov7f
Malware@1uclox6vxbxa0 (it’s a fun little time-waster called stressrelief.exe, and is completely harmless)

These are all on my recovery partition:
Suspicious@2r6yay4khxbbd (D:\i386\Apps\App01185\google_pref.exe )
Suspicious@3cb2sq6m806sq (D:\i386\Apps\App01635\wtmod.exe )
Suspicious@2bylt3xgo6o61 ( D:\i386\Apps\App00614\p2go.exe )
Suspicious@1jnajwt8pnhlj ( D:\i386\Apps\App04153\zprocess.exe )
Suspicious@2bylt3xgo6o61 ( D:\i386\Apps\App14417\p2go.exe )
Suspicious@17zcaazfuyvn ( D:\i386\Apps\App14476\unhide.exe )
Suspicious@253uzjd4ue7z5 ( D:\i386\Apps\App15241\deletebundle.exe )
Suspicious@3u1pklzolwfz5 ( D:\i386\Apps\App20155\aspnet.exe )
Suspicious@21pzbiwwbmmmr ( D:\i386\Apps\App10019\oobe eula text eng us 3402777.exe )
Suspicious@20ibh190n3j0t (D:\MiniNT\system32\start.exe )

MalwareBytes doesn’t detect anything wrong with them. CIS 5.5 didn’t have a problem with them. How do I get CIS 5.8 to quit trying to quarantine these files???

The final version 5.8 is out now btw.

In settings for any antivirus it is usually the best advice to disable "auto quarantine" (Comodo on-access, manual and scheduled scanner settings).

To handle false positives with comodo, you would need to put them in the exclusion list of the scanner.
Good that you already have a second opinion program!

Can you please check those samples with VirusTotal and Valkyrie and report the result.

Apparently CIS updated to the final version, as nothing says “beta” and I have version 5.8.211697.2124, virus database version 10426

Well, ■■■■. The first batch of files that I know are simply updates to a software program I use are all fine. The ones from my Recovery partition, on the other hand, are all corrupt according to Valkyrie. VirusTotal took over 20 minutes to analyze one of them, and it never finished, so I don’t know what it says about them. Why did CIS 5.5 miss these files for months on end (scheduled to run AV scan every Saturday night)?

I just ran MalwareBytes, and it found nothing wrong with my D: drive! Why did MalwareBytes miss these files??

Here is my question, though. Upon looking at these files, they are all from 2005 and 2006 when I had XP on this computer. I now have Win7, so do these files even pertain to my current OS? Would it be safe to quarantine/clean/delete them?

OK, I skipped the google_pref.exe file that was hanging up and scanned the rest in virustotal. google_pref.exe, deletebundle.exe, and p2go.exe take forever to scan, so I don’t know what they say. unhide.exe, zprocess.exe, wtmod.exe, oobe eula… .exe come back with 1/40 (2.5%) as the result. aspnet.exe comes back 4/44 (9.1%). It doesn’t say what this means, though.

I finally got google_pref.exe, deletebundle.exe, and p2go.exe to scan in virustotal.com, and they came back either 1/40 or 4/44. What does this mean, exactly? Are they infected or not? MalwareBytes says no, Valkyrie says yes, Virustotal says…??

Hi roosclan,

Suspicious[at]327ts714xghbq
Suspicious[at]2todj7ev41p13
Suspicious[at]37u5ybli8rkvx
Suspicious[at]1zipo55ki3yyv
Suspicious[at]2a0ei0jaeoomz
Suspicious[at]20ng59twjov7f
Malware[at]1uclox6vxbxa0

Suspicious[at]2r6yay4khxbbd (D:\i386\Apps\App01185\google_pref.exe )
Suspicious[at]3cb2sq6m806sq (D:\i386\Apps\App01635\wtmod.exe )
Suspicious[at]2bylt3xgo6o61 ( D:\i386\Apps\App00614\p2go.exe )
Suspicious[at]1jnajwt8pnhlj ( D:\i386\Apps\App04153\zprocess.exe )
Suspicious[at]2bylt3xgo6o61 ( D:\i386\Apps\App14417\p2go.exe )
Suspicious[at]17zcaazfuyvn ( D:\i386\Apps\App14476\unhide.exe )
Suspicious[at]253uzjd4ue7z5 ( D:\i386\Apps\App15241\deletebundle.exe )
Suspicious[at]3u1pklzolwfz5 ( D:\i386\Apps\App20155\aspnet.exe )
Suspicious[at]21pzbiwwbmmmr ( D:\i386\Apps\App10019\oobe eula text eng us 3402777.exe )
Suspicious[at]20ibh190n3j0t (D:\MiniNT\system32\start.exe )

The above False Positives have been fixed. You can check with Virus Signature Database version 10437 and confirm.

Best regards,
Ponmalar.S