Unclassified Malware@4243066

Hi. Comodo Internet Security has detected malware on my computer: C:\WINDOWS\system32\shutdown.exe with the name “Unclassified Malware@4243066”.
Could this be a false positive?

Hi,

Yes, it could be an FP.

What OS and CIS version and AV database number do you have?

Hi. I am using Windows XP Pro SP2. CIS Vr.3.5.57173.439 with database vr.959.
Thanks a lot (:HUG)

Simple test: attached in the zip folder is a clean copy of the same file from XP Pro.

When extracted, if the AV goes off then it is an FP.

MD5 signature 3fb410f5f7009e5eed0432c0b695afcf shutdown.zip

Please if FP submit to Comodo for analysis.
If no reaction to clean copy then please advise.

[attachment deleted by admin]

Hi. I extracted the file you uploaded, but it did not set off the AV.
The version that I had quarantined is 144 KB in size. When it was quarantined, Windows seemed to have replaced it with a 20 KB (edit: 19 KB) version.
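The two posts above describe the check the thread is doing by hand: extract the clean copy, compare it with the quarantined one by size and MD5, and treat a large size difference as a sign of corruption. The following is an added example, not code from the thread or from Comodo, that performs that comparison on constructed in-memory byte strings and adds a cheap MZ/PE signature sanity check; `build_fake_pe` is a stand-in used only to produce test input, not a real executable.

```python
"""Triage helper for a suspected AV false positive: compare a quarantined
copy of a file with a known-clean copy by size, MD5 and SHA-256."""
import hashlib
import struct

# MD5 posted in the thread for the clean shutdown.zip (taken from the page).
REFERENCE_MD5 = "3fb410f5f7009e5eed0432c0b695afcf"

def fingerprint(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 of a file image held in memory."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def looks_like_pe(data: bytes) -> bool:
    """Check for an MZ stub and a PE signature at the offset stored in
    e_lfanew (0x3C). A truncated or overwritten copy usually fails this
    before any hash comparison is needed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(suspect: bytes, reference: bytes) -> dict:
    """Compare the quarantined copy against a known-clean copy."""
    s, r = fingerprint(suspect), fingerprint(reference)
    return {
        "size_match": s["size"] == r["size"],
        "md5_match": s["md5"] == r["md5"],
        "sha256_match": s["sha256"] == r["sha256"],
        "suspect_is_pe": looks_like_pe(suspect),
        "verdict": "identical" if s["sha256"] == r["sha256"] else "differs",
    }

def build_fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a tiny executable image (NOT a real binary):
    MZ stub, e_lfanew pointing at 0x40, PE signature, then payload."""
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    header += struct.pack("<I", 0x40)
    return bytes(header) + b"PE\x00\x00" + payload

def main():
    clean = build_fake_pe(b"clean image")
    bloated = clean + b"\x00" * 1024   # same prefix, but the size differs
    print(triage(bloated, clean))
    print(triage(clean, clean))

if __name__ == "__main__":
    main()
```

Against real files, read both copies with `open(path, "rb").read()` and pass the bytes to `triage`; a size mismatch with a valid PE header, as in the thread, points at a padded or altered copy rather than a simple extraction error.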

Hi
Interesting results.
So after you quarantined the oversized copy, Windows automatically replaced it with one identical to the clean one I uploaded?
And no further alerts at all?
Could you submit the quarantined file to Comodo for analysis? Even so, I suspect the file was possibly just corrupted somehow, which is obvious from the size difference.
For peace of mind, personally I would do a few “second opinion scans”. Any or all of the first three applications recommended in this post by eXPerience showing “clean” status would restore confidence.
https://forums.comodo.com/virusmalware_removal_assistance/what_to_do_if_youre_infected_experience_rev2-t32467.0.html;msg231504#msg231504
If they indicate more issues, then please proceed with the cleaning and follow-up actions, also as per eXPerience’s suggestions.

OK?

Hi. I just found out that the file is part of Sysinternals - www.sysinternals.com

File Version : 2.32.0.0
Description : Shutdown, logoff and power manage local and remote systems
Copyright : Copyright (C) 1999-2004 Mark Russinovich

Will do the submitting and scans. Thanks (:HUG)

Yep. Send the file to the labs as an FP and it will be fixed.

Cheers,
Josh

Hi,

Thanks for reporting the FP. It will be fixed in the next base release.

Thanks,
Ramanan

Hi. Thanks for the help :ilovecomodo:

Hi kuanhong92,

The false positive has been fixed in DB ver ‘966’. You can verify with our latest update.

Thanks for reporting,

Regards,
Suresh