XP Antivirus 2012

We encountered this problem today. One of my clients called saying they had 21 viruses on the computer. Upon attending the location, I found that “XP Antivirus 2012” seemed to be installed. Right beside Comodo, running in parallel.

No reports from Comodo, no errors or failures in Comodo.

What seemed to happen was the user was searching via a web search engine and clicked on one of the links, which brought to a fake website - which instantly redirected to another page.

That page loaded a fake XP Antivirus which looked like a Windows Explorer / My Computer page. The computer uses IE 7.

It also secretly installed a program, which then ran and added a tray icon beside Comodo. Fake virus scans were displayed and encourage the user to buy the fake virus program.

Xp Antivirus is a well known fake trojan/virus/malware - hard to decide exactly what it is.

We are very surprised that Comodo did not detect this download / automatic install. It certainly should.

Hi SpyderX,
If you can find the FP file,you can submit through this
link:Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year we can go to have a look at it.
Thanks and Regards,
Lin mengze

Mengze.lin, If you are using “FP” to mean “false positive”, then it seems you misunderstood SpyderX’s post. I believe that XP Antivirus 2012 is a rogue that Comodo should detect as malware. Somehow it got installed on the computer. From SpyderX’s post, we cannot be sure what CIS settings were used or how alerts were handled. So it is unclear if this file was installed because of user error or a comodo inadequacy (e.g. inappropriately whitelisted file, no signature yet, etc). But, it does not appear to be a false positive.

SPyderX, it may be helpful to provide the following info: CIS settings, windows version, log entries pertaining to this rogue.


So sorry.
Can you give us SHA1 or MD5 of that file.
Or if you can find the file,you can submit through this
link:Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year we can go to have a look at it.

Lin mengze

Did you restart the PC after rogue installation?
I’m sure that when this virus got sandboxed:

  • it could appear as a windows and in the windows tray,
  • it couldn’t change/delete critical system files/ registry entries,
  • it couldn’t create files in significant catalogs,
  • it couldn’t add itself to the autostart - after a restart there would be no simply trace (running process, problems with your system) at all.

Give me 5 minutes and i test Comodo against this rouge… (If i find it in my collection…)

The point is here:

[attachment deleted by admin]

I never understood why 98% of antivirus out there can’t block this virus or remove it?

My parents have been attacked twice by this in the last three months and Comodo kept it out both times, so I’m a bit surprised to see it manage to get in…

Sandbox is OFF on their PC mind you.

It’s not as simple as you think… :slight_smile: