Author Topic: malicious website got past comodo today - (possible prevention method enclosed?)  (Read 7520 times)

Offline nalacknick

  • Comodo Loves me
  • ****
  • Posts: 176
Hi guys, this morning I had the fright of my life just by clicking onto a website via Google. My gf and I were discussing baby names so I decided to do a Google search on modern names for boys. I clicked on this one particular link from Google (can't remember name) and as soon as I did I got lots and lots of windows trying to open. Comodo isolated a couple of .exes to the sandbox (restricted). I thought CIS had caught everything so carried on chatting with my gf on MSN. I then happened to notice that the shortcut to MSN had gone off my desktop along with various other programs inc' CCE. So I rebooted thinking all would be ok upon reboot. How wrong I was... most of my programs were still missing from the desktop. Numerous folders were missing: docs, vids, pics etc. Internet Explorer had lost all of my favourites. Windows security had been disabled and the clock was an hour fast. Also some of the programs that were left wouldn't open. I did a sys restore and most of my progs came back (although CCE couldn't connect to the internet to update, so I imported from CIS, did a scan and all was fine). I checked KillSwitch, all safe. Opened Quick Repair and Security Center had been disabled so I repaired that. I did a scan with MBAM, all ok. Did a scan with TDSSKiller, all ok. Rebooted and my folders were still missing. To cut a very long story short-ish ;) I did a Google search and found a piece of software on BleepingComputer.com called unhide.exe. I ran it and hey presto all my hidden folders/shortcuts were restored (after reboot). So here is the log of what the malware changed and my question is... can these lines be added to the protected registry keys without causing any problems?
Log here:
Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoActiveDesktopChanges policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_TrackDocs was set to 0! It was set back to 1!
Thx in advance
Nick

win7 sp1 64bit (IE8)
CIS 5.10 fully updated Config internet security -  sandbox  - enabled set to restricted AV stateful - FW safe - D+ safe
CCE (not open/running at the  time of infection)
MBAM (on demand)
TDSSKiller (on demand)
UAC disabled at the time (now enabled and put up with the popups + using Comodo dragon as default browser)
« Last Edit: March 29, 2012, 04:16:00 PM by nalacknick »
Intel Pentium E5800 [at] 3.20GHz
8.00GB Dual-Channel DDR3 [at] 401MHz
Windows 7 Home Premium 64,
Comodo Internet Security 7.0.317799.4142 premium, MBAM on Demand,  latest Comodo Dragon

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3940
What DNS servers are you running? Also, can you provide me with a link in a PM to the site so I can test when I get a chance?
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline nalacknick

  • Comodo Loves me
  • ****
  • Posts: 176
Hi languy99 - I'm just using the standard DNS servers as used by Sky (but I'm thinking of changing to Comodo as of today, unless you know of any better ones?). I can't supply you with the link as I have cleaned my system so no history remains. As mentioned, I just did a search on Google for popular boys' names / modern boys' names and it was in the first half dozen links that appeared. Sorry I can't be any more specific than that. All I can say is that Comodo did clear the infection but couldn't stop the registry from being changed (maybe restricted sandbox isn't restricted enough??). Also it would be good if CIS or CCE could include these things to check/fix when doing a scan.

Offline Kelvin12

  • Comodo Member
  • **
  • Posts: 31
That does sound scary  :o
Maybe this is a D+ leak?

Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3610
That does sound scary  :o
Maybe this is a D+ leak?

Sounds more like a sandbox leak. If the sandbox was disabled I'm sure he would have gotten an alert from D+ and been able to block it. Since the sandbox is restriction based (rules) it is allowed to do certain things, so it slipped through the crack. Once the sandbox becomes virtualized, stuff like this will not happen.
« Last Edit: March 29, 2012, 05:32:40 PM by wasgij6 »
| Win 8.1 Pro (x64) | UAC Disabled | CFW 7.0.315459.4132 | Intel i7 4770k | Asus Maximus VI Formula Mobo | Asus GeForce GTX 780 | G.Skill TridentX 16gb RAM | Samsung 840 SSD |
Offline offchu

  • Comodo Loves me
  • ****
  • Posts: 145
    • off
Administrator account + UAC disabled = Bad idea

That does sound scary  :o
Maybe this is a D+ leak?

UAC disabled at the time (now enabled and put up with the popups + using Comodo dragon as default browser)

Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3610
Administrator account + UAC disabled = Bad idea

This is how I run my computer and I haven't had any infections or problems.

Offline nalacknick

  • Comodo Loves me
  • ****
  • Posts: 176
Yes, I too think it was a sandbox leak... so is it ok to add the lines that were modified to the protected registry keys?

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoActiveDesktopChanges policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_TrackDocs was set to 0! It was set back to 1!

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3940
Well, in D+ there is this protection enabled that should cover the first two:

*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\*

and there is also one for *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*

So D+ should have prompted you about these. How do you have D+ set up to work for you? Can you provide a screenshot of the settings tabs for us?
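The registry values named in the unhide.exe log earlier in the thread, and the D+ protected-key patterns quoted just above, can be audited from the affected user's session. The script below is an added example, not code from this thread, from Comodo or from BleepingComputer: it checks the three values the log lists against the state the log restored (the NoActiveDesktopChanges policy absent, Start_TrackDocs equal to 1), reports any drift, and only rewrites them when -Repair is passed. The second part counts items under the profile root and Desktop that carry the Hidden attribute, since hidden folders and shortcuts were the visible symptom here; the folder locations and the -Repair parameter name are my assumptions.

```powershell
# Added example (not from this thread, Comodo or BleepingComputer).
# Audits the registry values listed in the unhide.exe log and reports drift.
# Read-only unless -Repair is given. Run as the affected user; touching the
# HKLM policy key additionally needs an elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Repair)

# Expected states are taken from the log: the policy value should not exist,
# and Start_TrackDocs should be 1.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoActiveDesktopChanges'; ExpectPresent = $false },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoActiveDesktopChanges'; ExpectPresent = $false },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Start_TrackDocs'; ExpectPresent = $true; Expected = 1 }
)

$drift = 0
foreach ($c in $checks) {
    $label = "$($c.Path)\$($c.Name)"
    # SilentlyContinue: a missing key or value yields $null instead of an error record
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

    if ($c.ExpectPresent) {
        if ($value -eq $c.Expected) { Write-Host "OK     $label = $value"; continue }
        $drift++
        Write-Warning "DRIFT  $label = '$value' (expected $($c.Expected))"
        if ($Repair) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
            Write-Host "       repaired"
        }
    } else {
        if ($null -eq $value) { Write-Host "OK     $label absent"; continue }
        $drift++
        Write-Warning "DRIFT  $label present with value $value (policy should not exist)"
        if ($Repair) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name
            Write-Host "       removed"
        }
    }
}

# Second symptom from the thread: user folders and shortcuts given the Hidden
# attribute. Locations are assumed; a normal profile root has only a few hidden
# entries (AppData, NTUSER.DAT and similar), most of them also marked System.
$hidden = Get-ChildItem -Path $env:USERPROFILE, "$env:USERPROFILE\Desktop" -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
Write-Host "Hidden items in profile root and Desktop: $(@($hidden).Count)"
$hidden | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::System) } |
          ForEach-Object { Write-Host "  hidden, not system: $($_.FullName)" }

# Non-zero exit code when any registry value drifted, so the script can be scheduled.
exit $drift
```

Run it without switches after a cleanup to confirm the values stayed put; the exit code is the number of drifted values, so it can be scheduled and alerted on. A hidden-but-not-System entry under the profile root is the same condition unhide.exe reverses, and is worth a look before blindly clearing attributes.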

Offline naren

  • Comodo's Hero
  • *****
  • Posts: 4372
Did you check the Trusted Lists? Anything there related to this malware?

Offline pc_pete

  • Comodo's Hero
  • *****
  • Posts: 363
  • No idea where this came from!
This is how I run my computer and I haven't had any infections or problems.

I see this a lot, usually after someone calls me because some critical Windows file has been overwritten.
Absolutely no criticism intended, but I'm really intrigued as to why?

Offline lyn

  • Comodo's Hero
  • *****
  • Posts: 231
How about surfing in the manual sandbox in future!

Offline Siketa

  • Comodo's Hero
  • *****
  • Posts: 4532
  • ZIG ZAG
What browser were you using?
Were there any particular browser add-ons such as WOT installed?

Offline Seany007

  • Comodo's Hero
  • *****
  • Posts: 2376
  • Comodo Commando
Well, I don't want to scare anybody, but it happened to me as well today! Half of my pics missing! Wtf? All security is on MAX settings with UAC and sandbox enabled! None of the AVs detect anything... System Restore doesn't help!
Proud Comodo User (CIS, CD, CID and CMS)
