Topic: malicious website got past comodo today - (possible prevention method enclosed?)
nalacknick
« on: March 29, 2012, 04:00:16 PM »

Hi guys, this morning I had the fright of my life just by clicking onto a website via Google. My gf and I were discussing baby names, so I decided to do a Google search on modern names for boys. I clicked on this one particular link from Google (can't remember the name) and as soon as I did I got lots and lots of windows trying to open. Comodo isolated a couple of .exes to the sandbox (restricted). I thought CIS had caught everything, so I carried on chatting with my gf on MSN. I then happened to notice that the shortcut to MSN had gone off my desktop along with various other programs incl. CCE. So I rebooted, thinking all would be OK upon reboot. How wrong I was... most of my programs were still missing from the desktop. Numerous folders were missing: docs, vids, pics etc. Internet Explorer had lost all of my favourites. Windows Security had been disabled and the clock was an hour fast. Also, some of the programs that were left wouldn't open.

I did a sys restore and most of my progs came back (although CCE couldn't connect to the internet to update, so I imported from CIS, did a scan and all was fine). I checked KillSwitch, all safe. Opened Quick Repair and Security Center had been disabled, so I repaired that. I did a scan with MBAM, all OK. Did a scan with TDSSKiller, all OK. Rebooted and my folders were still missing. To cut a very long story short-ish, I did a Google search and found a piece of software on bleeping computers.com called unhide.exe. I ran it and hey presto, all my hidden folders/shortcuts were restored (after reboot). So here is the log of what the malware changed, and my question is... can these lines be added to the protected registry keys without causing any problems??
Log here:
Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoActiveDesktopChanges policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_TrackDocs was set to 0! It was set back to 1!
Thx in advance
Nick

win7 sp1 64bit (IE8)
CIS 5.10 fully updated Config internet security -  sandbox  - enabled set to restricted AV stateful - FW safe - D+ safe
CCE (not open/running at the  time of infection)
MBAM (on demand)
TDSSKiller (on demand)
UAC disabled at the time (now enabled and put up with the popups + using Comodo dragon as default browser)
« Last Edit: March 29, 2012, 04:16:00 PM by nalacknick »
languy99 (Global Moderator)
« Reply #1 on: March 29, 2012, 04:21:28 PM »

What DNS servers are you running? Also, can you provide me with a link in a PM to the site so I can test when I get a chance?

http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99
nalacknick
« Reply #2 on: March 29, 2012, 04:40:23 PM »

Hi languy99 - I'm just using the standard DNS servers as used by Sky (but I'm thinking of changing to Comodo as of today, unless you know of any better ones?). I can't supply you with the link as I have cleaned my system, so no history remains. As mentioned, I just did a search on Google for popular boys' names / modern boys' names and it was in the first half dozen links that appeared. Sorry I can't be any more specific than that. All I can say is that Comodo did clear the infection but couldn't stop the registry from being changed (maybe the restricted sandbox isn't restricted enough??). Also, it would be good if CIS or CCE could include these things to check/fix when doing a scan.
Kelvin12
« Reply #3 on: March 29, 2012, 05:28:12 PM »

That does sound scary.
Maybe this is a D+ leak?
wasgij6 (Global Moderator)
« Reply #4 on: March 29, 2012, 05:30:01 PM »

Quote from Kelvin12:
  That does sound scary.
  Maybe this is a D+ leak?

Sounds more like a sandbox leak. If the sandbox was disabled, I'm sure he would have gotten an alert from D+ and been able to block it. Since the sandbox is restriction based (rules), it is allowed to do certain things, so it slipped through the cracks. Once the sandbox becomes virtualized, stuff like this will not happen.
« Last Edit: March 29, 2012, 05:32:40 PM by wasgij6 »

| Win 7 Ultimate (x32) SP1; Admin | UAC Disabled | CIS 6.1.276867.2813 | CD 26.2 | CID 20.0.1 | VMWare Workstation; XP (x32), 7 (x64) |
Chiron (Global Moderator)
« Reply #5 on: March 29, 2012, 06:26:55 PM »

How to Stay Safe While Online
offchu
« Reply #6 on: March 29, 2012, 10:36:27 PM »

Administrator account + UAC disabled = Bad idea

A:
Quote from Kelvin12:
  That does sound scary.
  Maybe this is a D+ leak?

Q:
Quote from nalacknick:
  UAC disabled at the time (now enabled and put up with the popups + using Comodo Dragon as default browser)
wasgij6 (Global Moderator)
« Reply #7 on: March 29, 2012, 11:02:19 PM »

Quote from offchu:
  Administrator account + UAC disabled = Bad idea

This is how I run my computer and I haven't had any infections or problems.
nalacknick
« Reply #8 on: March 30, 2012, 02:16:44 AM »

Yes, I too think it was a sandbox leak... so is it OK to add the lines that were modified to the protected registry keys?

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoActiveDesktopChanges policy was found and deleted!
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_TrackDocs was set to 0! It was set back to 1!
languy99 (Global Moderator)
« Reply #9 on: March 30, 2012, 07:09:56 AM »

Well, in D+ there is this protection enabled that should cover the first two:

*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\*

and there is also one for *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*

So D+ should have prompted you about these. How do you have D+ set up to work for you? Can you provide a screenshot for us of the settings tabs?
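The two posts above give everything needed for a concrete check: the unhide.exe log in the first post names the values FakeHDD changed, and this reply names the Defense+ protected-key patterns that should already cover them. The script below is an added example, not code from the thread or from Comodo. It reads the current state of those two values, tests whether each value path falls under one of the quoted wildcard patterns (an approximation of the D+ match using PowerShell's -like, which understands the same * wildcard), reverts the values to the state the log reports as correct, and clears the Hidden attribute that the rogue puts on user files (the part unhide.exe handled). The $UnhideRoot default and the "skip System-flagged files" rule are assumptions, not something the thread states. It cannot change CIS settings; whether to add a key to the protected list is still a decision made in the D+ configuration.

```powershell
# Added example, not from the thread or from Comodo: audit the two registry
# values the unhide.exe log reported, check whether their paths fall under the
# Defense+ protected-key patterns quoted in the reply, optionally revert them,
# and clear the Hidden attribute FakeHDD puts on user files.
# Run from an elevated PowerShell for the HKLM check; -WhatIf previews changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder to scan for hidden files. The Desktop is an assumed default, since
    # the thread reports missing desktop shortcuts and document folders.
    [string]$UnhideRoot = "$env:USERPROFILE\Desktop"
)

# Expected state of the values named in the log: the HKLM policy value should
# not exist at all, and Start_TrackDocs should be 1.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoActiveDesktopChanges'; Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Start_TrackDocs'; Expected = 1 }
)

# Protected-key patterns quoted from the Defense+ settings in the reply above.
$protectedPatterns = @(
    '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\*',
    '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*'
)

function Test-ProtectedPath {
    # Returns the first pattern that covers a registry value path, or $null.
    # CIS shows native hive names, so translate the PowerShell drive prefix.
    param([string]$ValuePath)
    $native = $ValuePath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $native = $native -replace '^HKCU:', 'HKEY_CURRENT_USER'
    foreach ($pattern in $protectedPatterns) {
        if ($native -like $pattern) { return $pattern }
    }
    return $null
}

foreach ($check in $checks) {
    $valuePath = "$($check.Path)\$($check.Name)"
    $current = $null
    if (Test-Path -Path $check.Path) {
        # Get-ItemProperty errors (non-terminating) when the value is absent.
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($check.Name) }
    }
    $pattern = Test-ProtectedPath -ValuePath $valuePath
    Write-Output "$valuePath -> current: [$current] expected: [$($check.Expected)] D+ pattern: [$pattern]"

    if ($null -eq $check.Expected) {
        # Policy value should be absent; delete it if the rogue created it.
        if ($null -ne $current -and $PSCmdlet.ShouldProcess($valuePath, 'Remove value')) {
            Remove-ItemProperty -Path $check.Path -Name $check.Name
        }
    } elseif ($current -ne $check.Expected) {
        if ($PSCmdlet.ShouldProcess($valuePath, "Set to $($check.Expected)")) {
            if (-not (Test-Path -Path $check.Path)) { New-Item -Path $check.Path -Force | Out-Null }
            Set-ItemProperty -Path $check.Path -Name $check.Name -Value $check.Expected -Type DWord
        }
    }
}

# FakeHDD hides the user's files and shortcuts rather than deleting them, which
# is what unhide.exe reverses. Clear Hidden only on entries that are not also
# System (desktop.ini and similar are Hidden+System and must stay that way);
# treating System-flagged items as legitimate is an assumption of this example.
$hiddenFlag = [int][IO.FileAttributes]::Hidden
$systemFlag = [int][IO.FileAttributes]::System
foreach ($entry in Get-ChildItem -Path $UnhideRoot -Recurse -Force -ErrorAction SilentlyContinue) {
    $attrs = [int]$entry.Attributes
    $isHidden = ($attrs -band $hiddenFlag) -ne 0
    $isSystem = ($attrs -band $systemFlag) -ne 0
    if ($isHidden -and -not $isSystem -and
        $PSCmdlet.ShouldProcess($entry.FullName, 'Clear Hidden attribute')) {
        $entry.Attributes = $entry.Attributes -bxor [IO.FileAttributes]::Hidden
    }
}
```

Run it first as `.\Check-FakeHDD.ps1 -WhatIf` to see which values and files it would touch; the printed "D+ pattern" column shows whether a value path already sits under an existing protected pattern, which is the question the thread is asking. If both paths are reported as covered, the rogue writing to them points at the sandboxed process being permitted the write rather than at a missing protected-key entry.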
naren
« Reply #10 on: March 30, 2012, 07:15:51 AM »

Did you check the Trusted Lists? Anything there related to this malware?
pc_pete
« Reply #11 on: March 30, 2012, 07:51:15 AM »

Quote from wasgij6:
  This is how I run my computer and I haven't had any infections or problems.

I see this a lot, usually after someone calls me because some critical Windows file has been overwritten.
Absolutely no criticism intended, but I'm really intrigued as to why?
lyn
« Reply #12 on: March 30, 2012, 10:26:11 AM »

How about surfing in the manual sandbox in future!
Siketa
« Reply #13 on: March 30, 2012, 10:56:23 AM »

What browser were you using?
Were there any particular browser add-on such as WOT installed?
Seany007
« Reply #14 on: March 30, 2012, 10:59:05 AM »

Well, I don't want to scare anybody, but it happened to me as well today! Half of my pics missing! Wtf? All security is on MAX settings with UAC and sandbox enabled! None of the AVs detect anything... System restore doesn't help!