CFP can not send an exe to Comodo for analysis

Hi everybody. Please try to understand my Frenchy English.

Send to Comodo for analysis: OK, I have already used this very good functionality of CFP with success, even if I have never received a reply (yes: when you send something, you wait for a reply!)

Now look at this: I subscribed to a very popular Torrent Tracker Forum (Demonoid, not to name it!). For a good “Ratio”, you have to log in to the site before you run your Client. You also have to enter some codes each time you want to reply to a topic. BUT sometimes I get an error message asking me to re-type. AND I get it even if I am sure that I typed the exact password or code. AND when I re-type it immediately after that, CFP pops up to say some “strange.exe is trying to inject itself to uTorrent.exe…and this is a trojan behavior etc…” Merci CFP but…

What I call “strange.exe” is an exe with a file name which changes each time (kowgk2y5.exe, yaleA27N.exe… I think it is randomly produced). It resides in system32 but there is no entry about it in the Registry. Its time of creation is one or two minutes ago (I mean when I was logging in to Demonoid), and it has no information in its property window. No information either on the Internet about it. Good news (or perhaps very bad news?!): Nod32 declares it OK.

But what is it and why is it trying to inject itself into my uTorrent?
So I ask CFP to send it to Comodo for analysis. Normally CFP asks you to wait while it is compressing the file, then it confirms and then you have to click “Close” to finish. But when sending “strange.exe”, the CFP window comes up and immediately disappears…

And as you know with CFP, if I ask it to block strange.exe, it will also block my uTorrent and/or every other web application that I will run, because the nasty strange.exe is able to inject itself into almost every web application I tried. I have to delete strange.exe manually and restart the computer.

Has anybody had the same problem? Is there any application which can examine an exe and determine what it is? Thanks, and before replying, don't forget to drink for Viva CFP!

Sorry you’re having trouble submitting to Comodo, malavan. You may also want to try some online sites for analysis as well…

http://www.virustotal.com/en/indexx.html

http://virusscan.jotti.org/

Those are just two of many that will analyze a file for you.

Hope that helps.

LM

PS: Also, have you tried an online search (like Google) for one of these filenames?

As I already said in my post, I did not find any info about it on the Internet!

I used your first link to analyze one of the files. This is a trojan, a variant of win32 worm, a rootkit, etc. More detail here:
http://www.virustotal.com/vt/en/resultadox?38a0ae1c6b8aaf2a363c461068af6527

G’day,

The type of behaviour you’ve described (randomly named executables with an “almost-now” creation date) is an almost certain indicator that your PC is infected with something. The infection is not the randomly named EXE - it’s being created automatically by another component on your PC.

Can you please run HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe), create a system log and attach the log to a reply post, so we can go through the log and see if we can pick up what could be spawning the EXE.

Until we can find what is generating it, continually getting rid of the randomly named EXE is only treating the effect, not the cause.

Cheers,
Ewen
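
The indicator discussed in this thread (randomly named executables in system32 with a creation time of a few minutes ago) can be checked with a short triage script. This is an added example, not part of any post above; the name pattern is an assumption inferred from the two file names quoted in the thread (8 alphanumeric characters mixing letters and digits), and the function name and one-hour window are hypothetical choices.

```python
import hashlib
import os
import re
import time

# Assumption: names such as kowgk2y5.exe / yaleA27N.exe are 8 alphanumeric
# characters containing at least one digit and one letter before ".exe".
RANDOM_NAME = re.compile(
    r"^(?=[^.]*[0-9])(?=[^.]*[A-Za-z])[A-Za-z0-9]{8}\.exe$", re.IGNORECASE
)

def created_at(st):
    """Best available creation timestamp for a stat result."""
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        return birth
    # On Windows st_ctime is the creation time; elsewhere use mtime instead.
    return st.st_ctime if os.name == "nt" else st.st_mtime

def find_suspect_executables(directory, max_age_seconds=3600, now=None):
    """Return (path, age_seconds, sha256) for recent, random-looking .exe files."""
    now = time.time() if now is None else now
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not RANDOM_NAME.match(entry.name):
            continue
        age = now - created_at(entry.stat(follow_symlinks=False))
        if age > max_age_seconds:
            continue
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        hits.append((entry.path, int(age), digest))
    return sorted(hits, key=lambda h: h[1])  # newest first

if __name__ == "__main__":
    root = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path, age, digest in find_suspect_executables(root):
        print(f"{path}  created {age}s ago  sha256={digest}")
```

A hit only flags the dropped file; as the post above says, the component that keeps creating it still has to be found. The SHA-256 can be used to look the file up on a multi-engine scanner without re-uploading it.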

We have an entire board within the forum dedicated to helping identify and remove malware. There are instructions and steps to take to help with the process, and places where you can post for help with the specific one you’ve been infected with.

This is all here: https://forums.comodo.com/virusmalware_removal_assistance-b58.0/

LM