CIS protected me against one very nasty malware, but...

I found this file on MDL and CIS 5.3 saved me, but frankly I had a very nervous 10 minutes of my life :wink:

http://www.virustotal.com/file-scan/report.html?id=e68142b057af63c0f29c921ba3a2ed7e9a4d04e07737dc00a54f0622a337f430-1295383104

I think I need to say that I use CIS 5.3 with default settings.

This is a Russian (I suppose, because I saw some gibberish) full-screen hijacker that took over my desktop, demanding to send an SMS to unlock it (I think).

I use Win 7 64-bit, so I could press Ctrl-Alt-Delete to get my Task Manager in order to close this application. In Task Manager I saw that I had a CIS cloud scanner message, but couldn’t see it because of this full-screen malware on my desktop. When I closed it, I could see the cloud scanner pop-up about some malicious file and deleted it.

After that my taskbar disappeared, but I saw the Start button, so I restarted Windows. After the restart all was fine. Scans with MBAM and HitmanPro didn’t detect anything.

So, on one side Comodo did a great job and protected me against a very nasty zero-day malware.

But on the other hand this file could start itself (I don’t know if it was sandboxed, because I restarted my computer). Is it possible to prevent such hijackers from starting at all?

Egemen already knows this; I discovered this virus today and wrote to him ;).
I’ve said it several times: CIS should warn when an app wants to go into full-screen mode.

Sorry if I spammed something that was already known :embarassed:

Anyway, this is another reason for me to love Comodo. Maybe it’s not ideal (nothing is ideal ;)) but it has a great community that makes huge efforts to make it better :110:

No, it’s great that you posted it.
It deserves attention from Egemen.
I wrote a PM to him this morning.

Sure it was sandboxed; that’s why you got rid of it by restarting. If it had bypassed the sandbox, you’d still have it.
Thanks for sharing, bro! :-TU

That’s why I say that Comodo saved me, but frankly I had a very unpleasant moment :wink:

I checked my D+ event logs now and I see that the file was sandboxed. But then I see a modify-key action: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\Current Version\Winlogon\Shell

Then another flag that file was scanned online and found malicious.

So does it mean the malware still managed to modify a key?
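One way to answer that question on the affected machine, as an added check that is not part of the thread: read back the Winlogon "Shell" value the D+ log shows being touched and compare it with the Windows default, which is plainly "explorer.exe". The real key name is "CurrentVersion" (no space); the Wow6432Node path in the log is where 64-bit Windows redirects HKLM\SOFTWARE writes made by a 32-bit process, so the native key and the per-user key are checked as well. The expected value and the key list are assumptions for a stock Windows 7 x64 install.

```powershell
# Added example, not from the thread: audit the Winlogon "Shell" value.
# Assumption: a default Windows install, where Shell is exactly "explorer.exe";
# anything else (e.g. a second program appended after a comma) is suspicious
# because Winlogon starts every entry in that value at logon.
# Run from an elevated PowerShell prompt.

function Test-WinlogonShell {
    param([string]$Expected = 'explorer.exe')

    # Native 64-bit key, the WOW64 mirror that 32-bit processes see (the path
    # from the D+ log), and the per-user key, which is normally absent.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $shell = $props.Shell

        if ($null -eq $shell) {
            # No Shell value at all is the clean state for HKCU.
            $status = 'not set (default)'
        } elseif ($shell.Trim() -ieq $Expected) {
            $status = 'OK'
        } else {
            $status = 'SUSPICIOUS'
        }

        # New-Object rather than [PSCustomObject] so it also runs on PowerShell 2.0 (Windows 7).
        New-Object PSObject -Property @{
            Key    = $key
            Shell  = $shell
            Status = $status
        }
    }
}

Test-WinlogonShell | Format-Table -AutoSize Key, Shell, Status
```

A row marked SUSPICIOUS shows exactly what the sandboxed process managed to write. If the value turns out to be the default in every key, the log entry records an attempt that the sandbox virtualised rather than a change that survived the restart. If it is not the default, the fix after removing the dropped file is to set it back with `Set-ItemProperty -Path <key> -Name Shell -Value 'explorer.exe'`.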

:-TU

Do a scan with MBAM, HitmanPro and Norton Power Eraser. See what they will find. MBAM handles the registry; if there’s something malicious, it will find it.

You’re using 64-bit Windows, PatchGuard could also save you a lot of trouble…

MBAM and HitmanPro didn’t detect anything.

Then you should be clean… :P0l

That’s the power of “Default Deny architecture with Automatic Sandboxing”… it’s geared towards preventing infection.

And we will continue to improve it at every release!

Melih

Thanks Melih! I know that I can be calm with Comodo. That’s why when I get bored I sometimes run malicious files on my main system (I know it’s not so smart, but I want a little extreme :embarassed: and with this malware I really got it LOL).

P.S. Where else can you see a CEO who talks to users, explains things to them and helps them :rocks:

That’s what my best friend does with Comodo on his system

True! :-TU

Thanks Adonis for sharing this.

+100

Welcome!

So, good news: I can declare after 2 checks with MBAM and HitmanPro and a check with SuperAntiSpyware that my system is clean and Comodo protected me even on default settings.

I am an amateur in computer security, but maybe only safe applications should be allowed to go into full-screen mode?

Because if this malware had not taken over my desktop I could just have neutralized it (the cloud scanner detected it 2 seconds after the start, but I just could not reach the pop-up to delete what it detected).

Also some good news: the AV already detects this malware file! A really impressive and fast job by the AV team responsible for the database :-TU

+100 :-TU

That’s always a risky business. If you must do that, I suggest you have a disk imaging and/or snapshot strategy in case of disaster.

Comodo Time Machine or Macrium Reflect may well save you from a major headache some time.

Thanks for the advice. I know it’s not so smart. I probably need to try Comodo Time Machine.

I just heard in the past that it was a little buggy, causing some problems for those who used it :frowning:

In my experience it may be safer to run malicious files than fool with CTM. Great in theory, just too buggy.

Rollback Rx is a good program that takes snapshots… it basically will save you from any kind of disaster except hard drive failure.

But I use Acronis True Image for a daily partition image that backs up the partition I have Windows and programs on. All my data is located on a different partition, from which I back up a few important folders in a separate backup task. I would like to use a snapshot program alongside Acronis True Image. But there are some possible conflicts with the MBR [master boot record], in which you may have to repair it if you used Acronis to restore an image from a system that uses snapshots. I may be wrong, but I read it on other forums. :-X EDIT: [I read that if you do a sector-by-sector image it will contain all the snapshots and all is cool.]

I would probably use/try Comodo Backup, but as far as I know I don’t think you can restore an image partition if your Windows crashes, because it does not include a disaster recovery boot disc. Please correct me if I am wrong.