CIS reports file named as [], no path found / bug? / false positive?

Dear board members,

hello to everybody from Turrican!

I encountered a strange issue with my Comodo Internet Security, with the firewall in particular. Yesterday, a Defense+ alert was raised, as Comodo reported a file requesting a connection from the outer limits, asking me to allow/block this. Normally, as every user knows, the file is displayed with its full name and path (e.g. c:\windows\system32\badprogram.exe), so the user can have a look at the requesting program himself. In my case, there was no program name at all, only a little square [] was shown. Clicking on it resulted in an error message, reporting that the file cannot be found.

I blocked the request, but in the list of programs that have been allowed/blocked to send/receive connections (Firewall → Network Security Policy) I found this strange entry twice, both allowed (!!) by CIS. I immediately blocked the two entries. A few moments later, CIS showed the same request again: the program called “[]” wanted to receive a connection from the Internet. Blocked, of course.

My HiJackThis log has been analysed and found to be clean on the German Anti Trojaner board, but they asked me to pass this strange issue on to the Comodo experts. If needed I can post a screenshot of the strange program.

Maybe a bad request, camouflaged malware, a new attack, a rootkit maybe? Something evil, able to hide itself, or just a strange bug?

I run two versions of Windows on my laptop, on two separate hard drive partitions. C is holding Windows Vista, D is holding Windows XP Prof., and the issue came up on XP only. On Vista, the firewall list does not contain the strange square.

By the way, the Threatcast rating reported that this alert has been blocked by another user before, so it seems I am not the only one.

Can anybody help? Would be much appreciated!

Thanks in advance and have a nice weekend.

Greetings from Germany,
Turrican

Please post a screenshot, yes this is very likely to be a GUI bug.

Thanks.

Hello,

Of course I will do that - please see below, the two last entries in the list.

Thank you
Turrican

[attachment deleted by admin]

Thanks, I was kind of hoping for a screenshot of the alert… (Should have said that.)

Do you remember how many other users have blocked it in Threatcast?
Do you remember what incoming port the firewall alert said?

Edit: seems like you're not the only one with a bug like this.
https://forums.comodo.com/empty-t44358.0.html;topicseen

Hi,

I was eager to deliver a screenshot of the alert, but it didn’t appear anymore :-(, if you want a problem to occur, it doesn’t ^^. Hmm, I think the number of those who blocked the request was small, about 1 or so, but I’m not absolutely positive. Also the port, ■■■■ don’t remember it, I just clicked the windows away in a little panic as it popped up. The address did not seem to be a normal one, not 127.0.0.1 either.

I saw the picture, thanks. Hmmm, hard to say if this is hidden malware? Could be a new sort of threat maybe? If the alert comes up again, I will make a screenshot at once; I will use my XP more often.

Thank you!!

Best regards
Turrican

You can try to run the rootkit scanner GMER, www.gmer.net, to see if you have a rootkit active. Also Process Hacker is able to scan for hidden files: http://processhacker.sourceforge.net/ .

Hi,

I just created a report file with GMER, but it is impossible to post this file, as it is too big. I tried to split the report up, but the software either tells me the text is too long, or that I cannot post a text from my IP for an undefined period of time :-(.

Is it possible to send the report for analysis, or does GMER report malicious code somehow so the user can identify it? Most of the entries (processes) feature a string like this at the end:

7C91DFAE 5 Bytes JMP 100018B0 D:\XP\system32\guard32.dll (COMODO Internet Security/COMODO)

Thank you very much for the support!

Cheers
Turrican

By the way… this one here seems to be a smaller report (directly at the beginning of GMER):

GMER 1.0.15.15077 [o86gu4oi.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-29 21:11:29
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xB7F824FE]
SSDT vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xB7F8DCB0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ABEC1D8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \Fat 88F25B78

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Appears clean to me :wink:

Cheers
Turrican
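As an added example (not from the thread, and not GMER's own code), a small triage script for the quick-scan lines Turrican pasted above: it parses the SSDT, AttachedDevice and inline JMP entries, groups filter drivers per device, and flags any hook whose module carries no vendor string for a manual check of that file's origin and signature. The process prefix on the sample inline-hook line (explorer.exe, PID 1004) is constructed, since the thread only shows the tail of that line.

```python
import re
from collections import defaultdict

# Constructed sample built from the lines quoted in this thread (not a full GMER report).
SAMPLE_REPORT = r"""
---- System - GMER 1.0.15 ----

SSDT vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xB7F824FE]
SSDT vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xB7F8DCB0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

.text  C:\WINDOWS\explorer.exe[1004] ntdll.dll!NtCreateFile  7C91DFAE 5 Bytes  JMP 100018B0 D:\XP\system32\guard32.dll (COMODO Internet Security/COMODO)
"""

# GMER prints "(description/vendor)" after the module; an empty vendor shows up as "/ )".
SSDT_RE = re.compile(r'^SSDT\s+(?P<module>\S+)\s+\((?P<info>.*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$')
DEV_RE = re.compile(r'^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<info>.*)\)$')
JMP_RE = re.compile(r'(?P<at>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<to>[0-9A-F]{8})\s+(?P<module>\S+)\s+\((?P<info>.*)\)$')


def split_info(info):
    """Split GMER's 'description/vendor' field; vendor may be empty."""
    desc, _, vendor = info.rpartition('/')
    return desc.strip(), vendor.strip()


def triage(report):
    """Return parsed hooks, per-device filter stacks, and entries that need a manual look."""
    hooks, devices, review = [], defaultdict(list), []
    for line in report.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            hooks.append(('SSDT', m['func'], m['module'], split_info(m['info'])[1]))
        elif m := DEV_RE.match(line):
            devices[m['device']].append((m['module'], split_info(m['info'])[1]))
        elif m := JMP_RE.search(line):
            hooks.append(('inline', f"{m['at']}->{m['to']}", m['module'], split_info(m['info'])[1]))
    for kind, what, module, vendor in hooks:
        if not vendor:  # a hooking module with no vendor string is worth verifying by hand
            review.append(f"{kind} hook {what} by {module}: no vendor string, verify the file's origin and signature")
    return {'hooks': hooks, 'devices': dict(devices), 'review': review}


if __name__ == '__main__':
    for finding in triage(SAMPLE_REPORT)['review']:
        print(finding)
```

Run over the sample, it lists the two vax347b.sys SSDT hooks for review and leaves the vendor-attributed COMODO and avast! entries alone; known-good filter drivers still stack on the same devices, which is why the per-device grouping is kept in the output.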