Sorry if this is the wrong forum for this question.
I have Comodo Firewall and Defense+ (but not the Comodo AV) installed (vers. 4.1.150349.920). I noticed the other day that cmdagent.exe is listed in Task Manager - it always seemed to be there with vers. 3.x. Is this OK? cfp.exe is listed there, and FW and Def+ still pass CLT and CPILSuite tests, as well as Shield’s Up.
Thanks for the response, John. I see that I posted “is” listed in Task Manager, when I meant to type “isn’t”, but you got the gist.
Last week an Avira scan revealed a Trojan - it was quarantined, and multiple follow-up scans found nothing. I posted a HJT log at WhatTheTech and they found nothing, so I just wanted to make sure the missing cmdagent.exe wasn’t some result of that.
By the way, the two or three times I’ve noticed it missing, it has always re-appeared after a reboot.
cmdagent.exe wasn’t in the Defense+ “active process list”. I ran the Diagnostic, which found some problems with the installation. I clicked “Yes” to repair; diagnostic said the problems were fixed and suggested I reboot, which I did.
Upon reboot cmdagent.exe is back in the Task Manager list, but that has been the case other times I’ve noticed it missing and rebooted without any fix from the diagnostic.
I’ll wait and see if it pulls another vanishing act.
I’m surprised there wouldn’t be some sort of alert, either from Windows Security Center or Comodo, if cmdagent.exe’s disappearance meant the FW wasn’t functioning properly (unless cmdagent.exe itself is responsible for making those alerts).
Thanks for the responses, and I’d appreciate any other thoughts you may have on the matter.
First time I’ve used Event Viewer - took me a little while to find it.
Under “Applications” for yesterday there are a few “crypt32” errors, and from last week and a little earlier “ntbackup” and “Application Error” errors, but I see nothing for cmdagent or cmd*** related. I have to admit what I’m looking at is foreign to me, and therefore can be a bit unnerving - for instance under “Security” in Event Viewer there’s an “anonymous logon” at one point.
I’ve run some malware scans recently, including an ESET online scan yesterday, which have not shown any malware since Antivir caught a Trojan a couple weeks ago, so I’m hoping that’s not the issue.
I have GMER and run it occasionally, but again, it’s something I don’t quite know how to read. I’ve just always assumed that since nothing was highlighted it wasn’t detecting anything. Once again, nothing highlighted.
Not sure how many Red warnings would be a lot. There were three yesterday (that crypt32). Prior to that there had been three last Saturday (Jun. 26) preceded by a couple Yellow warnings related to Userenv and WinMgmt. I updated to SP3 about the time those happened, so they may be related to that.
Just make sure you run the latest available version, and normally if it does a quick scan at start up it will pop a message box that “rootkit activity” has been detected, if not it just shows a few entries probably.
If you do a full scan it will also return with a message box.
One tip, save the results to a file and do that every time you run it so you can compare results later if in doubt if anything has changed…
Yesterday I did delete the version of Gmer I had and downloaded the version from the link you supplied.
It never has given a pop-up indicating detection of rootkit activity.
So, I just brought the computer out of stand-by for the first time today and cmdagent.exe was missing from Task Manager and Process Exp. again. I ran the Diagnostics program again but didn’t reboot yet. I ran GRC’s LeakTest and the firewall caught it.
I had opened Firefox with no problem, but then closed it and, when trying to reopen it, Def+ alerted me that Firefox was trying to access dwwin.exe. First I blocked it, which caused an Application Error message. Then I tried Firefox again, got the same alert and allowed it, which brought up a Microsoft send or do not send an error report type window. After that Firefox opened up OK.
Not sure what’s going on with this. I may just keep it shut down for the holiday and look into it more tomorrow.
I ran into some troubles just after my last message yesterday. There was a message that “avwsc.exe has encountered a problem and needs to close”. I assumed that would have something to do with Windows Sec. Center checking if my AV was up-to-date, but a Google search indicates it’s an actual Avira program - it just opened for a second now while I had Task Manager open - I think it checks to see if I’ve updated Avira recently.
After that I tried to open Firefox and had the dwwin.exe alert from Def+ again. Trying to open Firefox again led to "A breakpoint has been reached. 0x80000003 occurred in the application at location 0x300074a9." That made me nervous, so I shut down til this morning.
This morning I booted to safe mode, ran Avira, MBAM, SuperAntiSpyware - all found nothing. I decided to run Auslogics Defrag but it wouldn’t open, then dwwin.exe Application Error recurred, followed by the Exception Breakpoint.
I let things cool down, rebooted, Avira automatically ran a scan which detected nothing. The Red errors recorded in Event Viewer for yesterday all have “Application Error” as Source, Category is None for one, (100) for the others, with 1000 as Event, and User as N/A. The one this morning is the same, with “None” as Category.
I’ll see if I can recreate cmdagent.exe being gone after coming out of stand-by.
Does this look like a malware problem to you, or do you think it may be worthwhile to try a reinstallation of Comodo? Or maybe it’s something to do with my update to SP3 last week?
Thanks for the help and info.
btw WSC just let me know that Avira needs updating, so I’m glad to see that didn’t cause an error this time.
I’ve brought the pc out of stand-by three times today, and each time cmdagent has been present in Task Manager. Each time I’ve used the computer for 20-30 minutes before putting it back in stand-by, and cmdagent.exe hasn’t pulled its vanishing act.