Comodo Internet Security 3.10.102363.531 is flawed?

Hi,

My Comodo Internet Security somehow has allowed these malware to slip through w/o any detection. >:( And now my laptop is not able to launch its network to go to the internet. I managed to find these suspicious files inside my laptop. Does anyone know about these:
RtkBtmnt.exe - 0021DBE6.pf
jusched.exe - 25206883.pf

If these are malware, how do I clean them up? ??? Thx in advance. ;D

Both files you found are in the Prefetch folder of Windows.

RtkBtmnt.exe and jusched.exe may be legitimate files. When they were flagged by CIS, it may be a false positive.

Can you look up the files and take a look at their properties to see if they are the legitimate files we think they are?

BTW you are using an old CIS. You may also consider updating to the latest 3.14 as AFAIK the virus updates for 3.10 have already stopped.
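The check EricJH asks for (look up the executable behind each prefetch entry and inspect its properties) can be done in one go from PowerShell. This is an added example, not code from the thread or from Comodo; it assumes Windows 7 or later with PowerShell 5.1, and the list of search roots is a constructed set of usual install locations.

```powershell
# Added example (not from this thread): map the two prefetch entries the poster
# found to the executables on disk and show publisher, version and signature.
# Assumptions: Windows 7+ with PowerShell 5.1; search roots are a constructed list.
function Get-PrefetchExecutableReport {
    param([string[]]$PrefetchName)

    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ -and (Test-Path $_) }

    foreach ($pf in $PrefetchName) {
        # Prefetch files are named <EXENAME>-<8 hex digit hash>.pf; strip both parts.
        $exeName = ($pf -replace '\.pf$', '') -replace '-[0-9A-Fa-f]{8}$', ''
        $hits = Get-ChildItem -Path $roots -Recurse -File -Filter $exeName -ErrorAction SilentlyContinue

        if (-not $hits) {
            # A prefetch entry with no executable left on disk deserves a closer look:
            # the program was uninstalled, or something ran briefly and removed itself.
            [pscustomobject]@{ Prefetch = $pf; Executable = $exeName; Path = '<not found>';
                               Company = ''; Version = ''; Status = 'NotFound'; Signer = '' }
            continue
        }
        foreach ($f in $hits) {
            $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Prefetch   = $pf
                Executable = $exeName
                Path       = $f.FullName
                Company    = $f.VersionInfo.CompanyName
                Version    = $f.VersionInfo.FileVersion
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer     = $signer
            }
        }
    }
}

# The two names from the thread. A copy in an odd location (e.g. jusched.exe outside
# the Java folder) or with a HashMismatch is what to follow up on; NotSigned alone is
# not proof of malware, since older OEM utilities often ship unsigned.
Get-PrefetchExecutableReport -PrefetchName 'RtkBtmnt.exe-0021DBE6.pf', 'jusched.exe-25206883.pf' |
    Format-Table -AutoSize
```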

Hi EricJH & layman,

Thank you for the reply.

The symptom was that whenever I ran Windows or Internet Explorer, an error msg would pop up:
jusched.exe application error
The instruction at “0x00000000” referenced memory at “0x00000000”. The memory could not be “read”. Click ok to terminate the program. ???

I’m sure the physical memory is ok cos when I run in safe mode the pop up occurs. Of course, I also couldn’t run any anti-virus sw. I think the only ones which are allowed to run are the portable type. Any suggestion? The malware has already cost me 4 days w/o my laptop running properly.

Thx in advance. ;D

You can try the Dr Web Live CD. That CD holds a mini Linux OS with a virus scanner that you can update and scan your Windows with.

Also consider checking your RAM with Windiag. Let it run for 10 rounds in its default configuration and see if it reports any error. In case you overclocked your system please disable overclocking before running Windiag.

Hi EricJH,

Thank you for the quick reply. I just started the Malwarebytes scan to see if it catches any bugs. I’ll try the suggested “Dr.Web live CD” if Malwarebytes doesn’t catch anything. 88)

My laptop is running in default mode with no other fancy stuff. I will chk it w/ “windiag” after the scan. Will post the result. Thanks. ;D

Have you updated your CIS yet then? You are running an old version! :wink:

You can also try Comodo Cloud Scanner for a quick and thorough analysis. Ignore the privacy and registry errors it finds. They are not important for now.

It is still in beta. So, when it finds anything suspicious, let us know what it finds.

I would say that you normally do not need jusched.exe. This is just a Java updater program. You say that you are not able to use the internet. Are you able to surf the internet using other programs like IE, Firefox, etc.?

Can you please check the following:

CIS → Firewall → Advanced → Network Security Policy

Please check whether there is any program which is shown as blocked there.

Also, please right click the CIS tray icon and confirm whether the Firewall Security Level is at Custom Policy or Safe Mode (not Block All mode).

I would also once again suggest updating to new CIS version.

Hi layman, EricJH & AyeAyeCaptain,

Here is the result I got from Malwarebytes:

Malwarebytes’ Anti-Malware 1.44
Database version: 3679
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2010 12:04:09 AM
mbam-log-2010-02-03 (00-14-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161243
Time elapsed: 37 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{988934a4-064b-11d3-bb80-00104b35e7f9} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1dd29ed-2598-48e9-9793-64a9cd08ac94} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87ca3845-37fe-414c-81cf-e08a7d0f6779} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{802f530b-a8f6-4631-ae49-6bacaac6373e} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{802f530b-a8f6-4631-ae49-6bacaac6373e} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\cleansweep.exe\cleansweepupd.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{3046DEF3-D4CB-446D-B516-DC31E72D005E}\RP192\A0031983.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{3046DEF3-D4CB-446D-B516-DC31E72D005E}\RP192\A0032982.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{3046DEF3-D4CB-446D-B516-DC31E72D005E}\RP192\A0033988.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{3046DEF3-D4CB-446D-B516-DC31E72D005E}\RP192\A0034005.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{3046DEF3-D4CB-446D-B516-DC31E72D005E}\RP192\A0035056.exe (Trojan.Agent) → Quarantined and deleted successfully.

I don’t understand how the malware slipped through… ??? Malwarebytes cleaned it all for me. I consider myself lucky this time, only light damage. Maybe not next time… >:(

My Comodo settings are:

  • Defense+ security = Clean PC mode
  • Firewall = Safe Mode
  • Antivirus = Stateful

Thx
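Most of the Trojan.BHO entries in the log above are Browser Helper Object registrations, so a useful post-cleanup check is to list which BHOs are still registered, resolve each CLSID to the DLL Internet Explorer would load, and look at its signature. This is an added example, not code from the thread, Malwarebytes or Comodo; it assumes Windows 7 or later with PowerShell 5.1, run from an elevated prompt.

```powershell
# Added example (not from this thread): enumerate registered Browser Helper Objects,
# resolve each CLSID to its DLL and check the Authenticode signature, so orphaned or
# unsigned add-ons left behind after a cleanup stand out.
# Assumptions: Windows 7+ with PowerShell 5.1, elevated prompt.
function Get-BhoReport {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName                 # e.g. {889d2feb-5411-4565-8998-1dd2c5261283}
            # The BHO key only lists CLSIDs; the DLL path is under HKCR\CLSID\{...}\InprocServer32.
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
            $status = 'NoClsidRegistration'; $signer = ''
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status                # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } elseif ($dll) {
                $status = 'DllMissing'               # orphaned registration, typical after a partial cleanup
            }
            [pscustomobject]@{
                Is32BitView = ($key -like '*Wow6432Node*')
                CLSID       = $clsid
                Dll         = $dll
                Status      = $status
                Signer      = $signer
            }
        }
    }
}

# Rows with Status NotSigned, DllMissing or NoClsidRegistration, or a DLL outside
# Program Files, are the first ones to look at.
Get-BhoReport | Format-Table -AutoSize
```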

If they were there before you started using CIS in Clean PC mode, then they were assumed safe and rules were made.

I installed it after I bought my laptop and I have used it almost a year. 8) The infection was only recent, as my laptop was behaving weird. :o

Anyway, I’ll use it as a firewall (assuming it works properly) and leave the rest to Malwarebytes.

Thx.

Malwarebytes is only an anti-spyware and is not intended to protect against viruses. Besides, the free version does not have real time protection and hence your computer will be vulnerable. You may use one of the AVs like CIS, AVG, Avast or Avira (if you don’t want to pay for AV) alongside MBAM. MBAM is a very good product which will complement the AVs.

Because you evidently don’t update your security applications. That is very important, you know :smiley:

Sorry to interrupt here, User109 and Eric, but there is 1 thing you should do first.

Please update your CIS version to the latest version. The version you are using at this moment is outdated and does NOT get the latest antivirus database updates anymore, and for that reason you will NOT be protected against the latest malware.

You can upgrade through the installer which is available over here or you can upgrade through CIS itself (CIS → Miscellaneous → update)

Please update, run a scan with CIS, and afterwards we can continue looking at your problem if it still persists.

Best regards,
eXp