Comodo let MSSpellCheckingFacility.exe onto my computer

I’ve been running Comodo Antivirus for the past 2 years. Suddenly today, I’m getting notices from Comodo about MSSpellCheckingFacility.exe trying to run. It seems to run whenever I’m on a page like this typing into one of these Rich Text blocks that might need spell checking. Anyway, I’m blocking the attempts.

I see the file at C:\Windows\System32. It was installed on 11/21/14 at 8pm. I don’t understand why Comodo let this file get installed onto my computer in the first place. I certainly did not “allow” it after any warning.

Anyone know how I can get this file off and fix any registry entries that might have been affected?

MORE INFORMATION: Comodo complains this file is not “digitally signed”. Version is 6.3.9600.17496. Previous version was 11/5/14. A bunch of files got changed on this same date 11/21/14. All of these files have an “unknown” ? User name associated with them. Is this a legit update date?

Please upload the file to Virus Total and post the link to the report.

Sorry, what is Virus Total? Can you link me to instructions on how to do what you are referring to? Thanks. I’m definitely infected with something here. :-\

Running Microsoft MRT and it’s not done but shows 9 infected files. I’m guessing it’s going to be the same group that loaded on 11/21. I’d like to just set my computer back before 11/21. I think it sets the registry back before that date. Microsoft showed me how to do that once but I can’t remember how to do it.

I just tried to check the file in quarantine, and right click upload…if that’s what you mean? It fails and says: The system cannot find the file specified. However, the file is there…I see it in Explorer.

I remember I was downloading “FREE” fonts about then…I bet that is when it happened. :cry:

Very scary…while running Comodo antivirus the ENTIRE time, MRT found the computer infected with

Rogue: win32/FakeRean
Trojan: win32/Necurs.A
TrojanDropper:win32/sirefef.gen!D
TrojanDropper:win32/sirefef.gen!C

Umm, is your antivirus even working???

My computer has been contaminated by a VERY SOPHISTICATED USER.

My computer now has 4 Trojans, all downloaded while running Comodo antivirus the entire time. A bunch of files installed on 11/21/14 BETWEEN 7 AND 9PM that I never OK’d and obviously 4 Trojans installed that I never OK’d. I’ve never had this happen with any other antivirus product and I’ve been running, building, and programming computers since 1984 and WatFOR/WatFIV. HOW is this possible? In fact a Comodo scan found NOTHING. I run Microsoft MRT and it finds 4 different trojans.

MRT found:
Rogue: win32/FakeRean
Trojan: win32/Necurs.A
TrojanDropper:win32/sirefef.gen!D
TrojanDropper:win32/sirefef.gen!C

And I can see 30 files downloaded into Windows System32 in the span of 3 hours that night and I would NOT even have been at my computer. I’m behind a computer software firewall. I’m also behind a hardware firewall with non-routable NAT’d IP behind the firewall. It’s as if I had NO antivirus program running at all.

Also, one thing that I can guarantee is on that night at that time I was playing COD on XBox 360. And lately that gaming platform as well as Sony’s gaming platform has been attacked by LizardSquad. Is it possible that someone from LizardSquad used the Xbox 360 to gain entry to my network and then further entry into my computer? It’s the only “open” entry point that I can come up with…

MRT says it got rid of the Trojans that Comodo never even detected. How do I clean this computer? Those 30 files had permissions to a non-existent account and the ownership was set to something called TrustedInstaller. Some, if not all of these files are “LEGIT” Microsoft files and filenames with “newer” versions. They actually have MICROSOFT signatures, dates and version numbers on the files…but the versions are beyond current Microsoft file versions as far as I can tell…so they all have a “previous” version. I’m wondering if I can “DELETE” these files somehow (I’m wondering if it’s even going to let me) and then roll back the system restore point to 11/4/14 which is prior to the infection. When I run System Restore, will it restore the original files, or do I need to leave the files in place to get the originals restored using System Restore?

My English is not good enough to assist you, sorry for your infection.
Maybe you can follow this useful guide: http://www.selectrealsecurity.com/malware-removal-guide
I hope you will get rid of them.

Comcity, I merged your second topic with your other topic.

Virus Total is a service to which you can upload files to have them checked by approx 40 AV scanners. Upload the file. When it says it has been seen before ask to retest the file. Then post the url to the results page here.

Other than that please check your computer with the following tools:
TDSS Killer
Hitman Pro
Malwarebytes Antimalware
Super Antispyware

If the signatures of the Microsoft files are valid then they are legit files. Tuesday this week was the second Tuesday of the month, which means Windows got updates. The files have previous versions so the question pops up if you have shadow copies enabled in Windows. Also what Windows version are you using?

I know the files are infected, but this virus has put “real” Microsoft files down with “newer” version #'s. Programs like vbscript.exe and the MS spell checker. They are not disguised Microsoft file names…they are real Microsoft OS files that actually have different non-existent versioning. I’ve never seen anything like that before. I’m running ESET NOD32 and even though Comodo didn’t find any viruses or threats, ESET is overloaded. 33 threats found and 25 cleaned so far. That goes back to my question. HOW CAN Comodo not have stopped this? Why did Comodo find No threats even afterwards with a scan: no trojans, and no viruses. At this point, I’ve lost some serious confidence in the Comodo AV product.

It doesn’t look like VirusTotal is noticing that these files are not authentic either. And VirusTotal says it has already been scanned?? Maybe ESET is already running it through that program?

I’m running windows 7 I believe. The files have a restore point of 11/4. The Microsoft update that did that restore point was 11/19 I believe. So that doesn’t make sense to me. It would have the 12/2 restore point if the files were updated this tuesday…not 11/4. These files all have the same date of 11/21 between 7pm and 9pm. Microsoft updates don’t take 2 hours? Also, 11/21 was not an MS update time. Are you saying those dates/times are the “build date” or are they the copy date…they can be either. I suppose Microsoft could have done a build on 11/21 but unless each successive update already knows the “NEXT” Tuesdays files and already sets them as a restore point, I don’t understand how the dates can all work.

It looks like some of those threats from ESETNOD are not real as they are finding the files in Comodo’s quarantine folder

In any case, these 30 files…this is what I want to do. Tell me if this is ok or makes sense… AFTER running every antivirus program I can get my hands on.

RESTORE Permissions:
I will go in to security, take file ownership back to administration, remove the unknown user and the user named TrustedInstaller.

FILE RESTORE Points:
Then I want to go to Previous version and open and restore the previous version of the files restore point.

SYSTEM RESTORE POINT:
Next, I want to run the System Restore back to 11/4/14.

WINDOWS UPDATE:
Then RERUN windows update and if it goes and gets all new versions of the same files again so be it. However, I don’t believe that it will. Because I believe these files have basically been “shadow-compiled” to the same name and wrapped with the same microsoft compile details with new versions that don’t exist and then the permissions changed so as to isolate them.

This file MsSpellCheckingFacility.exe, Comodo is actually catching and saying it is an “unrecognized file” and flagging it and I have been “blocking” the file because it’s one of the files with the 11/21 change date and bastardized permissions. It’s actually the file that flagged me to everything. VirusTotal says the file is fine with a compile date of 11/22 even though the file’s date is 11/21 (perhaps there is a UTC timing problem there). So, is the file good or bad? VirusTotal says it’s fine. Comodo doesn’t recognize it. And on the platter, I can see the permissions are infected and I can see the file date is suspicious, like ALL the other FILES with the same bastardized permissions and the same file date +/- 2 hours.

Link to VirusTotal report: VirusTotal .

I changed the long post with File Detail information for a url to the analysis page to keep the topic more readable. Eric

Windows update log does have entries for 11/21

2014-11-21 00:11:50:251 676 9d4 Shutdwn user declined update at shutdown
2014-11-21 00:11:50:251 676 9d4 AU Successfully wrote event for AU health state:0
2014-11-21 00:11:50:251 676 9d4 AU AU initiates service shutdown
2014-11-21 00:11:50:251 676 9d4 AU ########### AU: Uninitializing Automatic Updates ###########
2014-11-21 00:11:51:203 676 9d4 Report CWERReporter finishing event handling. (00000000)
2014-11-21 00:11:51:281 676 9d4 Service *********
2014-11-21 00:11:51:297 676 9d4 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-11-21 00:11:51:297 676 9d4 Service *************
2014-11-21 09:18:10:055 404 878 Misc =========== Logging initialized (build: 7.6.7600.320, tz: -0600) ===========
2014-11-21 09:18:10:913 404 878 Misc = Process: C:\Windows\system32\svchost.exe
2014-11-21 09:18:10:913 404 878 Misc = Module: c:\windows\system32\wuaueng.dll
2014-11-21 09:18:10:055 404 878 Service *************
2014-11-21 09:18:10:913 404 878 Service ** START ** Service: Service startup
2014-11-21 09:18:10:929 404 878 Service *********
2014-11-21 09:18:16:139 404 878 Agent * WU client version 7.6.7600.320
2014-11-21 09:18:16:139 404 878 Agent * Base directory: C:\Windows\SoftwareDistribution
2014-11-21 09:18:17:153 404 878 Agent * Access type: No proxy
2014-11-21 09:18:19:337 404 878 Agent * Network state: Connected
2014-11-21 09:19:12:814 404 878 Report CWERReporter::Init succeeded
2014-11-21 09:19:12:814 404 878 Agent *********** Agent: Initializing Windows Update Agent ***********
2014-11-21 09:19:12:814 404 878 Agent * Prerequisite roots succeeded.
2014-11-21 09:19:12:814 404 878 Agent *********** Agent: Initializing global settings cache

When the signatures are valid they are uncompromised Microsoft files. When all the files detected by ESET are Microsoft files with valid signatures, then those are false positive detections.

That’s what may happen when scanning with multiple scanners. It’s best to exclude the quarantine folders from being scanned

In any case, these 30 files…this is what I want to do. Tell me if this is ok or makes sense… AFTER running every antivirus program I can get my hands on.

RESTORE Permissions:
I will go in to security, take file ownership back to administration, remove the unknown user and the user named TrustedInstaller.

FILE RESTORE Points:
Then I want to go to Previous version and open and restore the previous version of the files restore point.

SYSTEM RESTORE POINT:
Next, I want to run the System Restore back to 11/4/14.

WINDOWS UPDATE:
Then RERUN windows update and if it goes and gets all new versions of the same files again so be it. However, I don’t believe that it will. Because I believe these files have basically been “shadow-compiled” to the same name and wrapped with the same microsoft compile details with new versions that don’t exist and then the permissions changed so as to isolate them.

Before I give any advice I need to know which files have valid Microsoft signatures as they are false positives. Also detection of a virus in the quarantine folder does not count as an infection.

That in itself is interesting. But since this file has a valid signature it is a legit Microsoft file. There is no reason to worry.

and flagging it and I have been “blocking” the file because it’s one of the files with the 11/21 change date and bastardized permissions.
There are numerous files with Trusted Installer as owner

It’s actually the file that flagged me to everything. VirusTotal says the file is fine with a compile date of 11/22 even though the file’s date is 11/21 (perhaps there is a UTC timing problem there). So, is the file good or bad? VirusTotal says it’s fine. Comodo doesn’t recognize it. And on the platter, I can see the permissions are infected and I can see the file date is suspicious, like ALL the other FILES with the same bastardized permissions and the same file date +/- 2 hours.

Link to VirusTotal report: VirusTotal .

I changed the long post with File Detail information for a url to the analysis page to keep the topic more readable. Eric

Again, the file has a valid signature of Microsoft and is therefore a legit Microsoft file.

In short: I need to know what files you find suspicious have no valid Microsoft signatures and are not in a quarantine folder of CIS or other security solution.

Without that information we only have conjecture and speculation and no proof your system is infected.

Let’s start again with what I know.

1. Comodo was flagging MSSpellCheckingFacility.exe as “unrecognized” (I suspected the file)
2. MSSpellCheckingFacility.exe did not just have TrustedInstaller as owner. It also had a totally unrecognized “user ?” on my system with permissions to the file. (Added suspect to the file)
3. 29 other files with the exact same date had this unrecognized user? with permissions. The unrecognized user is “? S-1-15-2-1”
4. I ran a Comodo full scan. It didn’t find anything.
5. I ran MS MRT and it found 4 trojans which I listed
6. I ran ESET NOD32, eliminating the quarantined files, and it STILL found 2 more detections (viruses/trojan variants). One of the files Comodo had flagged as unrecognized but left it

  1. So the computer IS or WAS definitely infected because POST the comodo scan as detected by both MRT and ESETNOD32, trojans and viruses were found.
  2. The files are still suspect because 1, comodo marked at least one of them as suspect and 2, there is no reason for this unknown user to have permissions to this file unless that is some kind of mistake at Microsoft and they actually released the compiled file to the update service with a user still attached to it. I guess that is possible but I would call it complete ■■■■■■■ up.

I can’t really tell you all the files because there are 30 of them. Here let me see if I can put a list into a file. Ok, here is a list of the files.
11/21/2014 08:22 PM 490,496 dxtmsft.dll
11/21/2014 08:05 PM 316,928 dxtrans.dll
11/21/2014 07:49 PM 718,848 ie4uinit.exe
11/21/2014 07:03 PM 800,768 ieapfltr.dll
11/26/2014 07:43 PM 389,296 iedkcs32.dll
11/21/2014 08:35 PM 114,688 ieetwcollector.exe
11/21/2014 09:06 PM 4,096 ieetwcollectorres.dll
11/21/2014 08:49 PM 48,640 ieetwproxystub.dll
11/21/2014 07:43 PM 14,412,800 ieframe.dll
11/21/2014 08:40 PM 34,304 iernonce.dll
11/21/2014 08:49 PM 2,885,120 iertutil.dll
11/21/2014 08:50 PM 66,560 iesetup.dll
11/21/2014 08:37 PM 633,856 ieui.dll
11/21/2014 08:35 PM 144,384 ieUnatt.exe
11/21/2014 07:46 PM 2,125,312 inetcpl.cpl
11/21/2014 08:14 PM 77,824 JavaScriptCollectionAgent.dll
11/21/2014 08:34 PM 6,039,552 jscript9.dll
11/21/2014 08:34 PM 814,080 jscript9diag.dll
11/21/2014 08:41 PM 54,784 jsproxy.dll
12/11/2014 09:05 PM 0 junk.txt
11/21/2014 07:49 PM 800,768 msfeeds.dll
11/21/2014 09:13 PM 25,059,840 mshtml.dll
11/21/2014 09:06 PM 2,724,864 mshtml.tlb
11/21/2014 08:48 PM 88,064 MshtmlDac.dll
11/21/2014 08:08 PM 92,160 mshtmled.dll
11/21/2014 07:47 PM 1,359,360 mshtmlmedia.dll
11/21/2014 08:09 PM 199,680 msrating.dll
11/21/2014 08:26 PM 968,704 MsSpellCheckingFacility.exe
11/21/2014 07:15 PM 1,548,288 urlmon.dll
11/21/2014 08:50 PM 580,096 vbscript.dll
11/21/2014 07:28 PM 2,358,272 wininet.dll
31 File(s) 65,952,432 bytes

When it comes to detection of malware, there is too much malware produced for any scanner to be able to detect all malware at any given point in time. That’s why you always use multiple scanners in case of a suspected infection. It’s the way of the world.

I am not disputing your system was infected but I am not convinced the mentioned system files are affected. Can you see if under HKEY_USERS in the registry there is a branch with the name “S-1-15-2-1”?

To know for sure that a system file is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done navigate to the system32 folder, look up and select the file you want to check, click right and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.

Please check all the suspicious files with the signature checker or let Windows check their integrity with System File Checker: Use the System File Checker tool to repair missing or corrupted system files - Microsoft Support . Those are trustworthy procedures to tell whether system files are genuine ones.
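The signature check described above can be done for the whole batch of files at once instead of one file at a time through the Sigcheck context menu. The script below is an added example, not code from the thread or from Sysinternals: it lists every file in System32 whose last-write time falls in the window the thread reports (11/21/2014, 7 to 9 PM, assumed from the posts), checks each one's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, and reports the owner and whether any ACE on the file refers to the SID `S-1-15-2-1` mentioned above. It assumes an elevated PowerShell 3.0 or later prompt. For what it is worth, `S-1-15-2-1` is the well-known ALL APPLICATION PACKAGES SID introduced with Windows 8; Windows 7 has no name for it, which is why the permissions dialog shows it as “?”.

```powershell
# Added example (not from the thread): triage System32 files that changed in a
# given window, checking Authenticode signatures and ACLs for an unexpected SID.
# Assumes an elevated PowerShell 3.0+ prompt; all cmdlets used are built in.

$SystemDir  = Join-Path $env:SystemRoot 'System32'
$From       = Get-Date '2014-11-21 19:00'   # window taken from the thread (assumed)
$To         = Get-Date '2014-11-21 21:00'
$SuspectSid = 'S-1-15-2-1'                   # the "unknown user" reported above

# Files installed by Windows servicing are normally owned by TrustedInstaller,
# so that owner on its own is not evidence of tampering.
$ExpectedOwner = 'NT SERVICE\TrustedInstaller'

$report = Get-ChildItem -Path $SystemDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $acl = Get-Acl -Path $_.FullName

        # Does any access-control entry reference the suspect SID?
        # IdentityReference is an NTAccount when the SID resolves to a name and a
        # raw SecurityIdentifier when it does not (the "?" case on Windows 7).
        $hasSuspectSid = $false
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value
            }
            if ($sid -eq $SuspectSid) { $hasSuspectSid = $true }
        }

        [PSCustomObject]@{
            Name         = $_.Name
            Modified     = $_.LastWriteTime
            SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Owner        = $acl.Owner
            OwnerAsUsual = ($acl.Owner -eq $ExpectedOwner)
            HasSuspectSid = $hasSuspectSid
        }
    }

# Files whose signature is anything other than Valid deserve a closer look
# (SFC can repair them); a Valid Microsoft signature means the bytes are
# genuine regardless of how odd the ACL looks.
$report | Sort-Object SigStatus, Name | Format-Table -AutoSize
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object Name, SigStatus, Modified
```

A signature status of `Valid` with a Microsoft subject is the same evidence the Sigcheck context menu gives, so a file that passes here is genuine even if an unresolvable SID appears in its ACL. Anything reporting `HashMismatch` or `NotSigned` is a file to hand to `sfc /scannow`, as in the Microsoft Support link above, rather than something to delete by hand.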

Eric:
7 more files were added to system32 today. One of these files is: aepdu.dll
Comodo AV is actually complaining so much about this file trying to change the registry that I had to turn Comodo off just to use my computer. I went to VirusTotal to upload the file and the VirusTotal “choose file” dialog can’t see the file. It simply doesn’t show up in the file picker box for me to pick. However, I can plainly see the file in File Explorer. So how exactly can I check this file?
If I look at the properties, it says it’s a real Microsoft OS based file and it has a restore point as well.

In response to your other points: No, there is no user named “S-1-15-2-1”. There are a couple of entries for a similar user that has a classid attached to it:
HKEY_USERS\S-1-5-21-1529233804-752100026-2430352630-1000
HKEY_USERS\S-1-5-21-1529233804-752100026-2430352630-1000_Classes

Are you suggesting that in addition to virus software, you have a malware detection suite installed all the time as well like Malwarebytes Antimalware?

I have been having problems with this file and Comodo as well; perhaps it is relevant that there has just been a Windows update (W7 HP) on a laptop. Perhaps the ‘Fix’ that Microsoft issued today has something to do with it too??

Yeah, could be. It looks like the file was on an update that happened 8am this morning. The thing is this file has TrustedInstaller, but it does NOT have this weird user attached to it.

What I want to do now is GO BACK IN TIME. I want to run System Restore and force Microsoft to go back and get these updates over again if they are real. I’ve never done that before. If I do a system restore, will it go back to the shadow copies of these files and then re-update them? I don’t believe these Trojans were on my system for very long. I would like to go back to a known clean version of my registry just in case. Then if there are virus file remnants on my system they would be basically dead files with no way to initiate.

Comcity. Could you please check the signature of the files in system32 folder that you find suspicious as described in my previous post using the sigcheck shell extension?

Before I am willing to comment on things I need to know if these files have valid signature updates or not. That is the proof that I need to assess whether these are legit and untouched files. My advice on how to handle depends on the outcome of the signature checks.

This month’s update for root certificates with number KB 3004394 has officially been withdrawn by Microsoft. It is wreaking havoc on systems. People are getting UAC alerts for Task Manager and msconfig. Defender is said to be broken. Microsoft published a new update to remove KB 3004394: Install KB3024777 to fix an issue with KB3004394 on Windows 7 and Windows Server 2008 R2.

Maybe a problem with a Microsoft root cert update is also affecting CIS. I strongly advise installing the new update to fix the problems caused by KB 3004394.