Comodo saved my ass - the importance of layered security and a good firewall.

I have been using CPF for a couple of months now. Previously I had been “borrowing” a neighbor's wireless. I just installed a cable modem as I was in need of something more stable. Anyway, I did not put in a hardware FW as I had been using CPF and did not want to spend the money.

The other day I was having some problems and turned CPF off for a minute to test something, then turned it back on after about 1 minute. I was talking to someone on VoIP when I got an Application Monitor security alert, which I ignored for a few seconds; soon I had twenty-plus alerts showing I had denied access. I looked at my security log: my PC was trying to flood the network with connection attempts. Below is a short sample of the log, which had been cleared just a minute before; within 2 minutes the log file exceeded 3 MB.

Date/Time :2007-06-05 22:00:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (qvfcauz.exe:190.85.84.225: :2967)
Application: C:\WINDOWS\system32\qvfcauz.exe
Parent: C:\Archivos de programa\Symantec AntiVirus\winupd3.exe
Protocol: TCP Out
Destination: 190.85.84.225::2967

Date/Time :2007-06-05 22:00:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (qvfcauz.exe:190.195.19.57: :MS-ds(445))
Application: C:\WINDOWS\system32\qvfcauz.exe
Parent: C:\Archivos de programa\Symantec AntiVirus\winupd3.exe
Protocol: TCP Out
Destination: 190.195.19.57::MS-ds(445)

This repeated ad infinitum with ports 445 and 2967 and any address in the 190.X.X.X range.

I think it got on my PC using a Symantec AV security vulnerability, and I try to keep everything patched. Neither Symantec nor BOClean picked it up, but when I turned CPF back on, after a couple of seconds CFP picked up the traffic and blocked it. I quickly finished what I was doing, disconnected from the Internet and did a search for both:
“qvfcauz.exe” found nothing, as this is probably a random name
and
winupd3.exe did not find much, 7 entries in Google; this surprised me.
The only real thing of interest was
here http://fileinfo.prevx.com/adware/qqdc4f98800118-WINU42153739/WINUPD3.EXE.html
and I was not sure if I trusted this site.
Did a HijackThis scan. Here is a very summarized list:
Running processes:
C:\WINDOWS\system32\qvfcauz.exe

O4 - HKLM..\Run: [Windows Service Agent] qvfcauz.exe
O4 - HKLM..\RunServices: [Windows Service Agent] qvfcauz.exe

Updated Symantec with a file downloaded to a different PC.
Booted into Safe Mode and scanned the PC.
Symantec found W32.Spybot.Worm.
One of the details in the technical details is:
May drop Hacktool.Rootkit to hide the worm from the process list and register the hacktool as a service.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

Lessons learned, all of which I knew and failed to follow:

  1. It is best to have layered security.
    1a) Run both a hardware firewall and a software firewall. Software firewalls tend to be a bit more robust and have more features; however, all things have their weaknesses.
    1b) If you don't have both, never connect to the Internet with your software firewall turned off; even the Windows firewall might have prevented this.
  2. No antivirus is perfect (both BOClean and Symantec missed this).
  3. Comodo Personal Firewall 2.4.18.184 with Application Monitor, Component Monitor, Network Monitor and Application Behaviour Analysis is a good firewall. I think it might have saved me a lot of problems.

Thank God I kept good backups, because the only way I know of to be sure to remove a rootkit is 1. format the drive, 2. write 0s to the drive, 3. reload and 4. restore.

What a pain (:AGY)

Oh well, thanks Comodo, you stopped it before it could get worse and someone got into my PC (L)
I can't wait for V3. It should be out tomorrow in beta :THNK

Lesson learned this time before I had major problems. I hope!!
Opus Dei
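The log above is worth more than a scare story: the tell is not any single denied connection but one process fanning out to many distinct hosts on the same couple of ports within seconds. The script below is an added example for this thread, not code from the original post or from Comodo. It parses records in the same layout as the Application Monitor entries quoted above, then flags any application that reaches a threshold of distinct destination hosts on a scan port inside a short window, so a legitimate download to one host never trips it. The sample events, the 60-second window, the host-count threshold and the browser paths are all assumptions made for the example, not CPF settings.

```python
"""Flag worm-style outbound fan-out in Comodo Personal Firewall (CPF) log records.

Added example for this thread; not code from the original post or from Comodo.
The record layout copies the Application Monitor entries quoted in the post.
The sample events, the 60-second window and the host-count threshold are
assumptions made for the example, not CPF settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {445, 2967}          # SMB and the Symantec AV port seen in the post
WINDOW = timedelta(seconds=60)    # assumed: judge each process on one minute of traffic
MIN_DISTINCT_HOSTS = 4            # assumed: this many new hosts in a window is scanning

# One record in the quoted CPF layout; used only to build the constructed sample.
RECORD = """\
Date/Time :{ts}
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied ({exe}:{host}: :{port})
Application: {app}
Parent: {parent}
Protocol: TCP Out
Destination: {host}::{port}"""

WORM = (r"C:\WINDOWS\system32\qvfcauz.exe",
        r"C:\Archivos de programa\Symantec AntiVirus\winupd3.exe")
BROWSER = (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\WINDOWS\explorer.exe")

# Constructed events: (timestamp, (application, parent), host, port as CPF prints it).
SAMPLE_EVENTS = [
    ("2007-06-05 22:00:58", WORM, "190.85.84.225", "2967"),
    ("2007-06-05 22:00:58", WORM, "190.195.19.57", "MS-ds(445)"),
    ("2007-06-05 22:00:59", WORM, "190.12.3.4", "MS-ds(445)"),
    ("2007-06-05 22:00:59", WORM, "190.200.1.9", "2967"),
    ("2007-06-05 22:01:00", WORM, "190.77.8.1", "MS-ds(445)"),
    ("2007-06-05 22:01:10", BROWSER, "64.233.187.99", "80"),
    ("2007-06-05 22:01:12", BROWSER, "209.85.171.100", "80"),
]
SAMPLE_LOG = "\n\n".join(
    RECORD.format(ts=ts, exe=app.rsplit("\\", 1)[-1], host=host, port=port,
                  app=app, parent=parent)
    for ts, (app, parent), host, port in SAMPLE_EVENTS)

# "190.85.84.225::2967" or "190.195.19.57::MS-ds(445)" -> host and numeric port
DEST_RE = re.compile(r"^(?P<host>[\d.]+)::(?:[^()]*\((?P<p1>\d+)\)|(?P<p2>\d+))$")


def parse_records(text):
    """Split blank-line separated CPF records into dicts with parsed time/host/port."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)   # split on the first colon only
            if m:
                fields[m.group(1).strip().lower()] = m.group(2).strip()
        dest = DEST_RE.match(fields.get("destination", ""))
        if "date/time" not in fields or not dest:
            continue  # not a connection record
        records.append({
            "time": datetime.strptime(fields["date/time"], "%Y-%m-%d %H:%M:%S"),
            "application": fields.get("application", ""),
            "parent": fields.get("parent", ""),
            "host": dest.group("host"),
            "port": int(dest.group("p1") or dest.group("p2")),
        })
    return records


def find_scanners(records, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Report each application that hit >= min_hosts distinct hosts, at least one
    of them on a scan port, inside one window. A download to a single host never qualifies."""
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec["application"]].append(rec)
    alerts = []
    for app, recs in by_app.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):          # slide the window over each start record
            hosts, ports = set(), set()
            for rec in recs[i:]:
                if rec["time"] - first["time"] > window:
                    break
                hosts.add(rec["host"])
                ports.add(rec["port"])
            if len(hosts) >= min_hosts and ports & SCAN_PORTS:
                alerts.append({"application": app, "parent": first["parent"],
                               "hosts": len(hosts), "ports": sorted(ports),
                               "ranges": sorted({h.split(".")[0] + ".x.x.x" for h in hosts})})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in find_scanners(parse_records(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample it reports qvfcauz.exe (parent winupd3.exe) with 5 hosts on ports 445 and 2967, all in 190.x.x.x, and stays quiet about the browser. The parent path is carried into the alert on purpose: a "Symantec AntiVirus" binary spawning a random-named executable in system32 is the second thing you would want to see on the screen.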

7/1/07
Last night I got the latest greeting card virus and had to format and restore from DVD. CFP caught it, but as is often the case the user, in this case me, clicked “Allow” without really thinking until too late. I was playing with things I should not have been playing with outside of a VM. CFP 3.0.2.5 caught it, but at the time I was updating Java and was being inundated with popups, so I was clicking away without reading the prompts. Something popped up that I thought looked suspicious: a file called C:\Windows\System32\COM\promngr.exe was downloading from the Internet. I clicked Allow and then thought that did not look right. So I began to snoop around and found my HOSTS file had been edited to loop back many security sites, including Symantec.com. I had been at that site 5 minutes before downloading updates. I went to look at the C:\Windows\System32\COM\ directory and promngr.exe looked out of place. I scanned my system with Symantec with virus definitions from the same day and found nothing; scanned just promngr.exe, nothing. I had just read that Symantec still did not have defs that detected this virus as of 6/29/07, 2 days before. Afterward my network browsing ability was gone; I could not visit Symantec nor McAfee. I figured the safest and easiest was to format and restore to a known good point in my system.

Another display of CFP’s power
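The HOSTS edit described in that post is the cheap, reliable trick: point the vendors' update and download names at 127.0.0.1 and the victim cannot fetch the definitions that would catch the dropper. The script below is an added example for this thread, not code from the original post or from Comodo. It parses a hosts file the way the resolver does (comments, inline comments, tabs, several names on one line) and reports any vendor name the file maps at all, separating loopback/0.0.0.0 "sinkhole" entries from redirects to some other address. The vendor watch list and SAMPLE_HOSTS are constructed for the example; the Windows hosts path is the standard location, assumed as the default here.

```python
"""Spot HOSTS-file hijacks that sinkhole or redirect security-vendor domains.

Added example for this thread; not code from the original post or from Comodo.
The vendor watch list and SAMPLE_HOSTS are constructed for the example; the
Windows hosts path is the standard location, assumed as the default here.
"""
import os

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # assumed default location

# Domains a clean hosts file has no reason to map at all (constructed watch list).
WATCHED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "mcafee.com",
                   "comodo.com", "microsoft.com", "windowsupdate.com")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a default file plus the kind of edits the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com   # tab-separated, inline comment
0.0.0.0   download.mcafee.com
66.1.2.3  liveupdate.symantec.com
192.168.1.5     printer.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every name in the file, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        ip, *names = line.split()            # any run of spaces/tabs separates fields
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True for a watched domain or any of its subdomains (not for look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return every watched name the file maps: 'sinkhole' for loopback/0.0.0.0,
    'redirect' for any other address (a fake update server is worse than no server)."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_watched(name):
            findings.append({"host": name, "ip": ip,
                             "kind": "sinkhole" if ip in SINKHOLE_IPS else "redirect"})
    return findings


if __name__ == "__main__":
    # Check the live file if it is readable here, otherwise the constructed sample.
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"{f['kind']:8} {f['host']} -> {f['ip']}")
```

A suffix match is used rather than a substring match so that "notsymantec.com" does not fire while "liveupdate.symantec.com" does. On a box where malware has already run, read the file from a clean boot or another machine: as the reply below notes, anything that can rewrite HOSTS can also lie about timestamps, and a rootkit can hide the edit from the running system.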


In the C:\Windows\System32\COM directory, what are the Date Accessed/Created/Modified? I’m sure malware can disguise them to whatever it wants, but just curious if we can rely on Windows to sort by the latest date & time when performing a full system search for suspicious files.