Comodo update blocked, antivirus websites blocked, hosts file gets corrupted

OS: XP SP3
Comodo Version: 3.12.111745.560
Virus Sig. Database version: 3103

Hello,

I have had this problem for a couple of weeks. One day I noticed that Comodo wasn’t doing the automatic updates as it usually does. I tried going to the website and it was blocked. At first, I thought I had a problem with the Internet connection, but other websites still worked. Out of curiosity, I tried going to avg.com and that didn’t work either! It turns out that all major websites for antivirus companies were blocked. So I immediately suspected that it was some type of malware that had corrupted my system in some way. Very clever indeed! What will they think of next?

Anyway, I searched on the net for a solution and found the same problem. They said that the ‘hosts’ file was corrupted and that I needed to replace it. So I downloaded a new hosts file (XP version) from them and replaced the existing corrupted one located at:
C:\WINDOWS\system32\drivers\etc

After this, they recommended that I enter Command Prompt and enter this command:
net stop dnscache

I then restarted my browser and tried going to Comodo.com and it worked. I then hit the update on Comodo and that worked also. This solved the problem temporarily though. The next day the same problem happened. I have been repeating the process for a week now and it is getting tedious!

I still suspect that something is wrong. Whenever I update the virus database, it takes only a second. It reaches 5% and then notifies that everything is updated and goes green. Maybe it’s a trick? I don’t know. My virus database version is 3103.

I think I got this virus/malware when I went to France and put my USB drive into someone’s computer (no pun intended!). :wink: It wasn’t a French computer but one from Ghana, Africa! Immediately I started having problems with my USB. I still am not able to format it, as it says that there is a process happening. I tried doing a hard format in Drive Management and it formatted, but a ‘Recycler’ folder remains on there; it appears for a second and then disappears. Comodo located a strange file called kure.exe that was in the processes. I stopped this and deleted the file. I also submitted it to Comodo for analysis. I don’t know if this USB problem is related to the hosts file that keeps on getting corrupted, but both problems started happening at the same time.

Here are the messages I get when I plug in my USB drive:

First I get a Comodo defense alert for rundll32.exe trying to execute jwgkvsq.vmx (see uploaded picture)

Then after a minute, I get a Windows RUNDLL error message regarding jwgkvsq.vmx - access denied (also picture uploaded)

Does anybody know how to solve this problem permanently? I’m sure the Comodo staff have heard of this problem and may have a solution for it already. Please help! I would really appreciate any guidance!

Ramsey

[attachment deleted by admin]
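The daily symptom above (AV vendor sites unreachable until the hosts file is replaced) can be checked for directly instead of by trial and error. The following is an added example, not code from the thread or from Comodo: it parses a Windows-style hosts file and flags entries that map security-vendor domains, or any non-localhost name, to a loopback or unspecified address. The hosts content and the list of watched domains are constructed for the example.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains (added example)."""
import ipaddress

# Vendor domains mentioned in the thread plus a few common ones (assumption).
WATCHED_SUFFIXES = ("comodo.com", "avg.com", "kaspersky.com", "avira.com", "virustotal.com")
# The only names that legitimately point at loopback in a stock Windows hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a stock header line, the default entry, then tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.comodo.com      # constructed tampered entry
127.0.0.1       avg.com             # constructed tampered entry
0.0.0.0         forums.comodo.com   # constructed tampered entry
10.0.0.5        intranet.example    # constructed legitimate local mapping
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and junk are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def suspicious_entries(text):
    """Flag watched vendor domains and any other name sent to loopback/0.0.0.0.

    Note: ad-blocking hosts lists also use loopback entries, so the second
    class of hits needs a human look; the vendor-domain hits rarely do.
    """
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched or addr.is_loopback or addr.is_unspecified:
            flagged.append({"line": line_no, "ip": ip, "host": name, "watched": watched})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line {line}: {host} -> {ip} (vendor domain: {watched})".format(**hit))
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `text` instead of the sample; a clean XP hosts file yields no hits.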

Are you using the full suite with default settings? If yes, then I think the Comodo sandbox should sandbox the autorun malware from the USB. The expert guys here will definitely help you. Have you tried the section in the forum on what to do if the system gets infected? Meanwhile, try the things mentioned there. Hope that solves your problems.

regards
naren

Looks like a nasty infection, please read this post here for some guidance
https://forums.comodo.com/virusmalware-removal-assistance/what-to-do-if-youre-infected-experience-rev3-t41380.0.html

Thanks guys for your advice. I really appreciate it.

I did realize after you suggested sandboxing that my version didn’t have that feature. So I downloaded the latest ‘Premium – free’ full-suite package which has it. Thanks Naren for that advice. So my plan is to do a full system check using Comodo with the latest updates and then I will proceed to the post that Ronny suggested (what to do if you’re infected) and share the log files. I am hoping that this will solve it.

Naren: regarding your suggestion about sandboxing the autorun malware, it didn’t work. As soon as I installed CIS 4.1 it started sandboxing certain processes. But when I insert my USB drive, it detects the malware but doesn’t give the option to sandbox it. It simply prompts:

 A malicious item has been detected!

 Name: unclassified Malware@8414303

 Location: G:\autorun.inf

Then it gives the options:

 Clean: Disinfect or Quarantine

 Ignore options…

If I clean it, the autorun file doesn’t show in Explorer, but it will detect it again the next time I plug in the USB. If I don’t clean it, when I open the drive in Explorer the autorun file shows. After the new Comodo version install, and after I cleaned the malware off the USB, I can now finally format the drive. But the next time I insert it, the same happens. I wonder if it is really formatting it or not? Maybe it is, but when I reinsert it the malware gets transferred onto it again? I think this is what is most likely happening.

Is there any way in CIS of guiding the sandboxing to the USB and detecting it?

So far, it doesn’t seem to be doing any harm to my computers (3 got infected with the exact same problem) except for blocking AV updates and having to manually repair the hosts file and do the net stop. I am doing this every day and it is really getting annoying. I am considering reformatting all 3 but it will be a lot of work.

Can you refer this problem to other Moderators to see if they have seen this before and possibly have a simpler solution? If not, I will carry on with downloading all those programs and attempting to clean it and sending you guys the log files.

Thanks for all your help guys!

Waiting for your replies. Ramsey

I just completed the full scan of one of the computers. I just thought it might help my case if I made available a picture of the results.

Here it is. 5 threats total.

Check out the image below please. Thanks.

[attachment deleted by admin]

Sorry Naren, I failed to notice the sandbox options on the new GUI of the latest CIS version. I finally found it on the Defense+ tab on the left, which is new; I’m not used to it yet. I tried to guide the sandbox to the autorun.ini file but it could not be located.

Funny, sometimes it stays on the drive and sometimes it shows for a second and then disappears. Other times it doesn’t show at all.

I forgot to mention this earlier: when I try to go to the folder settings in Windows Explorer, go to the ‘View’ tab and select ‘Show hidden files and folders’, it doesn’t work. Even after applying, no hidden files show, and when you go back to check the same settings, the option is NOT selected and is still on ‘hide’ mode. So this malware has placed a block on that feature, making it impossible to see the hidden files.

Can you please go through your flash drive and upload every executable file you find to virustotal to see if they’re malicious. (I’m assuming there aren’t too many.) It’s possible you’ll be able to identify the culprit this way. Please post links to any of them you’re not sure about.

This sounds like there is a file on your flash drive that is currently not detected, but is creating processes that are.

Also, please check out my guide:
https://forums.comodo.com/virusmalware-removal-assistance/what-you-need-to-know-about-removing-infections-and-securing-your-computer-t56725.0.html
Try running scans with the programs listed. Let us know how it goes.

Thanks for the tip. I have managed to find only 1 file on my flash drive called “autorun.inf”. I have uploaded it to Virustotal.com and it reports that the file has been already analyzed. Here is the link to the report:

http://www.virustotal.com/analisis/dfc1f69b3efc968310ed8901eda055ea40fa488059a6a3763c356539820ccc3e-1279009388

I have no idea what this information means… but maybe it will be helpful to you guys.

I will read your guide Chiron. Thanks

It’s malicious. Is this the file that was being detected?

Either way, delete it and see if it comes back.

Also, you may just want to get all of your important information off the flash drive and then reformat it. This way you won’t have to worry about it.

Thanks again,

Yes, I know it is malicious even without the VirusTotal scan, because it appears and disappears as it wants. Sometimes I delete it manually and the next time I pop it back into the USB port it is back! Other times it is hidden, Comodo detects it, I click clean, and it just comes back on the USB drive the next time. Also, even if you format the drive, it comes back. It may be coming back from the computer to the drive again, because a format should be a format, right?

Also, it does not allow me to set the “view hidden files and folders” option. This is blocked in Windows. I have to attempt to clean my computer first to see if I can salvage it or not. If not, I will format the heck out of it, which is not preferable. We’ll see what happens.

Thanks for your help :slight_smile:

Also, even if you format the drive, it comes back.
I would check to see if your MBR is infected! Also check to make sure you don't have any secret drives on the computer (like most Windows machines have a C:\). If you have any other drives, scan them for malware. If there is another drive on the computer, post some details about it here before you consider deleting that drive. (Some computer manufacturers store stuff on a different drive, which is why I say that.)

I would recommend doing a bootable scan. I would use two scanners: one is the Dr. Web CD ftp://ftp.drweb.com/pub/drweb/livecd/minDrWebLiveCD-5.0.3.iso (download the ISO and burn it to a CD) and the other is the Kaspersky Rescue CD http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/kav_rescue_10.iso (same thing: burn to CD and run). Boot from the CD, do an update and fix whatever they find. Make sure you have your USB drive plugged into the computer before booting from that CD; that way it will see it and scan it also.

It’s only that you have Comodo 3 when you are supposed to have v4.

I have installed ver. 4. That was an old message that has ver 3 written in it.

Thanks for all of your help. I appreciated it!

jay2007tech:

I checked and there are no invisible drives.
I could not find out how to check my MBR for errors. I searched and found that the Chkdsk command in DOS will reveal if the MBR is corrupted. Is this true? Or is there a better way to check the MBR? Chkdsk finds some errors, but I cannot fix them until I restart the system, which I will do now.

languy99:

I am downloading those bootable scan programs that languy99 recommended. Thanks for that advice.

Hello All,

Good News! I just wanted to announce to you all that I got the problem resolved finally. Someone at work had an extra yearly subscription to Kaspersky Anti Virus 2011 and I thought I would give it a try.

I installed it and did the update and ran a complete scan. It detected all the viruses and malware on my computer, deleted some of them and quarantined the rest. After this (the next day) I tried to access the Comodo website and it worked! No more block on AV websites and updates. The damage was reversible, it seems, and the hosts file is no longer getting corrupted every day like before.

I popped in the USB and it detected a whole load of viruses and dealt with them swiftly. I then did a format and the USB drive was clean and like new. No more viruses on it! Now, I don’t have to go through the trouble of formatting and reinstalling all of the data and programs!

I have attached logs of all the deleted, quarantined and suspicious files that were on my USB for your information. Many were the same that Comodo detected but wasn’t able to resolve. I do like Comodo very much and like to always support something new and developing but it was not able to cure my computer like Kaspersky was. I must give credit where credit is due.

Thanks anyway for all of your input. I do appreciate your help very much. I hope that these logs can benefit the people at Comodo to further improve their product.

Best regards,

Ramsey

[attachment deleted by admin]

Is there any way in CIS of guiding the sandboxing to the USB and detecting it
Probably, but how about a better way of PREVENTING the USB memory stick from infecting your computer again :)
  1. Click on the “Start Menu” and then click on “Run”
  2. type in gpedit.msc
  3. click on “Administrative Templates”
  4. Click on “system”
  5. The right side pane called “Turn off Autoplay” Click on “disable”
  6. Problem Solved :-TU

As for checking to see if your boot record has been tampered with (Do this)
Download Security Software for Windows, Mac, Android & iOS | Avira Antivirus
Run it (I’m not sure if you have to burn it to a cd, as it’s been a while). It’ll fix the damage, if any.

I popped in the USB and it detected a whole load of viruses and dealt with them swiftly.
Here's a good question for you!

Before you popped in the USB memory stick, where else had it been before you put it in your computer? THAT computer was probably infected and then infected your USB memory stick, then you put it in your computer and infected it too! :o

That your virus has been “deleted” doesn't mean that the related problems have been deleted! (The obvious example for what I am saying is the fact that Comodo told you it had deleted the file, and then it came back the next day. Maybe Kaspersky would say that on another virus, and the next day would show it wasn't true.)

The antivirus may have thrown the thief out of your house, but if he opened a backdoor, maybe it's still open.
The same goes for your favorite banking homepage, which might be a twin-looking fake of the real one when you visit “it” the next time.

In your case, I definitely would not hesitate to do a clean reinstallation of the operating system partition!

And about Kaspersky: I have a free license for a year, but I don't think I will use it. I am fine with Comodo Firewall and Defense+, and for antivirus I use Avira Free Edition. As an on-demand scanner I use anti-malwarebytes free edition, 5 MB big, but better than most antivirus programs out there.

You should ask yourself how a virus could install itself and download additional malware from the Internet WHEN you use Comodo. Something could be wrong with your settings.
There is no need to think that you have to pay a lot of money each year to get a good program. Just look for the nice free ones. In the right combination you will beat most of the paid programs out there.

clockwork: Thanks for your advice. I will consider what you wrote.

jay2007tech: Thanks for the tip for disabling the autorun.

About anti-malwarebytes (free):
Use it as an additional opinion, not as a standalone on-demand antivirus. Its database is very small, but it's one of the most powerful additions to a usual antivirus.
Anti-malwarebytes is specialized in “new, undetected” samples that other programs don't find. So in tests with old samples, anti-malwarebytes often has bad results.
But that's not the goal of this program! It's a partner for a normal antivirus program.
Each time I could see (on other machines) how it found malware AFTER another antivirus said “all clean!”, I became sure that no program is perfect.