Defense+ notifies that some applications tried to modify other executables/registry keys

Hi guys,

These last few days I keep receiving notifications from Defense+ that some applications could not be recognized and are about to modify the contents of some other executable files, or some other applications’ registry keys.

Is this trojan or virus behavior? My virus database is always up to date and the scan result didn’t show any virus, nor is the computer showing any strange behavior other than these notifications. I also didn’t find any unrecognized process in the task manager. But these notifications keep popping up; the application in question keeps changing, but it is always one of the ones running in the background.

Can anyone suggest what I should do next?

[attachment deleted by admin]

I guess other members will be more helpful anyway, but before anyone else notices this topic, please submit a few of the applications that triggered these alerts to

or

http://virusscan.jotti.org/

or

http://virscan.org/

PS: what CIS version and Virus Signature Database version are you using? (click the CIS Miscellaneous button → bottom right, click About)

AsusProbe itself is a valid application. Because of what it does, I myself have marked it as Trusted and placed the Asus folder as one of my protected files.

Thanks Endymion, it turns out I might have a virus or malware infestation after all. When I tried those three links, the browser timed out on all three of them. I thought that was weird, since I can still open other regular sites normally; how can these three time out at the same time? So I tried to open several other antivirus websites (Symantec, Trend Micro, BitDefender, etc.) and I can’t access any of them. SAS and ASC didn’t find anything. Norman Malware Cleaner can’t run at all. I tried to boot into safe mode, but the computer always restarted before starting Windows. Will try to boot with Hiren’s Boot CD and scan from the command prompt now.

I used CIS 3.8.65951.477, virus database version 1157.

PS: Maybe this thread should be moved to Virus/Malware Removal Assistance?

The latest DB version is greater than 1276; can you manually update the DB?

It should be possible to access Virscan browsing to http://222.171.15.73/

Then submitting 3-4 samples of those background apps that triggered the same alert you attached in the first post could provide more info.

Yes, the virus must have prevented the update. There is no error message though; it appears as if CIS was updated successfully. On the Summary screen, the date of the virus database update is today’s date.

I have found out that the virus is Win32:Sality, detected by Avast on another computer. I found another thread on the forum mentioning the same virus not being detected by CIS. More than 300 files were infected; Defense+ was only preventing several of them.

I downloaded and ran the utility to fix the registry key infected by the virus, which had made the computer unable to enter safe mode, then ran Grisoft’s Sality remover tool. So far everything is normal.


https://forums.comodo.com/index.php?action=dlattach;topic=40843.0;attach=34584
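A file infector like the one described above touches many executables, and a behavior blocker such as Defense+ only raises an alert on the ones it happens to intercept. A baseline hash comparison shows the full extent of what changed. The script below is an added example, not code from the thread or from Comodo: it hashes executables under a directory, stores the baseline, and reports files that were modified, added or removed, using a constructed temporary directory as sample input.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a file infector typically targets; adjust for your environment.
EXEC_SUFFIXES = {".exe", ".dll", ".scr"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each executable (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def compare(root, baseline):
    """Return which baseline files changed, vanished, or appeared since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tree, then simulate an infector appending to one file and dropping another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "a.exe").write_bytes(b"MZ" + b"\x00" * 100)   # sample executable
        (root / "bin" / "b.dll").write_bytes(b"MZ" + b"\x01" * 100)   # sample library
        (root / "readme.txt").write_bytes(b"not an executable")      # ignored by suffix filter
        base = build_baseline(root)
        with open(root / "bin" / "a.exe", "ab") as f:
            f.write(b"\xcc" * 16)                                    # simulated appended code
        (root / "bin" / "dropped.exe").write_bytes(b"MZ")            # simulated dropped file
        return compare(root, base)
```

Run `demo()` to see the report; on a real system you would persist the baseline (for example as JSON) from a known-clean state and re-run `compare` after the cleanup to confirm nothing else was touched.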

The latest CIS AV DB detects Sality, thus it was a somewhat unfortunate occurrence that the DB wasn’t updated.

The current AV DB version is equal to or greater than 1278.
If you still cannot update, it would be reasonable to open another topic to troubleshoot this issue.

I’ve read that thread before but, despite being explicitly asked a few times, the OP was apparently not interested in posting a link to the VirusTotal and CIMA reports.

BTW, did you preserve some of these samples and send them to http://222.171.15.73/ (virscan) like I suggested?

Can you reach the previously mentioned sites using their common addresses again?

Defense+ should be able to prevent the infection in the early phases if the vector (the infected executable that originated the infection) is not manually safelisted.
Still, in more advanced phases D+ was able to point out some suspicious behavior.

[attachment deleted by admin]

Sorry, 3.8 does not update the virus database; you have to update to 3.9 to receive virus updates.
Dennis

CIS has just finished updating now. A big one; it took more than one hour on my cable connection. My virus database version is now 1278. I didn’t get to save any sample because my infected computer was unable to connect to the site, while on my other computer, access to the infected file was directly blocked by Avast. I will try to scan the rest of the network and will submit a sample if I find any. Thanks for the help guys :slight_smile:

You’re welcome. :slight_smile:

Not sure why it took so much time on your setup, as the updates are often carried out in minutes.

BTW, as I may have misunderstood your post, can you confirm you attempted to connect to http://222.171.15.73/ (virscan) and were unable to?

Perhaps the virus had been on my system for quite some time, preventing CIS from downloading the updates. Now that it has been removed, the cumulative update files are relatively big, so it took a while to download.

Yep, I was unable to visit virscan and other antivirus-related websites before, but now I can visit them all.

Indeed, that’s why I asked, as in such cases visiting http://virscan.org/ may yield different results from visiting http://222.171.15.73/, although both point to the same virscan website.

Well, I didn’t get to try using the IP address since the virus was already removed by the time I got to your post. My guess is I might be able to open the index page, but would have problems submitting files or visiting other pages on the website if the virus works by blocking access based on certain words in the address. I might be wrong though, CMIIW.