Infection or FP? Real-time scanner alerts, but manual scan doesn't detect

I am running CIS v5.10.228257.2253 on my Win7 Ultimate x64 PC. I have no other real-time AV scanners installed. Each time I log in, I get an AV alert for:
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
Malware name=Backdoor.Win32.Turkojan.a38@122853176

I choose “Ignore Once”. When I then manually scan the file with CIS, there is no detection. It is not in D+'s Trusted Files list. I checked it with 3 upload services, and there are no detections (including Comodo):

The file came installed on this MSI laptop, but I am concerned that malware has overwritten it, or this is a symptom of malware coming from another file. Kaspersky TDSSKiller found nothing. A Smart Scan by CCE found nothing.

In the past, I added this EXE to the Trusted Files list. Recently, however, I got alerts on two other EXEs with the same malware name. The alert came a few minutes after they were launched. I am not able to reproduce the alert on these other two EXEs, for which VirusTotal has no detections. Therefore, I removed MGSysCtrl.exe from the Trusted Files list so I could investigate this strange alert behavior.

Could it be that CIS is detecting Backdoor.Win32.Turkojan.a38 on these processes in memory? That could explain why scans of the EXE files show no detections. Before I continue investigating whether this is really malware or a CIS FP, I need to understand why CIS is behaving this way. Please help.

The file belongs to MSI and is capable of recording keyboard input: MGSysCtrl.exe Windows process - What is it? Maybe that’s why it only gets detected in memory and not on disk (just thinking out loud)…

Can you go through the D+ logs (View Defense + Events) and AV logs (View AV Events) to see what other files triggered the same detection? That way we will get more clarity.

Because CIS will protect .exe files, it is not very likely that the MSI file is infected. So chances are that it could be a f/p detection here. But first I want to learn more about the other detections.

Could you also check the stamp on the MGSysCtrl.exe file when it was last changed. If it was last changed a year ago it is not likely to be infected…
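
The last-changed check suggested above, extended with the Authenticode signature and a SHA-256 hash so the on-disk file can be compared with the copy uploaded to the scanning services. This is an added example, not part of the original thread; the function name `Get-FileTriage` is hypothetical, and the script uses only calls available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: collect triage facts for files flagged by the real-time scanner.
# The path below is the one reported in the thread; append the other flagged EXEs.
$paths = @('C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe')

function Get-FileTriage {   # hypothetical helper name
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found (possibly quarantined): $Path"
        return
    }

    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Hash via .NET, because Get-FileHash does not exist before PowerShell 4.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try {
        $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }

    New-Object PSObject -Property @{
        Path            = $item.FullName
        Created         = $item.CreationTime
        LastWritten     = $item.LastWriteTime
        SizeBytes       = $item.Length
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        SHA256          = $hash
    }
}

$paths | ForEach-Object { Get-FileTriage -Path $_ } |
    Select-Object Path, Created, LastWritten, SizeBytes, SignatureStatus, Signer, SHA256 |
    Format-List
```

Timestamps can be changed by software, which is why the signature status and hash are reported alongside them; a `HashMismatch` status means the file no longer matches what was signed.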


I created an account just to reply here.

I have an MSI laptop with Win 7 64 bit and something is not right.

I have CIS premium 5.10 with virus signature 13065.

Now it’s getting annoying: Comodo is detecting and putting more files into quarantine. The thing is even funnier with LOL (League of Legends). Comodo is putting the league of legends.exe file into quarantine ONLY if I’m using a web browser (Firefox) during the game (I like to check heroes builds). When I just play the game and there is no web browser in the background, then there is no backdoor.win32.turkojan.a38[at]122853176 detection…

So far I had detections inside:
The Binding of Isaac (small game from Steam)
Warlock Master of Arcane game (Steam)
League of Legends
Dota 2 (Steam)

I scanned the files manually and sent them to VirusTotal, but again there is no turkojan detection.

Detection happens only by the real-time scanner.

I checked my system with OTL and HijackThis, and did a full system scan with Comodo (!), but I have found nothing.

So it really looks like Comodo doesn’t like MSI Win7 64 bit laptops, or there is a really clever and sneaky trojan out there.

I hadn’t had any problems with MGSysCtrl.exe so far

Please help