Is this infection genuine?

I have been trying to sort out a possible infection with the security section of another site, during the course of which I have run BitDefender and also done an online scan with VirusTotal (www.virustotal.com).

All the scans are suggesting that the following file is infected (see VirusTotal scan log) and I have been told to uninstall Comodo and reinstall.

However, as VE is a separate product I would like to see if anyone can offer any help as to why the various anti-virus engines are reporting an infection before taking any action.

C:\Program Files\Comodo\VEngine\VEngine.exe

Antivirus          Version         Last Update  Result
AhnLab-V3          2008.2.20.0     2008.02.20   Win32/Duel.B
AntiVir            7.6.0.67        2008.02.21   W32/Patched.AF
Authentium         4.93.8          2008.02.21   W32/Resourcer.A
Avast              4.7.1098.0      2008.02.20   Win32:Patched-DL
AVG                7.5.0.516       2008.02.21   Win32/PEPatch
BitDefender        7.2             2008.02.21   Win32.Cuter.A
CAT-QuickHeal      9.50            2008.02.20   W32.Luder.C
ClamAV             0.92.1          2008.02.21   W32.Cuter
DrWeb              4.44.0.09170    2008.02.21   Trojan.Inject.351
eSafe              7.0.15.0        2008.02.20   -
eTrust-Vet         31.3.5552       2008.02.21   Win32/Resourcer.A
Ewido              4.0             2008.02.20   -
FileAdvisor        1               2008.02.21   -
Fortinet           3.14.0.0        2008.02.19   W32/Patched.AF
F-Prot             4.4.2.54        2008.02.20   W32/Resourcer.A
F-Secure           6.70.13260.0    2008.02.21   Trojan.Win32.Patched.af
Ikarus             T3.1.1.20       2008.02.21   -
Kaspersky          7.0.0.125       2008.02.21   Trojan.Win32.Patched.af
McAfee             5234            2008.02.20   W32/Resourcer
Microsoft          1.3204          2008.02.20   Virus:Win32/Resourcer.A
NOD32v2            2891            2008.02.21   Win32/Pecutex.A
Norman             5.80.02         2008.02.20   -
Panda              9.0.0.4         2008.02.20   W32/ZlFake.A
Prevx1             V2              2008.02.21   -
Rising             20.32.30.00     2008.02.21   Virus.Win32.Agent.b
Sophos             4.26.0          2008.02.21   Troj/RunPatch-A
Sunbelt            3.0.884.0       2008.02.19   -
Symantec           10              2008.02.21   Trojan.Patchep!inf
TheHacker          6.2.9.225       2008.02.21   W32/Patched.af
VBA32              3.12.6.1        2008.02.17   -
VirusBuster        4.3.26:9        2008.02.20   Win32.Duel.H
Webwasher-Gateway  6.6.2           2008.02.21   Win32.Patched.AF

I should mention that this all came about because I was, and still am, getting random Blue Screens of Death and restarts. I was told it was probably due to an infection, but I am not convinced, as I hooked up a spare drive I have with a cloned version of my XP Pro install done several months ago (and therefore clean) and during a six-day period had three restarts. I am now back on my default drive.

This might not be an appropriate forum for this, but can someone tell me if it is SAFE to disable the Auto restart On Error in XP? When the system restarts I can’t read the stop/error report; it disappears very quickly. I thought it might be useful to be able to see what Windows was reporting, in the hope this might shed light on the problem. I don’t want to do this without being sure it won’t cause any damage if it is disabled and the fault is hardware.

Thanks

Hi and welcome,

Where did you download the program from? Was it from comodo.com or an alternative source? I’ve just scanned my own file and it comes out clean at virustotal.com.

It may be the file on your computer has been infected by a virus, maybe bundled with it when you downloaded the software (if you downloaded from somewhere other than comodo.com), or it infected after the program was installed.

As for your question on auto restart on error, I’m afraid I’m unable to answer that. Someone should be able to give you better information than I can on this.

Mike

Thanks Mike

File was downloaded direct from Comodo.

Should I uninstall VE and then do a fresh download and install?

Yes, that would seem the best option. You should make sure your computer is completely clean of any infection; if you need help with this there is a board on the forums dedicated to this.

Mike

Thanks Mike

I think I’ve managed to clean out any nasties once I reinstall VE.

I am a bit perturbed that despite having the Comodo Firewall Pro, Boclean, Anti-virus and VE running I still got infected. Any thoughts?

Chris

I must say I’m a bit shocked it got through all of them. From the name of the virus, it is one that ‘patches’ onto existing files, often legitimate Windows files. You can read a bit about this here:
http://www.f-secure.com/v-descs/trojan_win32_patched.shtml

The best way is to replace the files (do not delete any Windows file, as this could seriously affect your computer).

Did CFP alert to a modified file in VEngine? When was CFP installed, and was it installed in Clean PC mode?

Also, if you have a copy of the infected vengine.exe file can you please submit it to malwaresubmit [ at ] avlab.comodo.com for analysis, or submit the file through one of the submit features in CFP or CAVS. If you send via email please zip and password protect the file and include the password in the email.

Mike
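Mike’s point that this family “patches” a legitimate file suggests a check anyone in Chris’s position can run before trusting either the scanners or a reinstall: compare the installed binary against a fresh copy downloaded from the vendor. A false positive gives two identical files; a patched host gives a different hash and a byte-level diff that shows exactly where the file was altered. The following is an added example, not code from the thread or from Comodo; the “executable” bytes, the patched region and the file paths are constructed for illustration.

```python
"""Added example (not from the thread): tell a genuinely modified executable
apart from a false positive by comparing the installed copy with a freshly
downloaded one. A "Patched"-style infection alters bytes in an otherwise
legitimate file, so the two copies hash differently and a byte-level diff
shows where. Sample bytes and file paths below are constructed."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the per-file value VirusTotal reports."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(clean: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where suspect differs from clean.

    Bytes present in only one file count as differing, so an appended
    payload appears as a final run starting at the shorter file's length.
    """
    ranges: List[Tuple[int, int]] = []
    n = max(len(clean), len(suspect))
    start = None
    for i in range(n):
        a = clean[i] if i < len(clean) else None
        b = suspect[i] if i < len(suspect) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def compare(clean: bytes, suspect: bytes) -> Dict[str, object]:
    """Summarise the comparison: hashes, sizes, changed ranges and a verdict."""
    ranges = differing_ranges(clean, suspect)
    return {
        "clean_sha256": sha256_hex(clean),
        "suspect_sha256": sha256_hex(suspect),
        "clean_size": len(clean),
        "suspect_size": len(suspect),
        "changed_ranges": ranges,
        "changed_bytes": sum(length for _, length in ranges),
        "verdict": "identical" if not ranges else "modified",
    }


def compare_files(clean_path: str, suspect_path: str) -> Dict[str, object]:
    """Same comparison for two files on disk, e.g. a fresh download versus
    the installed C:\\Program Files\\Comodo\\VEngine\\VEngine.exe."""
    with open(clean_path, "rb") as f:
        clean = f.read()
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    return compare(clean, suspect)


# Constructed stand-in for a small PE file: DOS header stub, PE signature,
# then a zero-filled body. Not a real executable.
CLEAN_SAMPLE = b"MZ" + b"\x90" * 60 + b"PE\x00\x00" + b"\x00" * 200

# Constructed "patched" copy: 16 bytes overwritten at offset 128 and a
# 32-byte payload appended, mimicking how a file patcher modifies its host.
PATCHED_SAMPLE = (
    CLEAN_SAMPLE[:128] + bytes(range(0xE8, 0xF8)) + CLEAN_SAMPLE[144:] + b"\xCC" * 32
)

if __name__ == "__main__":
    for key, value in compare(CLEAN_SAMPLE, PATCHED_SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is “modified” with two changed ranges, one inside the body and one appended at the end; a genuine false positive on a vendor-signed file would report “identical”, in which case the right move is to submit the file to the vendor rather than reinstall. The diff only tells you that and where bytes changed, not what they do; disassembling the changed region is a separate step.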

Mike

Have submitted file as you suggested with comment.

I can’t in all honesty answer your other questions. I have been running CFP for several months and applied the update to v3.0.16.294 when advised, having previously run the Beta 2.0.15.51. I don’t recall any alert for a modified file in VEngine. That said, I have to say that I get a bit frustrated sometimes when HIPS and BOClean keep flagging files up, so it could well be that I failed to notice any warning.

When you say Clean PC mode I assume you mean before I became aware of any infection. The answer to this is yes; until I started to get BSD and restarts I hadn’t made any specific scan for infection, as I assumed that I was adequately protected, which has me wondering now.

I still like CFP but perhaps I need to be less complacent in the future???

Chris

Thank you for submitting the file.

Clean PC mode in CFP is a mode that marks all applications currently on the PC as safe, and gives fewer alerts as a result. If the file was already infected then CFP may have marked the file as safe, if it was installed in this mode. If the file was infected afterwards, you should have got a Defence+ alert for a modified file.

I understand how the number of alerts can make you become complacent. There are some new features being introduced to CFP to help people with making a decision on alerts, and also to further reduce the alerts.

One reason why BOClean may not have detected this is that the malware had not yet loaded itself into memory (i.e. it hadn’t run), which is where BOClean would have detected the malware, if it had the signatures for it.

Mike

I have repaired VE using the latest download and Virustotal has given it a clean bill of health.

As my system should now be clean I have been checking CFP which is currently set as Network Defense - Train with safe mode and Defence + as Clean PC Mode.

Glad to hear that there may be some help with dealing with alerts in the future.

I am obviously anxious to avoid a repeat infection so can you offer any help as to what I should do to protect myself in the future, other of course than making sure I read any alert properly?

Should I do a full system scan, just to be sure?

Thanks

A full system scan wouldn’t hurt, and would offer some reassurance. In regards to protecting yourself in the future, you need to make sure that all security software is up to date, perform regular scans of your system, and check that security programs are functioning correctly (e.g. with EICAR test files). It is also recommended to have a ‘layered approach’ to your security needs. Melih provides an interesting article here about this:
http://www.melih.com/?s=layered

Mike
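Mike’s suggestion to confirm that the security programs are actually functioning with EICAR test files is worth showing concretely, because the thread’s whole problem was an infection that sat unnoticed under several products. The EICAR string is the standard 68-byte test signature that every scanner is expected to detect; the SHA-256 constant below is its published hash. The following is an added example, not code from the thread or from Comodo; the probe file name and the verdict labels returned by probe_scanner are this example’s own choices.

```python
"""Added example (not from the thread): use the EICAR test file to confirm
that an on-access scanner is working. The EICAR string is the standard
68-byte test signature; EICAR_SHA256 is its published hash. The probe path
and the verdict labels are this example's own choices."""
import hashlib
import os

EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Assemble the 68-byte EICAR string from fragments so that this source
    file is not itself flagged by a scanner matching the literal string."""
    parts = [
        "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
        "EICAR-STANDARD-",
        "ANTIVIRUS-TEST-FILE",
        "!$H+H*",
    ]
    return "".join(parts).encode("ascii")


def eicar_sha256() -> str:
    """Hash of the assembled string; compare against EICAR_SHA256 to be sure
    the fragments were joined correctly before relying on the probe."""
    return hashlib.sha256(eicar_bytes()).hexdigest()


def is_eicar(data: bytes) -> bool:
    """Match EICAR's own definition of a valid test file: the 68-byte string,
    optionally followed by whitespace (space, tab, CR, LF, Ctrl-Z), and no
    more than 128 bytes in total."""
    sig = eicar_bytes()
    if len(data) > 128 or not data.startswith(sig):
        return False
    return all(c in b" \t\r\n\x1a" for c in data[len(sig):])


def probe_scanner(path: str) -> str:
    """Write the test file, then try to read it back.

    Returns "blocked" if writing or reading failed because the scanner
    removed or locked the file (real-time protection reacted), "present" if
    the file read back intact (no on-access reaction; check that real-time
    protection is enabled and run an on-demand scan of the file), or
    "unexpected" if something other than the test string came back."""
    try:
        with open(path, "wb") as f:
            f.write(eicar_bytes())
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return "blocked"
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return "present" if is_eicar(data) else "unexpected"


if __name__ == "__main__":
    print("hash ok:", eicar_sha256() == EICAR_SHA256)
    print("probe:", probe_scanner("eicar_probe.com"))
```

A “present” result is not by itself proof that the scanner is broken: some products only scan on execute or on a schedule, so follow it with an on-demand scan of the same file. The check exercises detection of one well-known signature and nothing more; it says nothing about whether the scanner would have caught a patched VEngine.exe, which is why regular full scans and a second opinion such as VirusTotal still matter.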

Locked.

Reason: Out-Dated post.

Josh