Hi guys, this morning I had the fright of my life just by clicking onto a website via Google. My gf and I were discussing baby names, so I decided to do a Google search on modern names for boys. I clicked on one particular link from Google (can't remember the name) and as soon as I did I got lots and lots of windows trying to open. Comodo isolated a couple of .exes to the sandbox (restricted). I thought CIS had caught everything, so I carried on chatting with my gf on MSN. I then happened to notice that the shortcut to MSN had gone off my desktop along with various other programs, inc. CCE. So I rebooted thinking all would be OK upon reboot.

How wrong I was... most of my programs were still missing from the desktop. Numerous folders were missing (docs, vids, pics etc.). Internet Explorer had lost all of my favourites. Windows security had been disabled and the clock was an hour fast. Also some of the programs that were left wouldn't open. I did a sys restore and most of my progs came back (although CCE couldn't connect to the internet to update, so I imported from CIS), did a scan and all was fine. I checked KillSwitch, all safe. Opened Quick Repair and Security Center had been disabled, so I repaired that. I did a scan with MBAM, all OK. Did a scan with TDSSKiller, all OK. Rebooted and my folders were still missing.

To cut a very long story short-ish, I did a Google search and found a piece of software on BleepingComputer.com called unhide.exe. I ran it and hey presto, all my hidden folders/shortcuts were restored (after reboot). So here is the log of what the malware changed, and my question is... can these lines be added to the protected registry keys without causing any problems??
Searching for Windows Registry changes made by FakeHDD rogues.
Start_TrackDocs was set to 0! It was set back to 1!

Thanks in advance.
win7 sp1 64bit (IE8)
CIS 5.10 fully updated. Config: Internet Security - sandbox enabled, set to Restricted - AV Stateful - FW Safe - D+ Safe
CCE (not open/running at the time of infection)
MBAM (on demand)
TDSSKiller (on demand)
UAC disabled at the time (now enabled and put up with the popups + using Comodo dragon as default browser)
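An added triage script for the symptoms described in this post (not from the thread, not the unhide.exe tool): it reports the Start_TrackDocs value from the log and lists user files and shortcuts that merely carry the Hidden attribute, which is how the rogue made the folders and desktop icons "disappear", clearing them only when -Repair is given. The registry path for Start_TrackDocs and the choice of user folders are my assumptions based on the standard Windows 7 layout.

```powershell
# Triage script (added example, not part of the original post).
# Run as the affected user. Without -Repair it only reports; with -Repair it
# restores the Start_TrackDocs value and clears the Hidden attribute.
param(
    [switch]$Repair
)

# Assumption: Start_TrackDocs lives under the Explorer\Advanced key of the current user.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$trackDocs = (Get-ItemProperty -Path $advKey -Name 'Start_TrackDocs' -ErrorAction SilentlyContinue).Start_TrackDocs
if ($trackDocs -eq 0) {
    Write-Output 'Start_TrackDocs is 0 (recent-documents tracking disabled by the rogue).'
    if ($Repair) {
        Set-ItemProperty -Path $advKey -Name 'Start_TrackDocs' -Value 1 -Type DWord
        Write-Output 'Start_TrackDocs set back to 1.'
    }
} else {
    Write-Output "Start_TrackDocs = $trackDocs (no change needed)."
}

# User folders the rogue hides: documents, pictures, videos, music, downloads,
# IE favourites, the user's and the public desktop, and the Start Menu programs.
$roots = @(
    'MyDocuments', 'MyPictures', 'MyVideos', 'MyMusic', 'Favorites',
    'DesktopDirectory', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms'
) | ForEach-Object { [Environment]::GetFolderPath($_) }
$roots += Join-Path $env:USERPROFILE 'Downloads'

# Legitimate hidden items (desktop.ini, Thumbs.db) are Hidden+System;
# the rogue sets Hidden alone, so only those entries are reported.
$hidden = foreach ($root in ($roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
        }
}

Write-Output ('{0} hidden user item(s) found.' -f @($hidden).Count)
$hidden | Select-Object -First 20 FullName | Format-Table -AutoSize

if ($Repair) {
    foreach ($item in $hidden) {
        # Clear only the Hidden bit; keep every other attribute as it was.
        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    Write-Output 'Hidden attribute cleared; log off and on (or reboot) to refresh the desktop.'
}
```

Review the reported list before running with -Repair, since a file you hid on purpose will be listed too.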
Hi languy99 - I'm just using the standard DNS servers as used by Sky (but I'm thinking of changing to Comodo as of today, unless you know of any better ones?). I can't supply you with the link as I have cleaned my system, so no history remains. As mentioned, I just did a search on Google for popular boys' names / modern boys' names and it was in the first half dozen links that appeared. Sorry I can't be any more specific than that. All I can say is that Comodo did clear the infection but couldn't stop the registry from being changed (maybe the restricted sandbox isn't restricted enough??). Also it would be good if CIS or CCE could include these things to check/fix when doing a scan.
Sounds more like a sandbox leak. If the sandbox was disabled I'm sure he would have gotten an alert from D+ and been able to block it. Since the sandbox is restriction based (rules), it is allowed to do certain things, so it slipped through the cracks. Once the sandbox becomes virtualized, stuff like this will not happen.
Well, I don't want to scare anybody, but it happened to me as well today! Half of my pics missing! Wtf? All security is on MAX settings with UAC and the sandbox enabled! None of the AVs detect anything... System restore doesn't help!
Yeah, something freaky is going on with my PC: programs turn on and turn off... and I didn't switch them on or off, etc. It's slower at some times... I hate PCs! Should have got a Mac! And where are my pics? Why did only half go missing? No errors... Go figure ???