Malware

Hi, I need some help.

Long story short, I was trying to load Android Lollipop onto my S4 and it was malware infested.

I was pretty stupid not to realize, because MBAM and Comodo were lighting up, clearly telling me NOT to ignore this; I disabled both of them and some adware and other things popped up. Immediately I booted into Safe Mode and ran MBAR, MBAM and AdwCleaner, and that solved it. A few hours ago I scanned my entire system with Comodo and sure enough, it came back with this malware, which atm is in quarantine.

I’m currently running another scan with Comodo just to be sure. I also noticed that HIPS was disabled and quickly re-enabled it; when I wanted to launch ShareX to screenshot everything, Comodo popped up telling me that ShareX was trying to modify a registry key and wanted to access the screen. Same thing with Dropbox; in the end I just terminated the program.

Please help. Here are the logs from MBAM and AdwCleaner, if they are of use.

[attachment deleted by admin]

Your system seems clean to me. The threat detected by Comodo is in the temp folder, so nothing to worry about. If you want another scanner’s opinion, you can try HitmanPro (http://www.surfright.nl/en/products/), the first one, not HitmanPro Alert.

So from there can I just delete it from quarantine?

I’d also like to add, when I turn on my computer each morning, Comodo doesn’t start - but when I check in the processes it’s still there. It prompts me to run a diag but it comes up with no errors.

What do you mean with it doesn’t start? Can you describe in more detail? Can you post a screenshot of the alert you are receiving?

Can you check with Windows Task Manager which of the following processes are running or not upon boot:
cmdagent.exe
cis.exe
cistray.exe
cavwp.exe
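One way to do the check Eric asks for without clicking through Task Manager (this is an added example, not a script from the thread or from Comodo): a PowerShell snippet that reports whether each of the four listed processes is present. Unlike the default Task Manager view, Get-Process already lists processes from all users, so cmdagent.exe and cavwp.exe show up even though they run under SYSTEM. The role descriptions and the service name `cmdagent` are assumptions about the CIS installation, not something stated in the thread.

```powershell
# Added example (not from the thread or from Comodo): report which Comodo
# Internet Security processes are currently running.
# The process names come from the post above; the roles are assumptions.
$cisProcesses = @(
    @{ Name = 'cmdagent'; Role = 'CIS helper service (real-time protection); runs as SYSTEM' },
    @{ Name = 'cavwp';    Role = 'antivirus scan worker; runs as SYSTEM' },
    @{ Name = 'cistray';  Role = 'tray icon; normally started at user logon' },
    @{ Name = 'cis';      Role = 'user interface; started by cistray.exe' }
)

function Get-CisProcessStatus {
    foreach ($p in $cisProcesses) {
        # -ErrorAction SilentlyContinue makes Get-Process return nothing instead of
        # throwing when the process is absent; @() forces an array so .Count works.
        $running = @(Get-Process -Name $p.Name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Process   = "$($p.Name).exe"
            Running   = ($running.Count -gt 0)
            Instances = $running.Count
            Role      = $p.Role
        }
    }
}

# The protection lives in cmdagent.exe, so also check the Windows service that
# hosts it: it should be Running and set to start automatically at boot.
# The service name 'cmdagent' is an assumption about the CIS installation.
# Win32_Service is used instead of Get-Service so this also works on the
# PowerShell 2.0 that ships with Windows 7.
function Get-CisServiceStatus {
    Get-WmiObject -Class Win32_Service -Filter "Name='cmdagent'" |
        Select-Object Name, State, StartMode
}

Get-CisProcessStatus | Format-Table -AutoSize
Get-CisServiceStatus
```

Run it once right after boot (when the "couldn’t start" alert appears) and once after Diagnostics has finished; the two tables make it obvious which process is missing in each state, which is the comparison Eric asks for later in the thread.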


This is it atm. Should I restart the computer and get a screenshot of the processes if Comodo doesn’t start?

Can you open Task Manager to show processes from all users by pushing the button “Show processes from all users”? Then see if cmdagent.exe and cavwp.exe are running or not.

Could you also restart the computer for a screenshot of the alert?

Sorry for the late reply, here are the pictures you requested.

http://imgur.com/KP1ICKT,QUWweWe,u9MqRgu

EDIT: also the files in quarantine: the only one that is actual malware is the one at the top; the last ones at the bottom are not, but are being flagged as viruses. Are these false positives?

I see cmdagent.exe and cavwp.exe also running. That’s how we want it. Do you get an alert when your computer starts that CIS is not working properly? What did you mean with CIS doesn’t start? How do you determine it didn’t start?

They could be false positives. When you know the programs and the website where they are from to be trustworthy you can assume them to be false positives.

Or you can follow the article How To Tell If A File Is Malicious by Chiron.

After my computer boots, CIS pops up and simply says that it couldn’t start and prompts me to run a Diag (no results). I normally solve this by opening my start menu and simply clicking on Comodo Internet Security, which brings up the interface. If it’s not on the taskbar at the bottom right, I just click to bring it back up.

It’s key that cmdagent.exe is running because that’s what does the protection. Can you check with task manager if cmdagent.exe is running or not running when you get the alert? And then when Diagnostics has run. I am curious to learn what process is not running when you get the alert.

I ran the diag and created a report, here it is.

After exiting from the Diag, Comodo just stops working. I checked processes from all users, and cavwp.exe, cmdagent.exe and maybe csrss.exe (there are two of these processes running) are the only ones running.

I don’t know about csrss.exe, but the description says Client Server Runtime Process.

I opened up Comodo, and cistray.exe and cis.exe started running. There are two processes of cis.exe.

[attachment deleted by admin]

csrss.exe is a Windows system file; it’s not related to CIS.

Good thing is that cmdagent.exe is running. It looks like the startup key for cistray.exe may be missing (cistray.exe will also start cis.exe).

I attached an xml file that you can add to Task Scheduler and should create the task to start cistray.exe. I had to edit the xml file because my installation path differs from yours but I think it will work.

[attachment deleted by admin]

Sorry, but how do I go about adding it to my task scheduler?

Hi ChronosF1inite,
First up, download/save the attachment from Eric’s post, then right-click the zipped folder to extract the .xml document and save it to a known location.
In the external link below, scroll down for instructions on how to import a task into Windows Task Scheduler.
How to Import / Export (Backup / Restore) Tasks Using Task Scheduler in Windows? - AskVG

Kind regards.
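The two posts above describe a task-definition XML that starts cistray.exe at logon and the steps to import it into Task Scheduler. Here is an added example that does both from an elevated PowerShell prompt; it is not the attachment from Eric’s or CaptainSticks’ post and was not taken from Comodo. The cistray.exe path is the usual CIS default install location and is an assumption, as is the task name; the thread itself notes that the path differs between installations, so check it before running.

```powershell
# Added example (not the thread's attachment): build a Task Scheduler XML
# definition that starts cistray.exe at logon, then import it with schtasks.exe.
# Run from an elevated prompt. The path below is the common CIS default and is
# an ASSUMPTION; edit it to match the installation on the machine.
$cisTray  = 'C:\Program Files\COMODO\COMODO Internet Security\cistray.exe'
$taskName = 'COMODO Internet Security Tray'   # assumed name, pick any
$xmlPath  = Join-Path $env:TEMP 'cistray-task.xml'

if (-not (Test-Path -Path $cisTray)) {
    throw "cistray.exe not found at '$cisTray'; fix the path before importing."
}

# Task XML, schema version 1.2 (Windows Vista/7 and later, 32- and 64-bit).
# The task runs as the user importing it, with least privilege: cistray.exe is
# a per-user tray program and does not need elevation (cmdagent.exe is the
# service that does the protection and is started separately by Windows).
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Start the COMODO Internet Security tray icon at logon</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>$env:USERDOMAIN\$env:USERNAME</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$env:USERDOMAIN\$env:USERNAME</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$cisTray</Command>
    </Exec>
  </Actions>
</Task>
"@

# The XML declares UTF-16, so write it as UTF-16 LE ('Unicode' in PowerShell).
$taskXml | Set-Content -Path $xmlPath -Encoding Unicode

# Import; /F overwrites an existing task with the same name.
schtasks.exe /Create /TN $taskName /XML $xmlPath /F

# Verify the registration and show the stored definition.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

Because the XML is generated on the machine it is imported on, the user account and install path are filled in locally, which avoids the 32/64-bit and user-SID mismatches that cause the import error shown later in the thread. After a reboot, the Task Scheduler history for the task (or a quick look for cistray.exe and cis.exe in Task Manager) confirms that the tray started without the "couldn’t start" alert.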

hey sorry, just got home…

http://i.imgur.com/bsEqXr0.png I am getting this error when I try to import the task.

Hi ChronosF1inite,
You are running Windows 7 64-bit, is this correct?
If yes, sorry I do not have a Win7 64-bit system.

I imagine a scheduled task exported from any operating system other than Win7 64-bit may have compatibility issues.

I only have Win7 32-bit and Win8.1 64-bit systems.

If someone could export then attach the task from the same operating system, it should work AFAIK.
Thanks.

Edit: After a bit further checking, I think the 32-bit task in this situation should work fine on a 64-bit system.
I have attached the tasks from my Win7 32-bit system for you to try.

[attachment deleted by admin]

The task I provided is coming from a 64-bit version of Windows 8.1.

The attachment CaptainSticks provided seems to have worked.

Hi ChronosF1inite,
That is good to hear, I hope it continues behaving. :slight_smile:

Kind regards.