Malware is able to screw up "My computer"

Hello,
malware is able to screw up “My computer” in the way it is portrayed in the attached picture.

It seems some registry protection is missing?
With Disk Heal ( http://www.luqsoft.com/diskheal/DiskHealSetupv1.48.exe ) everything can be repaired, so Comodo should look at which keys are modified by Disk Heal and add them to “My protected registry keys”.

[attachment deleted by admin]

Hello, can you please post your system specs and security applications,
as well as a step-by-step way to reproduce this?

As for the malware sample, please wait for a Comodo staff member/moderator etc. to request this so they can try to reproduce this.

If you still have the malware sample, please upload it to a file hosting service (such as Rapidshare) and PM the link, so that I can tell what it modifies.
I tried to check what it modifies by using Disk Heal, but it seems like I’ll have to ‘corrupt’ my disk before I can fix it.
Also, what mode do you have Defense+ in?

WXP SP3, AntiVir.

Start malware → “My computer” gets screwed up (sorry, I don’t know which malware sample it is exactly, I just started more than one at once, but maybe I can find it out).

Safe mode; it also happens in paranoid mode.
Using proactive security as default config, so all registry keys that Comodo has in its database should be monitored.

Hey Evil, Please upload the nasty file and send the link to ragwing.
Much appreciated :)

It's an autorun malware. The file is cleaned but the autorun.inf file is left behind. Locate it and delete it from the D partition. It might be hidden.

Then prevent it via Defence Plus. Create a rule to prompt you on creation of autorun.inf files.

Defence Plus> Common Tasks> My Protected Files > autorun.inf … and apply the settings.

[attachment deleted by admin]
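An autorun.inf on a drive root can set the drive's icon and label and override what double-clicking the drive does, so it is worth reading a leftover file before deleting it. The sketch below is an added example, not code from this thread or from Comodo: the function name `audit_autorun` is hypothetical and the sample file is constructed, not taken from the malware discussed here.

```python
import re

# Keys that make Explorer run something or change how the drive is displayed.
LAUNCH_KEYS = {"open", "shellexecute"}
DISPLAY_KEYS = {"icon", "label", "action"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def audit_autorun(text):
    """Return (kind, key, value) findings from the [autorun] section."""
    findings, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments are often used as padding
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in LAUNCH_KEYS or SHELL_CMD.match(k):
            findings.append(("launch", k, value))
        elif k == "shell":
            findings.append(("default-verb", k, value))
        elif k in DISPLAY_KEYS:
            findings.append(("display", k, value))
    return findings

# Constructed sample (hypothetical paths), for illustration only.
SAMPLE = """\
; junk line to pad the file
[AutoRun]
open=recycler\\setup.exe
shell\\open\\command=recycler\\setup.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,7
label=Local Disk
"""

if __name__ == "__main__":
    for kind, key, value in audit_autorun(SAMPLE):
        print(f"{kind:12} {key} = {value}")
```

The `launch` entries name the file the drive would start, which is the path to check for a remaining executable after the autorun.inf itself is removed.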

I am very skeptical that Comodo can recognize “?” or “*” symbols as “any” for drive letters (in front of “:”), I would rather use “\Device*\autorun.inf” or just “\autorun.inf”

Hmmm… but it is recognizing here.

Maybe there is some bug within Comodo, since exclusion lists and also protected files don't work properly with
Drive:\folder*