Please help me fix Comodo

Hi,
My little experiment with Green Border Pro has created a problem for me. If I try to run their test now, it runs without Comodo prompting me. I scanned through the list of Component Control rules and don’t see mshta.exe there, or I would delete it. I have changed the system from learning to on, and the test still runs. What can I delete or change to fix this?

Looking forward to Version 3!

Thanks in advance for your help.
Sue

Hi. I just took the liberty of running this myself so I could answer you without guessing. My results were fine, it popped up. I think you may have accidentally allowed it before. Have you tried getting rid of any G files, running CCleaner and deleting mshta.exe from Comodo? Also, there are a number of mshta.exe files, as the screenshot will show you. This is another program that pulls my ears…
It claims stolen files, my Docs, lol. Well I purposely allow this on my pc, of course it can access any file. I unhooked from the internet and it still says stolen, lol. So as you see this is another download, allow, to fool people into thinking their security is no good. Let them run it from their server, if they can hack me, then tell me my security is null. This may be your problem. I don’t allow IE access for good, only when need be. If it attaches to IE, it may be allowed through.

Paul

[attachment deleted by admin]

Hi Sue

Perhaps it has a GUI… check under the Application Monitor… Woah… hang on, mshta.exe? That’s the HTML placeholder thingy. You’re looking for the wrong thing. Probably RUNDLL was run (loaded with a command string - probably including the source DLL!) to populate MSHTA’s screen (like the Add/Remove Programs applet… uses the same method). You need to run something like… Sysinternals’ Process Explorer, find the RUNDLL process & its command start-line… that’s what you’re after. Mind you, MSHTA, if it accessed the Net, would be under the Application Monitor, since it has a GUI.

Edit: Saw Paul’s post. But, I think he’s missed what MSHTA is as well. CFP might have detected the DLL on the RUNDLL.
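Added example, not from any post in this thread: a PowerShell snippet that pulls the same information Kail suggests getting from Process Explorer, namely the command line and parent of every running mshta.exe or rundll32.exe, and flags a copy running from outside the Windows directory. It assumes a current Windows with PowerShell 3 or later, not the XP systems discussed here.

```powershell
# Added example (not from the thread): enumerate mshta.exe and rundll32.exe
# with their command lines and parent processes, the details Kail suggests
# reading off Process Explorer. Assumes PowerShell 3+ with CIM cmdlets.
$watched = @('mshta.exe', 'rundll32.exe')

$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $watched -contains $_.Name }

foreach ($p in $procs) {
    # Look up the parent so the launching program is visible alongside the child.
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }

    # The thread mentions several copies of mshta.exe; a copy running from
    # outside %SystemRoot% is worth a closer look than the one in System32.
    $outsideWindows = $p.ExecutablePath -and
        ($p.ExecutablePath -notlike "$env:SystemRoot\*")

    [PSCustomObject]@{
        PID            = $p.ProcessId
        Name           = $p.Name
        Path           = $p.ExecutablePath
        Parent         = $parentName
        CommandLine    = $p.CommandLine
        OutsideWindows = [bool]$outsideWindows
    }
}
```

Run it while the leaktest is open; the Parent and CommandLine columns show what launched each process and with which arguments, which is what a Comodo Application Monitor rule would need to match.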

I sort of see what you are saying, but the mshta.exe is in the processes when you start it, and this is what is trying to access Comodo. There is no GUI on my end either. The only one doing access is the mshta.exe.

Not sure…

Paul

Ah… but, if MSHTA is started by and populated by RUNDLL using a DLL to do it, then CFP would know that. Right? If not, then I can see how it’s leaking without CFP noticing.

Sue: What were the results of this Green Border leaktest?

Do you mean the mshta.exe in C:\Windows\System32\dllcache?

https://forums.comodo.com/index.php/topic,5651.msg41635.html#msg41635

LM

No, I meant C:\Windows\System32\mshta.exe.

LM

You’ve deleted mshta.exe? But, what happens when you open the Add/Remove Programs applet?

So, you all failed the test & deleted mshta.exe? Why didn’t you just create a block for MSHTA? Or… since I read it quickly, did I miss something?

Kail,
I didn’t delete MSHTA.exe, someone else deleted it on their system. I just checked and rundll isn’t appearing in my list in Comodo, neither is mshta.exe. Any other thoughts?
Thanks!
Sue

Hi, I have worded that wrong, do not delete the mshta.exe files. mshta.exe is simply being used by Green and you can’t delete them, they are needed system files. What I meant by deleting the mshta’s is from Comodo, and the snapshot was meant simply to show a list of them that may appear. Yes, I worded that whole thing badly, my apologies.
Paul

Paul,
this is the problem, mshta.exe isn’t appearing in my list in Comodo. I have just gone in and deleted a number of Microsoft communication DLLs. I am hoping that Comodo will approve them for valid applications as needed. I would just like to be sure that whatever got authorized in Comodo as an ongoing approval is no longer approved, as I don’t want to now have a problem I didn’t have before allowing mshta.exe to run in the first place.
Many thanks,
Sue

Hi, I know what you are saying, and what I would suggest is doing a system restore, perhaps to right before you even tried Green. Somehow this is being allowed. I checked Little Mac’s link but it doesn’t resolve your current issue. There are no entries in the application monitor either, I checked mine. I have included a snapshot of the correct settings in network monitor, can you compare these to yours? Thanks…

Paul

[attachment deleted by admin]

It’s probably OK, unless Sue has turned off System File Checker… which I suspect not (Sue?). SFC has probably already put them back.

Hi Kail, I think you misunderstand, I believe she is deleting/removing from component monitor, not the actual files. :wink:

Thanks,

Paul

Heh, no, I didn’t delete anything. The test could not complete on my system, because I do not use IE as the default browser, which is what the exploit is all about.

I specifically allowed it to run, just to see what would happen. In my case, nothing. It could not get back out; not because of the firewall, but because of my choice of browser…

I don’t know whether or not it is possible to delete the system file of MSHTA; my point was that in some cases it is actually needed, and using a “stop” program to turn off that scripting in Windows would be a better option, so that the function can be restored if needed.

LM

Paul,
I’m not seeing the shot of what the network settings should be, could you send me a private message with them?
Thanks!
Sue

I have, as I said in the other thread, moved/renamed mshta.exe from all the places I found it. No problems with control panel or add/remove programs.
I will keep them moved/renamed until I get any problems.
When I moved them, I got a warning that they are protected system files and that I had to put in my WinXP CD to replace them. I denied the offer… :wink:
They haven’t been replaced, and all is working great so far… :o

That’s curious concerning the other site’s advice. I’m wondering if the jam up will come after rebooting. I will be glad to know the results. I jammed myself up this evening by deleting too many of the DLL entries in Comodo. I had to reinstall some apps, as reloading them didn’t get the DLLs re-entered in Comodo. I guess that’s a good security confirmation.
Sue

Hi Sue, I think reinstalling Comodo may be the easiest fix for you. This way, everything is reset and we know for SURE what’s being allowed or not. I don’t know what anyone else’s opinions are, but if they think this is a good move, please throw in an opinion. A simple reinstall of ANY software can solve major issues and save days’ worth of time. :wink:

Paul