possible hijacking alert

I’ve been using Comodo AV & FW for a few months, with good results till now. The point is that for some time I’ve been plagued by alerts about possible hijacking through svchost and Internet Explorer.
The alerts always come up while using IE, either when opening a new page or on a page change while surfing.
The big point is that the possible hijacker is some programme that I’ve been using in that session. It can be anything, just as an example: PSEL v3, Noiseninja, Pixmantec RSP, but also programmes that I wrote myself, like my e-mail client or my clock sync, which I know for sure will not try to hijack anything. They seem to “stick” for Comodo, I mean that the alerts point to them even after they have been closed.

Just had an alert with cpfupdat.exe, a Comodo component, and last night I had one that alerted me that Skype was trying to hijack … Skype.

My system (Win2k, updated as of a few days ago for both MS and Comodo) is pretty stable; I don’t install new programmes very often, and it has been checked for trojans and so on with no result.

This has become pretty annoying, so, short of dropping the Comodo FW, what can I do?

ASpes

Hi, let me say that you are not the only one; I too have been getting these attempts, and others have as well, with nothing on their systems. I too scanned my system and found nothing. They may be giving a false trigger to make you drop your defenses; don’t. The first thing a hacker wants is for you to take away your security by bothering the heck out of you. I suggest you clear history, cookies, etc., download HijackThis, and post the log.

Paul

Thanks for your reply Paul.

It looks like something related just to MS IE; alerts never pop up with anything else, and of course if I deny the alert IE hangs there forever.

Here’s a scan log from HijackThis. I don’t seem to find anything that shouldn’t be there, but I’m no expert at this level.

Thanks in advance for any help.

ASpes

[attachment deleted by admin]

There is this associated with internat.exe. And there’s a better explanation here.

I have a couple of checks to do, but I don’t see anything drastic off hand; will get back to you. :wink:

Paul

Ok, that was one, lol. I think they use multilingual though. If not, then it’s a winner. Well, thanks for saving me the search, Kail. :wink:

Paul

Sorry Kail, that was a good shot, but, as Paul hinted, I’m using a localized Win2k version, so “internat.exe” has fair citizenship on my system.
I checked it anyway against a good copy and it compares bit for bit. I checked for all the files the Sophos advanced tab deems signs of that trojan, but found none. Then I ran a scan with Sophos’ Registry Booster, pointed out in your link, and it reported only some broken paths in the registry.

So I’m back to first base.
Could that be a Comodo FW issue, getting confused in the program link chain?
After all, this started not long ago; I cannot remember exactly, but it seems to me likely less than a month, so it could be after one of the last updates, which I do manually more or less every couple of weeks.

Thanks anyway to both for looking into this.

ASpes

I couldn’t find any other candidates in the HijackThis log. So, I recommend that you scan your system with EMCO Malware Destroyer. The freeware is right at the bottom of their download page, so make sure you download the right Destroyer… the pay version is for networks. And you’ll probably need to update the signatures before you scan your system.

Ok, I just did the scan with EMCO, and it doesn’t show a single line; it says my system is clean.
Did it a second time with some registry settings in the advanced tab … just as clean.

I also tried to “turn back the clock” by deleting all IE and svchost lines in the programmes list in the Comodo FW, and also deleted some items that I did not recognise from the module list, on the assumption that permissions would be asked for again.

After that my surfing went back to zipping along … and was fairly silent for a while; then the alerts began again, always when I start IE or go to a new page.

The alerts warned that my own email client was “parent” to IE and sent “special window messages”; ok, it just launched a web pointer, but that’s all it can do, I know, I wrote it.
After running the EMCO software (and after closing it) the Comodo FW alerted me that EMCO was trying to use svchost, parent to IE, through OLE and so hijack …

So I’m back to first base again.

What stumps me is why everything went smoothly for quite a time, and then suddenly this crazy alert chain began.

If I cannot sort this out I’ll revert to my beloved old Syquest or to ZA.

Thanks for reading.

ASpes

Actually, that sounds like normal behavior for CPF given what has happened. Post some screenshots of the pop-ups that you are seeing.

Silly question: Are you saying “remember” to these pop-ups?

Hi, I agree with Kail on this. It sounds like normal OLE behavior. Even if you have an OLD email client, many programs leave an XXXX.exe file behind, or some other file, that will still attempt to access the internet although the program has been deleted. I usually use Agent Ransack, do a search for deleted/uninstalled file leftovers and get rid of them. But you have to know what you are doing. As has been said before, OLE automation is an application’s way of accessing the internet if it has no true connecting program of its own; it uses/modifies IE to connect to the server, etc… It doesn’t mean it’s a hijack.

Paul

LOL !!!

Kail, Paul, I understand you’re trying to help, and I thank you for that, but I’m an old dog; I have been using a FW for quite a few years, so I know what to expect from them from a user’s point of view, which is actually what I am, because while I can write internet-related stuff, like most programmers I could not write the libraries I use to build it, least of all a FW itself, which needs an understanding I definitely do not have.

Back to the main point. As far as I know, and according to all the tests I can do, my system is clean.
Now, as an example, here’s how it went this very evening.
Boot the PC, surf the internet for a while, not a single alert, close IE.
Run Pixmantec’s RSP to work on a pic, it fires up PS for more editing, close everything.
Back to my folder of web sites to open one of the previous ones, ■■■■, as soon as IE starts the (attached) alert pops up, “RSP could be hijacking…”; deny, IE stops.
RSP can actually connect to the internet to check for updates, but that’s on request. OK, start RSP, check for updates and deny it (with ‘remember’). Now RSP should be blocked by default. Start IE again, same alert as before with RSP; ok, let’s allow it this time, and another identical one pops up for PS. Allow it and IE connects to the page.

How come it asks me about letting out a programme that is now in the block list? Besides, as far as I can tell, no instance nor service nor any module of RSP is listed in Task Manager.
Ok, one can hide from that list, but I cannot see any reason why RSP would do that. And with my own programmes I know for certain they are definitely not trying to connect when closed, and some of them do not use OLE automation.

The alert is always that one; just change the programme name to whatever I just used.
That’s what stumps me. End of story.
I can just add that all this started not long ago and that all FW options are at default.
(two alerts in attachments)

I see that other threads after mine are complaining about much the same thing; what gives?

Thanks for reading and for any hint you might have.

ASpes

[attachment deleted by admin]

svchost.exe hosts a couple of COM interfaces. The DNS service is one of them. These alerts may be related to such things.

Your alerts are about PARENT(svchost.exe) COMed. These are very common safe alerts. You can remember and allow.

Egemen
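One way to check a “PARENT(svchost.exe)” alert for yourself, as an added example that is not from this thread or from Comodo: resolve the parent of the flagged process, confirm that the svchost image is the genuine one in System32, and list the services that share that svchost PID (which is what makes svchost show up as the “parent”). It assumes Windows PowerShell 5.1 or later with the CIM cmdlets and an elevated prompt; the original poster’s Win2k box predates PowerShell, so this is for a current Windows host.

```powershell
# Added example (not from the thread or Comodo): triage a "PARENT(svchost.exe)" alert
# by finding the parent of a running process and inspecting that svchost instance.
# Assumes Windows PowerShell 5.1+ with CIM cmdlets, run from an elevated prompt.
function Get-ParentSvchostReport {
    param(
        [Parameter(Mandatory)][string]$ChildName   # e.g. 'iexplore.exe'
    )
    $children = Get-CimInstance Win32_Process -Filter "Name = '$ChildName'"
    if (-not $children) {
        Write-Warning "No running process named $ChildName"
        return
    }
    foreach ($child in $children) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"
        $report = [ordered]@{
            Child          = "$($child.Name) (PID $($child.ProcessId))"
            # A parent that has already exited is common: the launching program
            # closed, but the child (here IE) keeps its ParentProcessId.
            Parent         = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { 'exited (PID gone or reused)' }
            ParentPath     = $parent.ExecutablePath
            PathIsSystem32 = $false
            HostedServices = @()
        }
        if ($parent -and $parent.Name -ieq 'svchost.exe') {
            # The genuine service host lives only in %SystemRoot%\System32; a binary
            # of the same name elsewhere is what would deserve a closer look.
            $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
            $report.PathIsSystem32 = ($parent.ExecutablePath -ieq $expected)
            # Services sharing this svchost PID explain why it appears as the parent.
            $report.HostedServices = Get-CimInstance Win32_Service -Filter "ProcessId = $($parent.ProcessId)" |
                Select-Object -ExpandProperty Name
        }
        [pscustomobject]$report
    }
}

# Usage: Get-ParentSvchostReport -ChildName 'iexplore.exe'
```

If PathIsSystem32 is true and HostedServices shows ordinary Windows services, the parent relationship is the normal service host rather than a hijack; only an svchost image outside System32 would warrant further investigation.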

I have been having the same issue, I started this thread a while ago.

https://forums.comodo.com/index.php/topic,2445.msg19095.html

I don’t feel that the hijacks are from any outside source or spyware/malware; I think they are just programs sending info back to their owners.
I just want to know how to stop the programs without disabling IExplorer.