Random .exe running under Cmdagent.exe

I keep getting 5-6 randomly named .exe files that pop up and appear to be running from Cmdagent.exe when i look at the running processes. The exe files themselves are located in my “D:\WINDOWS\Temp” folder. My +Defense alerts me to them and i block them every time…which then makes them disappear from the temp folder. The virus alert also pops up for each of them which i select the remove option. The name they are called by on the virus alert is “Trojware.mailfinder.agent”

As far as i’ve been able to find out its a type of virus called “Sality”. I don’t know how to get rid of it short of formatting my entire system, and i would like to know if there is a way i can just pre-emptively block any .exe files from running in the Temp folder. I tried to do this in the “My Blocked Files” option in +Defense settings by adding in this line “D:\WINDOWS\Temp*.exe”, but it hasn’t worked.

The comodo virus scanner doesn’t find anything, and i also run Malwarebytes, and SUPERAntiSpyware. They also find nothing.


Try To Follow These Steps:
1: Boot Your Computer In Safe Mode
2: Run a virus scan
3: if it doesnt find it then run a scan with your other antivirus, antispyware programs
4: if one of them does find it remove it
5: restart your computer
it should work then…

Doh, I wonder why I made that sticky… Why read it anyway, it can only help you 88)


See if that helps, afterwards, post back the hijackthis log, thanks


lol :smiley:

I tried to get BitDefender to work…At first i couldn’t get it to even install then i got into safe mode and installed it, but then i couldn’t get it to even come up to be able to update it, although “bdmcon.exe” runs in the background the actual program never comes up. I think that has something to do with the virus since its the same way with Spybot. One thing i noticed about this virus is that when i reboot my pc (i have comodo set to run on startup)…is that the first program i start whether its HijackThis, SAS, even msconfig will set off a never ending stream of +Defense requests to change protected registry lines and other protected things. The virus must be running off of whatever i run first.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:25 AM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [COMODO Internet Security] “D:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [COMODO Firewall Pro] “D:\Program Files\COMODO\Firewall\cfp.exe” -h
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208010685511
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208011215833
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVScan - Unknown owner - D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)

End of file - 4165 bytes

I can’t find anything weird in it, but you might want to fix these, as they’re invalid.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Also, do you still use Norton AV ?


No, i haven’t used Norton for a long time, but its not in my Add/Remove programs, and my search doesn’t work…guessing virus disabled that too. Heres a txt file list of events over the past 2 days. In it you can see the random lettered .exe files that try to run and also the registry keys and access attempts the virus tries to do.

[attachment deleted by admin]

Guess nobody looked at the .txt file. Here’s some i just copied. They are in order.

All of these happened when i opened… \Device\HarddiskVolume2\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe…But any other program does it too.

Block File \Device\HarddiskVolume2\Documents and Settings\ATB\Local Settings\Temp\qawgd.exe

Block File \Device\HarddiskVolume2\Documents and Settings\ATB\Local Settings\Temp\windqgaa.exe

Modify Key HKUS\S-1-5-21-1275210071-1935655697-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify

Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

Modify Key HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\smss.exe

Modify Key HKLM\SYSTEM\ControlSet???\Services\IPFILTERDRIVER

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\csrss.exe

Modify File \Device\HarddiskVolume2\WINDOWS\system32\drivers\mhngmn.sys

Modify Key HKLM\SYSTEM\ControlSet???\Services\Agnitum Client Security Service

Modify File \Device\HarddiskVolume2\Program Files\COMODO\COMODO Internet Security\cfp.exe

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\winlogon.exe

Modify Key HKLM\SYSTEM\ControlSet???\Services\abp470n5

Modify Key HKLM\SYSTEM\ControlSet???\Services\ALG

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\NOTEPAD.EXE

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\services.exe

Modify Key HKLM\SYSTEM\ControlSet???\Services\Amon monitor

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\lsass.exe

Modify Key HKUS\S-1-5-21-1275210071-1935655697-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Modify File \Device\HarddiskVolume2\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe

Modify Key HKLM\SYSTEM\ControlSet???\Services\aswUpdSv

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\svchost.exe

Modify Key HKUS\S-1-5-21-1275210071-1935655697-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr

Modify Key HKLM\SYSTEM\ControlSet???\Services\aswMon2

Modify File \Device\HarddiskVolume2\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

Access Memory \Device\HarddiskVolume2\WINDOWS\System32\spoolsv.exe

Modify Key HKUS\S-1-5-21-1275210071-1935655697-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools

Modify Key HKLM\SYSTEM\ControlSet???\Services\aswRdr

Access Memory \Device\HarddiskVolume2\WINDOWS\Explorer.EXE

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Modify Key HKLM\SYSTEM\ControlSet???\Services\aswSP

Modify Key HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

If you have the “Sality” virus it would be best advised to back up your important data,try to avoid backing up compressed file(eg .zip .rar) and to do a re-format.

Alternatively you could try http://www.freedrweb.com/cureit/ this utility which is supposed to be of good use with removing this.

You have to have something deep in there. I’m curious as to what Dr.Web might find.
But whatever happens, it might just be better to back it up and format.

Please download a-squared free
Install it, update it.

then reboot into safe mode with NO networking (how to boot into safe mode ?)

then scan and write down all the things it finds in a text log. Later upload it here, I’m asking you this to protect you, A-squared has a really sensitive but great scanner and it has a lot of FP.


DrWeb seems to have worked better then any others at finding this thing. It found 39 infected files that were almost all .exe files. Says they had something called “Win32.Sector.17”…and 1 file had “Trojan.PWS.Multi.21”. I will try A-Squared next if DrWeb didn’t do the trick.