Hi. I got a Defense+ alert today saying “please block this request and submit it to COMODO for analysis”, but when I try to send the file, it will not send. Please see attached screenshots. After about 6 instances of the same/similar notice, I chose Block and Remember… what do you think about this? Thanks in advance.
[attachment deleted by admin]
Greetings, and welcome to the forum!
It looks like you’ve been infected with a rootkit. Information from PrevX.
Note that the legit Windows file is named svchost.exe and NOT system32:svchost.exe!
You should block everything related to system32:svchost.exe.
Do a scan with Avira AntiVir. It scans for malware, and also for rootkit.
Rootkits hide themselves in other files, so it’s hidden in svchost.exe. As it’s a safe file, it’s already in the safe list, and therefore it can’t be submitted.
And to know more, also scan with Gmer anti-rootkit to see if it finds anything suspicious.
Easy-to-use specific anti-rootkit scanners (self-contained exes):
F-Secure Blacklight (direct download)
Avira also has anti-rootkit scanning capabilities, as you’ve been told, in the free version as well as the premium one. Also, Comodo BOClean: you may do well installing it and seeing if it stumbles upon anything immediately; it wouldn’t be the first time. Gmer’s results may be difficult to interpret, but do give it a try. You can never be too sure if you’ve been exposed to rootkits.
I have found Rootkit Revealer useful at one stage.
By the way, you should get into the Defense+ rules and delete everything about “system32:svchost.exe” (NOT “svchost.exe”). From that point on, by always denying access in all the popups about “system32:svchost.exe”, you may have neutered the threat with CFP alone and you may be able to delete the file(s) manually. But do scan with everything you can; as I said, you can’t be sure.
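The replies above hinge on one distinction: the legitimate service host lives at a known path, while the alerted name “system32:svchost.exe” carries an extra colon, which in NTFS path syntax denotes an alternate data stream attached to the system32 directory rather than a normal file. The following is an added example, not code from the thread or from Comodo, that triages a constructed list of alert targets the way the posters describe: it keeps only the canonical svchost.exe as trusted and flags stream-style names and lookalikes elsewhere for blocking. The canonical path and the sample alert lines are assumptions for illustration.

```python
import ntpath
from typing import Dict, List

# Assumption: standard install drive; adjust if Windows is elsewhere.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"


def classify_target(path: str) -> str:
    """Classify the target path from a Defense+ style alert.

    "legit"     - exactly the canonical Windows svchost.exe
    "ads"       - path has a colon after the drive letter, i.e. NTFS
                  alternate-data-stream syntax such as system32:svchost.exe
    "lookalike" - some other file that merely shares the name svchost.exe
    "other"     - anything else (left for the analyst)
    """
    norm = path.strip().lower()
    # Split the drive off first so "c:" is not mistaken for a stream separator.
    _drive, rest = ntpath.splitdrive(norm)
    if ":" in rest:
        return "ads"
    if norm == LEGIT_SVCHOST:
        return "legit"
    if ntpath.basename(norm) == "svchost.exe":
        return "lookalike"
    return "other"


def recommended_action(category: str) -> str:
    """Map a category to the action the thread recommends for a Defense+ rule."""
    return {
        "legit": "allow (genuine Windows file, already on the safe list)",
        "ads": "block and remember; remove any existing allow rule",
        "lookalike": "block and remember; scan with an anti-rootkit tool",
        "other": "review manually",
    }[category]


def triage(alert_targets: List[str]) -> Dict[str, List[str]]:
    """Group alert targets by category so the rule list can be cleaned up."""
    groups: Dict[str, List[str]] = {"legit": [], "ads": [], "lookalike": [], "other": []}
    for target in alert_targets:
        groups[classify_target(target)].append(target)
    return groups


# Constructed sample of target paths as they might appear in a batch of alerts.
SAMPLE_ALERTS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\system32:svchost.exe",
    "system32:svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for category, targets in triage(SAMPLE_ALERTS).items():
        for t in targets:
            print(f"{category:9s} {t}  ->  {recommended_action(category)}")
```

Run as-is to see the five constructed targets sorted into their groups; in practice you would paste the paths from the Defense+ log or rule list into `SAMPLE_ALERTS` and delete every existing rule whose target lands in the "ads" or "lookalike" group.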