Trojan from Cracked.com

I wasn’t really sure where to post this but I would appreciate some input and assistance here.

I run the latest version of Comodo Internet Security Free version. My defense and Firewall settings are both on Safe level and I have Sandbox always on.

A few hours ago I was surfing cracked.com’s humorous articles when I was attacked by some sort of virus.

The first thing I noticed was that sandbox popped up and said it had sandboxed a file called out[1].bat, and immediately afterwards the Comodo anti-virus popped up saying it had detected a trojan virus called shell.exe and I hit the Clean button.

I immediately went to check what processes were running and saw a couple that I had never seen before and definitely had no notification or prompts about, and I immediately did the Terminate & Block on all 3 of them. I checked the Defense events history and my explorer.exe was constantly trying to re-open them, though it didn’t seem to be able to, thankfully, but it was still attempting to do so every few seconds.

I found these files and did a Comodo virus scan on them but they all came up clean despite obviously being related to that virus. They were called vsxwwyatsbl.exe, caa8d3ae.exe, and a83a4cf2.exe. Although Comodo didn’t stop them from executing in the first place, after I told it to terminate and block them they couldn’t seem to re-open, but I had no way of stopping explorer from just constantly trying to open them every few seconds. Since Comodo didn’t recognize them as bad files, I tried to manually delete them but of course I got the “you lack sufficient permissions to do that” ■■■■ and it wouldn’t let me remove them.

So after I was sure I had blocked everything that was running, I decided to reboot in safe mode and delete all 3 files there because safe mode is awesome like that (Comodo should really add a “YES I WANT TO DELETE IT, DON’T GIVE ME FLAK ABOUT IT” function).

So now I have rebooted normally; Defense events don’t indicate that those files are trying to execute anymore (since they aren’t there), but I’m really not sure what to do next.

So now I’m not sure what to do. Since explorer kept trying to re-open those files, I kind of feel like they somehow edited some registry keys, but I opened regedit and did a search for those exe names and found no mention of them; also Defense logged one failed attempt at altering a registry key by one of the programs.

It would have been worse without Comodo installed, but I’m still left wondering how this all happened; I thought Comodo would protect my machine against that kind of thing. Why did it allow a random bat file to just be picked up off the internet, execute without my permission, and then allow it to create all these additional files and execute them as well? How do I know my machine isn’t compromised and has some sort of keylogger or is gathering my personal information?

I also downloaded and installed Avast anti-virus hoping maybe it could be more helpful in removing things that get past Comodo, and I did a quick scan which said it detected nothing. Everything “seems” OK now but I’m not really sure where to go from here. How can I be totally sure? And what can I do to prevent this from happening again?

If you had just restarted there shouldn’t have been any problems. Any files running in the sandbox or created by sandboxed processes can’t autostart with windows. Hence you could have restarted and no malicious files would have been running or doing anything.

Only the bat file showed up as sandboxed, nothing else did.

Also, even after restarting the first time, I only deleted 2 of the virus exes in safe mode originally and forgot the third one, but after starting back up in normal mode again explorer was still trying to open that one, so I had to go into safe mode and delete that as well.

So just restarting didn’t really help anything.

What do you mean when you say explorer was trying to open it? Can you please clarify as to how you knew it was trying to open it?

Thank you.

I feel your pain. Processes I use daily sometimes randomly get sandboxed by Comodo, and I can see the flipping program right in front of my face still running.

Sandbox does absolutely nothing, it’s up to you to terminate & block as soon as you can.

But the main idea is that, obviously, you couldn’t just get some random ■■■■ from the internet, which is why avast found nothing. Maybe it was preexisting and you blocked it just in time.

The sandbox does not do nothing. It prevents programs running inside it from performing dangerous actions while allowing most programs to still run. That’s why a program can be running in the sandbox while you are still using it.

I’m trying to figure out the specific case that Drexxus has pointed out. An application running in the sandbox shouldn’t be able to autostart with Windows, so I’m trying to figure out what’s going on.

“Processes I use daily sometimes randomly get sandboxed by Comodo, and I can see the flipping program right in front of my face still running.”

Explain that then, please?

As I said before a program can run while it’s in the sandbox. I apologize if I’m misunderstanding you.

The problem in your scenario is that a process should either be trusted or untrusted. If the same process is sometimes trusted and sometimes untrusted then this is indicative of a bad install or you have identified a bug. This is not the way the sandbox is supposed to work.

If you do have a legitimate bug then please create a bug report here. Just make sure you put it in the correct format or they’ll force you to do it anyway. It just saves time.

I suggest using SandboxIE whenever you “surf”.
I had a similar thing happen and it was just a matter of deleting the contents of SandboxIE.
Problem solved.

Seriously, I never open my browser unless it’s inside SandboxIE.

I wonder how merely browsing a web page can infect a computer.
Can anyone send me a PM with one of these sites? I want to do some tests.

Most often, the infection needs user interaction: clicking on a fake window for a codec, plugin or video, or on a fake website (e.g. Google poisoning).

But browsing is enough if one of the numerous vulnerabilities, not only of the browser itself but also of associated plugins, is exploited through an iframe hidden in the website.

No need to PM anything: linking to the first porn or ■■■■■ site you can think of is usually enough.

What I mean by that is I opened up my Defense Events log and it said
Explorer.exe, Block File, then whichever virus-infested EXE file was listed there.
That message was spamming my entire events log, literally hundreds of entries of that… Explorer, Block File, the virus exe files, because before this happened I specifically went into the Active Processes part of Comodo and did the Terminate and Block on them.

And just to clarify, there was no interaction whatsoever on my part. Matter of fact, I was like halfway through the article, on the 2nd or 3rd page of it, before it happened. I think one of the advertisements changed and updated to a new ad and something NASTY was in the new one and that is where it came from. I didn’t click anything at all, I was simply reading. And like I said, sandbox popped up and said it had sandboxed that out[1].bat file, and while I was still in the process of reading that popup, before I even interacted with it, that’s when Comodo started alerting me that these new executable files were trying to do certain things.

Somehow Comodo failed to stop that bat file from altering my system registry, and it failed to prevent those executable files from running on their own. Thankfully at least it blocked them from re-opening after I did the Terminate & Block on them.

The only thing the virus seemed to do was enable a proxy server on my computer that pointed back at itself at 127.0.0.1 and some port I don’t recall, 50370 or something like that. I manually fixed those entries in my registry because certain online software wouldn’t work; that is how I discovered this proxy problem that was created.
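Two of the checks this post describes doing by hand, written up as an added Python example (not code from the thread, from the poster or from Comodo): summarising the repeated "Block File" entries to see which files a parent process keeps relaunching, and inspecting the WinINET proxy values that the malware changed. The four-field log layout ("timestamp, parent, action, target") and the sample lines are constructed assumptions modelled on the entries described above; the registry key and value names (ProxyEnable, ProxyServer and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) are the standard WinINET ones. On Windows the script reads the live proxy values; elsewhere it evaluates the constructed sample.

```python
"""Post-incident triage helpers (added example, not from the thread or from Comodo):
  1. summarise Comodo "Defense Events" entries to show which files a parent
     process (explorer.exe here) keeps trying to relaunch after Terminate & Block;
  2. check the WinINET proxy values for a proxy pointing back at the local machine.
The log layout "timestamp, parent, action, target" is an assumption; the
sample lines are constructed (file names echo the thread, paths and times are invented).
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
2011-03-12 21:14:03, explorer.exe, Block File, C:\\Users\\me\\AppData\\Local\\Temp\\vsxwwyatsbl.exe
2011-03-12 21:14:05, explorer.exe, Block File, C:\\Users\\me\\AppData\\Local\\Temp\\caa8d3ae.exe
2011-03-12 21:14:08, explorer.exe, Block File, C:\\Users\\me\\AppData\\Local\\Temp\\vsxwwyatsbl.exe
2011-03-12 21:14:12, explorer.exe, Block File, C:\\Users\\me\\AppData\\Local\\Temp\\a83a4cf2.exe
2011-03-12 21:14:13, explorer.exe, Block File, C:\\Users\\me\\AppData\\Local\\Temp\\vsxwwyatsbl.exe
2011-03-12 21:14:20, out[1].bat, Modify Key, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<parent>[^,]+), "
    r"(?P<action>[^,]+), (?P<target>.+)$"
)


def summarise_block_events(log_text):
    """Map (parent, target) -> (blocked launch count, shortest gap in seconds).

    A target that the same parent re-launches every few seconds is the signature
    of a persistence mechanism still in place, even though each launch is blocked.
    """
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("action") == "Block File":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            stamps[(m.group("parent").lower(), m.group("target"))].append(ts)
    summary = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = (len(times), min(gaps) if gaps else None)
    return summary


PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK = ("127.", "localhost", "::1")


def assess_proxy_settings(values):
    """Return findings for a dict of Internet Settings values (ProxyEnable,
    ProxyServer, AutoConfigURL). ProxyServer is "host:port" or
    "http=host:port;https=host:port;...". A proxy on the local machine means
    something on this host is sitting between the browser and the network."""
    findings = []
    if int(values.get("ProxyEnable", 0)) == 1:
        server = str(values.get("ProxyServer", ""))
        for entry in filter(None, server.split(";")):
            hostport = entry.split("=", 1)[-1].strip()
            host = hostport.rsplit(":", 1)[0].strip("[]").lower()
            if host.startswith(LOOPBACK):
                findings.append(f"proxy enabled and pointed at loopback: {hostport}")
        if not findings:
            findings.append(f"proxy enabled (confirm it is expected): {server}")
    if values.get("AutoConfigURL"):
        findings.append(f"proxy auto-config script set: {values['AutoConfigURL']}")
    return findings


def read_wininet_proxy():
    """Read the live per-user WinINET values on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not present
    return values


if __name__ == "__main__":
    for (parent, target), (count, gap) in summarise_block_events(SAMPLE_EVENTS).items():
        print(f"{parent} -> {target}: {count} blocked launches, shortest gap {gap}s")
    # Constructed values mirroring what the poster found; live values on Windows.
    values = read_wininet_proxy() if sys.platform == "win32" else {
        "ProxyEnable": 1, "ProxyServer": "127.0.0.1:50370"}
    for finding in assess_proxy_settings(values):
        print("proxy finding:", finding)
```

Clearing the proxy values (ProxyEnable back to 0, ProxyServer removed) only undoes the symptom; the finding worth acting on is that something on the machine was meant to receive the redirected browser traffic, which is the reason to look for whatever was listening on that port while it was still running (netstat -ano shows the owning PID).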

I was only trying to explain to kinemitor that one actually can be infected without actively doing anything.

Nevertheless, for what you are concerned with, we are probably faced not with a trojan but with some malicious adware; the analysis of the source page at cracked.com shows in this regard that it is full of dozens of javascripts.

Even if not very comfortable, blocking javascript in your browser should be enough (e.g., Firefox NoScript).

Assuming you don’t, and that javascript actually runs from an iframe without your intervention, bat is supposed to be a protected executable and should not run without Defense+ intervention (I made this test again by writing a bat on my desktop; I have no way to launch it without being intercepted by Defense+).

Without even speaking of globally allowing javascript (one should never do that), and speaking only of Comodo, your settings therefore seem to be defective as they should not allow a bat to run without your permission.

Nah, all you need to do is block third-party scripts that are hosted off-site. Unless you visit questionable sites (warez, porn, etc.) you’re pretty safe allowing locally hosted scripts to run. Any legit site isn’t going to be stupid enough to host malicious scripts locally.

Disabling Javascript globally breaks a great deal of the websites out there, which is a kneejerk reaction to a possible threat. Javascript isn’t evil…

I visit Cracked daily. Never had a problem. I do however block third-party scripts. You can check Cracked yourself at URLVoid.com. All 17 site scanners list the site as clean. Any malware you picked up from visiting the site would have come from third-party scripts (scripts such as ad banners). These are scripts that the site owner has no control over, as they are hosted off-site.

A better approach than disabling Javascript completely is to use the Firefox extension AdBlock Plus and use the filter:

*$script,third-party

This will allow the majority of the websites out there to function normally, while protecting you from third-party scripts.

If you encounter a site like YouTube whose content is delivered through third-party scripts, just add an exception for that domain.

*$script,third-party,domain=~youtube.com
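How the two filters above actually decide, as an added Python example (not Adblock Plus code and not from this post): a request is "third-party" when the registrable domain of the script's host differs from that of the page loading it, and `domain=~youtube.com` switches the filter off for pages on youtube.com and its subdomains. The model covers only the `*` pattern and the script/third-party/domain options used in the thread; the registrable-domain rule (last two labels) is a simplification of the public suffix list a real blocker uses, and every URL in the sample is constructed.

```python
"""Minimal model of the Adblock Plus filters quoted in the thread (added example,
not Adblock Plus code). Only the '*' pattern and the script / third-party /
domain= options are modelled; registrable_domain() is a simplification of the
public suffix list. All URLs below are constructed."""
from urllib.parse import urlsplit


def registrable_domain(host):
    """'static.cdn.example.net' -> 'example.net' (simplified: last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_filter(text):
    """Split 'pattern$opt1,opt2,domain=a|~b' into its pattern and options."""
    pattern, _, opts = text.partition("$")
    flt = {"pattern": pattern, "types": set(), "third_party": None,
           "include": set(), "exclude": set()}
    for opt in [o for o in opts.split(",") if o]:
        if opt.startswith("domain="):
            for d in opt[len("domain="):].split("|"):
                # '~site' disables the filter on that site; 'site' restricts it to that site
                flt["exclude" if d.startswith("~") else "include"].add(d.lstrip("~"))
        elif opt == "third-party":
            flt["third_party"] = True
        elif opt == "~third-party":
            flt["third_party"] = False
        else:
            flt["types"].add(opt)  # resource type: script, image, stylesheet, ...
    return flt


def page_on(page_host, domain):
    """True when the page host is `domain` or one of its subdomains."""
    return page_host == domain or page_host.endswith("." + domain)


def is_blocked(flt, request_url, page_url, resource_type):
    """Decide whether `flt` blocks `request_url` issued by the page at `page_url`."""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    if flt["pattern"] != "*" and flt["pattern"] not in request_url:
        return False  # only '*' and plain substring patterns are modelled
    if flt["types"] and resource_type not in flt["types"]:
        return False
    third_party = registrable_domain(req_host) != registrable_domain(page_host)
    if flt["third_party"] is not None and third_party != flt["third_party"]:
        return False
    if any(page_on(page_host, d) for d in flt["exclude"]):
        return False  # domain=~site: the filter does not apply on that site
    if flt["include"] and not any(page_on(page_host, d) for d in flt["include"]):
        return False
    return True


# Constructed requests: (request URL, page URL, resource type)
SAMPLE_REQUESTS = [
    ("https://www.example-news.com/js/site.js", "https://www.example-news.com/article/1", "script"),
    ("https://ads.example-adnet.net/banner.js", "https://www.example-news.com/article/1", "script"),
    ("https://cdn.example-adnet.net/logo.png", "https://www.example-news.com/article/1", "image"),
    ("https://player.example-cdn.com/base.js", "https://www.youtube.com/watch", "script"),
]


def evaluate(filter_text, requests=SAMPLE_REQUESTS):
    """Return [(request URL, blocked?)] for one filter over the sample requests."""
    flt = parse_filter(filter_text)
    return [(req, is_blocked(flt, req, page, kind)) for req, page, kind in requests]


if __name__ == "__main__":
    for text in ("*$script,third-party", "*$script,third-party,domain=~youtube.com"):
        print(text)
        for req, blocked in evaluate(text):
            print("  ", "BLOCK" if blocked else "allow", req)
```

The first-party script and the third-party image pass both filters; the third-party script on the news page is blocked by both; the third-party player script on the YouTube page is blocked by the first filter and allowed by the second, which is exactly what the exception is for. The same logic is why the approach is only as good as the list of sites you exempt: an exemption applies to every third-party script on that site, ad banners included.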

Read what Sandboxie can do for you when you run the browser in it. That’s a real sandbox, instead of nursing the Comodo sandbox with a thousand tips and suggestions…

But if everyone makes such complicated suggestions for security, with scripts, exceptions etc., no wonder that most people say: security is for nerds, I don’t have time.

It is so easy. Better tell AND show that.

When I hear “make a reboot”… omg, who knows that? Until a reboot a virus can run in the Comodo sandbox… there are computers out there that don’t get rebooted for days…

Isn’t Sandboxie also for nerds?

The sandbox is the “poor man’s” last security, and is itself dubious if not even dangerous.

The relevant question is whether a security software, abstraction made of a “sandbox” (or of Sandboxie), is enough standalone to stop third-party scripting (or, as asked elsewhere, to control hosts files), and I am afraid that the answer is most often no.

Speaking of Comodo alone, and as I said, even if a bat file is automatically downloaded and called from an iframe and a javascript, Comodo knows how to ask whether an executable com, bat or cmd must be launched or not: there’s therefore a defective Comodo setting in the reported event.

Now, I suppose that any sensible person running IE uses its (limited) anti-scripting and anti-ads abilities, and I also suppose that any sensible person running Firefox runs both NoScript and Adblock: they are the only 2 extensions I use (apart from Flash Player when I have no other choice), while it’s enough to read any forum to learn that the large majority of Firefox users use dozens of plugins and extensions.

I suppose all of them are nerds; I am not one in this regard but, yes, a significant proportion of users of all levels don’t rely for their security on only one piece of software.

Sandboxie is a beautiful application and every Windows user should have it installed. It is one product that is ACTUALLY worth paying for and amazingly it’s free.

I think the Windows community owes a big debt of gratitude to Mr Tzur for creating this.

Bye for now.

brucine, somehow we speak different languages… I noticed it with another post.

what do you want to say?

I find your post not useful. You criticise and say nothing better.

I didn’t say: use only Sandboxie, and nothing else!
I wanted to mention that it’s a useful additional thing to the rest (apart from the Comodo sandbox). And that it’s easier than using exceptions and anti-scripting, because I wanted novice users not to be afraid of security because it “looks so difficult and so much”. I use NoScript and Adblock too, but it doesn’t protect you from bad drive-bys… that’s why I use Sandboxie too.

When I say: the use of a real sandbox like Sandboxie would have avoided this infection, you tell me about poor man’s protection… and about dangerous sandboxes… (a dangerous sandbox is: a sandbox which lets things stay on the hard drive and which needs a computer reboot to stop things).
Well, go to other firewalls if you want rich man’s protection. And you can pay for Sandboxie if you want.

Use what protects you, the rest is only opinion!

If you have Comodo Internet Security and Avast installed at the same time, those will conflict.

Were you able to fix the infection you got?

If not, I suggest you try Malwarebytes Anti-Malware: download, install, update and scan, and remove what it finds.

http://www.malwarebytes.org/

A second tip is to download a different web browser, because Internet Explorer is not that good. I would suggest:

Firefox, Opera or Google Chrome instead, because they’re faster and safer than Internet Explorer.

Only if you have the same types of processes running at the same time. For example, if you aren’t running the AV in CIS, running only the AV in Avast will be just fine.