Trojans allowed. Door fell off its hinges. Sticky tape fix. Advice please.

I occasionally click on a link in an email, and every time Comodo warns that “Thunderbird has modified Firefox User Interface, which may be a sign of a trojan”. I always ensure the “Remember answer” box is unchecked because I like the warm feeling of protection when Comodo tells me it is on the job.

Last week I felt an icy blast through my firewall: a door had fallen off its hinges and it no longer protected me from Trojans. I have “cured” it by a minimally invasive hack of the registry, but I do not know if this repair will be any more permanent than using sticky tape to hold a door in place.

I exported the Comodo registry keys and compared with a similar set from a few weeks earlier. Can’t be done: there are approaching 900 “Component White List” keys, regrettably “humanised” without leading zeroes, hence keys “…\2]” and “…\20]” are listed between “…\199]” and “…\200]”, so when a new key is inserted before “…\199]” then “…\2]” etc. are shifted between neighbours they were never close to before. This also happens to “…\3]” etc. etc. etc.
My file comparison utilities throw a wobbly. I would appreciate advice upon a freeware utility that can deal with this situation.

New approach - I searched for “thunderbird.exe” and found brand new entries.
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC\8]
This is for “C:\Program Files\Mozilla Firefox\firefox.exe” and gives a CRC32 value, and has “Num”=dword:00000002.
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC\8\0]
This is for “C:\Program Files\Mozilla Thunderbird\thunderbird.exe”
That is the culprit. I used RegEdit to change its location from C:\ to W:\ (which does not exist), and that has restored my protection against Trojans. I again get warned if I click on an email link.

Under Comodo > Advanced > Miscellaneous > Configure I have now removed ticks from boxes
2. “Do not show any alerts for the applications certified by COMODO”, and
5. “Automatically check for program files updates”, and
6. “Automatically check COMODO certified applications updates”
I removed those ticks because I assume that …\IPC\etc are where Comodo certified applications are stored, and I do not want this weakness sneaking in again.
Relevant information and advice would be appreciated.

I trust Thunderbird, but NOT the emails it might handle.
Thunderbird 2.0.0.6 itself does not trust emails;
I have one particular email mailshot from CNET which sometimes, but not always :-

  1. may get a “possible spam” warning the instant I open the message;
  2. may ask “Are you sure you want to visit …” when I click on a link that is overlaid with a human invitation.

There have always been “Buffer Overflow” vulnerabilities. I guess there always will be unless we exterminate incompetent programmers!!! Only a few months ago there was yet another security patch to fix yet another Buffer Overflow.
Many years ago there were emails that had embedded links that were disguised to lure a naive user into a click and then disaster.
Then there were emails that auto-clicked upon being read - no need for the user to do anything but open to read.
Then disaster if they got to the preview pane - the user did not even have to read it.
Then malformed headers - if the email was received then Outlook Express etc. would automatically read the header so it could list it with subject, sender, and date, and that gave disaster.
Although I hope Thunderbird will never make a mistake and let through something nasty and old, I would rather not depend upon it;
although I hope Thunderbird will be updated to deal with anything nasty and new, I suspect I could be unprotected for several weeks when something new has been invented.

Whatever the problem, If something nasty, old or new, should cause Thunderbird to get on the Internet for evil purposes, I would like to think that Comodo will give me protection. This is why I have restored protection against Trojans.

Whilst looking at …\IPC\8\ etc, I also noticed something horrendous at …\IPC\9.
“C:\Program Files\Windows Live\installer\WLSetupSvc.exe”
This is malware.
It is bloatware which has put 2 GB of crud onto my external hard drive, which holds over 20 historical images of my internal system drive.
Last week I discovered that Windows Live Messenger included a 16 MB rubbish *.msi installer that has NO purpose other than to POSSIBLY remove SOME of the registry settings if I remove Live Messenger, BUT if I do remove Live Messenger this rubbish installer can just about remove most of the stuff in C:\Program Files\Windows Live\Messenger, BUT IT CANNOT REMOVE ITSELF !!! I will admit that this rubbish installer can also re-install Messenger if it gets broken, but this shows lack of confidence by Microsoft in a product that can get broken, AND I would far rather download it again than put up with 100 MB of permanent rubbish on my drive.

How does 16 MB of rubbish become 100 MB? Simple. When Microsoft disables an existing version of Messenger my daughter can no longer communicate until I allow MS to update it, and that gives me yet another rubbish installer - they do not have the intelligence to remove the obsolete version that cannot work any more.

Last week, for a totally unrelated purpose, I did a search for *.msi, sorted in size order, and amongst the top runners I discovered that over the years I had accumulated 6 different versions of Windows Live Messenger, every one of them totally anonymous, mostly with 6 hexadecimal digit names in C:\Windows\Installer, but some in alternative and totally unrelated and unexpected locations and with far more complicated (but still anonymous) names.
If MS has its way, I will finish up with so much rubbish installer junk for Live Messenger (and probably also for anything else created by MS) that my Internal drive will not have any room for any applications !!!
Last week, immediately I saw the 100 MByte wastage, I removed it.
Today, having seen …\IPC\9, I have changed it to permit “W:\ etc.etc.”. If I am to have another rubbish installer dumped on me it should be with my explicit knowledge and consent so that I can instantly minimise the accumulated junk, and not have it happen automatically without my knowledge because MS thinks it will be good for me, and because Comodo have certified it. I would prefer to simply remove …\IPC\9, BUT I suspect I would have to rename/renumber other keys, and perhaps there are other gotchas awaiting the unwary.

n.b. I assume that …\IPC\etc is where Comodo certified applications are held. Does anything else go there ? What is its purpose ?

Alan.b

Your post looks more like a rant than a request for assistance. What exactly is the problem? Try to be a little more concise in your response please.

If you have been messing around with your system that much, or have INDEED been infected by a Trojan, has your antivirus not detected it? Your best bet is to back up all important stuff to, say, a spare hard drive or a double-layer DVD disc and then re-install everything from scratch if it has done that much damage to your system files. Do it from the installation CDs though, as the Trojan will probably have affected your Ghost copy. It happened to me earlier this year.

P.S. I use CPFirewall, Antivir PE Premium (one of the best detection rates going and only about £11) and I use Comodo BOClean to catch trojans and remove them before they damage my system. For antispyware I am at the moment using Spywareterminator (free), as it includes HIPS etc.

Comodo Firewall does protect you. You NEED to read the pop-ups carefully!!

Eric

Zito

Sorry about the rant. I am still steamed after just finding out how much junk MS left on my machine.

EricEgan

I have no evidence of getting a Trojan.
As you say, “You NEED to read the pop-ups carefully!!”, and that is exactly my problem. The pop-ups were not happening, therefore if a Trojan did strike I would not get warned.

To all

I was using a PC before there were Windows. There were many email vulnerabilities I knew about and have so far evaded. I am sure there are now many more which I do not know about or understand. Until Christmas the Internet cost me between 1p and 3p per minute on a dial-up modem, so connection was a very brief affair, and I did not read any emails until after disconnecting to save my pennies, and also to ensure that any attempt to connect me to a hostile site would fail.

Since Christmas I have broadband at zero pence per minute - habits die hard, but I am beginning to relax in the comfort of Comodo Firewall Protection - sometimes I even stay on-line for a whole day!!!

My present concern is that a hostile email may find a vulnerability in Thunderbird that could act as though I had clicked the link, and it would take me to a hostile site. When I click the link and Comodo warns that “Thunderbird has changed the Firefox U.I. … it could be a Trojan”, then I do not feel insulted at being called a Trojan - I am pleased that Comodo warned about this possibility. Last week Comodo gave no such warning, so I assume that if I get a “BAD” email I will not be protected. I assume this is because Comodo have certified Thunderbird as safe and incapable of harm - in which case why has Firefox had another update, and I would not be surprised by a new one for Thunderbird.

What I would like :-

  1. An absolute and categorical assurance that Thunderbird will never launch Firefox as a result of anything that it receives from the Internet or anything else, or failing this
  2. Advice on how I can ensure the Firewall never again places absolute confidence in Thunderbird, but will always warn if there is a possibility that it is acting as a result of malware.

I found that my reduced protection coincided with the arrival of a new registry key set
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC\8\0]
which seems to permit Thunderbird as a parent of Firefox, and when I crippled the path to Thunderbird this immediately restored full protection.

I do not know the purpose of registry …\AppCtrl\IPC\ etc., but Advanced > Miscellaneous refers to Comodo Certified Applications, and I assume this is where they are stored, hence I have blocked Updates to prevent another reduction of protection, but I would appreciate advice - especially if I am doing the wrong thing.

n.b. Registry Hacking is NOT my hobby - it is last resort when all else fails. I am more than happy to use the Application, Component, and Network menus to adjust my protection, but I cannot see any way to counteract something automatic that happened to …\IPC.

Regards
Alan.B
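Added example, not code from the original posts or from Comodo, serving both the export-comparison trouble in Alan's first post and the IPC\8\0 find he repeats in his second: a Python script that parses two regedit .reg exports of the Comodo tree, sorts key paths so numeric components compare as numbers (so \2 no longer lands between \199 and \200), diffs entries by their contents rather than by their slot number (which a line-by-line file comparison cannot do once entries shift), and lists which numbered AppCtrl\IPC entries mention a given executable together with their parent key. The two exports are constructed for the example; the value names "Path" and "CRC32" are assumptions, since the posts name only "Num" and merely describe a path and a CRC32 value.

```python
"""Added example, not code from the forum thread or from Comodo: parse two
regedit .reg exports of the Comodo tree, order keys numerically, diff entries
by content rather than slot number, and list which AppCtrl\\IPC entries mention
a given executable.  Exports are constructed; "Path"/"CRC32" names are assumed."""
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC"

# Constructed "before" export, in the order regedit writes it (string order).
OLD_EXPORT = rf"""Windows Registry Editor Version 5.00

[{BASE}\199]
"Path"="C:\\WINDOWS\\system32\\svchost.exe"
"CRC32"=dword:1a2b3c4d

[{BASE}\2]
"Path"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"CRC32"=dword:0badcafe

[{BASE}\20]
"Path"="C:\\WINDOWS\\explorer.exe"
"CRC32"=dword:deadbeef
"""

# Constructed "after" export: the parent/child pair described in the post.
NEW_EXPORT = OLD_EXPORT + rf"""
[{BASE}\8]
"Path"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"CRC32"=dword:0f00ba12
"Num"=dword:00000002

[{BASE}\8\0]
"Path"="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"
"CRC32"=dword:00c0ffee
"""

_NUM = re.compile(r"(\d+)")

def natural_key(path: str) -> tuple:
    """Sort key placing ...\\2 before ...\\8 before ...\\20 before ...\\199;
    plain string order puts 2 and 20 between 199 and 200."""
    parts = []
    for comp in path.split("\\"):
        for piece in _NUM.split(comp):
            if piece.isdigit():
                parts.append((1, int(piece), ""))
            elif piece:
                parts.append((0, 0, piece.lower()))
        parts.append((2, 0, ""))  # component separator: shorter path sorts first
    return tuple(parts)

def parse_reg(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: raw}}.
    Real exports are UTF-16 with a BOM: open them with encoding="utf-16".
    Hex values continued over several lines (trailing backslash) are joined."""
    dump, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] == ";" or line.startswith("Windows Registry"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            dump[current] = {}
        elif line[-1] == "\\":
            pending = line[:-1]
        elif current is not None:
            name, _, value = line.partition("=")
            dump[current][name.strip('"')] = value
    return dump

def diff_by_content(old: dict, new: dict):
    """Compare entries by their values, not their slot, so an insertion that
    renumbers every later entry still shows up as a single addition."""
    def index(d):
        return {frozenset(v.items()): k for k, v in d.items() if v}
    oi, ni = index(old), index(new)
    added = sorted((ni[c] for c in ni.keys() - oi.keys()), key=natural_key)
    removed = sorted((oi[c] for c in oi.keys() - ni.keys()), key=natural_key)
    return added, removed

def entries_referencing(dump: dict, exe: str):
    """(key, parent key) for every entry whose values mention exe, so a child
    such as IPC\\8\\0 is reported together with the IPC\\8 it hangs under."""
    needle = exe.lower()
    return [(k, k.rsplit("\\", 1)[0]) for k in sorted(dump, key=natural_key)
            if any(needle in v.lower() for v in dump[k].values())]

def analyse(old_text: str, new_text: str, exe: str = "thunderbird.exe") -> dict:
    """Run all three checks; key paths are reported relative to BASE."""
    old, new = parse_reg(old_text), parse_reg(new_text)
    added, removed = diff_by_content(old, new)
    rel = len(BASE)
    return {
        "string_order": [k[rel:] for k in sorted(new)],
        "natural_order": [k[rel:] for k in sorted(new, key=natural_key)],
        "added": [k[rel:] for k in added],
        "removed": [k[rel:] for k in removed],
        "refs": [(k[rel:], p[rel:]) for k, p in entries_referencing(new, exe)],
    }
```

To run it on real exports, read each file with `open(path, encoding="utf-16")` (regedit writes UTF-16 with a BOM) and pass the two strings to `analyse`. On the constructed sample, `added` contains only `\8` and `\8\0` however the other entries are numbered, and `refs` pairs `\8\0` with its parent `\8`, which is the Thunderbird-under-Firefox relationship the poster found by hand.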