Unwanted install of programs after update.

Yesterday, my computer was updating to Win 1903 by itself. After the update, CIS behaved abnormally, so I uninstalled and then reinstalled CIS, following the suggestions on the forum.

After CIS was installed successfully, during the phase of updating the signature files in its first-time scan, a shortcut icon labeled as “Booking” appeared on my desktop and apparently, something unwanted was being installed into my computer.
https://imgur.com/a/Nd9w45h
https://imgur.com/a/4tj77Ux
HIP detected three unrecognized files:
bookingDesktopAppUpdateSetup.exe
Book-with-upd.exe
jz1.exe
https://imgur.com/a/avDMnZq
But CIS didn’t detect any malware upon the completion of the first-time scan.
https://imgur.com/a/0wPITYQ

I then submitted these files to Virustotal and they seem to be malware. Worse, the last two files had never been submitted to Virustotal, suggesting they are designed to morph themselves. I also ran Hitman Pro and it showed my computer was infected.
https://imgur.com/a/xQrfgs9

Today, I restored my computer to the earlier state before the Win 1903 update, using a system image. To make sure my computer was clean, I ran a full scan by CIS and a scan by Hitman Pro, and both showed no sign of infection.

I then uninstalled and reinstalled CIS all over again, except that this time the CIS installer was obtained from the link announced here, instead of the Comodo homepage. Unfortunately, the entire problem just occurred again exactly the same way at exactly the same moment, except that the random-name file “jz1.exe” actually had some other name last time.

Has anyone encountered the same or a similar problem recently? Is it possible that the CIS installer or updater somehow downloaded some virus? (By the way, I am in Taiwan.)

To the best of my knowledge, CIS does not provide the Booking application unless Comodo has a deal for your region of the world.

Could you post the Virus Total reports of the two files? I am curious to find out if they could be false positives.

Here are the Virustotal reports:

I will try uninstallation/reinstallation again using the offline installer.

I assume both times you used the online installer. Could you try installing using the offline installer: http://download.comodo.com/cis/download/installs/1000/standalone/cispremium_only_installer.exe ? I am curious to know if the offline installer would also provide the Booking.com app, assuming it was Comodo bundling it.

At first sight the booking.com program seems to be adware and therefore unwanted. Can you uninstall the booking app from Programs and Features? The verdict on jz.exe shows a downloader related to adware. It may be related to the booking.com app.

CIS would look at Booking-with-upd.exe because it doesn’t scan files bigger than 40 MB.

The Booking.com app can be uninstalled by the standard Add/Remove Programs functionality, though some random-name folders in "\Users.…\AppData\Local\Temp" have to be removed manually. This adware is not too malicious after all.

I have tried the offline installer, and it doesn’t install the Booking.com app.

Out of curiosity, I reinstalled CIS again using the online installer. This time, I found that the Booking.com app is indeed bundled with the installer. Here is the screenshot during the installation:
https://imgur.com/a/rqecX2c
In the first place, I failed to notice this message “hidden” in the picture and thought I was simply accepting the standard end-user agreement.

I am wondering why it seems nobody else on the forum encountered the same problem as I.

These are secondary offers which recently became included in the CIS installation. You can simply click “Decline” if you do not want the program. It’s an offer only as an additional way to support Comodo and you can just Decline that offer if you don’t want it. Not sure why Booking.com was offered; I usually see ones for Winzip or something similar, but even my laptop came with booking.com installed, though it wasn’t a virus, just the app for booking holidays etc. It’s fairly popular here where I am in the UK.

Anyway, we mods don’t have control over those; it’s up to Comodo which products they offer, but having reported it as a virus, hopefully they will remove that choice from their installer. But you are using an offline version, so not sure whether it changes with each installation or not.

Eric

Thank you for testing and confirming that the booking.com app comes bundled when using the online installer in Taiwan. I know that users in Russia (and maybe also Ukraine) get an offer for Yandex that others don’t get.

As the other Eric points out, you can always decline such an offer during the installation.

I must say I am surprised as well there are no other people reporting the booking.com app. Interestingly odd.

Many thanks for you guys’ help. For your information, I confirm that the online installer won’t add any unwanted apps/files, if you simply press “Decline” instead of “Accept” when the installation is presenting the picture of Booking.com.

Thank you for all the testing you did. :-TU

Probably the bundled offers are not present with the online installers linked in the forum release topic, but are found when downloading the installer from the main comodo website. I used the firewall only installer in the release topic and did not get offered anything else to accept or decline.