Quietly concerned!

Hi guys

Just wanted a bit of advice from someone who knows their mouse from keyboard…

I have - or at least I think I have - something that Comodo states is modifying the memory of all my programmes.

The log states:

C:\windows\system32\euabellxi.exe has modified the memory of C:\windows\system32\svchost.exe

Comodo has told me that this ‘euabellxi.exe’ has modified most, if not all, my programmes in memory like above, and my spyware prog picked it up first as ‘Unknown Origin Trojan’ but now it doesn’t see it at all. I am concerned that it has modified my spyware prog and anti-virus, and I even got the same message stating that it had modified the Comodo firewall. I looked into the folder euabellxi is supposed to be in and it isn’t there - and I have checked to see if it is hidden, etc.

As a total techo newbie - I know some stuff, but 90% of what Comodo states when loading and running programmes might as well be in Chinese cos I really don’t understand any of it!

Does anyone think I have a problem?

Regards

Slash

Try to upload it first in http://www.virustotal.com/ or at http://virusscan.jotti.org/ to make sure if it’s malware or not.

Did your antispyware program remove the file it found?

When CFP told you the file was modifying the memory of svchost, did you click allow or block, and did you select to remember what you clicked?

You can check your application monitor rules and see if the file is listed there. Check all the svchost entries as well and remove any pertaining to the suspect file.

Then try re-booting your system and see if you get any further warnings from the firewall. If the firewall settings have no rule allowing or blocking the file and the antispyware program has removed the file, you will get no further warnings. If the file is still on your PC the firewall will warn you again.


Thanx guys…Nice quick response!!!

Firstly, I cannot send file for inspection because it doesn’t exist - ie - where Comodo tells me it is, it’s not actually there. I’ve searched as per My Computer but again, not there. Nothing showing in Task Mgr, etc either.

Secondly, I clicked ‘allow’ on all but that was because I clicked ‘deny’ to start off with and nothing worked - no 'net, no e-mail, nothing. Unless I clicked ‘Allow’ no programmes would open.

‘SuperAntiSpyware’ picked it up at first and removed it - called it ‘Unknown Origin Trojan’. I know where I got it from - Internet Gamebox. The unknown trojan was called something else then, and once I removed it, the same messages came up from Comodo with this new ‘euabellxi.exe’, so I think it’s just duplicated itself and called itself something else, and SuperAntiSpyware doesn’t see it at all now. I also have ‘Spyware Terminator’ which hasn’t seen it either.

My thoughts are whenever I load up ANY new prog this ‘euabellxi.exe’ jumps on it and modifies it before I can do anything - Comodo tells me that is what is happening - could it be modifying it so it remains invisible?

Nothing really important gets done on this PC so it’s not a major issue (unless my PC triggers WWIII)…

Any further suggestions? I could ‘send for analysis’ I s’pose the next time it happens…

Hi again guys

Thought I’d let you know I tried to send for analysis and it wouldn’t let me:

421 Idle Timeout issue

Any suggestions?

You could try using an online scanner such as this one:


Hi again

Ran Spyware Terminator - nothing

Ran SuperAntiSpyware - nothing

Ran Spyware Doctor - found over 400 problems! 211 some kind of trojan alone. However - euabellxi.exe still there!

Running above online Spyware Link as I type. Been at this for like 6 hours now and getting on me nerves!

One thing worth mentioning: turn off your System Restore before you get rid of any confirmed Trojans. Otherwise they may get restored after removal - you can turn it back on after your system is clean.

Are you using BOClean? It is definitely worth having and can clean up a huge number of Trojans.

EDIT: you should also install HijackThis. It can give you a good idea what is going on with any malware on your PC and can aid in removal of some of it. I suggest you remove any trojans that you can with other software and then run HijackThis to see if there are any odd remnants left over.

Follow instructions on this site to disable System Restore. It explains the reason why you need to take that step: http://www.f-secure.com/v-descs/sfc_dis1.shtml
After you’ve cleaned out the infected Restore point, you can re-enable it again.

Once you’ve done that, run a complete AV test. Same goes for anti-spyware. Spybot S&D removes trojans as well, so if you haven’t got it, download it from http://spybot.info

Hey Slash,

Download BOC http://www.comodo.com/boclean/boclean.html

Then reboot into SafeMode with Networking. Install BOC in SafeMode w/Networking (as it will want to update when it installs). Then reboot normally.

BOC works differently than traditional file scanners; this may allow it to spot the malware. If it can detect it, it will stop it and remove it (it will give you a prompt to remove).

LM

No disrespect intended Little Mac, but I still think he needs to disable System Restore first. AV scanners can’t access the protected storage folder and what’s happening at the moment is Slash is disinfecting the machine and then the operating system is overwriting the clean file with the infected one. He has to purge those Restore points first and the only way to do that is to disable System Restore and then reboot.

You are correct, as you had already posted. I probably should’ve clarified, but didn’t feel like reiterating your point. If I had disagreed, I would’ve said so… :wink:

To be perfectly clear, Slash, you should (in our humble opinions) disable System Restore immediately, if not sooner. This is a convenient way for malware to remain in your system. You can enable it again after your system is clean. That oughta make a good headline - “System Restore Restores Virus/Trojan/Etc to System!” ;D

LM

Hi guys

Guess what - as soon as I downloaded BoClean - message : ‘C:\windows\system32\euabellxi.exe has modified BOC425.exe in memory - typical of Virus, Trojan and Spyware behaviour’ shows on screen from Comodo.

Short of an AK47, any other suggestions? I tried to send the report for analysis but I got an error as stated above.

As for System Restore - turned it off and ran all spyware progs again, but not as many show up this time BUT euabellxi.exe seems to be immortal. I know it’s unusual for forums to grant this, but can any of the 5-star Comodo Heroes offer me an e-mail addy so I can screen dump and send an e-mail and show you exactly what Comodo says to me? Maybe you can then send it to Comodo and see what they think…

I will run BO Clean now and see what happens…

Hi,

I didn’t read the problem too closely,

but boot to safe mode, open Task Manager and stop all suspect tasks, then let your virus scans run.

Also make sure you get controlpanel.cpl so you can see startups; go also into the Services tab and check everything there,

then go into Device Manager, check ‘Show hidden devices’ and look especially in legacy drivers.

Also add this to the system variables:

DEVMGR_SHOW_NONPRESENT_DEVICES

and value

1

You have a nasty virus that renames itself and jumps into memory, but you can get it, I’m sure. Good luck.

And don’t delete the virus file if you find it; move it to a diskette and throw the diskette away.

greets

mike

Slash, if this thing is modifying BOC before you can install it, that’s probably not a good thing… :wink:

You may want to reboot into SafeMode with Networking, and download BOC that way. Then install while you’re there, and let it update.

Then reboot.

LM

PS: I’m moving the thread to the Malware removal assistance board.

PPS: Rather than a screenshot, a HijackThis log would be more helpful to those with the skills to interpret it.

Hi Guys

I was very concerned that my post had been deleted then!!!

Anyway - I found that msconfig.exe (from the Run menu) brought up euabellxi along with the command c:windows\system32\euabellxi.exe euabellxi,
location SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Now, I can take the tick out of the box and… it boots up anyway! No tick in the box and every time I load any prog it states euabellxi is modifying whatever I load.

I will give it another hour and then the Fdisk floppy will be coming out of its very dusty packet…
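The two posts above (mike’s checklist of startups, services and hidden devices, and the Run-key entry Slash found with msconfig) describe checks that can be done from a script rather than by clicking through dialogs. The PowerShell below is an added example written for this thread, not code from the forum or from Comodo: it lists every value in the standard HKLM/HKCU Run and RunOnce keys, extracts the executable path from each command, and reports whether that file is actually on disk (hidden and system files included, which is what `-Force` adds over a normal Explorer search), together with its SHA-256 so the file can be looked up on VirusTotal or Jotti. The Run-key paths and the DEVMGR_SHOW_NONPRESENT_DEVICES variable are real Windows names; the function names are my own.

```powershell
# Added example for this thread (not Comodo's or the forum's code).
# Run from an elevated PowerShell prompt on the machine being checked.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line.
# Handles both  "C:\dir\prog.exe" /arg  and  C:\dir\prog.exe arg  forms.
function Get-ExePathFromCommand {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        return ($cmd -split '"')[1]
    }
    return ($cmd -split '\s+')[0]
}

# One record per autostart value: where it lives, what it runs, and whether
# the referenced file really exists (hidden/system files are included via -Force).
function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider's own PSPath/PSParentPath/... metadata properties.
            if ($p.Name -like 'PS*') { continue }

            $exe  = Get-ExePathFromCommand -Command ([string]$p.Value)
            $exe  = [Environment]::ExpandEnvironmentVariables($exe)
            $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue

            $hidden = $null
            $hash   = $null
            if ($file) {
                $hidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }

            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Exists  = [bool]$file
                Hidden  = $hidden
                SHA256  = $hash
            }
        }
    }
}

Get-AutostartReport | Format-Table -AutoSize

# Device Manager normally hides devices that are not currently present.
# Setting this variable for the session before launching it shows them,
# which is the same effect as the system-variable change mike suggests.
$env:DEVMGR_SHOW_NONPRESENT_DEVICES = 1
Start-Process devmgmt.msc
```

Two caveats worth keeping in mind when reading the output. An entry whose file shows `Exists = False` is not automatically harmless: a command that names only a bare program name (no directory) is resolved through the PATH at logon, and this script does not replicate that lookup. Conversely, malware that hides itself while running, as this thread suspects, may also be invisible to `Get-Item`, which is why the advice to boot into Safe Mode before checking still stands; the script only confirms what the registry points at, it does not replace a scan.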

Hiya again

I found msconfig.exe and the start up menu had euabellxi.exe in it - ticked the box and it came back. Ticked it again and - didn’t boot up.

Still listed as a start up icon and now time to kill it for good!

Time for a well earned :■■■■

You could try running the F-Secure BlackLight rootkit detector. Might get rid of any left over nasty…

http://www.f-secure.com/blacklight/try_blacklight.html

Hi guys

Found the little ■■■■■■ now I’ve disabled it - it is in the start up menu, but now that’s disabled it can’t hide itself.

However, I don’t know how to proceed in getting rid of it - no antispyware/antivirus can detect it and I’m not sure if just deleting the file is ample. System Restore is still off though.

The two sites given by a previous poster state my virus is: Virus.Win32.Fileinfector.gen (VirusTotal) and Heur.W32 (Jotti.org).

FYI: There are 3 euabellxi files - euabellxi.exe, euabellxi.dat and euabellxi_navps.dat - when these are running they are totally invisible - cannot be detected, and the only way I knew they were there was that Comodo Firewall told me all this was going on. What does the file extension mean? I know ‘exe’ = executable but unsure what the ‘dat’ files are and why they are there.

I advised SuperAntiSpyware of the problem and - told to ask Spyware Doctor! Service with a smile…

What does everyone advise?

DING ■■■■ THE WITCH IS DEAD - WHICH OLD WITCH - THE EUABELLXI WITCH!!!

Well, I was advised by a fountain of computer wisdom - also known as a techo wizard - that deleting them would be OK. One deletion and removal of System Restore, plus a registry clean straight after, and euabellxi.exe is no more.

Please tell one and all the Internet Gamebox has amazing games in it. Pity about the nasties that come with it too.

However, thanx for all the support. When I win the lottery I’ll buy you all a :■■■■

Regards

Slash1975