Just wanted a bit of advice from someone who knows their mouse from keyboard…
I have - or at least I think I have - something that Comodo states is modifying the memory of all my programmes.
The log states:
C:\windows\system32\euabellxi.exe has modified the memory of C:\windows\system32\svchost.exe
Comodo has told me that this ‘euabellxi.exe’ has modified most, if not all my programmes in the memory like above and my spyware prog picked it up first as ‘Unknown Origin Trojan’ but now it doesn’t see it at all. I am concerned that it has modified my spyware prog, anti virus and I even got the same message stating that it had modified the Comodo firewall. I looked into the folder euabellxi is supposed to be in and it isn’t there - and I have checked to see if it is hidden, etc.
As a total techo newbie - I know some stuff but 90% of what Comodo states when loading and running programmes might as well be in Chinese cos I really don’t understand any of it!
Did your antispyware program remove the file it found?
When CFP told you the file was modifying the memory of svchost did you click allow or block and did you select to remember what you clicked?
You can check your application monitor rules and see if the file is listed there. Check all the svchost entries as well and remove any pertaining to the suspect file.
Then try re-booting your system and see if you get any further warnings from the firewall. If the firewall settings have no rule allowing or blocking the file and the antispyware program has removed the file, you will get no further warnings. If the file is still on your PC, the firewall will warn you again.
Firstly, I cannot send file for inspection because it doesn’t exist - ie - where Comodo tells me it is, it’s not actually there. I’ve searched as per My Computer but again, not there. Nothing showing in Task Mgr, etc either.
Secondly, I clicked ‘allow’ on all but that was because I clicked ‘deny’ to start off with and nothing worked - no 'net, no e-mail, nothing. Unless I clicked ‘Allow’ no programmes would open.
The ‘SuperAntiSpyware’ picked it up at first and removed it - called it ‘Unknown Origin Trojan’. I know where I got it from - Internet Gamebox. The unknown trojan was called something else then and once I removed it, Comodo came up with the same messages about this new ‘euabellxi.exe’ so I think it’s just duplicated itself and called itself something else and SuperAntiSpyware doesn’t see it at all now. I also have ‘Spyware Terminator’ which hasn’t seen it either.
My thoughts are whenever I load up ANY new prog this ‘euabellxi.exe’ jumps on it and modifies it before I can do anything - Comodo tells me that is what is happening - could it be modifying it so it remains invisible?
Nothing really important gets done on this PC so it’s not a major issue (unless my PC triggers WWIII)…
Any further suggestions? I could ‘send for analysis’ I s’pose the next time it happens…
One thing worth mentioning: turn off your system restore before you get rid of any confirmed Trojans. Otherwise they may get restored after removal - you can turn it back on after your system is clean.
Are you using BOClean? It is definitely worth having and can clean up a huge number of Trojans.
EDIT: you should also install HijackThis. It can give you a good idea what is going on with any malware on your PC and can aid in removal of some of it. I suggest you remove any trojans that you can with other software and then run HijackThis to see if there are any odd remnants left over.
Follow instructions on this site to disable System Restore. It explains the reason why you need to take that step: http://www.f-secure.com/v-descs/sfc_dis1.shtml
After you’ve cleaned out the infected Restore point, you can re-enable it again.
Once you’ve done that, run a complete AV test. Same goes for anti-spyware. Spybot S&D removes trojans as well, so if you haven’t got it, download it from http://spybot.info
Then reboot into SafeMode with Networking. Install BOC in SafeMode w/Networking (as it will want to update when it installs). Then reboot normally.
BOC works differently than traditional file scanners; this may allow it to spot the malware. If it can detect it, it will stop it and remove it (it will give you a prompt to remove).
No disrespect intended Little Mac, but I still think he needs to disable System Restore first. AV scanners can’t access the protected storage folder and what’s happening at the moment is Slash is disinfecting the machine and then the operating system is overwriting the clean file with the infected one. He has to purge those Restore points first and the only way to do that is to disable System Restore and then reboot.
You are correct, as you had already posted. I probably should’ve clarified, but didn’t feel like reiterating your point. If I had disagreed, I would’ve said so…
To be perfectly clear, Slash, you should (in our humble opinions) disable System Restore immediately, if not sooner. This is a convenient way for malware to remain in your system. You can enable it again after your system is clean. That oughta make a good headline - “System Restore Restores Virus/Trojan/Etc to System!” ;D
Guess what - as soon as I downloaded BoClean - message : ‘C:\windows\system32\euabellxi.exe has modified BOC425.exe in memory - typical of Virus, Trojan and Spyware behaviour’ shows on screen from Comodo.
Short of an AK47 any other suggestions? I tried to send report for analysis but I got an error as stated above.
As for system restore - turned it off and ran all spyware progs again but not as many show up this time BUT euabellxi.exe seems to be immortal. I know it’s unusual for forums to grant this but can any of the 5-star Comodo Heroes offer me an e-mail addy so I can screen dump and send an e-mail and show you exactly what Comodo says to me. Maybe you can then send to Comodo and see what they think…
I was very concerned that my post had been deleted then!!!
Anyway - I have found via msconfig.exe that the Run menu brought up euabellxi along with the command c:\windows\system32\euabellxi.exe euabellxi
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Now, I can take the tick out the box and… it boots up anyway! No tick in the box and every time I load any prog it states euabellxi is modifying whatever I load.
I will give it another hour and then the Fdisk floppy will be coming out of its very dusty packet…
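The msconfig check above can be done from a script, which also catches the oddity the poster describes: an autostart entry whose target is not visible on disk. This is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell 5.1 or later and an elevated prompt so the HKLM keys can be read.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart entries,
# resolve each command to its executable, and flag entries whose file is
# missing on disk or lacks a valid Authenticode signature.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath([string]$command) {
    # "C:\path with spaces\x.exe" args -> take the quoted part
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c.StartsWith('"')) { return ($c -split '"')[1] }
    # C:\path\x.exe args -> cut at the first .exe
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
        $exe     = Get-ExecutablePath ([string]$prop.Value)
        $present = Test-Path -LiteralPath $exe -PathType Leaf
        $status  = 'missing on disk'
        if ($present) {
            # Genuine Windows binaries in system32 carry a valid signature;
            # a random-named unsigned file there deserves a closer look.
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        $flag = if (-not $present -or $status -ne 'Valid') { '!!' } else { '  ' }
        '{0} {1}\{2} -> {3} [{4}]' -f $flag, $key, $prop.Name, $exe, $status
    }
}
```

Lines marked `!!` are the ones to investigate; a missing or unsigned target in the Run key is the same pattern the firewall log was reporting here.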
Found the little ■■■■■■ now I’ve disabled it - it is in the start up menu but now that’s disabled it can’t hide itself.
However, I don’t know how to proceed in getting rid of it - no antispyware/antivirus can detect it and I’m not sure if just deleting the file is ample. The system restore is still off though.
The two sites given by a previous person who posted state my virus is: Virus.Win32.Fileinfector.gen (VirusTotal) and Heur.W32 (Jotti.org).
FYI: There are 3 euabellxi files - euabellxi.exe, euabellxi.dat and euabellxi_navps.dat - when these are running they are totally invisible - cannot be detected and the only way I knew they were there was Comodo Firewall told me all this was going on. What does the file extension mean? I know ‘exe’ = executable but unsure what and why ‘dat’ files are there.
I advised SuperAntiSpyware of the problem and - told to ask Spyware Doctor! Service with a smile…
DING ■■■■ THE WITCH IS DEAD - WHICH OLD WITCH - THE EUABELLXI WITCH!!!
Well, I was advised by a fountain of computer wisdom - also known as a techo wizard - that deleting them would be OK. One deletion and removal of system restore plus a Registry Clean straight after and euabellxi.exe is no more.
Please tell one and all the Internet Gamebox has amazing games in it. Pity about the nasties that come with it too.
However, thanx for all the support. When I win the lottery I’ll buy you all a :■■■■