Hi,
earlier this afternoon I got a message from the Comodo firewall that some process windows\system32\dmh3ELIg.exe has changed the parent application explorer.exe in memory and that Internet Explorer was trying to connect to the internet. The Comodo message also stated that this was typical trojan behavior. I denied access, but since then I cannot reach the internet anymore with that machine. When I got a similar message from Comodo concerning a Roxio module, I searched for the file and its timestamp was today. I ran Avast against the C: drive (Windows included) and it did not mention this particular file. I searched on the internet for the filename and got 0 results. Idem at the Avast forum. As Comodo invites you to send the problem file to its research center, I tried to do that, but that did not succeed (CF error - host ??? - probably a Comodo server message). I renamed the file and restarted the system. It seems to run fine. I started Internet Explorer and got no further message from the firewall. I am left a little troubled though. Does anybody know more about this file?
Thanks and regards, Rudy
The first issue is more serious, as there should be no need for explorer.exe to connect unless you type a URL into the Address: window, and modifying it in memory (injection) is a classic sign of a trojan at work. I have explorer permanently blocked on my system; if I want to connect to the internet I use my browser. Like you, the dmh3ELIg.exe returns zero hits on Google, which in itself is suspicious.
On the second issue, the Roxio module, you don't say whether this was the same injection of either that module or explorer, etc., or whether it was the same dmh3ELIg.exe doing the modification.
You could also check the offending/suspect dmh3ELIg.exe file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
If detected by multiple scanners, send the sample to virus@avast.com zipped and password protected, with the password in the email body and "undetected malware" in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
- If using WinXP: AVG Anti-Spyware (formerly Ewido), or SUPERAntiSpyware, or Spyware Terminator. Or a-squared Free if using Win98/ME.
Thanks a lot for your advice. I will return when I have run the scanners.
Regards, Rudy
Hi again,
I just sent the file to VirusTotal as an attachment from my mail client. Immediately Avast warned me about a suspicious outgoing attachment. That was fast, I must say. I will post the results from VirusTotal when I have them.
Regards, Rudy.
And hi again. VirusTotal reported lots of suspicions. So, as advised, I sent the info to Avast. Thanks a lot for the help. Regards, Rudy
No problem, glad I could help.
A belated welcome to the forums.