Author Topic: ##Exmodul?? - Weird Virus??  (Read 22787 times)


Fads

  • Guest
##Exmodul?? - Weird Virus??
« on: March 20, 2006, 10:33:44 PM »
Hi there,

I'm having a problem so I thought I'd sign up to this forum and see if anyone can help me :)

About a week ago I noticed my PC lost web connection a lot. Avast! said that the internet connection had timed out to the site I wanted to visit; for example it would say:

Quote
Internet Connection time Out Elapsed: Continue Waiting?
[55exmodula.exe -> yahoo.co.uk]

When I looked at my task manager, I found the 55exmodula.exe application and closed it, and then it worked fine.

I then did a Google search and found nothing.

A few days later I noticed the same behaviour. Only this time the app was exmodulaz.exe, with a different number prefixing the modula bit.
Every now and then the numbers that prefix the modul bit change, and the letters after it but before the .exe change too.

I did another search on Google, only to find that non-English-speaking people have mentioned this behaviour, and even with Google translation I fail to comprehend what's going on.

Neither Avast!, Spybot or adware pick up on this problem, and there are files in my temp folder called ##exmodul??.exe which I constantly delete, only for them to come back. I've even cleared my registry of any files containing the above.

Has anyone here suffered the same behaviour?

Does anyone know what is wrong and how I can remedy this inconvenience?

I thank you all in advance for taking the time to check this thread out.

Yours,

Fads

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ##Exmodul?? - Weird Virus??
« Reply #1 on: March 20, 2006, 11:14:38 PM »
No, but it does appear very suspicious. What I would suggest is a scan with Ewido, which has an excellent trojan DB. Find it here: http://www.ewido.net/en/. Do the scan in safe mode after updating, then follow this up with an avast boot scan. Welcome to the forum.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: ##Exmodul?? - Weird Virus??
« Reply #2 on: March 21, 2006, 09:00:58 PM »
Hi essexboy and Fads,

We solved the mystery of the exmodulag virus before; read this thread here on this forum, and the beautiful Brazilian solution:
http://forum.avast.com/index.php?topic=19474.0

Searching our own forum can lead to immediate results. This was the third person with this infection.

polonus
« Last Edit: March 21, 2006, 09:03:37 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

austinwolfclaw

  • Guest
Heads up about the ExModul worm.
« Reply #3 on: April 22, 2006, 04:27:09 PM »
I got caught with a variation of the worm. This one didn't have a letter after exmodul, so it looked like ##exmodul##.exe.

I followed the steps Rafael posted in english on a french forum (Thanks) and now it's all clean again....my precious computer :)

I posted the minor-revised steps, (the ones regarding the variation) in my LiveJournal at http://austinwolfclaw.livejournal.com

Based on the posts on this board (and the hits I got from Google) this is a rather new worm. I hope Lavasoft, Kaspersky, McAfee, Norton, AVG and others get word of this soon...

I apologize if this was a stupid post, but I should point out there are some folks out there who take instructions word by word. :)

Safe Surfing,
Austin Wolfclaw

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: ##Exmodul?? - Weird Virus??
« Reply #4 on: April 22, 2006, 06:33:06 PM »
Hi austinwolfclaw,

Thanks for your post, feedback like this is always helpful to someone, and we were glad we could help you in some way. I am certain you learn a lot thru' the process of cleaning your own computer in this way, and that is very good, because in a sense you grow the awareness that is needed to stay free of it. You can later help the ones that come after you with this posting of yours, so we help each other in this community, surf safe and stay secure,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Spiritsongs

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #5 on: April 22, 2006, 07:56:48 PM »
:) Hi All:

I looked through the thread on the commentcamarche site and saw an out-of-date version of Sun Java, the "suspect" GetRight program and MessengerPlus3, which can be "infected" with the Lop malware. So I wonder if any of these could be the source of "exmodulag.exe", especially when the thread mentioned that there was a "smss.exe" located in a wrong location. Better to eliminate the source of the problem rather than just the problem!? And to see if an entry like this is in the HJT log:

"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w".
« Last Edit: April 22, 2006, 09:12:31 PM by Spiritsongs »

austinwolfclaw

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #6 on: April 24, 2006, 07:20:15 PM »
OK guys, I have a serious problem here.....
BTW, be sure to add C:\WINDOWS\TEMP to your list of places to find the thing... the installer's there and stuff. HOWEVER

Every time I restart my computer, it seems to reinstall itself, even though I thought I removed everything... but get this... I did a search of the recently modified applications (that is, after I deleted every sign of this worm) and I found nothing suspicious!!!

I have my computer firewall on tight security... if it is indeed coming from the internet, then I can tell you right now, it ain't coming in.

You guys can help me by finding the source of the file. Here are some clues, and you may have to do a LOT of research......

I have Microsoft Update, and not Windows Update. I do not know what files are added and what are deleted; if you guys do, send me a list. Because I notice that the Windows Update feature is disabled on my security program......

More to come... I hope....

~AWC

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: ##Exmodul?? - Weird Virus??
« Reply #7 on: April 24, 2006, 11:16:38 PM »
Hi austinwolfclaw,

Resembles the workings of a worm. Have you found an executable file with the name nvsvcd.exe?

And inside a HijackThis log: O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)?
This might be at the crux of the problem. Would like to hear more, but this has been reported on French antispyware sites.
Look here: http://www.infos-du-net.com/forum/216035-7-exmodul-kesako

See for the O23 HijackThis alerts here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O23Diag

An update to virustotal produced nothing, so it could be a new thing, and sometimes the vulnerability window can be six weeks between those first infected in the wild and protection for the general user through AV or AT or AS software.

It could be a recurring infection of Spambot AZ; for a cleaning session of this, look here: http://forums.techguy.org/security/461118-help-remove-trojan-spambot-az.html
(This is just informative, because the procedures may vary depending on what is found; it is just a guideline of what it should be.) This is how far I have delved into this; now it is your turn to come up with additional information, as you apparently have or had this running on your box, if I am rightly informed.

Also make use of the info here, towards the bottom of the page: http://cbl.abuseat.org/checkploit.html



polonus
« Last Edit: April 25, 2006, 12:00:41 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

grash

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #8 on: April 28, 2006, 06:12:16 PM »
Stumbled upon this forum while searching for "modula", the only common bit, and most of my hits have been in foreign languages. In many years of computing I have NEVER had a virus or worm... I am firewalled at my router, use ZoneAlarm Pro, Norton Antivirus, anti-spyware programs, and even script controls in Mozilla! But here I am... hat in hand :(

I’ll take a look at some of the links offered here, and in the meantime here’s a bit more information I’ve found on my system, maybe something y’all want to clean once you figure out the problem (I had lots of registry entries).  ZoneAlarm keeps exmodulah.exe from running or accessing the web in any of its various forms. 

In the registry under My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\:
C:\DOCUME~1\GRASH\LOCALS~1\Temp\0exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\10exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\16exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\18exmodulag.exe:*:Enabled:Microsoft Update

In \windows\prefetch\:
3EXMODULAP.EXE-03BE097F
57EXMODULAP.EXE-07C6782A

Process running as local user:
49exmodular.exe

Any other suggestions? 

Thanks!

GRASH

Tweak

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #9 on: April 29, 2006, 07:15:42 PM »
<<<Tweak- I just got hit by a wonderful Trojan/Worm tried to send out emails as well as lock things up, it also somehow deactivated my Norton antivirus. For me it was file 73exmodul32.exe that was causing it, took a while but I found this solution on a French website, posted by a Brazilian in English, as mentioned above. Thought I’d spread the word. I did all my searches with exmod >>>

This was the sequence of actions I used to get rid of these damn files:

Check the processes of Windows Task Manager for .exe files with numbers followed by "exmodula" plus a letter, for example:

46exmodulag.exe

As it was written above, this name varies, in my computer I had several different files, some using "exmodulaf" and "exmodulag". End the process.

Next, go to your

C:\Documents and Settings\Rafael\Local Settings\Temp\

where "Rafael" varies according to the username on your computer. You’ll find several files that follow the format described above. (**exmodula*.exe). Delete them.

Now perform a search on your registry for the "exmodula" word; you'll probably find references to it in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List key. In this key you'll find something like this:

C:\DOCUME~1\Rafael\LOCALS~1\Temp\46exmodulag.exe:*:Enabled:Microsoft Update

What this key does is to create a fake entry on Windows Firewall under the name "Windows Update" for each new **exmodula*.exe file it creates. Remove this entry from the registry.

I thought this was enough, but no, those damn files kept coming back after a while!

So I ran HijackThis 1.99.1 (wonderful little program, by the way) and it found the file smss.exe (file responsible for automatic Windows updates) running in the C:\WINDOWS\system\ folder, which is wrong. This file is responsible for generating the **exmodula*.exe files. Delete it.

NOTICE: the smss.exe file running under C:\WINDOWS\system32\ is a legal file, do not touch it!

<<<Tweak- I did a complete file search for smss.exe and found 5 instances of it, checked the date created and 4 of them were created within the last week, all where they didn't belong>>>

Now search your registry for smss.exe and you’ll find references to it under these keys, delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache

<<<Tweak- That cleaned it all out for me, but I still had to uninstall and completely reinstall Norton. >>>
« Last Edit: April 29, 2006, 10:06:15 PM by Tweak »

charlesbsbio

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #10 on: May 01, 2006, 08:41:52 PM »
I got it too. I found the nvsvcd file before I realized what was wrong. The main thing is my connection shows the sent almost equal to the received, so it is sending information from your computer somewhere. AVG can't find it.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: ##Exmodul?? - Weird Virus??
« Reply #11 on: May 01, 2006, 09:02:08 PM »
Hi charlesbsbio,

Hello, the malware can be identified as Backdoor.Win32.IRCBot.nw,
alias IRC.Bot SS, as you can read here: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=108446
----------
Troj/IRCBot-FP is a backdoor Trojan for the Windows platform.

Troj/IRCBot-FP has the functionalities to:

- disable Anti-Virus applications
- access the internet and communicate with a remote server via HTTP
- allow unauthorized access to the infected computer via IRC
- hide processes

When run Troj/IRCBot-FP copies itself to <System>\smss.exe and creates the following files:

<System>\netf.dll
<System>\nvsvcd.exe

The files netf.dll and nvsvcd.exe are detected as Troj/IRCBot-FP.

Troj/IRCBot-FP sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
<System>\smss.exe /w

Troj/IRCBot-FP creates a service named "Windows Log" and sets registry entries under:

HKLM\System\CurrentControlSet\Services\Windows Log
----------------------------------
Here is some more information about this. Some of the text is in German, but the general information is informative here:

http://virus-protect.org/artikel/dienste/nvsvcd.html

Above link was pre-scanned by Dr.Web (R) daemon for Linux v4.33
(4.33.0.09211) Copyright © Igor Daniloff, 1992-2005

Last update time: 2006-05-01,19:43:27

File size: 34562 bytes


nvsvcd.html - archive HTML
>nvsvcd.html/Script.0 - OK
>nvsvcd.html/Script.1 - OK
>nvsvcd.html/JavaScript.2 - OK
>nvsvcd.html/Script.3 - OK
nvsvcd.html - OK


Just a few steps closer to resolving this phenomenon.

polonus

« Last Edit: May 01, 2006, 09:20:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
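The removal steps Tweak posted in Reply #9 and the indicator list polonus quoted in Reply #11 come down to the same handful of artifacts: numbered exmodul*.exe files in a user's Temp folder, Windows Firewall AuthorizedApplications entries that whitelist them under the name "Microsoft Update", an smss.exe outside system32, the ".nvsvc" Run value, and a "Windows Log" service pointing at nvsvcd.exe. The Python script below is an added example, not code from this thread or from any of the tools named in it: it takes artifacts you have already collected (a process list, prefetch names, registry values) and flags the ones matching those indicators. The function names and the SAMPLE_ARTIFACTS data are constructed for the example from the values quoted in the posts above; it also flags any Temp-resident program whitelisted under an update-sounding name, which goes a little beyond the specific file names in the thread.

```python
import re
import ntpath
from typing import Dict, List, Tuple

# Constructed artifact set built from values quoted in the thread. A real run
# would fill this from Task Manager / tasklist, a .reg export of the keys the
# posts name, and a directory listing of \windows\prefetch.
SAMPLE_ARTIFACTS = {
    "processes": ["explorer.exe", "49exmodular.exe",
                  "C:\\WINDOWS\\system32\\smss.exe"],
    "prefetch": ["NOTEPAD.EXE-0A1B2C3D", "57EXMODULAP.EXE-07C6782A"],
    "firewall_list": [
        "C:\\DOCUME~1\\Rafael\\LOCALS~1\\Temp\\46exmodulag.exe:*:Enabled:Microsoft Update",
        "C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger",
    ],
    "run_values": {
        ".nvsvc": "C:\\WINDOWS\\system\\smss.exe /w",
        "NvCplDaemon": "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    },
    "services": {
        "Windows Log": "C:\\WINDOWS\\system32\\nvsvcd.exe",
        "Spooler": "C:\\WINDOWS\\system32\\spoolsv.exe",
    },
}

# <digits>exmodul<letters/digits>.exe, e.g. 46exmodulag.exe, 73exmodul32.exe
EXMODUL_RE = re.compile(r"^\d*exmodul[a-z0-9]*\.exe$", re.IGNORECASE)
# Prefetch entries carry a "-XXXXXXXX" hash after the image name
PREFETCH_SUFFIX_RE = re.compile(r"-[0-9A-F]{8}$", re.IGNORECASE)
# The only legitimate home of smss.exe (Tweak's NOTICE above)
LEGIT_SMSS_DIR = re.compile(r"^[a-z]:\\windows\\system32$", re.IGNORECASE)

Finding = Tuple[str, str]  # (indicator label, artifact that triggered it)


def basename(path: str) -> str:
    """Last component of a Windows path, prefetch hash suffix stripped."""
    return PREFETCH_SUFFIX_RE.sub("", ntpath.basename(path))


def is_exmodul_name(path_or_name: str) -> bool:
    return bool(EXMODUL_RE.match(basename(path_or_name)))


def is_legit_smss(path: str) -> bool:
    """True only for smss.exe living directly in <drive>:\\windows\\system32."""
    if basename(path).lower() != "smss.exe":
        return False
    return bool(LEGIT_SMSS_DIR.match(ntpath.dirname(path)))


def command_image(command: str) -> str:
    """Executable part of a Run-key command line, without quotes/arguments."""
    m = re.match(r'^\s*"?([^"]*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(artifacts: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []
    for proc in artifacts.get("processes", []):
        if is_exmodul_name(proc):
            findings.append(("exmodul-process", proc))
        elif ("\\" in proc and basename(proc).lower() == "smss.exe"
              and not is_legit_smss(proc)):
            findings.append(("smss-wrong-location", proc))
    for entry in artifacts.get("prefetch", []):
        if is_exmodul_name(entry):
            findings.append(("exmodul-prefetch", entry))
    # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>
    for value in artifacts.get("firewall_list", []):
        path, _scope, _state, display = value.rsplit(":", 3)
        temp_resident = "\\temp\\" in path.lower()
        update_name = display.lower() in ("microsoft update", "windows update")
        if is_exmodul_name(path) or (temp_resident and update_name):
            findings.append(("firewall-whitelist", value))
    for name, command in artifacts.get("run_values", {}).items():
        image = command_image(command)
        if (name == ".nvsvc" or is_exmodul_name(image)
                or (basename(image).lower() == "smss.exe"
                    and not is_legit_smss(image))):
            findings.append(("run-key", f"{name}={command}"))
    for name, image in artifacts.get("services", {}).items():
        if name == "Windows Log" or basename(image).lower() == "nvsvcd.exe":
            findings.append(("service", f"{name}={image}"))
    return findings


if __name__ == "__main__":
    for label, artifact in triage(SAMPLE_ARTIFACTS):
        print(f"{label:20s} {artifact}")
```

The legitimate system32 copy of smss.exe in the sample process list produces no finding, while the Run value pointing at C:\WINDOWS\system\smss.exe does; that distinction is the one Tweak's NOTICE warns about, so the path check rather than the file name is what decides.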

stuzoo

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #12 on: May 11, 2006, 11:15:35 PM »
Hi
I had an xxmodul32.exe

I've deleted the xxmodul32.exe files from my temp dir.
deleted smss.exe from windows\system

I have found the following registry entries
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="smss"
"001"="exmodul32"
which are now deleted
"002"="v0060pin"
"003"="raconfig2500"
"004"="exm"
"005"="steam"
"006"="ninet"
not deleted

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
various entries for "....\Temp\39exmodul32.exe:*:Enabled:Microsoft Update"
now deleted
also entries in the same place for ControlSet002

I deleted all exmod files in windows\prefetch

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
".nvsvc"="C:\WINDOWS\system\smss.exe /w"
deleted

[HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache]
smss entry deleted

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\SysProcs]
"smss.exe"=0

also found in ControlSet001 and CurrentControlSet
not deleted

The only nvsvc* files I found were nvsvc32, which are part of the nvidia drivers and all in the correct place.

I have rebooted and everything seems to be OK.
Cheers
Stuart


gabssnake

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #13 on: December 14, 2006, 12:05:39 AM »
Hey good to find this forum. I also got the "##exmodulXX" thing.
It's pretty new in my system, I think. I don't use antivirus, and I usually have no problems. I do, however, sometimes run an antispyware scan or look for info when I find something odd.

I recently opened a network in WinXP Home to connect with my laptop. I then started to notice that 2 files were created in every shared folder: "setup.exe" and "autorun.inf" (pretty obvious something was wrong). I also have the process ##exmodulXX which really slows down the network, I also have some ##exinXX.X.exe. I'm not sure if they're the same; I'll clean and come back if it doesn't work or if I find something new.

The only thing I've been doing which is different from normal use is that I downloaded some vast quantity of videos (*.mpg) from eMule; maybe it came in one of those, not really sure how I got it.

Just a brief note: I also downloaded some French songs which happened to be unreadable by Media Player but did read in WinAmp. I heard the virus was first detected on French pages...... :p

I'll follow the steps in the linked doc.
I'll also be looking forward if you find ideas of the host file or the way it gets to your system.

Regards,

mauserme

  • Guest
Re: ##Exmodul?? - Weird Virus??
« Reply #14 on: December 14, 2006, 02:38:54 AM »
Quote
I don't use antivirus ...
...I downloaded some vast quantity of videos (*.mpg) from eMule, maybe it came in one of those, not rally sure how I got it.
I'll also be looking forward if you find ideas of the host file or the way it gets to your system.
I think you've answered your own question - P2P with no antivirus invites many problems.

A user at geekstogo found some help with a Dr. Web Cureit Scan followed by a Panda scan.  The thread can be found here

http://www.geekstogo.com/forum/index.php?showtopic=115418

You may need to do this on each of the computers in your network individually.  Keep them non-networked until you get this solved on every one of them or it will likely reinfect previously cleaned machines.

Oh and, by the way, welcome to the forum.
« Last Edit: December 14, 2006, 02:44:28 AM by mauserme »