Other > Viruses and worms

## Exmodul?? - Weird Virus??


Spiritsongs:
:) Hi All:

I looked through the thread on the commentcamarche site and saw an out-of-date version of Sun Java, the "suspect" GetRight program and MessengerPlus3, which can be "infected" with the Lop malware. So I wonder if any of these could be the source of "exmodulag.exe", especially when the thread mentioned that there was a "smss.exe" located in a wrong location. Better to eliminate the source of the problem rather than just the problem!?

And to see if an entry like this is in the HJT log:
"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w".

austinwolfclaw:
OK guys, I have a serious problem here.....
BTW be sure to add C:\WINDOWS\TEMP to your list of places to find the thing... the installer's there and stuff. HOWEVER

Every time I restart my computer, it seems to reinstall itself, even though I thought I removed everything... but get this... I did a search of the recently modified applications (that is, after I deleted every sign of this worm) and I found nothing suspicious!!!

I have my computer firewall on tight security... if it is indeed coming from the internet, then I can tell you right now, it ain't coming in.

You guys can help me by finding the source of the file. Here are some clues, and you may have to do a LOT of research......

I have Microsoft Update, and not Windows Update. I do not know what files are added and what are deleted; if you guys do, send me a list. Because I notice that the Windows Update feature is disabled on my security program......

more to come... I hope....

~AWC

polonus:
Hi austinwolfclaw,

Resembles the workings of a worm. Have you found an executable file with the name nvsvcd.exe?

And inside a HijackThis log: O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)?
This might be at the crux of the problem. I'd like to hear more, but this has been reported on French antispyware sites.
Look here: http://www.infos-du-net.com/forum/216035-7-exmodul-kesako

See the O23 HijackThis alerts here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O23Diag

An update to virustotal produced nothing, so it could be a new thing, and sometimes the vulnerability window can be six weeks between those first infected in the wild and protection for the general user through AV or AT or AS software.

It could be a recurring infection of Spambot AZ; for a cleaning session of this, look here: http://forums.techguy.org/security/461118-help-remove-trojan-spambot-az.html
(This is just informative, because the procedures may vary depending on what is found; it is just a guideline of what it should be.) This is how far I have delved into this; now it is your turn to come up with additional information, since you apparently have or had this running on your box, if I am rightly informed.

Also make use of the info here, towards the bottom of the page: http://cbl.abuseat.org/checkploit.html



polonus

grash:
Stumbled upon this forum while searching for “modula”, the only common bit, and most of my hits have been in foreign languages.  In many years of computing I have NEVER had a virus or worm… I am firewalled at my router, use ZoneAlarm Pro, Norton Antivirus, anti-spyware programs, and even script controls in Mozilla!  But here I am… hat in hand    :(

I’ll take a look at some of the links offered here, and in the meantime here’s a bit more information I’ve found on my system, maybe something y’all want to clean once you figure out the problem (I had lots of registry entries).  ZoneAlarm keeps exmodulah.exe from running or accessing the web in any of its various forms. 

In the registry under My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\:
C:\DOCUME~1\GRASH\LOCALS~1\Temp\0exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\10exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\16exmodulah.exe:*:Enabled:Microsoft Update
C:\DOCUME~1\GRASH\LOCALS~1\Temp\18exmodulag.exe:*:Enabled:Microsoft Update

In \windows\prefetch\:
3EXMODULAP.EXE-03BE097F
57EXMODULAP.EXE-07C6782A

Process running as local user:
49exmodular.exe

Any other suggestions? 

Thanks!

GRASH

Tweak:
<<<Tweak- I just got hit by a wonderful Trojan/Worm tried to send out emails as well as lock things up, it also somehow deactivated my Norton antivirus. For me it was file 73exmodul32.exe that was causing it, took a while but I found this solution on a French website, posted by a Brazilian in English, as mentioned above. Thought I’d spread the word. I did all my searches with exmod >>>

This was the sequence of actions I used to get rid of these damn files:

Check the processes of Windows Task Manager for .exe files with numbers followed by "exmodula" plus a letter, for example:

46exmodulag.exe

As was written above, this name varies; on my computer I had several different files, some using "exmodulaf" and "exmodulag". End the process.

Next, go to your

C:\Documents and Settings\Rafael\Local Settings\Temp\

where "Rafael" varies according to the username on your computer. You’ll find several files that follow the format described above. (**exmodula*.exe). Delete them.

Now perform a search on your registry for the word "exmodula"; you'll probably find references to it in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List key. In this key you'll find something like this:

C:\DOCUME~1\Rafael\LOCALS~1\Temp\46exmodulag.exe:*:Enabled:Microsoft Update

What this key does is to create a fake entry on Windows Firewall under the name "Windows Update" for each new **exmodula*.exe file it creates. Remove this entry from the registry.

I thought this was enough, but no, those damn files kept coming back after a while!

So I ran HijackThis 1.99.1 (wonderful little program by the way) and it found the file smss.exe (file responsible for automatic windows updates) running in the C:\WINDOWS\system\ folder, which is wrong. This file is responsible for generating the **exmodula*.exe files. Delete it.

NOTICE: the smss.exe file running under C:\WINDOWS\system32\ is a legal file, do not touch it!

<<<Tweak- I did a complete file search for smss.exe and found 5 instances of it, checked date created and 4 of them were created within the last week, all where they didn’t belong>>>

Now search your registry for smss.exe and you’ll find references to it under these keys, delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache

<<<Tweak- That cleaned it all out for me, but I still had to uninstall and completely reinstall Norton. >>>
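The checks in the removal sequence above (process names following the numbered "exmodula" scheme, fake "Microsoft Update" entries in the Windows Firewall AuthorizedApplications list pointing into a Temp folder, smss.exe sitting anywhere other than system32, and the O4 autostart line Spiritsongs quoted) can be turned into a small offline triage script. The following is an added example written for this thread, not code from any poster or from HijackThis; it runs over constructed sample data copied from the artifacts quoted in this thread (grash's firewall entries, the process names, the O4 line), and the filename pattern is loosened to `<digits>exmodul<anything>.exe` so it also covers Tweak's `73exmodul32.exe`, which is an assumption about how the names vary rather than something the thread states.

```python
import re
from pathlib import PureWindowsPath

# Naming scheme reported in the thread: a number, "exmodul", a short variable
# tail and ".exe" (46exmodulag.exe, 0exmodulah.exe, 73exmodul32.exe).
# Assumption: the numeric prefix may be any length, including empty.
EXMODULA_RE = re.compile(r"^\d*exmodul\w*\.exe$", re.IGNORECASE)

# The only directory where the real Session Manager smss.exe lives on XP.
LEGIT_SMSS_DIRS = {r"c:\windows\system32"}

# HijackThis O4 line: "O4 - <hive>: [<value name>] <command line>"
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def is_exmodula_name(filename: str) -> bool:
    """True if a bare filename follows the naming scheme from the thread."""
    return EXMODULA_RE.match(filename) is not None


def parse_firewall_entry(entry: str):
    """Parse one value from the AuthorizedApplications\\List key.

    Format: <path>:*:<Enabled|Disabled>:<display name>. The path itself
    contains a colon (drive letter), so split from the right.
    """
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def suspicious_firewall_entries(entries):
    """Entries whose binary matches the naming scheme, or that claim to be an
    update component while the binary lives in a Temp directory."""
    flagged = []
    for entry in entries:
        parsed = parse_firewall_entry(entry)
        if parsed is None:
            continue
        path = PureWindowsPath(parsed["path"])
        in_temp = any(part.lower() == "temp" for part in path.parts)
        claims_update = "update" in parsed["name"].lower()
        if is_exmodula_name(path.name) or (in_temp and claims_update):
            flagged.append(entry)
    return flagged


def suspicious_smss_paths(paths):
    """Every smss.exe path outside the legitimate system32 directory."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == "smss.exe" and str(wp.parent).lower() not in LEGIT_SMSS_DIRS:
            flagged.append(p)
    return flagged


def hjt_o4_target(line: str):
    """Executable path from a HijackThis O4 (autostart) line, or None."""
    m = HJT_O4_RE.match(line)
    if m is None:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):            # quoted path, may contain spaces
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]              # unquoted: first token is the path


def audit(processes, fw_entries, smss_paths, hjt_lines):
    """Run every check and return the findings grouped by artifact type."""
    targets = [t for t in (hjt_o4_target(l) for l in hjt_lines) if t]
    return {
        "processes": [p for p in processes if is_exmodula_name(p)],
        "firewall": suspicious_firewall_entries(fw_entries),
        "smss": suspicious_smss_paths(smss_paths),
        "autostart": [t for t in targets
                      if suspicious_smss_paths([t]) or is_exmodula_name(PureWindowsPath(t).name)],
    }


# Constructed sample data, taken from the artifacts quoted in this thread plus
# two benign entries so the checks have something to leave alone.
SAMPLE_PROCESSES = ["explorer.exe", "49exmodular.exe", "svchost.exe", "73exmodul32.exe"]
SAMPLE_FIREWALL = [
    r"C:\DOCUME~1\GRASH\LOCALS~1\Temp\0exmodulah.exe:*:Enabled:Microsoft Update",
    r"C:\DOCUME~1\GRASH\LOCALS~1\Temp\10exmodulah.exe:*:Enabled:Microsoft Update",
    r"C:\DOCUME~1\GRASH\LOCALS~1\Temp\16exmodulah.exe:*:Enabled:Microsoft Update",
    r"C:\DOCUME~1\GRASH\LOCALS~1\Temp\18exmodulag.exe:*:Enabled:Microsoft Update",
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox",
]
SAMPLE_SMSS = [r"C:\WINDOWS\system32\smss.exe", r"C:\WINDOWS\system\smss.exe",
               r"C:\WINDOWS\TEMP\smss.exe"]
SAMPLE_HJT = [r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
              r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_PROCESSES, SAMPLE_FIREWALL, SAMPLE_SMSS, SAMPLE_HJT).items():
        print(f"{kind}: {len(hits)} suspicious")
        for hit in hits:
            print("   ", hit)
```

Replace the sample lists with a real process listing, an export of the AuthorizedApplications\List key and the paths a full-disk search for smss.exe returns; the script only reports, it deletes nothing, so the removal steps above stay a manual decision.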
