
"exmodul" Virus Or Something - Help!


This topic is locked.
6 replies to this topic

#1 Klyack (Members, 3 posts)

Posted 28 April 2006 - 07:48 PM

Actually, McAfee from time to time greets me with windows warning about some infected .exe created in the Temp directory, each time with a different description (like "malformed archive", "product key viewer", etc.), then another window assures me that the antivirus can't do anything with it. The exe is usually named like "24exmodul32.exe" - the numbers are different each time. I can manually kill the process with the same name and delete the .exe, but after some time the story repeats.
I'm not a complete newbie (I'm a C# developer after all :thumbsup: ), but I have no experience with malware. So I ran a full scan with McAfee, TrojanRemover, TrojanHunter - nothing. SpyBot and AdawareSE just found some dangerous cookies. I tried VundoFix and other stuff from www.atribune.org in Safe Mode - nothing.
Today I tried HijackThis.exe - it found a Backdoor-CXT!
O23 - Service: Windows Log - Unknown owner - E:\WINDOWS\system32\nvsvcd.exe
After the fix the trojan was gone, but the above story repeats again and again, so it's something else. Searching the registry gave me only a list of all the "exmodule"s executed.
Stinger is scanning right now. What else can I do? My log:

Logfile of HijackThis v1.99.1
Scan saved at 8:46:25 PM, on 28/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\McAfee.com\VSO\oasclnt.exe
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ATITool\ATITool.exe
D:\Program Files\eMule\emule.exe
E:\Program Files\Trillian\trillian.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
e:\program files\mcafee.com\agent\mcdetect.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Mozilla Firefox\firefox.exe
e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
D:\Downloads\Anti\stng260.exe
D:\Downloads\Anti\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "E:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] E:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] E:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] E:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [.nvsvc] E:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: ATITool.lnk = E:\Program Files\ATITool\ATITool.exe
O4 - Startup: eMule.lnk = D:\Program Files\eMule\emule.exe
O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - e:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDSched.exe

#2 Klyack (Topic Starter, Members, 3 posts)

Posted 28 April 2006 - 08:55 PM

Seems like I found a solution on some French forum:
C:\WINDOWS\system\smss.exe - was corrupted
Seems to be something new - scanned with Trend and Microsoft tools - nothing.
If someone is interested, I can send a .rar of it to study.

#3 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 29 April 2006 - 07:49 AM

Hello,

C:\WINDOWS\system\smss.exe is not a legit file, because the legit one is present in your system32 folder and not in the system folder. :thumbsup:
That file is also related to BackDoor-CXT.

I guess you already deleted that file?

Also check the next leftover in HijackThis:

O4 - HKLM\..\Run: [.nvsvc] E:\WINDOWS\system\smss.exe /w

Did you also delete the next file, E:\WINDOWS\system32\nvsvcd.exe? Because, as I read from your previous post, you only fixed it in HijackThis.
In this case, HijackThis only stops and disables the service, but doesn't delete the related file.
So I suggest you also delete the related service by running the next command in Start > Run:

sc delete "Windows Log"

Strange that McAfee didn't deal with it and you had to deal with it manually. Normally McAfee is able to find and remove it though.

Yes, please send the rar to the next address: miekiemoesATmalware-research.co.uk (replace AT with @)

By the way, how are things running now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
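The checks applied in the post above (a well-known system image name living outside system32, a service with no owner string, and the order "stop and delete the persistence, then the file, because a HijackThis fix only disables a service") are easy to turn into a triage script. The block below is an added example; it is not code from this thread, from BleepingComputer or from HijackThis. It parses a constructed subset of the log posted above (with the "Windows Log" O23 line from the first post put back, since it had already been "fixed" when the full log was saved) and drafts the cmd.exe commands an XP-era responder would run. The SYSTEM32_ONLY list and the "Unknown owner" rule are assumptions for illustration: "Unknown owner" only means the binary carries no company string (the ATI Smart service in the full log carries the same tag and would need checking), so the plan is meant to be built from findings a human has confirmed.

```python
"""Triage a HijackThis-style log for the pattern in this thread and draft the
clean-up commands. Added example; not code from BleepingComputer or HijackThis."""
import ntpath
import re
from dataclasses import dataclass

# Images that, on Windows XP, legitimately live only in %SystemRoot%\system32.
# Assumption for this example: a short, non-exhaustive list.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample: a subset of the log lines quoted in this thread, plus the
# "Windows Log" service line from the first post (absent from the saved log
# because it had already been "fixed" in HijackThis).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "E:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [.nvsvc] E:\WINDOWS\system\smss.exe /w
O23 - Service: Windows Log - Unknown owner - E:\WINDOWS\system32\nvsvcd.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "process", "run" or "service"
    name: str       # image name, Run value name, or service key name
    path: str       # executable path as printed in the log
    hive: str = ""  # HKLM/HKCU, for Run values only


def executable_of(command):
    """Best-effort: the executable at the front of a Run command line, quotes stripped."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def is_masquerading(path):
    """True when a system32-only image name sits anywhere but ...\\system32.
    A bare name (no directory) is resolved through PATH, so it is flagged too."""
    head, tail = ntpath.split(path)
    if tail.lower() not in SYSTEM32_ONLY:
        return False
    return not head or ntpath.basename(head).lower() != "system32"


def service_key_name(display):
    """HijackThis prints 'Display Name (KeyName)' when the two differ; sc.exe
    takes the key name, so prefer the parenthesised part."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def triage(log_text):
    """Findings worth a human's eyes. 'Unknown owner' only means the service
    binary carries no company string; verify before treating it as malicious."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if is_masquerading(line):
                findings.append(Finding("process", ntpath.basename(line), line))
        elif m := RUN_RE.match(line):
            exe = executable_of(m.group("cmd"))
            if is_masquerading(exe):
                findings.append(Finding("run", m.group("name"), exe, m.group("hive")))
        elif (m := SVC_RE.match(line)) and m.group("owner").lower() == "unknown owner":
            findings.append(Finding("service", service_key_name(m.group("name")), m.group("path")))
    return findings


def remediation_plan(findings):
    """cmd.exe commands for confirmed findings, in the order that matters: remove
    the persistence (service entry, Run value) before the file, or the launcher
    recreates the loop from the first post. A HijackThis 'fix' on an O23 line
    only disables the service; the entry and the file stay behind."""
    steps, removed = [], set()
    for f in findings:
        if f.kind == "service":
            steps += [f'sc stop "{f.name}"', f'sc delete "{f.name}"']
        elif f.kind == "run":
            steps.append(f'reg delete "{f.hive}\\{RUN_KEY}" /v "{f.name}" /f')
        if ntpath.isabs(f.path) and f.path.lower() not in removed:  # skip bare PATH names
            removed.add(f.path.lower())
            steps.append(f'del "{f.path}"')
    return steps


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:8} {h.name:14} {h.path}")
    print("\n".join(remediation_plan(hits)))
```

Needs Python 3.8 or later. On the sample it flags the `.nvsvc` Run value (smss.exe under WINDOWS\system rather than system32) and the "Windows Log" service, and emits `reg delete`, `sc stop`, `sc delete` and `del` lines in that order; the commands are drafted for review, not executed, because an "Unknown owner" hit by itself is a lead rather than a verdict.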

#4 Klyack (Topic Starter)

Posted 29 April 2006 - 10:52 AM

Oops... I haven't deleted anything. I just replaced smss.exe with the original from the Windows CD and restarted.
Now the system is OK (after 12 hours running).
Thanks for the help.
P.S. I did some research on the Internet and found only 3-4 complaints about "exmodul" on some Spanish and Italian forums, but no solutions (except this KESAKO).

#5 miekiemoes (Malware Response Team)

Posted 29 April 2006 - 11:03 AM

Hi,

I just replaced smss.exe with original from Windows CD and restarted


Well, actually that was not needed though... the bad smss.exe is present in the system folder. The good one is present in the system32 folder. So the one in the system folder needs to go, not be replaced. Anyway, if you replaced the bad one present in the system folder with the legit one which is also present in the system32 folder, you should be ok now.

But it is important that you delete the next file as well: E:\WINDOWS\system32\nvsvcd.exe

This is what you were dealing with: http://vil.nai.com/vil/content/v_138575.htm

Edited by miekiemoes, 29 April 2006 - 11:04 AM.


#6 miekiemoes (Malware Response Team)

Posted 29 April 2006 - 11:11 AM

Thanks for the file by the way.

Some do recognise it... this is a report from VirusTotal:
http://www.virustotal.com/en/indexf.html

Engine             Version         Signatures  Result
AntiVir            6.34.0.24       04.20.2006  Worm/Caimbot
Avast              4.6.695.0       04.28.2006  no virus found
AVG                386             04.28.2006  no virus found
Avira              6.34.1.58       04.29.2006  Worm/Caimbot
BitDefender        7.2             04.29.2006  no virus found
CAT-QuickHeal      8.00            04.28.2006  (Suspicious) - DNAScan
ClamAV             devel-20060202  04.27.2006  no virus found
DrWeb              4.33            04.29.2006  DLOADER.Trojan
eTrust-InoculateIT 23.71.142       04.29.2006  no virus found
eTrust-Vet         12.4.2184       04.28.2006  no virus found
Ewido              3.5             04.29.2006  no virus found
Fortinet           2.71.0.0        04.29.2006  suspicious
F-Prot             3.16c           04.29.2006  W32/Methodbod.A@dr - Packed
Ikarus             0.2.59.0        04.29.2006  Backdoor.Win32.Hupigon.BV
Kaspersky          4.0.2.24        04.29.2006  Trojan-Proxy.Win32.Horst.aj
McAfee             4751            04.28.2006  no virus found
Microsoft          1.1372          04.29.2006  no virus found
NOD32v2            1.1513          04.29.2006  a variant of Win32/Agent.TV
Norman             5.90.17         04.28.2006  no virus found
Panda              9.0.0.4         04.29.2006  Suspicious file
Sophos             4.05.0          04.28.2006  no virus found
Symantec           8.0             04.29.2006  no virus found
TheHacker          5.9.7.136       04.29.2006  no virus found
UNA                1.83            04.28.2006  no virus found
VBA32              3.11.0          04.28.2006  suspected of Malware.Agent.52 (paranoid heuristics)

McAfee did a bad job indeed and didn't recognise it, even though it has the full description on the site in my previous post. :thumbsup:

#7 miekiemoes (Malware Response Team)

Posted 05 May 2006 - 02:17 AM

Since there is no feedback anymore, I assume this issue is resolved... so, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



