Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Wed Mar 15, 2006 8:05 pm
[Related message threads merged by administrator. AG]
Running Windows XP.
Recently, I have this .exe wanting to access the internet.
I know, ZA keeps asking.
I have no spyware, and no virus (according to Avast).
This exmodulau keeps wanting to access the net; each time it has
a different number in front of exmodulau.exe, i.e. this time the number
might be 36, next time it might be 60, etc.
I've done a Google, but nothing has come up.
Any feedback will be appreciated.
Thanks very much.
Morbius
Joined: Sep 05, 2005 Posts: 1712
Posted: Wed Mar 15, 2006 8:49 pm
Have you heard the joke? Insanity is doing the same thing over and over and expecting different results. :harhar:
WELL, I'm not sure it's a joke. I see it every day right here in these forums. People keep using the same ol' sick program and wonder why they stay infected.
If your AV or selected AS programs are not cleaning up your mess......then by God change programs!!!!
Instead of Avast, you should be using AVG 7.1 FREE and backing it up with a very good Trojan remover.
"Trojan Hunter" is excellent. For 30 days it's free.....that's all you need to clean up a "Dirty" PC.
I've posted the list that I use to keep myself and my hundreds of customers 100% virus and spyware FREE, at least a hundred times already......So here it is again.
**************************************************
These are the programs I use every day to keep my own PC spotlessly clean.
I suggest every person having any Virus or Spyware issues get these programs
and use them immediately.
Do check for updates to all your security software on a DAILY basis.
SPYWARE/Trojan BLOCKERS/REMOVERS:
Trojan Hunter, is a first class Trojan Horse Virus removal program.
The downloaded version is a 30 day, Fully Functional, free trial.
Use the Free Trial to clean up a Dirty system or buy the retail license to have a year of
full service plus updates. Download "Trojan Hunter" here:
http://www.misec.net/trojanhunter/
From the web page, just click "Download Free Trial Version"
It's a 5.9 meg download.
Spybot Search & Destroy, a great anti Spyware program.
Can be downloaded from:
http://www.pcworld.com/downloads/file_desc...id,22262,00.asp
For instructions on how to set up Spybot for best operation,
See my Spybot Setup instructions on This Webpage.
AdAware SE/Personal. Another top notch anti Spyware program.
Can be downloaded from:
http://www.majorgeeks.com/download506.html
Spyware Blaster, a great Spyware Blocker.
Protects both I.E. and Mozilla Firefox.
Can be downloaded from:
http://www.majorgeeks.com/download2859.html
ANTI-VIRUS PROTECTION:
AVG 7 FREE:
World famous AVG will keep your computer free of viruses, trojans, dialers, etc.
By default, it updates and scans for viruses on a daily basis.
Can be downloaded from:
http://free.grisoft.com/freeweb.php/doc/2/
Save to your desktop and run the install from there.
Immediately get updates. More than one may be required.
Stinger: Stand Alone Virus Scanner
Check for new version, once a week.
Can be downloaded from:
http://vil.nai.com/vil/stinger/
Save to your Desktop and run from there.
vCleaner, Stand Alone Virus Checker from Grisoft.
Can be downloaded from:
http://www.infinitevelocity.com/tips/tips_vcleaner.htm
Save to your Desktop and run from there.
REGISTRY CLEANER:
Easy Cleaner, the best Registry Cleaner I've found so far.
Can be downloaded from:
http://personal.inet.fi/business/toniarts/ecleane.htm
Just scroll down to "Download & Installation" and click on the first floppy disk symbol.
FIREWALL:
The XP windows firewall is only a 50% firewall, blocking incoming hackers but doing nothing to stop any ET that's already on your PC from "Phoning Home". It seems like almost every program you install anymore, wants to "Phone Home". It's a good idea to NOT allow this activity. My suggested Firewall to prevent this activity is the FREE version of a world famous product called "Zone Alarm".
ZA can be downloaded from:
http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za
************************************************
If you do anything less than what I've outlined here.....you're just wasting your time and ours.
NO ONE program will ever protect you against Spyware. I run six different ones myself.
Go Get Em!
:cheers:
The Doctor :thumbup:
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Wed Mar 15, 2006 9:28 pm
Thanks very much for your reply.
We know of those proggys that you listed and we use them as well.
We did a search here too as well as did a google, for the " exmodulau.exe " but no luck.
Does anybody happen to know where it comes from?
And what it does?
This information will be extremely useful.
Thanks a lot...
Edit: BTW, we find that Avast does a better job than AVG. We're not using that any more.
That's why there's Coke & Pepsi. People don't always have the same taste. Same goes
with Avast & avg. We have chosen Avast after trying avg.
Claymore
Joined: Mar 09, 2005 Posts: 2034
Posted: Wed Mar 15, 2006 11:07 pm
Any executable file that can't be found on the internet, and particularly one that can regenerate itself under different names, is surely an object of suspicion.
Suggest you download HiJackThis, run it in its own folder (and not a Temp folder), generate the text log file, and post the result in the Problem Solvers => HiJackThis section of these forums. One of the gurus will be along to take a look.
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Wed Mar 15, 2006 11:32 pm
Thanks very much Claymore & Morbius.
Hijackthis done and posted.
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Wed Mar 15, 2006 11:37 pm
exmodulau keeps trying to access the net.
And it always changes a number in front of the .exe file.
File is below. Thanks for any help; it is greatly appreciated from you Geniuses!!
BTW, 36exmodulau.exe is listed.
Logfile of HijackThis v1.99.1
Scan saved at 12:26:36 PM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT4.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\Motnahp\LOCALS~1\Temp\36exmodulau.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Documents and Settings\Motnahp\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knbc.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.175.160.121:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ePrint 4.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT4.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Cookie Terminator.lnk = C:\Program Files\CookieT\CookieT.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - C:\WINDOWS\SYSTEM32\proxypal.exe
O9 - Extra 'Tools' menuitem: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - C:\WINDOWS\SYSTEM32\proxypal.exe
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34260DAF-318A-4B5A-8778-A861CF2108A5} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
Claymore
Joined: Mar 09, 2005 Posts: 2034
Posted: Thu Mar 16, 2006 12:05 am
Hello Andy,
I took a quick look at your log. Looks like you may have a trojan in there - see the last line of your log file. That 36exmodulau.exe is also in there.
Wait for the experts to guide you.
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Thu Mar 16, 2006 12:25 am
Thanks Claymore, will wait.
I've had this for about 2 weeks now and have been patient.
Can be patient a while longer.
BTW, did the housecall scan, and it didn't find anything. Go figure.
Rons
Joined: Dec 07, 2002 Posts: 5667
Posted: Thu Mar 16, 2006 12:32 am
Hang in there Andy - a HJT pro will be able to help you.
I think most of us who saw your original post are interested in what 36exmodulau.exe is.
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Thu Mar 16, 2006 12:44 am
Cool, thanks very much Rons.
greyknight17
Joined: Feb 03, 2003 Posts: 5058
Location: Brooklyn, NY
Posted: Thu Mar 16, 2006 6:39 pm
Have to mention this...we don't recommend using file sharing programs like eMule as they can only help contribute to spyware/virus infections. I suggest not using it....
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Please download Ewido Security Suite at http://www.ewido.net/en/download/.
1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.
If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.
Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.
Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/forums/ind...showtutorial=61 ).
CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.
Now open Ewido and do a scan on your system.
* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Exit Ewido when it's done.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
Locate and delete the following:
C:\WINDOWS\system\smss.exe - make sure you delete it in the SYSTEM folder ONLY and NOT system32 folder
C:\WINDOWS\system32\nvsvcd.exe
Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.
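An added triage script (my example, not code from any poster in this thread or from the HijackThis tool) that reads the HijackThis log format posted above and flags the kinds of entries greyknight17 singled out: a process running from a Temp folder, a core Windows process name such as smss.exe loaded from outside System32, and an unowned service running straight out of System32; it also lists a configured IE proxy for review. The rules, the Finding class and the sample log lines are my own construction.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format: lines copied from the log posted in this
# thread plus a few benign ones, so the triage runs offline. Not the tool's own output.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\Motnahp\LOCALS~1\Temp\36exmodulau.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.175.160.121:80
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
"""

# Core XP processes that legitimately load only from %SystemRoot%\System32.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" = almost certainly malicious, "review" = needs a human look
    line: str
    reason: str


def split_path(path: str) -> tuple[list[str], str]:
    """Lower-cased (directory components, basename) of a Windows path."""
    parts = [p for p in path.lower().split("\\") if p]
    if not parts:
        return [], ""
    return parts[:-1], parts[-1]


def check_exe(path: str, line: str, what: str) -> list[Finding]:
    """Rules shared by the process list and the O4 autostart entries."""
    dirs, base = split_path(path)
    out = []
    if "temp" in dirs:
        out.append(Finding("high", line, f"{what} executes from a Temp folder"))
    if base in CORE_SYSTEM32 and (not dirs or dirs[-1] != "system32"):
        out.append(Finding("high", line, f"{what} uses core process name {base} outside System32"))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[RO]\d+ - ", line):
            in_processes = False  # first classified entry ends the process list
        if in_processes:
            findings += check_exe(line, line, "Running process")
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            if exe:
                findings += check_exe(exe["path"], line, f"Run entry [{m['name']}]")
        elif m := O23_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            dirs = split_path(exe["path"])[0] if exe else []
            if m["owner"] == "Unknown owner" and dirs and dirs[-1] in ("system32", "system"):
                findings.append(Finding("review", line,
                                        f"service '{m['display']}' has no owner and runs straight from {dirs[-1]}"))
        elif m := PROXY_RE.match(line):
            findings.append(Finding("review", line, f"IE traffic goes through proxy {m['proxy']}; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the script reports the Temp-folder process and the fake smss.exe Run entry as high, and the unowned "Windows Log" service plus the proxy setting for review, while the avast and ZoneAlarm entries pass.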
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Fri Mar 17, 2006 10:31 pm
Thanks very much GreyKnight.
And your opinion about emule is noted. However, we only use this for "legal" purposes and
never download apps, movies, etc.
As in the movie "Poltergeist", when the short lady said: "This house is clean",
the same is for my computer now.
Also, before, with this exmodulau problem, my automatic updates for XP would always be
turned off when rebooting the pc. Now after being cleaned, it's back to normal.
Any idea what that " exmodulau " is? what it's used for? and where it came from?
Following are the 2 log files:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:08:13 AM, 3/18/2006
+ Report-Checksum: D79311A6
+ Scan result:
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup
C:\WINDOWS\SYSTEM\smss.exe -> Backdoor.IRCBot.nw : Cleaned with backup
C:\WINDOWS\SYSTEM32\netf.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\WINDOWS\SYSTEM32\nvsvcd.exe -> Backdoor.IRCBot.nw : Cleaned with backup
C:\WINDOWS\TEMP\IECookies\motnahp@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\Program Files\CoffeeCup Software\Working\index.ASP -> Dropper.Taorao : Cleaned with backup
C:\Program Files\Magic Waterfall Screensaver\MagicWaterfall.exe -> Adware.GAINNetwork : Cleaned with backup
C:\Program Files\Magic Waterfall Screensaver\MW1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Magic Waterfall Screensaver\MW1Uninstaller.exe -> Adware.Gator : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@ehg-nokiafin.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@spylog[1].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Motnahp\Local Settings\Temp\Cookies\motnahp@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Motnahp\Desktop\perl kit\codelifter 5 crack serial keygen.exe -> Backdoor.IRCBot.nw : Cleaned with backup
C:\Documents and Settings\Motnahp\Cookies\motnahp@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP179\A0061093.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP181\A0061127.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP181\A0061145.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP184\A0061224.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP185\A0061249.exe -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP185\A0062223.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP185\A0062244.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP186\A0062265.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP186\A0062294.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP187\A0062317.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP187\A0063316.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP187\A0063334.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP190\A0063390.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP195\A0063489.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP195\A0063509.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP196\A0063543.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP198\A0063589.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP200\A0063626.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP201\A0063651.DLL -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP201\A0063712.exe -> Backdoor.IRCBot.nw : Cleaned with backup
C:\System Volume Information\_restore{387D09E8-7E4C-4731-9469-3B1D83FE5BA9}\RP201\A0063748.dll -> Backdoor.IRCBot.nw : Cleaned with backup
::Report End
=====================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:09:56 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Motnahp\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.175.160.121:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ePrint 4.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT4.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34260DAF-318A-4B5A-8778-A861CF2108A5} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EPrint 4.0 Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint IV\Bin\LPSVS04n.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
====================================================================
Thanks again.
greyknight17
Joined: Feb 03, 2003 Posts: 5058
Location: Brooklyn, NY
Posted: Sat Mar 18, 2006 9:29 am
eMule....I see some crack tool used there that was detected and removed by Ewido...
Don't know what that exmodulau.exe file was for...most likely a trojan or spyware of some kind. We could examine that file earlier if it wasn't deleted....that's if you really wanted to know what it was doing :biggrin:
You don't keep automatic updates enabled? You should be able to disable it through the Security Center.
Fix these in HijackThis again:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
Restart and post a new HijackThis log.
Andy2
Joined: Jul 13, 2003 Posts: 58
Posted: Tue Mar 21, 2006 5:44 pm
Nope. No need to keep posting. Our system is clean and running well, thanks.
BTW, if we wanted your opinion about our apps on our system we would have asked.
The next time, just help, but keep your opinions TO YOURSELF !! understand? duh? :w00t:
Oh, and read the post carefully, we said: after the exmodulau deal started, the auto update
was AUTOMATICALLY turned off, so that had something to do with the rubber or something.
NOTHING WAS DELETED FROM THE ORIGINAL POST. :thumbdown:
there, now we feel better.
carn3y
Joined: Mar 21, 2006 Posts: 1
Posted: Tue Mar 21, 2006 7:31 pm
I got it too, fellas. It changes the number in the prefix ##exmodulau.exe
It also changes the letter in the suffix exmodulau##.exe (every time it is killed, it then launches on restart)
Currently mine is named "10exmodulbb.exe"
It generates in the temp folder. I changed my temp folder, and the thing generating it is not hardcoded; it links to the Windows default temp folder, whatever this is set to
It definitely came from an emule downloaded file
Here is what I found using Process Explorer; this is the command line:
Temp\10exmodulbb.exe http://out.catchonlife.com/nw/r2.txt?jacx-1_9892_1056
It also accesses TCP/IP to various sites trying to mail things
I am a newbie, that's all I know, only string on Google
The exe also uses about 9,000 K memory in Task Manager
Rons
Joined: Dec 07, 2002 Posts: 5667
Posted: Tue Mar 21, 2006 8:01 pm
greyknight17,
Thanks once again for your valuable assistance in helping another member in cleaning up their system. Good job my friend.
And you keep calling 'em like you see 'em! :thumbup: