Is this a virus?

Hi,

I'm running Windows XP, Firefox for my browser and Sygate Personal
Firewall. Over the past couple of days I've noticed a file called
47exmodulbk.exe is trying to access the internet. I've set Sygate to
block the file.

The firewall backtrace on the access attempt comes up with different
destination IP addresses but they all seem to be innocent, for example,
 64.233.163.27/Google.

The 47exmodulbk.exe file is located in the local settings\temp folder.
A number of files with similar names, for example 15exmodulbi.exe,
21exinjjaaf.exe etc are also in the temp folder.

Other than this the computer seems to be working normally.

A McAfee virusscan doesn't come up with anything and I can't find
anything in the virus databases that looks like this - though of course
if the file name is randomly generated it makes looking for information
about it difficult.

I'd appreciate any suggestions about what's going on here?

Thanks

Emmett


Re: Is this a virus?


| Hi,
|
| I'm running Windows XP, Firefox for my browser and Sygate Personal
| Firewall. Over the past couple of days I've noticed a file called
| 47exmodulbk.exe is trying to access the internet. I've set Sygate to
| block the file.
|
| The firewall backtrace on the access attempt comes up with different
| destination IP addresses but they all seem to be innocent, for example,
|  64.233.163.27/Google.
|
| The 47exmodulbk.exe file is located in the local settings\temp folder.
| A number of files with similar names, for example 15exmodulbi.exe,
| 21exinjjaaf.exe etc are also in the temp folder.
|
| Other than this the computer seems to be working normally.
|
| A McAfee virusscan doesn't come up with anything and I can't find
| anything in the virus databases that looks like this - though of course
| if the file name is randomly generated it makes looking for information
| about it difficult.
|
| I'd appreciate any suggestions about what's going on here?
|
| Thanks
|
| Emmett

An oddly named file like "47exmodulbk.exe" executed from the TEMP folder is
certainly suspicious and is likely to be malware.

Please submit a sample of "47exmodulbk.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition,
unless told otherwise, Virus Total will provide the sample to all participating
vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

Generic removal instructions...


If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0.  There are vulnerabilities in them and they are actively being
exploited. It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any versions of Sun Java
prior to Version 5 on the PC, they be removed and Sun Java JRE Version 5.0
Update 6 be installed ASAP.

http://www.java.com/en/download/manual.jsp


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
  http://www.lavasoft.de/
  http://www.lavasoftusa.com/
  http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
  http://security.kolla.de/
  http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
  http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser
Helper Objects that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
  http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit
this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should
reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
and choose which scanner you want to run in Safe Mode.  It is suggested to
run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * *   Please report back your results  * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Is this a virus?

On Thu, 13 Apr 2006 17:29:02 GMT, "David H. Lipman"

Somewhat OT :-)
Rather strangely, on my system the 'file selection' part of this
screen is obscured by an immovable toolbar. This happens in both
IE and FF.

Re: Is this a virus?


[snippage]

What did your anti-virus program say about the file?



Re: Is this a virus?

David/Sanjay,

Thanks for your help. I have to confess that I deleted the .exe files,
on the basis that they were almost certainly up to no good but if they
come back I will scan the files and come back to you. In the meantime I
came across two files sometimes associated with viruses and created on
my computer today.

smss.exe was created in the windows/system directory and nvsvcd.exe was
created in the   windows/system32 directory. I scanned these on
http://www.virustotal.com . The results were as follows:

File: nvsvcd.exe
-----------------------
Date: 04/13/2006 19:47:26 (CET)
AntiVir 6.34.0.24/20060413      found nothing
Avast   4.6.695.0/20060403      found nothing
AVG     386/20060413    found nothing
Avira   6.34.0.56/20060413      found nothing
BitDefender     7.2/20060413    found nothing
CAT-QuickHeal   8.00/20060413   found nothing
ClamAV  devel-20060202/20060413 found nothing
DrWeb    4.33/20060413  found nothing
eTrust-InoculateIT      23.71.128/20060412      found nothing
eTrust-Vet      12.4.2162/20060413      found nothing
Ewido   3.5/20060413    found nothing
Fortinet        2.71.0.0/20060412       found nothing
F-Prot  3.16c/20060413  found [W32/Methodbod.A - Packed]
Ikarus  0.2.59.0/20060413       found nothing
Kaspersky       4.0.2.24/20060413       found nothing
McAfee  4740/20060413   found nothing
NOD32v2 1.1487/20060413 found nothing
Norman  5.90.15/20060413        found nothing
Panda   9.0.0.4/20060413        found nothing
Sophos  4.04.0/20060413 found nothing
Symantec        8.0/20060413    found nothing
TheHacker       5.9.7.129/20060413      found nothing
UNA     1.83/20060413   found nothing
VBA32   3.10.5/20060413 found nothing

File: smss.exe
---------------------
Date: 04/13/2006 19:45:20 (CET)
AntiVir 6.34.0.24/20060413      found [Worm/Caimbot]
Avast   4.6.695.0/20060403      found nothing
AVG     386/20060413    found nothing
Avira   6.34.0.56/20060413      found [Worm/Caimbot]
BitDefender     7.2/20060413    found nothing
CAT-QuickHeal   8.00/20060413   found nothing
ClamAV  devel-20060202/20060413 found nothing
DrWeb    4.33/20060413  found [DLOADER.Trojan]
eTrust-InoculateIT      23.71.128/20060412      found nothing
eTrust-Vet      12.4.2162/20060413      found nothing
Ewido   3.5/20060413    found nothing
Fortinet        2.71.0.0/20060412       found nothing
F-Prot  3.16c/20060413  found [W32/Methodbod.A@dr - Packed]
Ikarus  0.2.59.0/20060413       found nothing
Kaspersky       4.0.2.24/20060413       found nothing
McAfee  4740/20060413   found nothing
NOD32v2 1.1487/20060413 found [a variant of Win32/Agent.TV]
Norman  5.90.15/20060413        found nothing
Panda   9.0.0.4/20060413        found [Suspicious file]
Sophos  4.04.0/20060413 found nothing
Symantec        8.0/20060413    found nothing
TheHacker       5.9.7.129/20060413      found nothing
UNA     1.83/20060413   found nothing
VBA32   3.10.5/20060413 found nothing

Should I be deleting these two files?

Thanks

Emmett
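A small parser for report text in the layout Emmett pasted above, added here as an example (it is not code from the thread or from VirusTotal): it splits a pasted report into its "File:" blocks, counts how many engines flagged each file and collects the names they gave it, so consensus can be judged rather than any single verdict. The embedded excerpt is constructed from the lines above, and the vendor-line format is assumed from them.

```python
import re

# Constructed excerpt in the same text layout as the reports posted above
# (vendor, engine/signature date, result). Not a real submission.
SAMPLE_REPORT = """File: nvsvcd.exe
-----------------------
Date: 04/13/2006 19:47:26 (CET)
AntiVir 6.34.0.24/20060413      found nothing
F-Prot  3.16c/20060413  found [W32/Methodbod.A - Packed]
McAfee  4740/20060413   found nothing

File: smss.exe
---------------------
Date: 04/13/2006 19:45:20 (CET)
AntiVir 6.34.0.24/20060413      found [Worm/Caimbot]
Avast   4.6.695.0/20060403      found nothing
DrWeb    4.33/20060413  found [DLOADER.Trojan]
F-Prot  3.16c/20060413  found [W32/Methodbod.A@dr - Packed]
NOD32v2 1.1487/20060413 found [a variant of Win32/Agent.TV]
Panda   9.0.0.4/20060413        found [Suspicious file]
Sophos  4.04.0/20060413 found nothing
"""

# "<vendor> <engine>/<sigdate> found [<name>]" or "... found nothing"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+found\s+(?:\[(.+)\]|nothing)\s*$")


def parse_reports(text):
    """Map each 'File:' block to {vendor: detection name or None}."""
    reports, current = {}, None
    for line in text.splitlines():
        if line.startswith("File:"):
            current = reports.setdefault(line.split(":", 1)[1].strip(), {})
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            vendor, _engine, name = m.groups()
            current[vendor] = name  # None when the engine found nothing
    return reports


def summarize(results):
    """Detection ratio plus the distinct names given to the sample.
    Generic verdicts such as [Suspicious file] count as detections here."""
    hits = {v: n for v, n in results.items() if n}
    return {
        "engines": len(results),
        "detections": len(hits),
        "ratio": len(hits) / len(results) if results else 0.0,
        "names": sorted(set(hits.values())),
    }
```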


Re: Is this a virus?


| David/Sanjay,
|
| Thanks for your help. I have to confess that I deleted the .exe files,
| on the basis that they were almost certainly up to no good but if they
| come back I will scan the files and come back to you. In the meantime I
| came across two files sometimes associated with viruses and created on
| my computer today.
|
| smss.exe was created in the windows/system directory and nvsvcd.exe was
| created in the   windows/system32 directory. I scanned these on
| http://www.virustotal.com . The results were as follows:
|
| File: nvsvcd.exe
| -----------------------

< snip >

| F-Prot  3.16c/20060413  found [W32/Methodbod.A - Packed]

< snip >

|
| File: smss.exe
| ---------------------
< snip >

| F-Prot  3.16c/20060413  found [W32/Methodbod.A@dr - Packed]

< snip >

|
| Should I be deleting these two files?
|
| Thanks
|
| Emmett

They are definitely new and, based upon the fact that F-Prot is calling them
both by the same base name W32/Methodbod, they are certainly related and should
be removed.  What kind of hooks they have into the OS is unknown.

Since it is new, could it be possible that you could ZIP the two EXE files into
a password protected ZIP file (password = infected) and then send the ZIP
attachment to the AV companies?

http://www.ik-cs.com/suspicious-files.htm


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Is this a virus?

Dave,

Will do. I've done a bit more digging and the behaviour is also
reported together with Hijack This logs at:

http://help.lockergnome.com/lofiversion/index.php/t44706.html and at
http://www.bullguard.com/forum/5/Exmodulau_28948.html

The startup process reference was changed from
C:\WINDOWS\system32\smss.exe to C:\WINDOWS\system\smss.exe

Regards

Emmett


Re: Is this a virus?


| Dave,
|
| Will do. I've done a bit more digging and the behaviour is also
| reported together with Hijack This logs at:
|
| http://help.lockergnome.com/lofiversion/index.php/t44706.html and at
| http://www.bullguard.com/forum/5/Exmodulau_28948.html
|
| The startup process reference was changed from
| C:\WINDOWS\system32\smss.exe to C:\WINDOWS\system\smss.exe
|
| Regards
|
| Emmett

Yes, I see...

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

I came across something similar within the past week related to a new IRCBot
http://www.sophos.com/virusinfo/analyses/trojircbothf.html
http://www.sophos.com/virusinfo/analyses/trojircbotgz.html

Sophos found nothing in the posted Virus Total reports so this may be a new
variant of the above.

You may want to use the following to see if there are "other" Trojans on the PC.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit
this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should
reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
and choose which scanner you want to run in Safe Mode.  It is suggested to
run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * *   Please report back your results  * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
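An added example (not code from the thread or from HijackThis) that checks an O4 startup line like the one Dave quotes above: it parses the line into hive, value name, executable and arguments, and flags a core system binary such as smss.exe being launched from any directory other than system32, which is exactly the change Emmett noticed. The extra process names in SYSTEM32_ONLY and the benign sample lines in the test are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Binaries that live in %SystemRoot%\system32. smss.exe is the one the thread
# shows loading from C:\WINDOWS\system; the others are my assumption of
# further names worth the same check, not from the thread.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# HijackThis "O4" startup line: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_o4(line):
    """Split an O4 line into hive, value name, executable path and arguments.
    Returns None for lines that are not Run/RunOnce registry entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                 # quoted path, may contain spaces
        exe, _, args = cmd[1:].partition('"')
    else:                                   # bare path, first token is the exe
        exe, _, args = cmd.partition(" ")
    return {"hive": m.group("hive"), "name": m.group("name"),
            "exe": exe, "args": args.strip()}


def suspicious_o4(line):
    """Reason string if the entry launches a system32-only binary from
    somewhere else (the thread's C:\\WINDOWS\\system\\smss.exe), else None."""
    entry = parse_o4(line)
    if entry is None:
        return None
    p = PureWindowsPath(entry["exe"])
    if p.name.lower() in SYSTEM32_ONLY and p.parent.name.lower() != "system32":
        return f"{p.name} launched from {p.parent} (expected ...\\system32)"
    return None
```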



Re: Is this a virus?

AVERT WebImmune has reported a new malware.j Trojan on the smss.exe
file.


Re: Is this a virus?


| AVERT WebImmune has reported a new malware.j Trojan on the smss.exe
| file.

That's a heuristic detection.  http://vil.nai.com/vil/content/v_134073.htm

Virus Total doesn't scan submitted files heuristically.  However, the Multi AV
Scanning Tool's McAfee module is programmed to scan heuristically so it can be
used on your PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Is this a virus?

OK,

Reporting back on this problem. I submitted the files to the major vendor
virus scanners using http://www.virustotal.com/flash/index_en.html .

The NVSVCD.EXE file was determined to be malicious by over half of the
scanners. Aliases included W32/Methodbod.A - Packed,
Trojan-Proxy.Win32.Horst.aj and BackDoor-CMQ.

The good news is that (fingers crossed) deleting the offending files
seems to have solved the problem.

Thanks David and the others for the help.

Emmett

