47exmodulag.exe

Hi all…my first post…please be kind…

My avast mail scanner has recently gone crazy, giving me warnings about suspicious emails trying to send, my email program (Eudora) isn’t even running…When this happens I see the following in the task list (win xp pro)

47exmodulag.exe

when I end the process the mail scanner stops and everything is fine. The 47exmodulag.exe will at times change to 6exmodulag or 61exmodulag.exe

I tried to google the process name with no luck…any suggestions??


Welcome to the forums, dad_of_3 :slight_smile:

I have searched for this also and find nothing. From your description, it seems you have some type of mailer malware. This kind of malware has its own mailing program and does not need yours. Still, it is coming from your computer and probably using at least some of the addresses on your computer as well as some of its own.

Is there any more information that you can give us so that someone might recognize this malware?


Whoa, that has to be the fastest forum response ever…I don’t have much more info on my situation, other than to say the process starts up about every 10 - 20 minutes…The avast mail scanner goes nuts, I try to keep up by clicking don’t send…Then do a ctrl-alt-del, and end the process, then I’m good to go…

I have gone through this 4 or 5 times now…I have run spy bot and adaware, and A squared and found nothing…I am presently running a trend housecall scan to see if that finds anything…

Thanks for any help…

Hi dad_of_3

I don’t recognize that process but I would take these initial steps:

If you don’t have a 3rd party firewall installed download Zone Alarm or Kerio and block the outflow of mail (the Windows Firewall will not do this).

Download and install Ewido from

http://www.ewido.net/en/

Schedule a boot time scan with avast! and reboot. Quarantine anything found.

Scan with Ewido and quarantine.

Post again with the results.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

Hi dad_of_3,

In the following thread you will find a beautiful removal instruction
by a Brazilian:
http://www.commentcamarche.net/forum/affich-2090178-xxexmodulae-exe-inconu-du-web
It starts where it describes "Check the procedures of Windows Task manager for exe.files with numbers etc. etc."
Good luck in removing the malware from Documents and Settings and the registry, and deleting smss.exe responsible for the returning updates.

polonus


Hello dad, :wink:

In the link Polonus posted, you might also scroll down until you see this …

< 27 > - XXexmodulae.exe??? inconu du web???
Ajouté par Rafael (15/02/2006 à 16:09 GMT+1)

… as this is in English. This is, I believe, what Polonus was referring to. Notice the bold above as it is easier to see. What Polonus refers to is just below. :slight_smile:

Thanks for finding that, Polonus! :smiley:


Wow…This is certainly the best help forum I have ever experienced!!!

Well, Trend’s on-line scan did find 3 Trojans…whew… I also checked out the Brazilian forum posted by polonus, and I did indeed find 8 of the files in my temp folder…GONE…The only instance of smss.exe was in my system32 folder so I guess I’m good to go…

Once again thanks for everyone’s help!!!


You are welcome, dad_of_3 … we are all glad to help when we can.

Please come back often, learn more, and maybe help others. :slight_smile:


This is something to get used to on the avast forums ;D

A belated welcome to the forums.

hi
I have a similar problem but with files exmodulau.exe exmodular.exe exmodulas.exe
and who knows what else can I get… :frowning:
I have already scanned my computer with Ewido anti-malware but it didn’t help. Although it found some worms or sth. I also went to the web: http://www.commentcamarche.net/forum/affich-2090178-xxexmodulae-exe-inconu-du-web
but it’s an unknown language 4 me and I don’t want to destroy anything in my comp.
HELP ME PLEASE!!!

If something is in a foreign language then use an on-line translation service http://babelfish.altavista.com/ and translate the page from French to English, etc.

You could also check out my post above giving links to hijackthis, tutorials and on-line analysis sites. As the above link (commentcamarche.net/forum/affich-2090178-xxexmodulae-exe-inconu-du-web) is basically a collection of hijackthis log files and people helping to interpret them.

Thank you.:slight_smile:
Everything is ok again. And I hope for good. :slight_smile:
You were very helpful to me.
THANK YOU AGAIN!!! :slight_smile: :slight_smile: :slight_smile:

Glad we could help, welcome to the forums.

Had the same problem, found parts of the answer, but AustinWolfclaw’s blog has a solution to the problem
See posts under ##Exmodul??
The solution at http://austinwolfclaw.livejournal.com
seems to work, but be careful what you delete.

Plus I think this thing may open up access to your system, to other viruses and worms. AVG Free showed a Proxy.cei infection, but missed this completely.
AMD-64 2800+
Nvidia 5500
WinXP sp2

Hello there I was searching for a week for a solution for this virus with all the hard needed protection down and Kaspersky disabled. It is a very nasty Trojan-virus and virus scanners don’t recognize it. Only BitDefender did see the infections xxEXMODUL.32.exe and if you think I have deleted all it is coming right back!

The source of this virus is NVSVCD.exe in C\windows\system32 and watch out! do not delete NVSVCD32.exe because this is from NVidia. I have deleted it and didn’t get the virus back.

I think I am going to use Bitdefender in the future because it was the only one that did see the infections.

Regards AatA.
Amsterdamned

But this is avast forums… Did you try avast in anytime? ::slight_smile:

Hi Amsterdamned,

This malware can be identified as: Backdoor.Win32.IRCBot.nw
alias IRC.Bot SS, as you can read here: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=108446

Troj/IRCBot-FP is a backdoor Trojan for the Windows platform.

Troj/IRCBot-FP has the functionalities to:

  • disable Anti-Virus applications
  • access the internet and communicate with a remote server via HTTP
  • allow unauthorized access to the infected computer via IRC
  • hide processes

When run Troj/IRCBot-FP copies itself to \smss.exe and creates the following files:

\netf.dll
\nvsvcd.exe

The files netf.dll and nvsvcd.exe are detected as Troj/IRCBot-FP.

Troj/IRCBot-FP sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
\smss.exe /w

Troj/IRCBot-FP creates a service named “Windows Log” and sets registry entries under:

HKLM\System\CurrentControlSet\Services\Windows Log

Here is some more information about this. Some of the text is in German but the general information is informative here:

http://virus-protect.org/artikel/dienste/nvsvcd.html

Above link was pre-scanned by Dr.Web (R) daemon for Linux v4.33
(4.33.0.09211) Copyright © Igor Daniloff, 1992-2005

Last update time: 2006-05-01,19:43:27

File size: 34562 bytes

nvsvcd.html - archive HTML

nvsvcd.html/Script.0 - OK
nvsvcd.html/Script.1 - OK
nvsvcd.html/JavaScript.2 - OK
nvsvcd.html/Script.3 - OK
nvsvcd.html - OK

Just a few steps closer to resolving this phenomenon.

polonus
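
The thread recommends HijackThis logs for diagnosis and names concrete indicators (the `NNexmodul*.exe` process names, `nvsvcd.exe`, `netf.dll`, the `.nvsvc` Run value launching `smss.exe /w`, and the "Windows Log" service). The following is an added example, not code from any poster or vendor, that triages a HijackThis-style log against those indicators; the log line layout is assumed from HijackThis 1.99.1 output, and the sample log and its directories are constructed.

```python
import re
from ntpath import basename  # Windows path rules regardless of host OS

# Indicators below are the ones named in the thread; the log is constructed.
PROC_RE = re.compile(r"^\d*exmodul[a-z0-9.]*\.exe$", re.I)  # 47exmodulag.exe, exmodulau.exe ...
BAD_FILES = {"nvsvcd.exe", "netf.dll"}  # exact names, so NVSVCD32.exe is not flagged
RUN_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[([^\]]*)\] (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - .*? - (.+)$")

def exe_name(cmd):
    """Lowercased basename of the executable in a command line (handles spaces)."""
    m = re.match(r'"?(.+?\.(?:exe|dll))(?:"|\s|$)', cmd.strip(), re.I)
    return basename(m.group(1)).lower() if m else ""

def triage(log_text):
    findings, in_procs = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False
        elif in_procs:
            name = exe_name(line)
            if PROC_RE.match(name) or name in BAD_FILES:
                findings.append(("process", line))
        elif (m := RUN_RE.match(line)):
            name = exe_name(m.group(2))
            # The real smss.exe is started by the kernel, never from a Run key.
            if m.group(1) == ".nvsvc" or name == "smss.exe" or name in BAD_FILES:
                findings.append(("run-key", line))
        elif (m := SVC_RE.match(line)):
            if m.group(1) == "Windows Log" or exe_name(m.group(2)) in BAD_FILES:
                findings.append(("service", line))
    return findings

# Constructed sample log; directories are placeholders, the page does not give them.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\NVSVCD32.exe
C:\DOCUME~1\user\LOCALS~1\Temp\47exmodulag.exe

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\smss.exe /w
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Log - Unknown - C:\WINDOWS\system32\nvsvcd.exe
"""

if __name__ == "__main__":
    for kind, line in triage(SAMPLE):
        print(f"{kind:8} {line}")
```

A hit is a lead for the boot-time scan and quarantine steps suggested earlier in the thread, not proof of infection; a clean result only means these particular names were absent.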