http://blogphotohost.com/imgt/372F37cC52daA7632bfdb31GYe2fc679.jpg

The picture displays a heapload of virusses of the same kind, Although Avast can find them, the program is unable to remove it.

Even Avast customer support let me down,i tried to (i don’t have a local isp provider e-mail) send the chested zip files to Virus@Avast.com, however when you make a zip called virus.zip, hotmail blocks off that its being send, gmail also blocks off i mailed about this to riley@avast.com Adam Riley(Technical Support) and i never heard anything back.

Why can’t Avast auto-upload the new virusses that it finds to Avast headquarters server?

Its so annoying, and Avast can’t get rid of this virus on my computer =( Anyway back to the virus.

If you zoom in on the pictures, you can see an e-mail adress, but it isn’t mine, its automatically generated by this virus, the moment you open up your hotmail or gmail, you will find that gmail is already logged in with a to you totally unknown mail adress. That’s seemingly what the virus does. Removing the exe’s from the temporary directory is useless , they seem to be generated (from what i’ve seen) from a file called setup.exe, on deleting that same file, it will just be generated back there next time you restart your computer.

it goes under a wide range of number-character executables like 58exgmtxt.1.exe or 37exinjs.a9.exe.

What is this and how do i get rid of it? Kind reminder is that doing a boot scan, and moving them into quarantine does not help. Avast at this moment is unable to remove this virus as it seems to be stuck in the running memory, windows wil not allow this file to be deleted.

People will blame, even due to privacy, if files from your computer are sent to avast, infected or false positive.
You can ‘add’ the file to Chest and send it from there.

If a virus is replicant (coming and coming again), you should:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).

5. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

I mean it would be nice if the option to upload was there (disabled by default) but your right about the privacy issues that you declared.

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

Currently im up to step 3

Will report back asap.

Hi Darketernal,

This may well be a variation on this virus:

http://forum.avast.com/index.php?topic=27976.0

Subsitute xxexgmregxx.exe for *exmodula.exe and the clean up instructions may work.

Or try AVG Anti-spyware or SuperAntiSpyware as Tech suggested.

followed up till step 3, made bootscan, to no avail (virus persisted)

• Tried Frog clean, to no avail (virus persisted)
• did search on exgmreg in registry and on the entire computer, it does not exist.

http://blogphotohost.com/imgt/9fc64Fd117Cb3634A3024G5c33aZ8bdb.jpg

Unbelievable (not joking) within 1 second after install startup AVG makes immediate notice about 25exinjs.a9.exe. And informs that unknowingly by its user that the computer is being used as a bot to attack other computers. risk = high , name Proxy.Horst.sv

http://blogphotohost.com/imgt/307bFc6c41Cc569Aa00a841G3d39Bce3.jpg

Consequently it found another Trojan.Small.edz after scanning the local harddisks

I was a Lavasoft Spyware user, but have stepped today over into using AVG as i already was wondering why no one mentioned it ,probably due to the inferiority compared to AVG.

Now lets see if my computer is clean again.

Right now, avgas is much better than Lavasoft for sure…

Actually it was mentioned in Tech’s very first response. It’s a pretty common reccommendation around here

My computer didn’t come back clean, even after several AVG scans, when rebooting, the problem resurrects fo

AGV deleted the small edz ,however the Proxy.Horst.sv stays mighty persistant in the temporary even after AVG -reboot- removals.

I assume (maby wrongfully) that this has the Meaning that the virus still resides somewhere else on my computer.

Am currently downloading superantispyware. WIll post results asap.

AVG did a good deal of work, a noticable increase of computerspeed could be felt when working with the computer again.

Did you follow steps 1 and 2?
Maybe you’re infected with rootkits. Try AVG antirootkit and Panda antirootkit.
Rootkit is a ‘hidden’ malware.

After the rootkit scans please post a HijackThis log.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

http://blogphotohost.com/imgt/dfe3Fee8C15fe08A825Zcf4b6e890A0f.jpg

-SUPERAntiSpyware detected these infected items that AVG did not.

• at this moment im having trouble typing, a (program?) is stealing the focus of my cursor making this wepssss sorry will post back later im having trouble.

• http://forum.avast.com died on me.

• Lost internet connection.

After running SUPERAntiSpyware again after reboot, my computer was to no avail still infected.

I was up to step 3, i thank you all for your kind support. Please notify that im doing all the actions of your recommendations as soon as possible. The scans unfortunatly take some time , and because the problem persists even after the scans it takes even more time to push thru the solution given in here.

I will get a hijack this log for you people available as soon as possible along with all the other recommendated solutions.

Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:20 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\ANTI INTERNET\Avast\aswUpdSv.exe
D:\ANTI INTERNET\Avast\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\ANTIIN~1\Avast\ashDisp.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\WINDOWS\system32\svchost.exe
D:\ANTI INTERNET\AVG Anti-Spyware 7.5\avgas.exe
D:\ANTI INTERNET\SUPERAntiSpyware.exe
D:\WINDOWS\system32\devldr32.exe
D:\ANTI INTERNET\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\ANTI INTERNET\Avast\ashMaiSv.exe
D:\ANTI INTERNET\Avast\ashWebSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\ANTI INTERNET\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 124.2.62.2:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {4228DD80-1480-4191-AD71-F4172DC30B73} - D:\WINDOWS\system32\pjgwfsuc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - G:\MASSDO~1\MDHELPER.DLL
O4 - HKLM\..\Run: [avast!] D:\ANTIIN~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [.nvsvc] D:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\ANTI INTERNET\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\ANTI INTERNET\SUPERAntiSpyware.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - G:\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - G:\Mass Downloader\Add_All.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Mass Downloader\massdown.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - D:\Documents and Settings\'\Menu Start\Programma's\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\yahoo bah\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\yahoo bah\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159664718311
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159664707218
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\ANTI INTERNET\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\ANTI INTERNET\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\ANTI INTERNET\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\ANTI INTERNET\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\ANTI INTERNET\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\ANTI INTERNET\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\ANTI INTERNET\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\ANTI INTERNET\Avast\ashWebSv.exe" /service (file missing)

Avast Service files missing? at first glance, that can’t be a good thing. I put all my spyware programs in my special ANTI INTERNET folder anyway hope this log can show you some interesting features.

HJT beta 2.0 resolves the missing file as it doesn’t show the /service but you need to ignore any references to 023 entries for avast, this is a bug in the HJT 1.99.1. Hijackthis is searching for ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service’ (including double quotes and ‘/service’ parameter) as a file, this causes ‘file missing’, because only present is ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe’.

-70exgmtxt.exe horse tries to load itself in the temp, but so

far AVG disallows it.

-D/d WindowsCare , see what it does.

http://blogphotohost.com/show.php?id=eedF671cC50c52eA93B097a6F903f25e

Windows Care solved(that is if its really true what it says) 32 000 problems ,patience is a virtue i guess.

http://blogphotohost.com/imgt/cF3de7c7C3e217AfedfB3137Yf17142d.jpg

-Rebooted, virus is still in my system.
-d/l spyware terminator didn’t seem to do much , the virus remains.
-did a square deep scan, wonder what will showup.
-a-square is a program that i am(even tho its free) unfortunatly not satisfied with, it asks information at start-up before you can use it (asif your not having enough trouble with the virus already) and it traces and delcares directories of stuff that i use as problems.
-At first glance the most satisfying programs where AVG + Superantispyware + Windows Care,however non of them where able to get fully rid of the virus.

This completes up step 1 to 5.

-The above where the downsides,on a positive note even tho the virus persisted, my system has become insanly fast. I experienced a significant lag in my computer, even my moms laptop was faster then my highspeed hand build computer. I can say with certainty that that no longer is the case.

It may be that there is something that is hiding it or restoring it so this might be worth checking out.

See, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

• BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
• PANDA ROOTKIT CLEANER - Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip also see http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx or http://www.pandasoftware.com/.
• AVG ANTI-ROOTKIT - AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.

Used Rafaels solution.

This was the sequence of actions I used to get rid of these damn files: 

Check the processes of Windows Task Manager for .exe files with numbers followed by "exmodula" plus a letter, for example: 

46exmodulag.exe 

As it was written above, this name varies, in my computer I had several different files, some using "exmodulaf" and "exmodulag". End the process. 

Next, go to your 

C:\Documents and Settings\Rafael\Local Settings\Temp\ 

where "Rafael" varies according to the username on your computer. You´ll find several files that follow the format described above. (**exmodula*.exe). Delete them. 

Now perform a search on your registry for the "exmodula" word you´ll probably find references to it in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List key. In this key you´ll find something like this: 

C:\DOCUME~1\Rafael\LOCALS~1\Temp\46exmodulag.exe:*:Enabled:Microsoft Update 

What this key does is to create a fake entry on Windos Firewall under the name "Windows Update" for each new **exmodula*.exe file it creates. Remove this entry from the registry. 

I thought this was enough, but no, those damn files kept coming back after a while! 

So I ran HijackThis 1.99.1 (wonderful little program by the way) and it found the file smss.exe (file responsible for automatic windows updates) running in the C:\WINDOWS\system\ folder, wich is wrong. This file is responsible for generating the **exmodula*.exe files. Delete it. 

NOTICE: the smss.exe file running under C:\WINDOWS\system32\ is a legal file, do not touch it! 

Now search your registry for smss.exe and you´ll find references to it under these keys, delete them. 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache 

Congratulations, it´s done. I hope Google will find this answer, the only reference to this trojan was made here. :)

Going to do restart to see if it works

PROBLEM SOLVED! , working method = rafaels method.

Why Avast, and all the other scanners are unable to ditch this virus is beyond me.

Honestly people, thank you so much for your effort and time

http://forums.offtopic.com/images/smilies/bowdown.gif

http://forums.offtopic.com/images/smilies/bowdown.gif

http://forums.offtopic.com/images/smilies/bowdown.gif

http://forums.offtopic.com/images/smilies/bowdown.gif

I hope Avast reads the forum and includes an option for auto-upload virusses on selection = yes.

I mean , sadly this thread wasn’t much about avast at all, it was an enormous cocktail of spybot downloads and manual override. But it was worth it

You guys rock!!!

Thanks for the follow up