4/27/2006

How to Get Rid of the "XXexmodulae.exe" Virus/Trojan.

This is a particularly nasty mass-mailing worm that not only disables certain antivirus and antimalware software (the very software you would need to delete it) but it also does some VERY NASTY masquerading as Windows System files! The text below is from a Brazilian poster on a French BBS - the only guy I found who got it right! I've edited and numbered it to make it easier to read in English.

Hello, I live in Brazil and I was having the same problem described above, and I found a solution (I'm sorry for posting in English, I can't write in French, I had to use Babelfish to translate your messages above). This was the sequence of actions I used to get rid of these damn files:

1) Check the processes in Windows Task Manager for .exe files named with numbers followed by "exmodula" plus a letter, for example: 46exmodulag.exe
As above, this name varies; on my computer I had several different files, some using "exmodulaf" and "exmodulag". End the process.

2) Next, go to your
C:\Documents and Settings\<Username>\Local Settings\Temp\
folder, where "<UserName>" varies according to the username on your computer.
You'll find several files that follow the format described above (**exmodula*.exe). Delete them.

3) Now perform a search on your registry for the word "exmodula"; you'll probably find references to it in the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
key.

In this key you'll find something like this:

C:\DOCUME~1\Rafael\LOCALS~1\Temp\46exmodulag.exe:*:Enabled:Microsoft Update

What this key does is create a fake Windows Firewall entry under the name "Windows Update" for each new **exmodula*.exe file it creates. Remove this entry from the registry.

4) Look in the C:\WINDOWS\system\ folder. If you find the file smss.exe (the file responsible for automatic Windows updates) running in the C:\WINDOWS\system\ folder, that is wrong.
This file is responsible for generating the **exmodula*.exe files. Delete it!

NOTICE: the smss.exe file running under C:\WINDOWS\system32\ is the real, legal file; do not touch it!

5) Now search your registry for smss.exe and you'll find references to it under these keys; delete them.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache

Congratulations, YOU ARE CLEAN.
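As an added, report-only check (not part of the original post or this blog), the PowerShell script below looks for the five indicators the steps above describe and prints what it finds without deleting anything. It assumes an elevated PowerShell 3.0 or later session on the affected machine, the XP-era C:\Documents and Settings profile layout (plus the current user's $env:TEMP), and that the legitimate smss.exe lives only under system32, as the post states.

```powershell
# Added audit script, not from the original post: reports the indicators from
# steps 1-5 above and deletes nothing. Assumed: elevated session, PowerShell 3+.
$pattern  = '^\d+exmodula[a-z]\.exe$'          # e.g. 46exmodulag.exe
$findings = New-Object System.Collections.Generic.List[string]
# Step 1: running processes whose image name matches the pattern
foreach ($p in Get-Process) {
    $name = "$($p.ProcessName).exe"
    if ($name -match $pattern) { $findings.Add("Process $($p.Id): $name") }
}
# Step 2: matching files in each profile's Local Settings\Temp (XP layout) and in $env:TEMP
$tempDirs = @($env:TEMP)
foreach ($dir in Get-ChildItem 'C:\Documents and Settings' -Directory -ErrorAction SilentlyContinue) {
    $tempDirs += Join-Path $dir.FullName 'Local Settings\Temp'
}
foreach ($d in $tempDirs) {
    if (-not (Test-Path $d)) { continue }
    foreach ($f in Get-ChildItem $d -File -ErrorAction SilentlyContinue) {
        if ($f.Name -match $pattern) { $findings.Add("File: $($f.FullName)") }
    }
}
# Step 3: Windows Firewall authorized-application values that reference exmodula
# (the post names ControlSet001; CurrentControlSet normally resolves to the same set)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($v in (Get-ItemProperty $fwKey).PSObject.Properties) {
        if ("$($v.Name) $($v.Value)" -match 'exmodula') { $findings.Add("Firewall: $($v.Name) = $($v.Value)") }
    }
}
# Step 4: an smss.exe in %SystemRoot%\system rather than system32
$badSmss = Join-Path $env:SystemRoot 'system\smss.exe'
if (Test-Path $badSmss) { $findings.Add("Suspicious file: $badSmss") }
# Step 5: Run and per-user MUICache values pointing at an smss.exe outside system32
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $keys += "Registry::$($hive.Name)\Software\Microsoft\Windows\ShellNoRoam\MUICache"
}
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($v in (Get-ItemProperty $k).PSObject.Properties) {
        $text = "$($v.Name) $($v.Value)"
        if ($text -match 'smss\.exe' -and $text -notmatch 'system32\\smss\.exe') {
            $findings.Add("Registry ${k}: $($v.Name) = $($v.Value)")
        }
    }
}
if ($findings.Count -eq 0) { 'No exmodula/smss indicators found.' } else { $findings }
```

Run it before and after the manual steps: an empty result after cleanup confirms that none of the five indicators remain on the machine.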