Kaj je 11EXMODUL32?!?

First thing I did this morning when i woke up was get rid of a worm McAfee or Lavasoft did not detect....the only thing McAfee did was let me know of worm activity. After pressing CTRL-ALT-DEL i found a proccess called 73exmodul32.exe I closed it and stopped the email the process was trying to send.

Then I searched the web for a solution on how to remove this pecker.....73exmodul32.exe didn't pop up any resutls, i think exmodul did the trick, cuz it gave me a link to completely remove the worm.

I'm gonna give you the steps on how to remove this, so listen up..
..
Check the processes of Windows Task Manager for .exe files with numbers followed by "exmodula"* plus a letter, for example:

46exmodulag.exe (mine was 73exmodul.exe)
*this variation that i had on my comp did not have a letter at the end, it was simply ##exmodul##.

As it was written above, this name varies, in my computer I hadseveral different files, some using "exmodulaf" and "exmodulag". End the process.

Next, go to your

C:\Documents and Settings\Austin Wolfclaw\Local Settings\Temp\

**MAKE SURE SHOW HIDDEN FILES AND SYSTEM FILES ARE SHOWING!! (though i dont think you have to touch your C:/Windows folder)**

where "Austin Wolfclaw" varies according to the username on your computer.You´ll find several files that follow the format described above.(**exmodula*.exe or **exmodula**.exe). Delete them.

Now perform a search on your registry for the "exmodul" word you´ll probably find references to it in the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List key. In this key you´ll find something like this:

C:\DOCUME~1\AUSTIN~1\LOCALS~1\Temp\46exmodulag.exe:*:Enabled:Microsoft Update

Again, look for any variation of exmodul in that tag.

What this key does is to create a fake entry on Windows Firewall under the name "Windows Update" for each new **exmodula*.exe or **exmodul** file it creates. Remove this entry from the registry.

I thought this was enough, but no, those damn files kept coming back after a while!

So I ran HijackThis 1.99.1 (wonderful little program by the way) and it found the file smss.exe (file responsible for automatic windows updates) running in the C:\WINDOWS\system\ folder, wich is wrong. Thisfile is responsible for generating the **exmodula*.exe files. Deleteit.

NOTICE: the smss.exe file running under C:\WINDOWS\system32\ **IS** a legal file, DO NOT TOUCH IT!!

Now search your registry for smss.exe and you´ll find references to it under these keys, delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_USERS\...\Software\Microsoft\Windows\ShellNoRoam\MUICache

(if there is no entry for C:\WINDOWS\system\smss.exe in the MUICache dont worry about it. you probably have a variation of it that doesnt put an entry in there)

And that's it! I'm gonna post an FYI in the Avast! forum about the variation...and the French forum where I found the solution.

Good luck.

UPDATE: Check you C:\WINDOWS\temp folder for exmodul and ex something else..... delete those 2. They create the processes that send the emails.

I hope this will help you.