Strange worm type virus

eddiescott (New Member, joined Oct 14, 2006)
The following executable files seem to load themselves to my \temp directory when I connect to the internet with ADSL:

12exinjs.f.exe
1exhdd.d.exe
26exmodul32e.exe

These files have companion files looking as follows:

injs.i.exe.conf
hdd.d.exe.conf
modul32e.f.exe.conf

If left to run they slow my PC down and use up my internet bandwidth so that it becomes impossible to surf the net.

I have solved the problem by installing ZoneAlarm firewall. I also use Trend OfficeScan antivirus. The files are identified by OfficeScan as a virus of unknown origin.

The problem is that these files reload themselves when I connect to the internet again under a slightly modified name:
32exinjs.g.exe
34exhdd.f.exe
6exmodul32e.exe

Can anyone tell me more about these nasties?
 
If you look through these forums in internet security you will find recommendations and links to various programs to run, like HijackThis, AVG, Ad-Aware, RootkitRevealer etc. Seems you should have had a firewall before you ever connected.
 
It may sound unrelated, but what connection do you use to connect to the internet?
Referring back to Noswal's comment about a Firewall, I am curious to see if you perhaps are connecting using a 56K Modem or ISDN?
 
A search on Google using *exinjs* reveals several references to this virus, mostly in languages other than English, which Google translates. One interesting discussion mentions a French utility called CCleaner that apparently also works well to remove any references in the registry.
 
I use Telkom ADSL 512

Ok. :)
That is good.
Your Router is also like a Firewall. :)

I was thinking of the time I set up a friend's Windows XP machine with Service Pack 1, where the firewall is disabled by default. They use a 56K modem at home, so I set up the machine with all the dial-up connection and plugged it into the phone socket.
I was astonished to discover that the machine had a worm within a couple of minutes, just being exposed to the internet using a 56k modem. :eek:

But this is not the case with your set-up as you have a router?
Perhaps you can try HijackThis to see what is running.
See this thread where I give the links to the program.

Hope this helps.
 
Aw cr*p man...

I hate this cr*p... more and more problems...

My other WinXP PC exhibits the same symptoms, and I'm on 64k ISDN... :rolleyes: gotta have a peek and see if this is the same nasty... *sigh*

A pox on all virus/trojan writers - may their tollies shrivel up and fall off! :mad: :D

///edit : Did you, by any chance, browse a pr0n site or watch some pr0n movies? Some sites do funny things to their movies and you end up with an infected system anyway... :D had a client who used to download pr0n clips at the office and view them at home - both PCs were nuked... which was interesting, given the fact that his home PC never connected to pr0n sites, but to the Internet for general (non pr0n) browsing (can we say spousal unit?) and only to view said clips...
 

Sounds like a polymorphic virus (i.e. changes each time); those are pretty killa to remove. But yeah, searching on Google usually leads to fixes.

any ideas how u picked them up?
 
I am not sure how I picked them up - I'm not into porn - my interests are mostly into news - current affairs and finance as well as computer-related sites. I teach computer studies - may have picked it up from a learner's flash drive. Before ZoneAlarm I used XP Service Pack 2's firewall.
 
I don't think it's a polymorphic virus, since it's downloaded from the internet rather than morphing itself every time it infects another file.
It looks more like adware/spyware or some kind of downloader from your description. There are lots of online virus scan options from various antivirus vendors, and also CureIt! from Doctor Web (great tool for malware removal for free); try them and tell us what you find...
 
Something could have crawled in bound to a freeware app, installed when launching a freeware installer for an MP4 encoder or the like; binding is rather popular.
I'm not on Windows, but you should find the top malware apps and scan your PC, get a rootkit detector and scan, and get a good antivirus package such as Kaspersky and auto-update your definitions with an automatic daily scan. And remember that porn is defo not the only way to grab nasties: 2 months back a million users were loaded when visiting MySpace, whose server had been compromised by a WMF exploit in an ad banner; no warnings, just transparent infection.
 
The answer (I hope)

I also had the same problem (no antivirus I've tried solved it for me), so here is the solution that worked for me:

- I found that the file smss.exe was in the system and in the system32 directory.
- I checked the file length and saw that only the file in the system32 directory was a valid Microsoft Windows file.
- I deleted smss.exe from the system directory and everything has been fine since then.

- There was also a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
.nvsvc that ran this file, so I deleted it too (if the file doesn't exist there is no problem, but just to keep things in order).

I hope that will work for you too.
 
The answer (I hope) - 2

I forgot to mention that:

- If you run the Task Manager (Alt + Ctrl + Del) and sort by file name, the first thing you will find is (for example) 15xxx.. etc. You should terminate this first too.
- Then go to Local\ect directory and delete the annoying files from there too.
- Then do what I've told you before.

... just to be sure.
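
The two checks described in this thread, as an added triage example that is not part of the thread or any poster's code: it groups the renamed `\temp` executables by their stable stem so reloads under a new name are recognised as the same file family, and it flags Run-key values that launch a core Windows process name from outside System32. The filename pattern is a heuristic inferred from the names quoted above, and the Run-key paths in the sample data are constructed.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

# Names quoted in the thread look like <digits>ex<stem>[.<letter>].exe, e.g. 12exinjs.f.exe
DROPPER_RE = re.compile(r"^(\d+)ex([a-z0-9]+?)(?:\.([a-z]))?\.exe$", re.IGNORECASE)

# Core Windows processes that normally run only from System32 (short, non-exhaustive list).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}


def group_droppers(filenames):
    """Map each stable stem (injs, hdd, ...) to the renamed variants seen for it."""
    families = defaultdict(list)
    for name in filenames:
        m = DROPPER_RE.match(name)
        if m:
            families[m.group(2).lower()].append(name)
    return dict(families)


def masquerading_run_entries(run_values, system_root=r"C:\WINDOWS"):
    """Return Run-key value names whose target uses a core process name outside System32."""
    expected = normpath(system_root + r"\system32").lower()
    flagged = []
    for value_name, command in run_values.items():
        exe = command.strip().strip('"')  # simplistic: assumes no command-line arguments
        if basename(exe).lower() in SYSTEM32_ONLY and normpath(dirname(exe)).lower() != expected:
            flagged.append(value_name)
    return flagged


# Constructed sample input: file names are those quoted in the thread plus one benign name;
# the Run-key data (paths) is assumed, only the value name .nvsvc comes from the thread.
TEMP_LISTING = ["12exinjs.f.exe", "32exinjs.g.exe", "1exhdd.d.exe", "34exhdd.f.exe",
                "26exmodul32e.exe", "6exmodul32e.exe", "setup.exe"]
RUN_VALUES = {".nvsvc": r"C:\WINDOWS\system\smss.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for stem, variants in group_droppers(TEMP_LISTING).items():
        print(stem, "->", variants)
    print("suspicious Run values:", masquerading_run_entries(RUN_VALUES))
```

A location check like this is only a first filter; a file in the right directory still needs its signature or hash verified before it is trusted.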
 