Help! Random Virus/ spyware/ what?!?

[Shooty*]

Guys,

Please help. My laptop is running Zone Alarm and Nod32 on Vista home premium 32. Zone Alarm keeps flashing up messages for a program that is trying to access the internet, as ZA is prone to do. The program says "TODO: <file description>", so no help there.

THe program is ALWAYS called "exhmrgml2_2" with a different number in front of it (i.e. 22exhmrgml2_2, 63exhmrgml2_2, etc) and is located in c:/users/(user)/app data/local/temp where you might find 10 files of essentially the same name, except the first two numbers as above.

Google returns no searches for exhmrgml. Adaware, Spybot, NOD32 do not pick up anything amiss. Due to it's replicating nature, I'm sure it's got to be malicious. The only reg entry I could find with those letters (not the numbers) was in Nod/Imon/ useragentlist along with loads of other valid progs.

Anyone else got anything like this at all?

[0iD]

All you can do is have ZA block access till you know what the process is. Tried cleaning your temp files? And give CCleaner a go too. It may be innocuous, it may be mailicious, but best to block it until you're certain.

[Sema4]

Do you have a 'yahoo' toolbar or yahoo messenger installed by any chance ?

[Shooty*]

*Splutter* Do you just want to call me a total moron and be done with it?

No, I do not. the very idea of any tool bar, yahoo, google, or otherwise, is utterly abhorent to me. I don't have Yahoo messenger either.

I can deny it access through ZA, true, but the problem is that due to the constant replication and the renaming through new numbers, it asks again and again and again and again and again and again and again, as it keeps registering as a new program for ZA purposes, see? And that gets really annoying.

Anyway, I think it was something to do with my wifes settings. I did a very thorough clean of both our settings, instead of just mine, and fingers crossed that has done the job. Also, she had something in her start up which was apparently worm related (give away: Nvidia control panel type name, on a laptop that has intel graphics).

Will try again tonight and and see what happens.Thanks for the help./

[Sema4]

LoL, didn't mean to offend... the only reason I suggested a bit of 'yahoo' related software is because I have seen their stuff report "TODO: <file description>" before my self, that's all... hope you found it !

[Shooty*]

Ah, gotcha

[Paul Adams]

Hmm, certainly sounds like strange behaviour - I would start by using Process Explorer to find out what the parent process of "xxexhmrgml2_2" is, to see if there is a clue there.
(Use the "tree" view to see which process spawned this unrecognised one.)

Process Explorer v11.02

The files in the user's temp folder, do they end with .exe?

Have you tried scanning these files using another AV product that is updated with the latest signatures?

[Shooty*]

Oooooh, that app looks like fun. Thank you.
Yep, they're .exe's.
NOD32 found nothing amiss.
Ran another online jobber as well, can't recall which. That didn't find anything either

[Twimfy]

I'm having the exact same problem.

Can't escape it at all, nothing has worked.

[this_is_gav]

First off disable System Restore, as if anything finds it and SR is still enabled, it's only going to come straight back.

Next, boot up into safe mode, then run your collection of nasty-beaters. Spybot S&D, Adaware, your virus-scanner and CCleaner are all recommended. Delete the temporary internet files and empty the temp folder (go to Start > Run and type &#37;temp%). Failing that I'd just bite the bullet, back everything up that you need and do a clean install.

[Fabula]

I've found trojan remover another good tool to run.

[this_is_gav]

You've also got the Microsoft Malicious Software Removal Tool, which doesn't run automatically (certainly not the in depth search anyway).

C:\WINDOWS\system32\MRT.exe

C:\WINDOWS\system32\MRT.exe /F to automatically run the extended scan but prompt if a threat is found.

C:\WINDOWS\system32\MRT.exe /F:Y to automatically run the extended scan and remove threats without prompting.

[kalniel]

Does it strike anyone else as odd that a company often abbreviated to MS should choose the wording Malicious Software for its spyware removal tool?

[usxhe190]

to add to this_is_gav's list of
Spybot S&D
Adaware
your virus-scanner
CCleaner

you should also try
AVG antispyware
Spyware terminator
panda rootkit scanner
ThreatFire (never used this though)

[godsdog]

SpywareBlaster, small and helps prevent getting the crap hooked in in the first place.

[Shooty*]

Thanks for that. Been using SWblaster for about 4 years now

Reinstalled in teh end.