trojan keeps returning


cliffw
April 17th, 2006, 06:31 PM
My PC caught an unknown trojan that attempts to contact an outside IP.

Scans with Ewido detect it as the "proxy.Horst.ai" trojan.

What happens is the trojan activates as soon as I connect to the internet, then it writes 3 .exe files to C:\Documents and Settings\windows xp user\Local Settings\Temp

The file names are 13exmdulbk.exe, 56exssd32a.exe and install.exe (the first two numbers change each time).

Ewido finds the XXexmdulbk.exe file and quarantines it, but it always returns after re-logging in to the internet.

Deleting all 3 files does nothing either; they return as well.

Looking at install.exe with Notepad, this text string is apparent:

-{ Quote: "KERNEL32.DLL PSAPI.DLL WS2_32.DLL WININET.DLL ADVAPI32.DLL LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess GetModuleInformation InternetOpenA " }-

Google searches on exmdulbk, proxy.horst.ai and exssd32a have been fruitless.

I am hoping to find a way to truly remove this from my system.

Eldar
April 17th, 2006, 07:42 PM
Hi cliffw & welcome to Wilders, :D

-{ Quote: "My PC caught an unknown trojan that attempts to contact an outside IP.

I am hoping to find a way to truly remove this from my system" }-

Best to do a full scan in Safe Mode (no internet), so Ewido can remove all of it.

See if that helps. ;)

cliffw
April 17th, 2006, 08:04 PM
Thanks Eldar :)

Since the post, what I did find was a registry entry in HKEY_CURRENT_USER\RUN called .nvsvc that was opening another file called smss.exe in the windows/system directory.

Apparently there is also a legitimate Windows smss.exe, but this one was part of the trojan.

God willin' and the creek don't rise ... this one is gone.

I was a bit surprised this one did not have more presence on the internet.

One of the side effects was a several-second lag when changing websites; that seems to be gone too :thumb:

StevieO
April 17th, 2006, 08:16 PM
Hi,

This may of course have been an FP on Ewido's part? But if it wasn't, it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc. was very suspicious.

Is your FW set up to ask for permission out for everything? If not, I would do that.

Reset your System Restore.

I would do some free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


StevieO

Eldar
April 18th, 2006, 08:02 AM
-{ Quote: "God willin' and the creek don't rise ... this one is gone" }-

You're welcome cliffw. ;)
Nobody wants to have malware on his system, so I hope it's gone for good.

shunsho
April 25th, 2006, 10:23 AM
Hi
This is my first post...
Finally I have found somebody on the internet who has the same problem as me. I have the same virus as cliffw, and my antivirus (Symantec AntiVirus) detects it. I have a process running named "smss.exe" that I think is the problem. I tried McAfee VirusScan and anti-spyware, and they failed.
I hope that somebody knows the solution to the problem.
Thank you.

-{ Quote: "Hi,

This may of course have been an FP on Ewido's part? But if it wasn't, it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc. was very suspicious.

Is your FW set up to ask for permission out for everything? If not, I would do that.

Reset your System Restore.

I would do some free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


StevieO" }-

StevieO: could you write what FP and FW mean? I don't understand your post (sorry for my English).

Shunsho of Chile.

TopperID
April 25th, 2006, 01:28 PM
-{ Quote: "I have a process running named "smss.exe" that i think is the problem." }-
It might be legitimate:-

http://www.processlibrary.com/directory/files/smss/index.php

But you need to check the file path; in XP it should be:-

C:\WINDOWS\System32\smss.exe

If you can find it in Explorer you can upload the file to have it checked here:-

http://virusscan.jotti.org/

BTW - FP = False Positive

FW = Firewall
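The two checks the thread converges on, the rogue smss.exe launched from a Run key (cliffw's post) and the file-path test TopperID describes, can be scripted. This is an added example written for this archive, not code from any poster; it assumes a current Windows with PowerShell and the legitimate smss.exe living only in %SystemRoot%\System32.

```powershell
# Added example: report smss.exe instances and Run entries that do not match the
# legitimate Session Manager location. Read-only; it flags, it does not delete.
function Find-RogueSmss {
    $legit = Join-Path $env:SystemRoot 'System32\smss.exe'
    $findings = @()

    # 1. Running processes named smss.exe. The real one is started by the kernel
    #    and lives in System32. Its path may be unreadable without elevation,
    #    so that case is reported instead of silently treated as clean.
    Get-Process -Name smss -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Path
        if (-not $p) {
            $findings += "smss.exe PID $($_.Id): path not readable (run elevated to verify)"
        } elseif ($p -ine $legit) {
            $findings += "SUSPICIOUS: smss.exe PID $($_.Id) running from $p"
        } else {
            $findings += "ok: smss.exe PID $($_.Id) is $legit"
        }
    }

    # 2. Run keys, per-user and machine-wide. The thread's infection used an HKCU
    #    Run value named '.nvsvc' that launched a second smss.exe; the legitimate
    #    smss.exe is never started from a Run key, so any mention of it here is
    #    worth a look. Provider metadata properties (PS*) are skipped.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
            $cmd = [string]$props.$name
            if ($cmd -imatch 'smss\.exe') {
                $findings += "SUSPICIOUS Run entry: $key\$name = $cmd"
            }
        }
    }
    return $findings
}

Find-RogueSmss
```

Anything flagged as SUSPICIOUS is a candidate for the Jotti upload TopperID suggests, not proof of infection on its own.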