trojan keeps returning

[cliffw]

My PC caught an unknown trojan that attempts to contact an outside IP.

Scans with Ewido detect it as "proxy.Horst.ai" trojan

What happens is the trojan activates as soon as I connect to the internet, then it writes 3 .exe files to C\documents and settings\windows xp user \ local settings \ temp

the file names are 13exmdulbk.exe , 56exssd32a.exe and install.exe (the first 2 numbers change each time )

Ewido finds the XXexmdulbk.exe file and quarantines it, but it always returns after relogging in to the internet

deleting all 3 files does nothing either, they return also

Looking at the install.exe with notepad, this text string is apparent

Quote:

KERNEL32.DLL PSAPI.DLL WS2_32.DLL WININET.DLL ADVAPI32.DLL LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess GetModuleInformation InternetOpenA

Goggle searches on exmdulbke, proxy.horst.ai and exssd32a have been fruitless

I am hoping to find a way to truly remove this from my system

[Eldar]

Hi cliffw & welcome to Wilders,

Quote:

Originally Posted by cliffw

My PC caught an unknown trojan that attempts to contact an outside IP.

I am hoping to find a way to truly remove this from my system

Best to do a full scan in Safe Mode (no internet), so Ewido can remove all of it.

See if that helps.

[cliffw]

Thanks eldar

Since the post ... what I did find was a registry entry in HKEY_CURRENT_USER\RUN called .nvsvc was opening another file called smss.exe in the windows/system directory.

apparently there is also a legitimate windows smss.exe , but this one was part of the trojan

god willin' and the creek don't rise ... this one is gone

I was a bit surprised this one did not have more presence on the internet

One of the side effects was a several second lag when changing websites, that seems to be gone too

[StevieO]

Hi,

This may of course have been a FP on Ewidos part ? But if it wasn't it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc was very suspicious.

Is your FW set up to ask for permission out for Everything ? If not i would do that.

Reset your System Restore.

I would do some Free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


StevieO

[Eldar]

Quote:

Originally Posted by cliffw

god willin' and the creek don't rise ... this one is gone

You're welcome cliffw.
Nobody wants to have some malware on his system, so I hope it's gone for good.

[shunsho]

Hi
This is my first post...
Finally i'm find somebody on the internet that have the same problem that me. I have the same virus of cliffw, and my antivirus (symantec antivirus) detect it. I have a process running named "smss.exe" that i think is the problem. I tried with Mcafee virus scan and anti spyware, and they failed.
I hope that somebody know the solution of the problem.
Thank you.

Quote:

Hi,

This may of course have been a FP on Ewidos part ? But if it wasn't it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc was very suspicious.

Is your FW set up to ask for permission out for Everything ? If not i would do that.

Reset your System Restore.

I would do some Free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


StevieO

StevieO: could you write what mean FP and FW? I don't understand your post (sorry my english).

Shunsho of Chile.

[TopperID]

Quote:

I have a process running named "smss.exe" that i think is the problem.

It might be legitimate:-

http://www.processlibrary.com/direct...smss/index.php

But you need to check the file path, in XP it should be:-

C:\WINDOWS\System32\smss.exe

If you can find it in Explorer you can upload the file to have it checked here:-

http://virusscan.jotti.org/

BTW - FP = False Positive

FW = Fire Wall