trojan keeps returning

Discussion in 'ewido anti-spyware forum' started by cliffw, Apr 17, 2006.

Thread Status:
Not open for further replies.
  1. cliffw

    cliffw Registered Member

    Joined:
    Apr 17, 2006
    Posts:
    2
    My PC caught an unknown trojan that attempts to contact an outside IP.

    Scans with Ewido detect it as the "proxy.Horst.ai" trojan.

    What happens is the trojan activates as soon as I connect to the internet, then it writes 3 .exe files to C:\documents and settings\windows xp user\local settings\temp

    The file names are 13exmdulbk.exe, 56exssd32a.exe and install.exe (the first 2 numbers change each time).

    Ewido finds the XXexmdulbk.exe file and quarantines it, but it always returns after re-logging on to the internet.

    Deleting all 3 files does nothing either; they return as well.

    Looking at the install.exe with Notepad, this text string is apparent:

    Google searches on exmdulbke, proxy.horst.ai and exssd32a have been fruitless.

    I am hoping to find a way to truly remove this from my system.
     
  2. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    Hi cliffw & welcome to Wilders, :D
    Best to do a full scan in Safe Mode (no internet), so Ewido can remove all of it.

    See if that helps. ;)
     
  3. cliffw

    cliffw Registered Member

    Joined:
    Apr 17, 2006
    Posts:
    2
    Thanks eldar :)

    Since the post ... what I did find was a registry entry in HKEY_CURRENT_USER\Run called .nvsvc that was opening another file called smss.exe in the windows\system directory.

    Apparently there is also a legitimate Windows smss.exe, but this one was part of the trojan.

    God willin' and the creek don't rise ... this one is gone.

    I was a bit surprised this one did not have more presence on the internet.

    One of the side effects was a several-second lag when changing websites; that seems to be gone too :thumb:
     
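The persistence cliffw describes (a Run value with an odd name starting a file called smss.exe from windows\system rather than System32, plus droppers in the user's Temp folder) is the kind of thing a quick autorun triage can flag. The script below is an added example, not code from the thread or from Ewido: the sample Run entries are constructed to mirror the post, and the list of impersonated system binaries and the temp-directory markers are my own assumptions, not an authoritative list. On a Windows host it reads the live HKCU and HKLM Run keys via `winreg`; elsewhere it falls back to the constructed entries.

```python
"""Flag suspicious Run-key autorun entries, such as a value that launches a
file named after a core Windows binary from somewhere other than System32,
or anything started from a Temp folder.  Added example; sample data below is
constructed to resemble the thread, not copied from an infected machine."""
import re

# Assumption: illustrative set of core Windows binaries malware likes to
# impersonate.  The genuine copies live in %SystemRoot%\System32 and are
# started by the OS itself, never from a Run key.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "explorer.exe"}

# Assumption: lower-case path fragments that mark user-writable/temp locations.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\")

# Constructed sample entries modelled on the thread (.nvsvc -> smss.exe) plus
# one benign XP entry and one dropper-style Temp entry.
SAMPLE_ENTRIES = {
    ".nvsvc": r"C:\WINDOWS\system\smss.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "updater": r"C:\Documents and Settings\user\Local Settings\Temp\56exssd32a.exe",
}


def exe_path_from_command(command):
    """Extract the executable path from a Run-key command line.

    Handles a quoted path followed by arguments and an unquoted path that may
    itself contain spaces (the path ends at the first '.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else ""
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def classify_run_entry(name, command, system_root=r"C:\WINDOWS"):
    """Return the reasons an autorun entry looks suspicious ([] means clean)."""
    reasons = []
    path = exe_path_from_command(command).lower()
    base = path.rsplit("\\", 1)[-1]
    system32 = system_root.lower() + "\\system32\\"
    if base in SYSTEM_BINARY_NAMES:
        msg = f"uses the name of core binary {base}, which is not started from a Run key"
        if not path.startswith(system32):
            msg += f" and this copy lives outside {system32}"
        reasons.append(msg)
    if any(marker in path for marker in SUSPICIOUS_DIRS):
        reasons.append("launches from a temp or user-writable directory")
    if name.startswith("."):
        reasons.append("value name begins with '.', unusual for legitimate software")
    return reasons


def scan_entries(entries):
    """Map value name -> reasons for every entry that raised at least one flag."""
    flagged = {}
    for name, command in entries.items():
        reasons = classify_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_live_run_keys():
    """Read HKCU and HKLM ...\\CurrentVersion\\Run on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries[f"{label}\\{value_name}"] = str(data)
                index += 1
    return entries


if __name__ == "__main__":
    live = read_live_run_keys()
    for entry_name, why in scan_entries(live or SAMPLE_ENTRIES).items():
        print(f"{entry_name}: " + "; ".join(why))
```

Two things the heuristic deliberately does not do: it does not check that the file exists on disk (a dropper that re-creates its payload on every connect, as in the thread, would pass such a check anyway), and it only looks at the Run keys, not RunOnce, Winlogon shell/userinit values or services. Treat a hit as a lead for a Safe Mode scan, not as proof of infection.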
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    This may of course have been an FP on Ewido's part? But if it wasn't, it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc. was very suspicious.

    Is your FW set up to ask for permission out for Everything? If not, I would do that.

    Reset your System Restore.

    I would do some free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


    StevieO
     
  5. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    You're welcome cliffw. ;)
    Nobody wants to have some malware on his system, so I hope it's gone for good. o_O
     
  6. shunsho

    shunsho Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    1
    Hi
    This is my first post...
    Finally I found somebody on the internet who has the same problem as me. I have the same virus as cliffw, and my antivirus (Symantec AntiVirus) detects it. I have a process running named "smss.exe" that I think is the problem. I tried McAfee VirusScan and anti-spyware, and they failed.
    I hope that somebody knows the solution to the problem.
    Thank you.

    StevieO: could you write what FP and FW mean? I don't understand your post (sorry for my English).

    Shunsho of Chile.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London