trojan keeps returning

Discussion in 'ewido anti-spyware forum' started by cliffw, Apr 17, 2006.

Thread Status:
Not open for further replies.
  1. cliffw

    cliffw Registered Member

    Joined:
    Apr 17, 2006
    Posts:
    2
    My PC caught an unknown trojan that attempts to contact an outside IP.

    Scans with Ewido detect it as "proxy.Horst.ai" trojan

    What happens is the trojan activates as soon as I connect to the internet, then it writes 3 .exe files to C\documents and settings\windows xp user \ local settings \ temp

    the file names are 13exmdulbk.exe, 56exssd32a.exe and install.exe (the first 2 numbers change each time)

    Ewido finds the XXexmdulbk.exe file and quarantines it, but it always returns after relogging in to the internet

    deleting all 3 files does nothing either, they return also

    Looking at the install.exe with notepad, this text string is apparent

    Google searches on exmdulbke, proxy.horst.ai and exssd32a have been fruitless

    I am hoping to find a way to truly remove this from my system
     
  2. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    Hi cliffw & welcome to Wilders, :D
    Best to do a full scan in Safe Mode (no internet), so Ewido can remove all of it.

    See if that helps. ;)
     
  3. cliffw

    cliffw Registered Member

    Joined:
    Apr 17, 2006
    Posts:
    2
    Thanks eldar :)

    Since the post ... what I did find was a registry entry in HKEY_CURRENT_USER\RUN called .nvsvc that was opening another file called smss.exe in the windows/system directory.

    apparently there is also a legitimate Windows smss.exe, but this one was part of the trojan

    god willin' and the creek don't rise ... this one is gone

    I was a bit surprised this one did not have more presence on the internet

    One of the side effects was a several second lag when changing websites, that seems to be gone too :thumb:
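
The finding in the post above (a Run entry launching a file named like a core Windows process from the wrong directory) can be checked for mechanically. The following is an added example, not part of the original thread: it parses `reg query`-style output and flags such entries. The sample output is constructed from the post's description, and the full Run key path, the `C:\WINDOWS` install root and the list of process names are assumptions.

```python
import ntpath
import re

# Core Windows process names that legitimately run only from System32 (assumed list).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
EXPECTED_DIR = r"c:\windows\system32"  # assumption: Windows installed in C:\WINDOWS

# Constructed sample in the layout printed by `reg query` on a Run key.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    .nvsvc    REG_SZ    C:\WINDOWS\system\smss.exe
    Updater    REG_SZ    "C:\Program Files\Example App\updater.exe"
"""

# Indented value line: <name> <REG_type> <data>
ENTRY = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s+(.*)$")

def exe_path(command):
    """Return the executable part of a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def masquerading_entries(reg_output):
    """List (value name, path) pairs whose file name imitates a system
    process but whose directory is not System32."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        name, _reg_type, data = m.groups()
        path = exe_path(data)
        directory, base = ntpath.split(ntpath.normpath(path))
        if base.lower() in SYSTEM_NAMES and directory.lower() != EXPECTED_DIR:
            findings.append((name, path))
    return findings

if __name__ == "__main__":
    for name, path in masquerading_entries(SAMPLE):
        print(f"suspicious Run entry {name!r} -> {path}")
```
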
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    This may of course have been a FP on Ewido's part? But if it wasn't, it needs eliminating quickly, as proxy.Horst is a nasty. But it sounds like the Run entry etc. was very suspicious.

    Is your FW set up to ask for permission out for Everything? If not, I would do that.

    Reset your System Restore.

    I would do some Free online scans here - http://www.kaspersky.com/downloads/kws/kavwebscan.html - http://www.bitdefender.com/scan8/ie.html - BD will delete as well as find.


    StevieO
     
  5. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    You're welcome cliffw. ;)
    Nobody wants to have some malware on his system, so I hope it's gone for good. o_O
     
  6. shunsho

    shunsho Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    1
    Hi
    This is my first post...
    Finally I've found somebody on the internet that has the same problem as me. I have the same virus as cliffw, and my antivirus (Symantec AntiVirus) detects it. I have a process running named "smss.exe" that I think is the problem. I tried McAfee virus scan and anti-spyware, and they failed.
    I hope that somebody knows the solution to the problem.
    Thank you.

    StevieO: could you write what FP and FW mean? I don't understand your post (sorry for my English).

    Shunsho of Chile.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London