Remove Trojan-Proxy.Win32.Horst.kp

Discussion in 'Software Q&A' started by Akshay, Oct 18, 2006.

Thread Status:
Not open for further replies.
  1. Akshay

    My system has been infected with the following virus:

    Trojan-Proxy.Win32.Horst.kp

    I use Kaspersky 6.0 on Win XP with SP2.

    Files infected are: \system\smss.exe & \system32\nvsvcd.exe

    Kaspersky gives me the option of either delete or skip. It is not able to clean the virus. I have updated KAV till today...

    How do I get rid of the virus without deleting the above files?
     
  2. anandk

    - nvsvcd.exe is a backdoor trojan.
    - The legit smss.exe is situated in the system32 (NOT system) folder. Hence yours could be the Flood.F Trojan.

    So first scan with your Kaspersky in SAFE MODE.

    If that doesn't help, I suggest you use any one of the following anti-trojans. The first 2 are freeware:
    AVG Anti-Spyware (formerly ewido anti-malware)
    www.grisoft.com
    or
    a-squared Anti-Malware
    http://www.emsisoft.com/en/software/free/
    or
    Trojan Hunter
    http://www.misec.net/

    Install, update and scan in safe mode for best results.

    Don't bother about repairing. Just let your AV/anti-trojans delete this malware.
     
  3. Akshay (OP)
    So can I safely delete the smss.exe situated in the \system folder?

    Trying the safe mode option now... thanks...

    I have Spybot on a Digit DVD/CD. So will it be helpful, because my net speed is too slow to download from the net...
     
  4. aakash_mishra

    WinTasks Process Library
    smss - smss.exe - Process Information

    Process File: smss or smss.exe
    Process Name: Session Manager Subsystem

    Description:
    smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated. This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

    Note: smss.exe is also a process which is registered as the Win32.Ladex.a Trojan, the PWSteal.Wowcraft.B Password stealer and the w23.sober.x mass mailing trojan. These Trojans allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
     
  5. anandk

    The important thing is WHERE your smss.exe is situated. Do you have one in your system32 folder? Yes, of course.. that's the legitimate Microsoft process. You could also be having a legit backup/one in your /servicepackfiles/i386 something folder - this too is OK.

    A malware can be named ANYTHING! So it's quite possible that the one in your system folder could be malware.

    Just to be safe, why don't you get THIS smss.exe file in your system folder checked with multiple AV at http://virusscan.jotti.org/ and/or http://www.virustotal.com/en/virustotalf.html ?

    This way you will be sure that you can delete it then. You can use Delete Doctor or Unlocker to delete it if you are unable to delete it otherwise.

    (I don't know if Spybot identifies this. So I have suggested 3 anti-trojans. But you can try Spybot.)
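
The location test described in the post above, written out as an added example that is not part of the original thread: it flags any smss.exe found outside the two folders the post names as normal. The function names, the `EXPECTED` table and the default `C:\WINDOWS` directory are assumptions made for illustration, and the sample paths are constructed.

```python
import ntpath

# Locations the thread names as normal for smss.exe, relative to the Windows
# directory: the live copy in System32 and a backup under ServicePackFiles\i386.
EXPECTED = {"smss.exe": {("system32",), ("servicepackfiles", "i386")}}

def _parts(path):
    # Normalise separators and ".." first, then compare in lower case,
    # because Windows paths are case-insensitive.
    norm = ntpath.normpath(path).lower()
    drive, rest = ntpath.splitdrive(norm)
    return drive, tuple(p for p in rest.split("\\") if p)

def classify(path, windir=r"C:\WINDOWS"):
    """Return 'expected', 'suspicious' or 'not-tracked' for one file path."""
    drive, parts = _parts(path)
    if not parts or parts[-1] not in EXPECTED:
        return "not-tracked"
    wdrive, wparts = _parts(windir)
    inside = drive == wdrive and parts[:len(wparts)] == wparts
    subdir = parts[len(wparts):-1]
    if inside and subdir in EXPECTED[parts[-1]]:
        return "expected"
    return "suspicious"

# Constructed sample inventory (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system\smss.exe",
    r"c:\windows\ServicePackFiles\i386\smss.exe",
    r"C:\WINDOWS\system32\..\system\SMSS.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]

def report(paths=SAMPLE):
    return [(p, classify(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict in report():
        print(f"{verdict:12} {path}")
```

An "expected" verdict only means the path is a normal one; the file itself can still be submitted to a multi-engine scanner as the post suggests.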
     
  6. sree_shan

    Even I had also been attacked by some trojans previously......
    Do one of the following ..... (of course... I had used the 2nd option)
    I hope this will also help you to remove the trojans.

    option 1: Please download SmitfraudFix:
    http://siri.geekstogo.com/SmitfraudFix.php
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer,
    and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from the options listed.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    files.

    You will be prompted : "Registry cleaning - Do you want to clean the
    registry?" answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    infection.

    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    "Enter".

    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt



    option 2: Download roguescanfix_setup.
    http://users.telenet.be/Beamerke/tools/roguescanfix_setup.exe
    Doubleclick roguescanfix_setup to install it.
    After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.
    Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
    If your firewall gives an alert, allow it instead of blocking it.
    In case you still get the message BFU.exe is not present, download BFU.zip from here. http://www.merijn.org/files/bfu.zip
    Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder. Then doubleclick Roguescanfix.bat again.
    The tool will uninstall some programs and delete related files and registry keys.
    When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.

    Please make sure the uninstall of the programs is finished before you click Yes to reboot.

    A textfile will open. Place the contents of that file in your next reply, along with a new Hijackthis logfile.
    (The textfile can also be found at c:\program files\roguescanfix\task.txt)
     