#1 (permalink) |
|
!FREEWARES!
Join Date: Aug 2004
Location: Mumbai
Posts: 1,050
|
Trojan-Proxy.Win32.Horst.kp

I use Kaspersky 6.0 on Win XP with SP2.

Files infected are: \system\smss.exe & \system32\nvsvcd.exe

Kaspersky gives me the option of either delete or skip. It is not able to clean the virus. I have updated KAV till today...

How do I get rid of the virus without deleting the above files?
__________________
MBP 13.3"; PC: Core i-5 2400, Intel H67, GSkill 4GB DDR3, Sapphire 6850 Toxic, 1TB HDD, Samsung P2370 |
|
|
|
#2 (permalink) |
|
Distinguished Member
Join Date: Mar 2005
Location: Pune
Posts: 3,783
|
-nvsvcd.exe is a backdoor trojan.
-The legit smss.exe is situated in the system32 (NOT system) folder. Hence yours could be the Flood.F Trojan.

So first scan with your Kaspersky in SAFE MODE. If that doesn't help, I suggest you use any one of the following anti-trojans. The first 2 are freeware:

AVG Anti-Spyware (formerly ewido anti-malware) www.grisoft.com
or a-squared anti-malware http://www.emsisoft.com/en/software/free/
or Trojan Hunter http://www.misec.net/

Install, update and scan in safe mode for best results. Don't bother about repairing. Just let your AV/anti-trojans delete these malwares.
__________________
> www.TheWindowsClub.com < = www.WinVistaClub.com = Microsoft® MVP |
|
|
|
|
#3 (permalink) |
|
!FREEWARES!
Join Date: Aug 2004
Location: Mumbai
Posts: 1,050
|
So can I safely delete the smss.exe situated in the \system folder?
Trying the safe mode option now... thanks... I have Spybot on a Digit DVD/CD. So will it be helpful, because my net speed is too slow to download from the net...
__________________
MBP 13.3"; PC: Core i-5 2400, Intel H67, GSkill 4GB DDR3, Sapphire 6850 Toxic, 1TB HDD, Samsung P2370 |
|
|
|
|
#4 (permalink) | |
|
:-o
Join Date: Aug 2006
Location: sIn cItY
Posts: 240
|
Quote:
smss - smss.exe - Process Information

Process File: smss or smss.exe
Process Name: Session Manager Subsystem

Description: smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Note: smss.exe is also a process which is registered as the Win32.Ladex.a Trojan, the PWSteal.Wowcraft.B Password stealer and the w23.sober.x mass mailing trojan. These Trojans allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
__________________
www.amiable.in |
|
|
|
|
|
#5 (permalink) |
|
Distinguished Member
Join Date: Mar 2005
Location: Pune
Posts: 3,783
|
The important thing is WHERE your smss.exe is situated. Do you have one in your system32 folder? Yes, of course.. that's the legitimate Microsoft process. You could also be having a legit backup/one in your /servicepackfiles/i386 something folder - this too is OK.
A malware can be named ANYTHING! So it's quite possible that the one in your system folder could be malware. Just to be safe, why don't you get THIS smss.exe file in your system folder checked with multiple AV at http://virusscan.jotti.org/ and/or http://www.virustotal.com/en/virustotalf.html ? This way you will be sure that (I don't know if Spybot identifies this. So I have suggested 3 anti-trojans. But you can try Spybot)
__________________
> www.TheWindowsClub.com < = www.WinVistaClub.com = Microsoft® MVP |
|
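The location check discussed in posts #2 and #5, as an added example that is not part of the original thread. It flags files that carry a core Windows process name but sit outside the folders the posters call legitimate; the `C:\WINDOWS` root, the function names and the sample listing are assumptions made for illustration.

```python
import ntpath

# Names and locations below are assumptions for illustration. Per the thread,
# the legitimate smss.exe lives in system32, with a possible backup copy under
# ServicePackFiles\i386; csrss.exe and winlogon.exe (named in the quoted
# process description) are added here as further core process names.
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe"}
EXPECTED_DIRS = ("system32", r"servicepackfiles\i386")


def classify(path, system_root=r"C:\WINDOWS"):
    """Classify one file path as 'expected', 'suspicious' or 'other'."""
    # normpath collapses "..", normcase lowercases and unifies separators,
    # so disguised spellings of the same path compare equal.
    norm = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(system_root))
    directory, name = ntpath.split(norm)
    if name not in PROTECTED_NAMES:
        return "other"
    allowed = {ntpath.join(root, rel) for rel in EXPECTED_DIRS}
    return "expected" if directory in allowed else "suspicious"


def find_suspicious(paths, system_root=r"C:\WINDOWS"):
    """Return the paths whose name is protected but whose folder is not."""
    return [p for p in paths if classify(p, system_root) == "suspicious"]


# Constructed sample listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system\smss.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\smss.exe",
    r"c:/windows/SYSTEM32/../system/SMSS.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("check with a multi-engine scanner:", hit)
```

A file in an expected folder is not thereby clean: in this thread nvsvcd.exe sits in system32 and is still reported as infected, so the location check only narrows down which files to submit for scanning.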
|
|
|
#6 (permalink) |
|
Apprentice
Join Date: Oct 2006
Posts: 85
|
Even I was also attacked by some trojans previously......
Do one of the following ..... (of course... I had used the 2nd option). I hope this will also help you to remove the trojans.

Option 1:

Please download SmitfraudFix: http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer, and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Option 2:

Download roguescanfix_setup. http://users.telenet.be/Beamerke/too...nfix_setup.exe
Double-click roguescanfix_setup to install it.
After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly. If your firewall gives an alert, allow it instead of blocking it.

In case you still get the message BFU.exe is not present, download BFU.zip from here. http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder.
Then double-click Roguescanfix.bat again.

The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot. Please make sure the uninstall of the programs is finished before you click Yes to reboot.

A text file will open. Place the contents of that file in your next reply, along with a new Hijackthis logfile. (The text file can also be found at c:\program files\roguescanfix\task.txt)
|
|