TechSpot

Can't get rid of TROJ_HORST virus

By DB2801
Dec 23, 2006
Topic Status:
Not open for further replies.
  1. I cannot get rid of a TROJ_HORST virus. Attached is my HijackThis log. Please help.


  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Before deciding whether your computer needs cleaning or reformatting, I need to ask you some questions.

    Do you use your computer for any of the following: online banking, business purposes, storing sensitive or very personal information?

    If the answer to any of those questions is yes, then you should immediately disconnect your computer from the net and do a complete format and reinstall.

    This is because your computer is infected with backdoor trojans. These will have sent your info to a third party who may use that info for their own purposes. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should also change any other passwords you use, as these may have also been compromised.

    Even if we cleaned the infections, it wouldn't help to recover the info that may have been gleaned from your system.

    If you only use your computer for music/games etc, then cleaning it of infections is possibly a better option than a reformat.

    Please let me know what you want to do in your next post.

    See these two links before you decide what you want to do.

    http://www.dslreports.com/faq/10063
    http://www.dslreports.com/faq/10451


    Regards Howard :wave: :wave:

    This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  3. DB2801

    DB2801 Newcomer, in training Topic Starter

    I do have sensitive data on this device and use it for business purposes as well as personal banking. Is there any way to determine who/where personal data has been sent, if at all?
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    No, unfortunately you can't determine where the data may have gone. Even if you could, I doubt that it'd help you very much.

    What you now need to do is disconnect from the internet and reformat your system. Don`t reconnect to the net until you have installed your firewall software. Then, install any drivers needed and install antivirus software.

    You should change all passwords and contact any institutions such as banks, credit card companies, etc. and alert them to the fact that your computer system has been compromised. This will enable them to protect your accounts before they can be used by any of the scumbags.

    Once your system is up and running again, you might want to take a look at this thread HERE. It will show you some ways you can keep your computer system more secure.

    Regards Howard :)

    This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  5. DB2801

    DB2801 Newcomer, in training Topic Starter

    I do have Ewido/AVG installed as well as a corporate version of Trend Micro, which both detect and delete all variants of the TROJ_HORST trojan. However, I have not been successful in preventing the virus from reappearing. Would this backdoor trojan allow someone access to files on my device, or just keystrokes? As I cannot format my device until after the holidays, is there anything I can do now to clean the virus off my device?
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The trojan may well have already stolen your info, but yes, we can attempt to clean your machine for now. I still recommend that, after cleaning, you change all passwords etc.

    Go and read the Viruses/Spyware/Malware preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


    This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  7. DB2801

    DB2801 Newcomer, in training Topic Starter

    New HijackThis log

    Cleaned as advised and new HijackThis log posted. Thanks!
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your system is still heavily infected. I can't stress how important it is to completely reformat and reinstall from scratch.

    However, if you still insist on trying to clean your system, do the following.

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    I also want to see an AVG Antispyware log as per the instructions in this thread HERE.

    To recap, I need to see a Combofix log, an AVG Antispyware log and a fresh HJT log after you've run the above.

    Regards Howard :)

    This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  9. DB2801

    DB2801 Newcomer, in training Topic Starter

    Requested logs attached.
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Sorry for the delay in getting back to you.

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O14 - IERESET.INF: START_PAGE_URL=http://crmprdweb.com/my/start.swe?SWECmd=Start

    O15 - Trusted IP range: 10.160.8.172 (HKLM)

    O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://crmprdweb.com/callcenter/16279/applets/siebelhtml.cab

    O16 - DPF: {472AD19B-8B7E-425C-ABCF-9DB605C4B96D} (AllowPopup.Action) - file://\\tahoe\revtools\winintel\allowpopup.dll

    O16 - DPF: {6507C0E5-5621-49FE-8AEB-03B3F490F468} (UTCStub.Action) - file://\\tahoe\revtools\winintel\utcstub.dll

    O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://crmprdweb.com/callcenter/16279/applets/SiebelOptionPack.cab

    O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://crmprdweb.com/callcenter/16279/applets/SiebExtMailClient.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.net

    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.net

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.net

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.net

    Only fix the above O17 entries if you don't recognise the domain.

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
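The entries Howard lists above are in HijackThis's one-line-per-item format, and his instruction for the O17 lines is "fix it only if you don't recognise the domain". As an added example (not from the thread, not HijackThis's own code), here is a small Python parser that pulls out the host each O14/O15/O16/O17 entry points at and applies that recognise-it-or-not rule against a set of hosts you know; the section hints and the known-host set are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the HJT entries Howard listed in the post above.
HJT_LINES = r"""
O14 - IERESET.INF: START_PAGE_URL=http://crmprdweb.com/my/start.swe?SWECmd=Start
O15 - Trusted IP range: 10.160.8.172 (HKLM)
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://crmprdweb.com/callcenter/16279/applets/siebelhtml.cab
O16 - DPF: {472AD19B-8B7E-425C-ABCF-9DB605C4B96D} (AllowPopup.Action) - file://\\tahoe\revtools\winintel\allowpopup.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.net
""".strip().splitlines()

# What each section controls (my wording, not HJT's own).
HINTS = {
    "O14": "Internet Explorer 'reset web settings' start page",
    "O15": "host or range granted Trusted Zone privileges in Internet Explorer",
    "O16": "ActiveX control download site (DPF): whoever serves it runs code on the PC",
    "O17": "TCP/IP domain suffix: fix only if you do not recognise the domain",
}
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
VALUE_RES = (  # host of an http(s) URL or file:// UNC path, then the O15 and O17 value fields
    re.compile(r"(?:https?|file)://[\\/]*([^/\\?\s]+)"),
    re.compile(r"Trusted IP range: (\S+)"),
    re.compile(r"Domain(?:Name)? = (\S+)"),
)

@dataclass
class Entry:
    section: str         # O14, O15, O16 or O17
    detail: str          # text after "O1x - "
    host: Optional[str]  # host, IP or share the entry points at, lower-cased
    hint: str

def parse_hjt(lines: List[str]) -> List[Entry]:
    """Turn HJT O14-O17 lines into records carrying the host each one points at."""
    entries = []
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # not an HJT entry line
        section, detail = m.groups()
        hits = (rx.search(detail) for rx in VALUE_RES)
        host = next((h.group(1).lower() for h in hits if h), None)
        entries.append(Entry(section, detail, host, HINTS.get(section, "unlisted section")))
    return entries

def needs_review(entries: List[Entry], known_hosts: Set[str]) -> List[Entry]:
    """Howard's rule made explicit: flag anything pointing at a host you do not recognise."""
    known = {k.lower() for k in known_hosts}
    return [e for e in entries if e.host is None or e.host not in known]
```

With the four hosts the poster recognised (crmprdweb.com, 10.160.8.172, tahoe, northamerica.net) nothing is flagged, which matches the outcome in the next post; leave any of them out and the corresponding entries come back for review.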
  11. DB2801

    DB2801 Newcomer, in training Topic Starter

    All seems well...

    Everything in your previous thread, that you wanted me to clean, I recognized. I did not clean anything further and have not seen an incident of the virus propagating further.

    I'm not sure which of the *fixes* actually did the trick, but the virus has not infected my system for days. Previously it would appear, then be detected/cleaned numerous times/day.

    Thank you!!!