Can't get rid of TROJ_HORST virus

Status
Not open for further replies.

DB2801

I cannot get rid of a TROJ_HORST virus. Attached is my HijackThis log. Please help.
 

Attachments: hijackthis.log (15.2 KB)
Hello and welcome to Techspot.

Before deciding whether your computer needs cleaning or reformatting, I need to ask you some questions.

Do you use your computer for any of the following: online banking, business purposes, or storing sensitive or very personal information?

If the answer to any of those questions is yes, then you should immediately disconnect your computer from the net and do a complete format and reinstall.

This is because your computer is infected with backdoor trojans. These will have sent your info to a third party who may use that info for their own purposes. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should also change any other passwords you use, as these may have also been compromised.

Even if we cleaned the infections, it wouldn't help to recover the info that may have been gleaned from your system.

If you only use your computer for music/games etc., then cleaning it of infections is possibly a better option than a reformat.

Please let me know what you want to do in your next post.

See these two links before you decide what you want to do.

http://www.dslreports.com/faq/10063
http://www.dslreports.com/faq/10451


Regards Howard :wave: :wave:

This thread is for the use of DB2801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I do have sensitive data on this device and use it for business purposes as well as personal banking. Is there any way to determine who/where personal data has been sent, if at all?
 
No, unfortunately you can't determine where the data may have gone. Even if you could, I doubt that it'd help you very much.

What you now need to do is disconnect from the internet and reformat your system. Don't reconnect to the net until you have installed your firewall software. Then, install any drivers needed and install antivirus software.

You should change all passwords and contact any institutions such as banks, credit card companies, etc. and alert them to the fact that your computer system has been compromised. This will enable them to protect your accounts before they can be used by any of the scumbags.

Once your system is up and running again, you might want to take a look at this thread HERE. It will show you some ways you can keep your computer system more secure.

Regards Howard :)

 
I do have Ewido/AVG installed as well as a corporate version of Trend Micro, which both detect and delete all variants of the TROJ_HORST trojan. However, I have not been successful in preventing the virus from reappearing. Would this backdoor trojan allow someone access to files on my device, or just keystrokes? As I cannot format my device until after the holidays, is there anything I can do now to clean the virus off my device?
 
The trojan may well have already stolen your info, but yes, we can attempt to clean your machine for now. I still recommend that after cleaning you change all passwords, etc.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :)


 
Your system is still heavily infected. I can't stress how important it is to completely reformat and reinstall from scratch.

However, if you still insist on trying to clean your system, do the following.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

I also want to see an AVG Antispyware log as per the instructions in this thread HERE.

To recap, I need to see a Combofix log, an AVG Antispyware log and a fresh HJT log after you've run the above.

Regards Howard :)

 
Sorry for the delay in getting back to you.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O14 - IERESET.INF: START_PAGE_URL=http://crmprdweb.com/my/start.swe?SWECmd=Start

O15 - Trusted IP range: 10.160.8.172 (HKLM)

O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://crmprdweb.com/callcenter/16279/applets/siebelhtml.cab

O16 - DPF: {472AD19B-8B7E-425C-ABCF-9DB605C4B96D} (AllowPopup.Action) - file://\\tahoe\revtools\winintel\allowpopup.dll

O16 - DPF: {6507C0E5-5621-49FE-8AEB-03B3F490F468} (UTCStub.Action) - file://\\tahoe\revtools\winintel\utcstub.dll

O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://crmprdweb.com/callcenter/16279/applets/SiebelOptionPack.cab

O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://crmprdweb.com/callcenter/16279/applets/SiebExtMailClient.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.net

O17 - HKLM\Software\..\Telephony: DomainName = northamerica.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northamerica.net

Only fix the above O17 entries if you don't recognise the domain.

Click on the fix checked button.

Close HJT and reboot your computer.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

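Howard's instruction above comes down to one rule: an O14/O15/O16/O17 entry is only suspicious if it points at a host, domain or IP range the owner does not recognise. The script below applies that rule mechanically to the HJT lines quoted in the thread. It is an added example, not code from the thread or from HijackThis: it parses each O14-O17 line, extracts the URL host, UNC server, IP address or DNS domain it refers to, and checks it against an allowlist. The allowlist (crmprdweb.com, northamerica.net, the file server "tahoe" and the 10.160.0.0/16 network) is constructed for the example, as is the final O17 line with the domain "unknown.example", added so that one entry is flagged for review.

```python
"""Classify HijackThis O14-O17 entries as recognised or needing review.

Added example; the allowlist and the sample log text are constructed
(the log lines mirror the ones quoted in the thread, plus one made-up
O17 entry that is deliberately not on the allowlist).
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist: what the machine's owner or admin can vouch for.
KNOWN_DOMAINS = {"crmprdweb.com", "northamerica.net"}
KNOWN_HOSTS = {"tahoe"}                                  # LAN file servers (UNC)
KNOWN_NETWORKS = [ipaddress.ip_network("10.160.0.0/16")]  # corporate intranet

# Constructed sample log (the last O17 line is made up and not recognised).
SAMPLE_LOG = r"""
O14 - IERESET.INF: START_PAGE_URL=http://crmprdweb.com/my/start.swe?SWECmd=Start
O15 - Trusted IP range: 10.160.8.172 (HKLM)
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://crmprdweb.com/callcenter/16279/applets/siebelhtml.cab
O16 - DPF: {472AD19B-8B7E-425C-ABCF-9DB605C4B96D} (AllowPopup.Action) - file://\\tahoe\revtools\winintel\allowpopup.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unknown.example
"""

ENTRY_RE = re.compile(r"^(O1[4-7]) - (.*)$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def host_of(location):
    """Host part of an http(s) URL, or the server name of a file:// UNC path."""
    if location.lower().startswith("file://"):
        # file://\\server\share\path -> "server"
        path = location[len("file://"):].lstrip("\\/")
        return re.split(r"[\\/]", path, 1)[0].lower() or None
    u = urlparse(location)
    if u.scheme in ("http", "https"):
        return u.hostname
    return None


def parse_entry(line):
    """Return (section, value) for a supported HJT line, else None.

    value is a hostname (O14/O16), an IPv4 address (O15) or a DNS domain (O17).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O14":                       # IERESET.INF: START_PAGE_URL=<url>
        return section, host_of(body.split("=", 1)[1].strip())
    if section == "O15":                       # Trusted IP range: <ip> (hive)
        ip = IPV4_RE.search(body)
        return section, ip.group(1) if ip else None
    if section == "O16":                       # DPF: {clsid} (name) - <location>
        return section, host_of(body.rsplit(" - ", 1)[1].strip())
    if section == "O17":                       # <registry path>: Domain = <domain>
        return section, body.rsplit("=", 1)[1].strip().lower()
    return None


def is_recognised(section, value):
    """True when the value falls inside the owner's allowlist."""
    if value is None:
        return False
    if section == "O15":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in KNOWN_NETWORKS)
    if value in KNOWN_HOSTS:
        return True
    # exact domain or any subdomain of a known domain
    return any(value == d or value.endswith("." + d) for d in KNOWN_DOMAINS)


def review(log_text):
    """Return [(section, value, verdict)] for every O14-O17 line in the log."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, value = parsed
        verdict = "recognised" if is_recognised(section, value) else "REVIEW"
        results.append((section, value, verdict))
    return results


if __name__ == "__main__":
    for section, value, verdict in review(SAMPLE_LOG):
        print(f"{verdict:10} {section}  {value}")
```

Entries marked REVIEW are the ones to show the helper or to check against what the owner actually uses; an entry on the allowlist is still worth a second look if the allowlist itself came from an infected machine, which is why the list is typed in by hand here rather than read from the log.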
 
All seems well...

Everything in your previous thread, that you wanted me to clean, I recognized. I did not clean anything further and have not seen an incident of the virus propagating further.

I'm not sure which of the *fixes* actually did the trick, but the virus has not infected my system for days. Previously it would appear, then be detected/cleaned numerous times/day.

Thank you!!!
 