i have a problem...two files, setup and autorun show in my shared folders, and my antivirus kaspersky tells me i have this trojan Trojan-Proxy.Win32.Horst.av and despite i delete the files, they keep apearing...can someone help me?? thanks..[[]]

Hello radaan.Welcome to Techspot.

Go HERE follow the instructions,then post an HJT log as a .txt attachment into this thread.

first of all i can tell you the specific trojan thats infecting my pc.. his name is Trojan-Proxy.Win32.Horst.av.. the hijack file is in the attachment [[]]

Attached Files

hijackthis.log (4.1 KB, 5 views)

[B]Hello and welcome to Techspot.[/B]

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

Click on the fix checked button.

Close HJT.

Other than the above, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

[color=red][b]This thread is for the use of[/color] radaan [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color][/b]

thanks for the help..but the problem is still here..i made what you asked me but when i shared my documents folder the problem appeared in a matter of minutes..im going to send you the picture of the two files setup and autorun...

Attached Images

Sem título.JPG (85.6 KB, 7 views)

Ah.. i ran into this problem..

I believe that the setup file is about a few kb's? if you open the autorun.inf files with notepad it has a command that points to the setup.exe file

It hides itself as a Generic Host Process for Win32 Services when you double click on that file and it also copy itself to your other HDDs/partitions so do check for them. My firewall picked them up as "launched by program **exd**" (can't recall what it was exactly, but the first two are numbers).

Download Process Explorer, end the tasks on the bottom of the list, usualy a fake svchost.exe (not under the winlogon tree, which is genuine, but listed as a seperate app) or boot into safe mode. Also note that this file tries to load on startup as well, so unless you've let your firewall let it through than you cant disable it (as in finding the app launching it) from starting up.

Go and locate all those setup/autorun files on your HDDs and partitions (sometimes also found in the root folder eg C:\ ) and delete them all, and see if they reapear after a while.

Scan with Trendmicro Housecall and follow instructions as linked in Peddant's post. I believe there is a file you have to manualy delete depending on what trendmicro picks up but i forgot what or where.. so maybe howard can help you..

It could be this one HERE

Yep.. that looks like the one.. thanks for the link peddant

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Turn off system restore.(XP/ME only)[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial56.html[/url]

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial61.html[/url]

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial62.html[/url]

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

setup.exe

Close task manager.

Run a full system scan with your antivirus programme and delete whatever it finds.

Try and manually delete the setup.exe and autorun.inf files(if there).

Reboot into normal mode and turn system restore back on and rehide your protected OS files.

Please let us know the results.

Regards Howard

i have done what you said..the antivirus scan didnt find nothing...i erased all the files...but when i restarted the pc...it came back...

The next time your antivirus programme finds it, please post your antivirus log as an attachment.

We need to find out where it`s respawning from.

In the meantime, download the Ccleaner programme from [URL="http://www.filehippo.com/download_ccleaner/"]HERE[/URL]. Run the programme several times. also run the issues scan and fix whatever it finds. Do this until it no longer finds anything.

Regards Howard