Author Topic: Trojan-Proxy.Win32.Horst.bj  (Read 9289 times)


Offline jadinolf

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1090
Trojan-Proxy.Win32.Horst.bj
« on: September 28, 2006, 04:15:40 AM »
Avast 4.7.892 just found this Trojan. Is this an uncommon one since I can't seem to find but one mention of it on Google and nothing here?

WinXP
printed on 100% recycled bytes

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #1 on: September 28, 2006, 08:29:49 AM »
Hi jadinolf,

Removal is pretty simple, look here:
http://lists.grok.org.uk/pipermail/full-disclosure/2004-March/019549.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jadinolf

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #2 on: September 28, 2006, 04:02:24 PM »
Thanks for the reply.

Removal was not a problem, I simply deleted it using Avast.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #3 on: September 28, 2006, 04:13:32 PM »
Finding information by virus name isn't always easy as there is no standardisation in the naming of viruses, etc.
So it could be called something else by a different AV, making it more difficult to find information. If you also do a search for the infected file name that often brings more information.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline jadinolf

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #4 on: September 28, 2006, 04:44:25 PM »
Thanks DavidR.

 :)

jonthepain

  • Guest
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #5 on: September 29, 2006, 01:44:30 PM »
Avast just picked up win32: Horst-BJ in our morning boot-time scan, thank God.
It was in C: Docs and Sets\All Users\Application Data\CanonBJ\IJPrinter\CNMWindows\Canonip6600D\Installer\Inst2\helpkicker.exe

Was it from email or a web page?  We keep up to date, and are behind a router.

Thanks,
Jon

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #6 on: September 29, 2006, 02:27:20 PM »
This looks like it might be a legitimate Canon file. I suggest you restore the file from the chest and submit it to VirusTotal just to be sure:

http://www.virustotal.com/en/indexf.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #7 on: September 29, 2006, 03:01:21 PM »
I have the (Canon Pixma iP4000 printer) helpkicker.exe file but in a different location, C:\BJPrinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2; this however isn't detected by avast (see image).

What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!) ?

Besides the link Frank gave you there is another you could try: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

Offline FreewheelinFrank

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #8 on: September 29, 2006, 03:21:13 PM »
Jotti is permanently busy these days:



The bad guys were trying to take him down with DDoS attacks a while ago. I don't know if this is still the reason for the service load- maybe it's legitimate use.

VirusTotal is usually less busy, and has a queuing service/email submittal if demand is high.

Offline jadinolf

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #9 on: September 29, 2006, 03:25:34 PM »
I do, in fact, have an iP4200 on this computer but avast found two instances of the Trojan on this hard drive and I deleted them both. The printer still works fine, if that makes a difference.

I'll be more observant next time.

I appreciate all of the comments.

Offline DavidR

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #10 on: September 29, 2006, 03:53:02 PM »
Deletion is never a good first option, send to the chest and investigate. If it proves to be a false detection you can restore the file from the chest, which you can't if you deleted it.

Also when first reporting the detection, an infected file name and location are essential as we can determine a lot from that information alone.

This is the third detection I've seen in the forums that is/may be related to a Canon printer file and probably the helpkicker.exe file being detected as horst.bj.

Offline jadinolf

Re: Trojan-Proxy.Win32.Horst.bj
« Reply #11 on: September 29, 2006, 03:58:49 PM »
Well, I'm learning and will follow your advice.
« Last Edit: September 29, 2006, 04:51:52 PM by jadinolf »

spanky

  • Guest
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #12 on: September 29, 2006, 04:19:36 PM »
I too got this worm notification (name: helpkicker.exe, located in: documents and settings) on the 27th. I also have a Canon Pixma ip1600 but have had it since I got the computer about 6 months ago. Avast never detected this before. Avast detected it again this morning (name: A0017988.exe, located in: System Volume Information). I moved both of them to chest and performed thorough scan.

jonthepain

  • Guest
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #13 on: September 29, 2006, 04:40:22 PM »
oops sorry i also deleted it.  i will send to chest from now on.  printer works fine.  haven't had time to find out what helpkicker does for the printer.  can probably live without it.

we run avast pro in boot time every am and this was the first time it picked it up-we have a computer in the office that used to be connected to the same printer that i will fire up later and see if avast picks up horstbj.  it currently runs norton and it didn't catch it-i'll uninstall norton and put avast on it. (we prefer avast anyway-norton doesn't play nice with our 3d architectural application.)

let me know if there's anything else i can do to help.

jon

*edit* 4.7.892  vps 0639-3
« Last Edit: September 29, 2006, 04:45:08 PM by jonthepain »

jonthepain

  • Guest
Re: Trojan-Proxy.Win32.Horst.bj
« Reply #14 on: September 29, 2006, 05:20:02 PM »
ok avast also picked it up as horstbj on the other machine so i sent it to the chest and emailed it to avast.

thanks for the help

jon