Need help with Win32:Horst-HV [Trj]

[Akumasama]

Sorry to bother you all.
My father's computer got infected with this trojan a few days ago, and I can't seem to get rid of it.
I Tried full scan, full scan on startup but nothing.

I tried ewido but it doesn't reveal anything, I tried F-Secure Blacklight Rootkit remover (which really helped me 1 year ago when I had to remove a super bastard rootkit from the PC of a colleague at my office) but that too doesn't find anything. I downloaded the last available versions of course.
What's odd is that Avast's full scan on startup found an infected file in an Avast folder.
Other than that the files infected by Win32:Horst-HV [Trj] all seem to appear in the temporary folder, always with a different name.
Any suggestion?

I saved the result of RootKit Revealer, if they can be helpful for someone to tell me what to do (rootkit revealer only finds rootkits, doesn't remove them)

[FreewheelinFrank]

Hi Akumasama,

What is the name of the temporary files detected?

If they all have a name similar to the one below, you may find the following thread useful.

19exmodul32g.3.exe (Letters and numbers before and after exmodul vary.)

http://forum.avast.com/index.php?topic=26429.0

The advice for removal is found here:

http://www.commentcamarche.net/forum/affich-2090178-xxexmodulae-exe-inconu-du-web

(Scroll down till you come to the post in English by Rafael.)

[Akumasama]

Win32:Horst-GZ [Trj]
Win32:Horst-HW [Trj]

Yes, I think one of the files is called numberEXsomething (EXinjs, exhdda and many others)

The other one is always the same and is called
Temp\setup.exe\[UPX]

Gonna read posts now. I'm afraid that my father caught a reproducing worm/trojan/rootkit that "opened" the way for other worms to get in, and currently more than one are already active in this computer.
I really wonder how the hell he got infected...

[FreewheelinFrank]

I suspect that the files you mention may be similar to the exmodul files: certainly at least one other person has observed them alongside the exmodul file, which makes me think that the removal procedure described may still work.

The following executable files seems to load themselves to my \temp directory when I connect to internet with adsl:

12exinjs.f.exe
1exhdd.d.exe
26exmodul32e.exe

http://mybroadband.co.za/vb/showthread.php?t=55870

[FreewheelinFrank]

Could you post a HijackThis! log so we can help you identify any malware entries?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

To check how the computer might have been infected (apart from the obvious route of somebody opening an infected file either attached to an e-mail or downloaded from the web) please scan the computer with Secunia Software Inspector which can identify out of date applications with security vulnerabilities allowing a computer to be infected.

http://secunia.com/software_inspector/

[Akumasama]

I'm moving around my father's computer right now, appearently everything is fine now.
I followed the instructions (in english) on that french board.

My opinion is that this worm isn't called xxEXMODULAx. or xxEXMODULx, but rather xxEXxxx.
None of ny files was named with the MODUL thing, only EXsomethingelse, and I followed step by step the instructions I found on that side, finding the files where they were supposed to be found.


I hope I can say this PC is clean now, thanks a lot for your help! Now what makes me wonder is how the hell did my father manage to infect this PC with that worm. Just by browsing on the internet? Or executing some files from Outlook Express? I wonder...


Thanks for your help anyway! (hoping I won't have to post again in 5 minutes, lol)

[FreewheelinFrank]

The name of the temp files created has obviously changed, but the avast! detection remains the same: Win:Horst. The fact that the disinfection routine worked also confirms that this is a minor variation on a theme.

Please run the Secunia scan ASAP to check for vulnerabilities on the computer to prevent further infection!!