Win32:Horst-GV [Trj]

I did a boot-scan and this is what came up:
C:\windows\system32\spool\drivers\setup.exe[UPX] is infected by Win32:Horst-GV [Trj]

Found the location on my computer, deleted it, did another boot-scan and found it somewhere else.

C:\system volume Information_restore{079945FA0F86-4538-9B5B-94B9C89AC71A}\RP69\A0012668.exe[UPX] is infected by Win32:Horst-GV [Trj]

I have no clue what to do. I have never even dealt with a virus before… please help!

Thanks,
Tara

Firstly, deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Because it was in one of the system folders, Windows has created a _restore point; you could send that to the chest, but before you do I would suggest you confirm the detection is good. You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If it is infected, basically that confirms the original detection; if not (e.g. avast is the only detection) then your deletion could be a problem (cross that bridge later). The C:\System Volume Information folder is part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
Win XP-ME - How to disable System Restore

Edit: What is your operating system? I assume XP.
I have XP Pro with SP2 and there is no file of that name in my C:\windows\system32\spool\drivers\setup.exe, so the file may have been infected.
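The two result lines quoted in this thread have the same shape: a path, an optional packer tag such as [UPX], then “is infected by”, the detection name and its kind. The helper below, added here as an example and not avast code, splits such lines apart and buckets each hit by where it lives, so that a copy sitting inside a System Restore point (a snapshot Windows took earlier) is told apart from a copy in a live system folder. It assumes the line shape shown above and a system root of C:\windows, both taken from the posts; the sample lines are the ones quoted in the thread.

```python
"""Parse avast boot-scan result lines and classify where each hit lives.

Added example for this thread, not avast's own code. It assumes the
'path[PACKER] is infected by NAME [KIND]' line shape quoted in the posts
above, and that the Windows system root is C:\\windows (also from the posts).
"""
import re
from collections import Counter

# Constructed sample: the two result lines quoted in the thread, verbatim.
SAMPLE_LINES = [
    r"C:\windows\system32\spool\drivers\setup.exe[UPX] is infected by Win32:Horst-GV [Trj]",
    r"C:\system volume Information_restore{079945FA0F86-4538-9B5B-94B9C89AC71A}"
    r"\RP69\A0012668.exe[UPX] is infected by Win32:Horst-GV [Trj]",
]

# path, optional "[packer]" tag, detection name, detection kind ("Trj", ...)
_HIT = re.compile(
    r"^(?P<path>.+?)(?:\[(?P<packer>[^\]]+)\])?\s+is infected by\s+"
    r"(?P<name>.+?)\s+\[(?P<kind>[^\]]+)\]\s*$"
)
# Restore-point folders look like ...\_restore{GUID}\RP69\A0012668.exe
_RESTORE_POINT = re.compile(r"\\(RP\d+)\\", re.IGNORECASE)

SYSTEM_ROOT = "c:\\windows\\"  # assumption: default XP install drive


def classify_location(path):
    """Coarse bucket used for triage: snapshot copy, live system file, or other."""
    lower = path.lower()
    if "system volume information" in lower:
        # A copy inside a System Restore point is a snapshot taken earlier,
        # not a file Windows is running now; the thread covers clearing them.
        return "restore_point"
    if lower.startswith(SYSTEM_ROOT):
        return "system_folder"
    return "other"


def parse_hit(line):
    """Return a dict for one result line, or None if the line is not a hit."""
    m = _HIT.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()  # packer is None when there is no [UPX]-style tag
    hit["location"] = classify_location(hit["path"])
    rp = _RESTORE_POINT.search(hit["path"])
    hit["restore_point"] = rp.group(1) if rp else None
    return hit


def summarize(lines):
    """Count hits per (detection name, location) so live copies stand out
    from restore-point snapshots carrying the same detection name."""
    counts = Counter()
    for line in lines:
        hit = parse_hit(line)
        if hit:
            counts[(hit["name"], hit["location"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = parse_hit(line)
        print(f'{hit["name"]:16} {hit["location"]:14} '
              f'{hit["restore_point"] or "-":6} {hit["path"]}')
    print(dict(summarize(SAMPLE_LINES)))
```

Running it on the two quoted lines reports one live copy in the system folder and one snapshot copy in restore point RP69, both flagged as UPX-packed Win32:Horst-GV, which is the distinction the advice about disabling System Restore rests on.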

Thanks for the reply, I will try disabling the system restore in a minute.

I just have one quick question, and maybe I should have asked this before :-\ When I first did the boot-scan I was going to move the item into the chest, but it warned me that it was in the windows file. So, I got scared and didn’t want to screw up my puter so I didn’t do that. But then when I located it on my computer I realized it was nothing important (or what I assumed wasn’t) and then deleted it. I’m just wondering: when it gives me that warning, is it still safe to move to the chest or can I cause serious damage?

OK, turned off system restore and did boot-scan. Nothing came up. So, does this mean I’m cured? Or is there something else I should do?

Thanks again! :wink:

It is safer to move it to the chest than to delete; from the chest it is possible to restore a file, whereas having deleted it that option is no longer open to you, but avast has to warn.

I also said to check the file (with virustotal, etc.) in the _restore point before doing anything; now we will never know for sure about the file’s detection, but based on my files in that location even if a false detection it wouldn’t be a critical file. I didn’t expect to see anything come up after disabling system restore and rebooting, as that effectively deletes every restore point, infected or otherwise.

Now you are showing clear (it would appear correct), enable system restore again and reboot.

You might want to change your avatar for another, resize or use this one. We try to keep avatars around 100 X 100 for those who don’t have high resolution monitors.

Well, I couldn’t even find the file the second time so I couldn’t check it with virustotal. I don’t know; this is all new to me so it’s a bit confusing. Anyways, do you think my computer should be cleared now?

I would think so. You could also use an on-line scanner to confirm: establish a connection to the on-line scanner of your choice and just before you do the scan, pause Standard Shield, enabling it again after completion.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt

I would avoid Panda’s on-line scanner as that places signature files in a folder it creates in the system32 folder. These signatures aren’t encrypted, so avast finds these and assumes a valid detection.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

The virus came up again. It’s the same exact one as last time. I moved it to the chest. I went to www.virustotal.com and scanned it. It comes up as no virus found. Every time I scan it with Avast it comes up as a virus?! Now what do I do? ???

This one ‘C:\windows\system32\spool\drivers\setup.exe[UPX] is infected by Win32:Horst-GV [Trj]’ or the one in system volume information ?

When you say “I went to www.virustotal.com and scanned it. It comes up as no virus found.”
How did you upload it to virustotal, as you can’t when it is in the chest; that ends up as a 0 byte file size and none of the scanners will detect anything.

If you uploaded it outside of the chest, are you saying none of the scanners detected anything (including avast) ?
Or only avast detected it on virustotal ?

The location was different, but the setup.exe[UPX] is infected by Win32:Horst-GV [Trj] part was the same.

But since getting that one I have got several more avast warnings. I’ve moved them all to the chest. Three were Win32:Horst-HA [Trj] and five were Win32:horst-GV [Trj]. There are too many to list the whole location.

If you uploaded it outside of the chest, are you saying none of the scanners detected anything (including avast) ?

Yes.

Interesting but not unusual with virustotal, as it has happened previously that the user (you) has a more recent version of the VPS. So this may be an indication that a recent VPS update has triggered this detection and it is most likely a false positive.

These other detections in different locations, did that happen to include the temp location you used to send to virustotal?
You should also confirm the new detections at virustotal, if the results are the same for these then send them to avast also.

Send the samples to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Since copies are in the chest it would probably be easier to send them from there, see below.

Or you can also send the file from the User Files (File, Add) section of the avast chest (right click the file, select email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

If it is indeed a false positive (virustotal results support this), pause Standard Shield, and restore the file from the chest (right click on the file, select restore).
Add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions)
Periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location.
When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Not a false positive, but tricky to upload.

I tried uploading it to jotti, but another copy of it was causing the size 0 thing. I tricked it by renaming setup.exe to “obaoba.vir” and uploaded it to jotti.org

I got the following report:

AntiVir Found TR/Proxy.Horst.XC
ArcaVir Found Trojan.Proxy.Horst.Xc
Avast Found Win32:Horst-GV
AVG Antivirus Found Proxy.KPV
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.18885
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
Fortinet Found W32/Dloader.HF!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
NOD32 Found Win32/Medbot.HF
Norman Virus Control Found W32/Horst.gen20
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Horst.xc

The question is. Where’s it coming from?

Sorry about my poor English.

Mmm. I killed a “looks a lot like an nVidia service”, something like
“c:\windows\system32\nvdsvc32.exe”


Sorry about this second reply, but I didn’t find any EDIT button (I know, probably ’cause I’m a llama ;D). Whatever…

I found this extra information about it:
http://www.enciclopediavirus.com/virus/vervirus.php?id=3804

It’s in Spanish. If you don’t understand, just look for the files, services and registry entries. I suspect that it’s coming via a flaw exploit, ’cause the virus could not execute on my system.

Avast blocked it BEFORE infection I presume, good work!
I think it got detected exactly at file creation and was blocked from executing! xD

I put this thread in my favourites! I will be looking frequently.

Thanks Alwil for the good job! Can’t you create a firewall too? ;D


At the top right of each of your posts there are two buttons, Quote and Modify, use modify to edit a previous post.

I tried uploading it to jotti, but another copy of it was causing the size 0 thing. I tricked it by renaming setup.exe to "obaoba.vir" and uploaded it to jotti.org

Did the same thing and this is what I got:

Scan taken on 28 Feb 2007 19:55:46 (GMT)
AntiVir Found TR/Proxy.Horst.XC
ArcaVir Found Trojan.Proxy.Horst.Xc
Avast Found Win32:Horst-GV
AVG Antivirus Found Proxy.KPV
BitDefender Found Trojan.Proxy.Horst.XC
ClamAV Found Trojan.Proxy-147
Dr.Web Found Trojan.DownLoader.18885
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
Fortinet Found W32/Dloader.HF!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
NOD32 Found Win32/Medbot.HF
Norman Virus Control Found W32/Horst.gen20
VirusBuster Found Trojan.DL.Medbot.GO
VBA32 Found Trojan-Proxy.Win32.Horst.xc

NOW WHAT DO I DO?
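The two Jotti reports above (PauloGurel’s and tryan21’s) are the kind of evidence the earlier advice turns on: one engine alone flagging a file points to a false positive, broad agreement points to a real detection. The helper below, added here as an example and not Jotti’s or avast’s code, parses that “Engine Found Verdict” format, works out the detection ratio, tallies which malware family names the engines agree on, and lists the engines whose verdict changed between the two uploads. The report texts are the ones posted above, embedded as constructed input; the family keyword list is a hand-picked assumption drawn from the names in those reports.

```python
"""Summarise 'Engine Found Verdict' multi-engine scan reports.

Added example for this thread; not Jotti's or avast's code. The two report
texts are the Jotti results posted above, embedded as constructed input.
FAMILY_KEYWORDS is an assumption: hand-picked from the names in those reports.
"""
import re
from collections import Counter

FIRST_REPORT = """\
AntiVir Found TR/Proxy.Horst.XC
ArcaVir Found Trojan.Proxy.Horst.Xc
Avast Found Win32:Horst-GV
AVG Antivirus Found Proxy.KPV
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.18885
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
Fortinet Found W32/Dloader.HF!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
NOD32 Found Win32/Medbot.HF
Norman Virus Control Found W32/Horst.gen20
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Horst.xc
"""

SECOND_REPORT = """\
Scan taken on 28 Feb 2007 19:55:46 (GMT)
AntiVir Found TR/Proxy.Horst.XC
ArcaVir Found Trojan.Proxy.Horst.Xc
Avast Found Win32:Horst-GV
AVG Antivirus Found Proxy.KPV
BitDefender Found Trojan.Proxy.Horst.XC
ClamAV Found Trojan.Proxy-147
Dr.Web Found Trojan.DownLoader.18885
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
Fortinet Found W32/Dloader.HF!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Horst.xc
NOD32 Found Win32/Medbot.HF
Norman Virus Control Found W32/Horst.gen20
VirusBuster Found Trojan.DL.Medbot.GO
VBA32 Found Trojan-Proxy.Win32.Horst.xc
"""

FAMILY_KEYWORDS = ("horst", "medbot", "dloader", "downloader", "proxy")

# Engine name is everything before ' Found ', verdict everything after it.
_LINE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+?)\s*$")


def parse_report(text):
    """Return {engine: verdict}; 'Found nothing' becomes None. Header lines
    such as 'Scan taken on ...' do not match and are skipped."""
    results = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            verdict = m.group("verdict")
            results[m.group("engine")] = None if verdict.lower() == "nothing" else verdict
    return results


def detection_ratio(results):
    """(engines that detected something, engines that scanned)."""
    return sum(1 for v in results.values() if v), len(results)


def families(results):
    """How many detecting engines mention each family keyword in their name."""
    counts = Counter()
    for verdict in filter(None, results.values()):
        for key in FAMILY_KEYWORDS:
            if key in verdict.lower():
                counts[key] += 1
    return counts


def assess(results):
    """Rule of thumb from the thread: a single-engine hit is a false-positive
    candidate; agreement from most engines is a real detection."""
    detected, total = detection_ratio(results)
    if detected == 0:
        return "no engine detects it"
    if detected == 1:
        return "single-engine hit: likely false positive, confirm with the vendor"
    if detected * 2 >= total:
        return "majority detection: treat as real"
    return "minority detection: inconclusive, submit the sample"


def changed_verdicts(earlier, later):
    """Engines whose verdict differs between two scans of the same file,
    e.g. signatures that arrived between the two uploads."""
    return {e: (earlier.get(e), later.get(e))
            for e in set(earlier) | set(later) if earlier.get(e) != later.get(e)}


if __name__ == "__main__":
    first, second = parse_report(FIRST_REPORT), parse_report(SECOND_REPORT)
    for label, r in (("first", first), ("second", second)):
        print(label, detection_ratio(r), assess(r), dict(families(r)))
    print("changed:", changed_verdicts(first, second))
```

On the posted reports this gives 11 of 15 engines in the first upload and 14 of 15 in the second, with “horst” the most common family name in both; the three engines that moved from “nothing” to a detection (BitDefender, ClamAV, VirusBuster) show how quickly signatures spread once a sample circulates, which is also why a single-engine hit on the day of a VPS update deserves a second look rather than an immediate delete.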

Send the samples to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Since copies are in the chest it would probably be easier to send them from there, see below.

And I already did this. I did it before I went to jotti and did what PauloGurel said.
Oops, I should have done it the other way around, I suppose.

Delete the file that you located in a temp location so you could upload it to virustotal, etc.
Disable system restore and reboot, do another avast scan and if clear enable system restore again; see my very first reply.

:slight_smile: Hi Tara :

Since you appear to have a "trojan", have you tried using an antiSPYWARE/antiTROJAN program, such as the Good & FREE AVG Antispyware from www.ewido.net or the FREE version of "SUPERantispyware" from www.superantispyware.com to "deal" with it!?

Hello tryan21,

Here is the removal info:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=57036

polonus


I don’t really understand… do I just download one of the programs there? I am so new and stupid when it comes to viruses. Please bear with me :slight_smile:

The removal instruction links at the top of the page really relate to the case where you are using a CA antivirus product; you aren’t, so this isn’t much help to you other than saying you need to disable system restore. That is why polonus’s link was under the cover of ‘Here is the removal info:’; effectively, use the information to check and remove manually.

The removal information on the page shows other files that may be infected and their locations; check for the presence of any of these and add them to the User Files section of the avast chest if you find any.

The same is true of the registry entries; they may or may not be present. If they are, exercise care if they are to be deleted: back up (export) the key first.

I would suggest you print off the page information so you can follow it step by step when you are off-line.