Hello all,
This is my first time on your forums, so hello to everyone…
I have a problem with Win32:Horst-GZ which has been found on my PC.
Avast found it originally and I stored it in the chest, as recommended.
Since then Avast keeps alarming me that it has found the virus again and again.
It states the original location, from which I have even tried to remove the files manually, but to no avail: it just keeps replicating itself over and over.
Can someone help me to eradicate this altogether please?
Thank you in advance
Hi Dawnstead,
What’s the name and location of the file detected as Win32:Horst-GZ?
I would suggest a quick combofix run for this and see what we get
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix’s window while it’s running. That may cause it to stall.
Hiya, thank you for replying to my post.
All contain virus = Win32:Horst-GZ [Trj]
Chest File Log:
Name > Original Location > Last Changed
79exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 17:37:08
60exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 10:44:12
10exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 11:23:06
24exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 12:51:22
67exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 14:05:58
42exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 14:40:01
60exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 15:34:22
98exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 17:13:02
97exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 17:50:19
Hope that helps, thank you again
The general cleaning process includes:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot-time scan with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
- It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
- After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
This is a form of attack we see regularly: avast! detects the temp files created by the malware, but not the actual file spawning them. There are some working removal instructions in this thread:
http://forum.avast.com/index.php?topic=28403.0
The direct link to the removal instructions is here; scroll down to the section by Rafael, in English:
http://www.commentcamarche.net/forum/affich-2090178-xxexmodulae-exe-inconu-du-web
The instructions involve stopping the 79exhdda.9.exe and similar processes in task manager, deleting the files, then removing a start-up entry for a malware process called smss.exe found in the wrong folder.
We really need a HijackThis! scan to help you with this:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
Have a look at the removal instructions and post the log, and ask if you need any clarification of what to do.
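The pattern described in the post above (temp files caught again and again while the file spawning them stays, plus a start-up entry for smss.exe in the wrong folder), as an added example that is not part of the original thread. It assumes a default XP system directory of C:\WINDOWS\system32; the start-up entries and the smss.exe folder are constructed placeholders, and the function names are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: default Windows XP install path; adjust for another system root.
SYSTEM_DIR = ntpath.normcase(r"C:\WINDOWS\system32")
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

# Header plus four rows copied from the chest log posted in this thread.
CHEST_LOG = r"""
Name > Original Location > Last Changed
79exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 17:37:08
60exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 10:44:12
10exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 11:23:06
24exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 12:51:22
"""

# Constructed start-up entries (label, image path); the smss.exe folder is a placeholder.
STARTUP = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("svchost", r"c:\windows\SYSTEM32\svchost.exe"),
    ("placeholder entry", r"C:\EXAMPLE\placeholder\smss.exe"),
]

def respawn_families(chest_log, min_hits=3):
    """Group quarantined files whose names differ only in a leading number.

    Returns {(stem, folder): hits} for groups seen at least min_hits times,
    a sign that something still running keeps re-creating the files.
    """
    groups = defaultdict(int)
    for line in chest_log.strip().splitlines():
        parts = [p.strip() for p in line.split(" > ")]
        if len(parts) != 3 or parts[0] == "Name":
            continue  # header or malformed row
        stem = re.sub(r"^\d+", "", parts[0].lower())
        groups[(stem, ntpath.normcase(parts[1]))] += 1
    return {key: hits for key, hits in groups.items() if hits >= min_hits}

def misplaced_system_images(startup_entries):
    """Return start-up entries that use a core Windows process name outside system32."""
    return [(label, path) for label, path in startup_entries
            if ntpath.basename(path).lower() in CORE_NAMES
            and ntpath.normcase(ntpath.dirname(path)) != SYSTEM_DIR]

if __name__ == "__main__":
    print("Respawning file families:", respawn_families(CHEST_LOG))
    print("System names in the wrong folder:", misplaced_system_images(STARTUP))
```

A respawning family tells you the quarantined files are only the output of something else, and the start-up check points at where to look for that something in a HijackThis log.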
Hi Dawnstead,
There exists a remarkable Brazilian solution for this particular type of malware, and we solved the mystery of the exmodulag virus before, so read this thread here on our avast webforum:
http://forum.avast.com/index.php?topic=19474.0
Searching our own forum can lead to immediate results. You are the fourth person with this particular infection.
polonus
Dawnstead, if you need translation of a particular solution into English, just let me know… 8)