W32/Horst.gen - What now?

What shall I do? Is this a false positive?

Norman found trojan in two locations, and put it in quarantine:

C:\Programfiles\Buypass\Smartcard (filename:SendMail.exe) and

C:\system volume information\_restore{---- license key cencored----f128d8b0df89}\rp404 (filename:a0058193.exe)

Date and size: aug 14 14:47 2003 48kb

Diagnoze: W32/Horst.gen

Can someone please help? Do I need to do anything at all?

 

have you tried scanning those files with online scanners?

http://virusscan.jotti.org/
http://housecall.trendmicro.com/

 

No. Is it possible to scan the files while in quarantine? How?

 

The second finding is in your System Restore points, so don't worry about that yet.

I don't know where Norman keeps Quarantined files, but it could be something like:-

C:/Program Files/Norman/Quarantine

In which case it should be easy to find the encrypted file and submit it here:-

http://virusscan.jotti.org/

If you suspect a fp then it should also be safe to restore the file from Quarantine and then submit it, if need be. You can always re-quarantine it again should it be bad.

 

tepe2 you could go to your quarantine in Norman GUI and then choose restore the file to your desktop. (I hope you have this feature)
Then go to VirusTotal and scan it there.

 

I already tried to find the files in C:\program files\Norman etc.. but did not find them. I also asked for "show hidden files".

I restored the files last night, but Norman put them back to quarantine after a few seconds. There was no option to where I could restore them to, but there is a choice like: save file as...

Anyway, today Norman updated as soon as i turned my pc on. I restored the files from quarantine, but this time Norman was quiet. I then tried to scan one of the files with Norman, but nothing found. Also tried jotti and virustotal, but server too busy there. I will try again later.

I believe this was a false positive, but I will try jotti and different online-scanners.

Thanks to all of you for answering!

(I posted in Norman forum first. At this point of time 17 people have read my post, and no answers. I love Wilders Security Forums)

 

In these situations you would need to temporarily disable the realtime scanning of your AV Guard. Of course you would only do that where it is safe to do so - ie the file will not be run, or is in an archive, and is likely to be a fp etc.

This one looks to be a definite fp.

 

I think they wehere FPs.