TechSpot

!update.exe really stubborn Virus

By Matt Berg
Apr 1, 2007
  1. Hi, I'm relatively new to the forum but this is my first post. Thanks in advance for looking.

    I have what looks like a Trojan which launches ads in IE (Generic3.QFH).

    So far I have done the following with no results.
    1. Deleted my system restore points
    2. Started in Safe mode
    3. Ran CCleaner
    4. Ran AVG

    Generic3.QFH still comes up every time I re-run AVG and says it's in a file called !update.exe.


    I have attached my HJT and AVG logs.

    Thanks again for any help.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with a variety of nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Matt Berg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Matt Berg

    Matt Berg TS Rookie Topic Starter

    Initial Scans Complete

    Howard,

    Thank you again for all the help. I completed the tasks in your reply and have attached the logs (the AVG scan did not find anything so no log is attached). It looks like some of the items are still there in the logs though.

    Thanks again,

    Matt
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    What was the result of the AVG Antirootkit scan?

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ?hkntfs.exe
    ?vchost.exe < Not to be confused with svchost.exe.
    spoolsv.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [Isdppvp] "C:\WINDOWS\system32\?ecurity\?hkntfs.exe" 99001122

    O4 - HKCU\..\Run: [Anz] "C:\Program Files\Common Files\??stem32\?vchost.exe"

    O4 - HKCU\..\Run: [Iora] "C:\WINDOWS\system32\SKS~1\spoolsv.exe" -vt ndrv

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Common Files\??stem32 < Delete the entire folder.
    C:\WINDOWS\system32\SKS~1 < Delete the entire folder.
    C:\WINDOWS\system32\?ecurity < Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
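    The three O4 entries Howard has HJT fix above share a pattern worth spelling out: a Run value under HKCU (writable by the limited user, no admin needed), a path with characters HJT can only print as "?", a file name one character off a real Windows binary (?vchost.exe for svchost.exe, ?hkntfs.exe for chkntfs.exe) or a genuine name (spoolsv.exe) running from a directory it never lives in. The script below, an added example written for this page and not code from the thread or from HijackThis, turns those checks into a small triage over the O4 lines of a log. The sample log is constructed from the entries quoted above plus two ordinary-looking lines for contrast, and the list of Windows binary names it compares against is the example's own assumption, not an exhaustive one.

```python
import re

# Constructed sample input: the first three O4 lines are the entries quoted in
# the post above; the last two are benign-looking entries added for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Isdppvp] "C:\WINDOWS\system32\?ecurity\?hkntfs.exe" 99001122
O4 - HKCU\..\Run: [Anz] "C:\Program Files\Common Files\??stem32\?vchost.exe"
O4 - HKCU\..\Run: [Iora] "C:\WINDOWS\system32\SKS~1\spoolsv.exe" -vt ndrv
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# HJT O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Assumed list of core Windows binary names that malware likes to imitate,
# and the directory suffix they legitimately run from.
SYSTEM_BINARIES = {
    "svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "chkntfs.exe", "ctfmon.exe",
}
SYSTEM_DIR_SUFFIX = "\\windows\\system32"


def parse_command(cmd):
    """Split a Run value's command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def one_char_off(name, candidates):
    """Names from candidates that differ from name in exactly one position."""
    return sorted(c for c in candidates
                  if c != name and len(c) == len(name)
                  and sum(a != b for a, b in zip(name, c)) == 1)


def analyse_o4(line):
    """Return (value name, hive, findings) for an O4 line, or None otherwise."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, _args = parse_command(m.group("cmd"))
    exe_l = exe.lower()
    parent, _, base = exe_l.rpartition("\\")
    findings = []
    if "?" in exe:
        findings.append("path contains characters HJT cannot print (shown as '?')")
    for real in one_char_off(base, SYSTEM_BINARIES):
        findings.append(f"file name is one character off from {real}")
    if base in SYSTEM_BINARIES and not parent.endswith(SYSTEM_DIR_SUFFIX):
        findings.append(f"{base} is a Windows binary name but runs from "
                        f"{parent or 'the search path'}")
    if re.search(r"~\d", parent):
        findings.append("parent directory shown as an 8.3 short name; check its long name")
    if not parent:
        findings.append("bare file name, resolved through the search path (informational)")
    return m.group("name"), m.group("hive"), findings


def scan_log(text):
    """Map each O4 value name in the log to its list of findings."""
    report = {}
    for line in text.splitlines():
        result = analyse_o4(line)
        if result:
            name, _hive, findings = result
            report[name] = findings
    return report


def flagged(report):
    """Value names with at least one non-informational finding: HJT fix candidates."""
    return {name for name, fs in report.items()
            if any("informational" not in f for f in fs)}


if __name__ == "__main__":
    rep = scan_log(SAMPLE_LOG)
    for name, fs in rep.items():
        print(f"[{name}] {'; '.join(fs) if fs else 'nothing unusual'}")
    print("fix in HJT:", sorted(flagged(rep)))
```

    Running it on the sample flags exactly Isdppvp, Anz and Iora, and leaves ctfmon clean; Alcmtr only gets the informational note about a bare file name, which matches Howard treating it separately in his later reply.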
  5. Matt Berg

    Matt Berg TS Rookie Topic Starter

    Is my system clean? Lots of processes running.

    I completed the CCleaner, SS&D, online virus scan and adware scan but seem to have an enormous amount of processes running.

    Could someone please take a look at my hijack this log and let me know if my system is clean?

    Thanks in advance guys.

    Matt
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Threads merged. Please continue to post in this thread until your malware problem is gone.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://access.ssgcorp.com/dana-na/auth/url_default/welcome.cgi

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O8 - Extra context menu item: Sphericall &Dial - C:\Program Files\Sphere\Dial.htm

    O16 - DPF: VIN.net Clients - http://app2.outtask.com/vinnet/clients/153.12/vin2-116.CAB

    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://access.ssgcorp.com/dana-cached/setup/NeoterisSetup.cab

    Click on the fix checked button.

    Close HJT and reboot your system.

    Locate and delete the following bold files and/or directories(if there).

    C:\windows\ALCMTR.EXE

    Other than the above, your HJT log is clean.

    What were the results of the AVG Antirootkit scan?

    See this thread HERE for details of how to speed up your system.

    Regards Howard :)

     
Topic Status:
Not open for further replies.