Chinavent Aka Qqvnet.exe

5 replies to this topic

#1 UKJess

UKJess

  • Members
  • 5 posts

Posted 10 July 2008 - 04:51 PM

I am trying to clean up a computer for a friend whose children have infected it with a host of nasties.

I think I've got rid of everything except qqvnet.exe. I followed the instructions in your database and now Hijackthis shows qqvnet as a 023 entry but it ends
"file missing" - does this mean I've killed it and left a harmless shell behind?

It's an XP machine, SP3 and I've run Spybot, superspyware, killbox and autoruns and this is all that's left and it's bugging the hell out of me.

Please help, my rep as the "person who knows" is at stake! :thumbsup:

TIA

Jess


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2008 - 05:17 PM

"File missing" means you did an incomplete job of killing it; the registry still refers to the infected file.

http://www.sophos.com/security/analyses/vi...2autoruncu.html

with an infection this new I would run some more scans

Try MBAM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.

#3 UKJess

UKJess
  • Topic Starter

  • Members
  • 5 posts

Posted 10 July 2008 - 05:23 PM

I've done that already, sorry I should have mentioned that. Didn't touch it.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2008 - 06:03 PM

Use HJT to remove the entry; it's definitely malware related. As a general rule it's best to use a program to remove all components of an infection, but nothing always works perfectly.

Autoruns uses a similar technique to remove orphaned registry entries.

The real danger is using regedit w/o a backup

Even HJT has a restore feature

In September of 2002, Merijn Bellekom, a member at Spywareinfo, came up with the first version of StartupList that essentially acted the same as StartUp Log, but with running processes and extra startup locations enumerated, as well as verification of the location of Explorer.exe. It worked in Windows 2000 and XP! The 'dark ages' were over and a new era of malware detection began.


long ago and far away

It seems a lot longer ago than that
Chewy

No. Try not. Do... or do not. There is no try.
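A defender-side way to find the condition this thread is about (a service registry entry whose binary no longer exists, which HijackThis reports as an O23 entry with "file missing") and to back each key up before anything is removed, as the post above advises. This is an added PowerShell example, not code from the thread, HijackThis or Autoruns; it assumes an elevated prompt on a current Windows PowerShell, and the backup folder name is illustrative.

```powershell
# Resolve a service's ImagePath value to the on-disk binary it names.
# Handles quoted paths with arguments, %SystemRoot% variables, the \??\ and
# \SystemRoot\ prefixes used by drivers, and paths relative to the Windows folder.
function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)                       # quoted path: drop the arguments
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $p = ($p -split ' ')[0]                         # unquoted: first token is the binary
    }
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

# Enumerate every service key and keep those whose binary is missing on disk.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$orphans = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }                   # keys without an ImagePath are not services
    $bin = Get-ServiceBinaryPath $imagePath
    if (-not (Test-Path -LiteralPath $bin)) {
        [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $imagePath; Resolved = $bin }
    }
}
$orphans | Format-Table -AutoSize

# Export each orphaned key before any removal so the change can be reversed
# (the same idea as HijackThis's restore feature; folder name is illustrative).
$backupDir = Join-Path $env:USERPROFILE 'orphaned-services-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($o in $orphans) {
    $file = Join-Path $backupDir ("$($o.Service).reg")
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$($o.Service)" $file /y | Out-Null
}
# After reviewing the list, a confirmed-malicious orphan can be removed with
#   sc.exe delete <ServiceName>
# and the key restored if needed with
#   reg.exe import <backup>.reg
```

Some legitimate entries can also show up as orphans (uninstalled software that left its service behind), so the list is a starting point for review, not a delete list.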

#5 UKJess

UKJess
  • Topic Starter

  • Members
  • 5 posts

Posted 10 July 2008 - 07:05 PM

Unfortunately, HiJackthis leaves it untouched. I put a tick in the tick box, press fix and the bloody thing is still there afterwards.

Do you wonder I'm tearing my hair out?

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2008 - 08:19 PM

http://www.bleepingcomputer.com/forums/ind...st&p=857433

Try safe mode for SAS, post the log please

"person who knows"

you are disabling teatimer?

Edited by DaChew, 10 July 2008 - 08:24 PM.

Chewy

No. Try not. Do... or do not. There is no try.
