FH1.exe - virus help
highchronicles
Toronto, On Canada
So I just got my computer reformatted and lost EVERYTHING, to my dismay. I looked on the bright side and said hey, I can have a fresh start.
So I'm web surfing as usual, and I'll admit I'm not 100% on the safety of every site. I'm going about as usual and I get this really messed up porn pop-up and it starts trying to play a video without my consent or anything.
The pop-up says (it stayed open regardless of the window being closed) "you need Flash HD to view this video, click OK to d/l". I hit the X close button but it still starts a d/l right away, so I immediately scan with AVG (the file was "clean") and then I proceed to delete the file. I am looking at my task manager and there is a task FH1.EXE, and I can't find the file by searching for it with my search utility; I found nothing.
I run a full system scan with AVG and it's coming up with 20 infected files.
It would read as follows:
C:windows\system32 - file a1 (for example)
C:windows\system32 - file a1 [8768564] (so it is the same file but with random numbers in brackets)
At the end, when I went to clean them up, it says 10 of 20 files have been fixed, but I look up the record and it says the file was fixed because it cannot be found. I realized that the files that couldn't be found were the copy files, but the original still existed with the infection.
So I had this task FH1.EXE (I hope someone has heard of this) and it is using about 20% of my processing power. It seems OK when I end the task, but I would rather not have to close the task every time I start my comp.
Any help is appreciated; if you know a free antivirus that can get rid of this for me it would be greatly appreciated.
Comments
First off get rid of AVG & STOP using Internet Explorer...
If going to use free antivirus then get a copy of Avast.
MalwareBytes AntiMalware will get rid of your problem...
Also SuperAntiSpyware will as well, get both.
http://www.avast.com/free-antivirus-download
http://www.malwarebytes.org/
http://www.superantispyware.com/download.html
Malwarebytes will install in safe mode if required to clean off the virus.
Good Luck!
I ran a scan with SuperAntiSpyware and it didn't find anything, so I got rid of that and right now I'm using Google Chrome.
If you want a version of Chrome that's not as nosy as Google's then SRWare Iron is the one to get; they took Chrome and peeled out all the privacy concerns.
http://www.srware.net/en/software_srware_iron.php
This morning I did another scan and it comes up with 20 infected files.
This is what it came up with:
C:\windows\temp\g317k3.tmp - Infected (infection type win32/alureon)
It comes up 10 times; I looked for this file and it doesn't actually exist.
Of the ten, one came up as "object is inaccessible". I hit "remove selected infections" and each time I did, one of those files just came up as "object is inaccessible".
Other files infected are:
C:windows\system32\wuacuclt.exe(720)
C:windows\system32\cfmon.exe(1208)
C:Windows\explorer.exe(2392)
And so on and so forth.
Why do the files have the numbered brackets after them?
You can also get it from CNet; that's where they send you to download anyway.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pm
Also you can give ComboFix a try:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(Do NOT download ComboFix from anywhere else)
Just run it; you don't have to install the Recovery Console option. It runs through 50 stages and should find the hidden rootkit / virus that's causing you trouble.
*The win32/alureon you mentioned above is probably loading at driver level (atapi.sys, I'd say).
The top ten most commonly targeted driver files are the following:
atapi.sys
iastor.sys
iastorv.sys
idechndr.sys
nvata.sys
nvatabus.sys
nvgts.sys
nvstor.sys
nvstor32.sys
sisraid.sys
You just can't delete these, as they are needed to boot the system. And since the virus is in the driver, you'll not find the files it mentions, as it injects code into explorer.exe etc... (It's creating a wild goose chase for AV programs and you with bogus file names.)
Give ComboFix a run and see what happens.
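Two things in this thread lend themselves to a small script: the question of what the bracketed numbers after "explorer.exe(2392)" mean, and the point that the infected driver cannot simply be deleted because the system needs it to boot. The Python below is an added example written for this thread, not a tool from any of the posters or from AVG/ComboFix. It assumes (1) that a trailing "(720)"-style number on a scan line is the process ID of a running process whose memory was flagged, which is how memory-resident detections are usually reported, and (2) that you have a baseline of SHA-256 hashes for the ten driver files listed above, recorded from a known-clean install at the same patch level. The driver files it checks are constructed placeholders in a temporary directory, not real Windows drivers.

```python
import hashlib
import os
import re
import tempfile

# The ten boot-critical driver files named in the reply above.
TARGETED_DRIVERS = [
    "atapi.sys", "iastor.sys", "iastorv.sys", "idechndr.sys", "nvata.sys",
    "nvatabus.sys", "nvgts.sys", "nvstor.sys", "nvstor32.sys", "sisraid.sys",
]

# One AVG-style detection line: a Windows path, an optional "(pid)" suffix,
# and optionally " - Infected (...)" which we ignore.
_DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\?.*?\.(?:exe|sys|dll|tmp))(?:\((?P<pid>\d+)\))?",
    re.IGNORECASE,
)


def classify_detection(line):
    """Return (path, pid_or_None, kind) for one scan-report line, or None.

    kind is "process-memory" when a PID is present (assumption: the number in
    parentheses is a process ID, so the detection is in a running process, not
    necessarily a file you can find on disk) and "file" otherwise.
    """
    m = _DETECTION_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    pid = int(m.group("pid")) if m.group("pid") else None
    kind = "process-memory" if pid is not None else "file"
    return path, pid, kind


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large driver images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_drivers(drivers_dir, baseline):
    """Compare each baselined driver against the copy on disk.

    baseline maps filename -> SHA-256 hex recorded from a known-clean install.
    Returns filename -> "ok" | "MODIFIED" | "missing". A MODIFIED boot driver
    is exactly the case where you replace the file from clean media rather
    than delete it.
    """
    results = {}
    for name, expected in baseline.items():
        p = os.path.join(drivers_dir, name)
        if not os.path.exists(p):
            results[name] = "missing"
        elif sha256_of(p) == expected:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: baseline ten placeholder drivers, then tamper one."""
    tmp = tempfile.mkdtemp()
    for name in TARGETED_DRIVERS:
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(b"placeholder driver image for " + name.encode())
    baseline = {n: sha256_of(os.path.join(tmp, n)) for n in TARGETED_DRIVERS}
    # Simulate a rootkit patching atapi.sys in place: same name, same path,
    # different bytes. Only the hash comparison notices.
    with open(os.path.join(tmp, "atapi.sys"), "ab") as f:
        f.write(b"\x90" * 16)
    return verify_drivers(tmp, baseline)


if __name__ == "__main__":
    for line in [
        r"C:\windows\temp\g317k3.tmp - Infected (infection type win32/alureon)",
        r"C:windows\system32\wuacuclt.exe(720)",
        r"C:Windows\explorer.exe(2392)",
    ]:
        print(classify_detection(line))
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

Usage note: a hash baseline only means something if it came from the same Windows build and patch level, since legitimate updates also change these drivers. More importantly, a kernel-mode rootkit of this family can serve the original bytes back to user-mode reads of the patched driver, so a check like this run from inside the infected system may report "ok"; run it from a clean boot or an offline scan, which is why the thread steers toward ComboFix rather than deleting files by hand.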
http://www.prevx.com/filenames/781187308193234030-X1/SHAPROC.EXE.html
After the last time I'm def not trusting sites that immediately d/l. My AVG has run two scheduled scans and everything has come up clean.
What is ComboFix exactly?
The link he gave you for ComboFix was a direct link and is safe to download. ComboFix is a rootkit detection and removal tool all in one. I love it! I've used it to fix computers many times in the past that appeared hosed. It isn't hard to run at all; just follow the instructions.
Here is the main site for ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As Tushon confirmed, it's an excellent rootkit detector and cleaner.