obqhs.exe

[Will Denny]

Hi

Have you virus-checked your system with the latest definitions for your AV
program?

Also try the following programs to check for any spyware that might be on
your system:

Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://www.spywareinfo.com/~merijn/downloads.html

Try SpyWareBlaster to stop intrusions:

http://www.javacoolsoftware.com/spywareblaster.html

Also see the following links:

http://aumha.org/a/parasite.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.microsoft.com/security/articles/spyware.asp

 

[Dave]

XP pro

Anyone know what obqhs.exe is? I can find no google refs at all. It's
appears in the list of processes on my son's PC. Sometimes there are
four separate processes with the same name, all taking around 9 MB of
memory. Mostly they take 0% or 1% of system resources, but occasionally
up to 99% without actually seeming to do anything. There's no reference
to obqhs in msconfig/startup or services tabs but they appear after
every reboot. If I end the processes one or more seems to reappear after
an interval. Is it adware/spyware/virus/trojan?

 

[Rick \Nutcase\ Rogers]

Hi Dave,

It's a trojan (virus) file. Follow these "relatively" simple removal steps:

Restart in Safe mode by hitting F8 as Windows first begins to load on boot.
Logon as administrator.

Start/search/files and folders, look for <filename> and delete it wherever
it is found.

Start/run regedit, expand the + signs to look under these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Look in the right hand pane for the string or strings that load that file.
Delete just those strings that contain the reference. Do not delete other
strings or the keys from the left pane. Close the registry editor when
completed, make sure you check all strings.

Go to the Control Panel/System/System Restore tab. Check the box to "Turn
off system restore on all drives". Click apply/ok. This will remove all
restore points, however you don't want them back as some or all of them will
contain the virus depending upon how recently you got infected.

Restart the system normally. Go back to the Control Panel/System and restart
System Restore.

Update your antivirus software, run a full system scan.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

 

[Will Denny]

I looked in theose keys before and there's nothing there that shouldn't
be.

I discovered that it's part of Winamp cos the file itself contains a
Winamp icon. But Winamp doesn't start at boot up!

Hi Dave

I've got the latest version of Winamp installed here, but I can't find any
reference to that file on this partition.

 

[Dave]

Hi Dave,

It's a trojan (virus) file. Follow these "relatively" simple removal steps:

Restart in Safe mode by hitting F8 as Windows first begins to load on boot.
Logon as administrator.

Start/search/files and folders, look for <filename> and delete it wherever
it is found.

Start/run regedit, expand the + signs to look under these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

I looked in theose keys before and there's nothing there that shouldn't be.

I discovered that it's part of Winamp cos the file itself contains a
Winamp icon. But Winamp doesn't start at boot up!

 

[Dave]

Hi Dave

I've got the latest version of Winamp installed here, but I can't find any
reference to that file on this partition.

Mmmm. I think it's a Trojan with a randomly generated .exe filename as
others have suggested. I've posted my hijackthis log file on 24 hour
helpdesk. Meanwhile I've deleted obqhs.exe and rebooted. No instances of
the process now reported