February 12, 2011

How to Remove the QQ/My Documamts.exe Virus from Your PC: Complete Guide

Last week, I was contacted by a Mall Manager here in Davao to troubleshoot their office computers, and he was very worried because almost all of the units were infected with a virus.
The office secretary told me that her boss downloaded a Chinese messenger app called "QQ" (works like YM) and the file included a virus that spread fast and then infected other PCs. I have no idea what the real name of the virus is, but I call it the QQ virus / My Documamts.exe.

There is no reference on the Internet that clearly talks about the QQ virus, but I was surprised that a lot of people on the Internet have encountered this type of threat. If you are one of us, read further; I promise you can fix it now.

What is the QQ Virus?
QQ is not a virus (I just call it the QQ virus for reference). It happened because bad guys out there included a virus in the QQ setup files, so whoever downloads QQ gets infected. The QQ virus can infect Windows XP and Windows Server 2003 platforms and spreads fast through autorun on USB devices.

Virus related files:

Autorun.inf - triggers the virus to run and spread fast.
My Documamts.exe - when double-clicked, produces dangerous links that could intensify your system infection if clicked.
Gwsmvtena.exe - runs on startup.
VSPS.exe - another related virus file that supports the QQ virus.
Exploner - a fake Internet Explorer shortcut icon; when the user clicks it, it opens a Chinese webpage and runs an ActiveX control that can update the virus and add more virus files to your system drive, which could complicate the problem and cause immediate system death if not solved fast.
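
To see what an Autorun.inf on a USB drive would launch before you delete it, the file can be read as plain text. The following is an added example, not part of the original guide: the sample file contents are constructed (the real file is not shown here), and the function names are hypothetical.

```python
# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
# File names the article ties to this infection, lower-cased for comparison.
KNOWN_BAD = ("my documamts.exe", "vsps.exe", "gwsmvtena.exe")

# Constructed sample; the article does not show the real file's contents.
SAMPLE_INF = r"""
; constructed example
[AutoRun]
open=My Documamts.exe
shell\open\command=My Documamts.exe
shell\explore\command=VSPS.exe
icon=folder.ico
"""


def autorun_targets(text):
    """Return (key, command) pairs that an autorun.inf would cause to be launched."""
    targets, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def flag_known(targets):
    """Keep only the launch entries whose command names a file from the article's list."""
    return [(k, v) for k, v in targets if any(bad in v.lower() for bad in KNOWN_BAD)]


if __name__ == "__main__":
    for key, cmd in autorun_targets(SAMPLE_INF):
        print(f"{key} -> {cmd}")
```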

-------------------------------------------------------------------------------------
QQ/My Documamts.exe is a Trojan/virus/worm that affects the following native Windows tools: Registry, msconfig, Explorer, Safe Mode, System Restore, etc.
It also infects System32 files, Internet Explorer plugins and startup programs, and spreads through USB drives.

When you see the My Documamts.exe file on your drive, do not click it, because it will add some annoying things to your desktop. First, it adds Chinese link shortcuts to your desktop. Second, the virus adds more unknown directories to your system drive. Third, it makes your system very slow, and you may not even be able to log on the next time you start your PC.

There are two common processes under which the QQ virus runs:
#1.smss.exe
#2.explorer.exe

Both are important Windows processes. To confirm whether these processes are infected by the QQ virus, compare the paths below:
Normal path:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\explorer.exe

Infected path:
C:\WINDOWS\System32\dfahpihpnd\smss.exe
C:\WINDOWS\System32\gkijtgrbkh\explorer.exe
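
The path comparison above can be automated over a saved process list. This is an added example, not part of the original guide: it assumes a CSV export in the shape of `wmic process get Name,ExecutablePath /format:csv`, the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io
import ntpath

# Expected image paths for the two process names the article says the virus imitates.
# The article lists System32 for explorer.exe; on a stock install it sits directly
# in C:\WINDOWS, so both locations are accepted here.
EXPECTED = {
    "smss.exe": {r"c:\windows\system32\smss.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\system32\explorer.exe"},
}

# Constructed sample (not captured from a real machine), shaped like the output of
# `wmic process get Name,ExecutablePath /format:csv`.
SAMPLE = r"""Node,ExecutablePath,Name
PC01,,System Idle Process
PC01,\SystemRoot\System32\smss.exe,smss.exe
PC01,C:\WINDOWS\System32\dfahpihpnd\smss.exe,smss.exe
PC01,C:\WINDOWS\Explorer.EXE,explorer.exe
PC01,C:\WINDOWS\System32\gkijtgrbkh\explorer.exe,explorer.exe
PC01,C:\WINDOWS\System32\svchost.exe,svchost.exe
"""


def normalize(path, system_root=r"C:\WINDOWS"):
    """Turn native-style paths (\\??\\C:\\..., \\SystemRoot\\...) into plain lower-case form."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    return ntpath.normpath(p).lower()


def find_masquerading(csv_text):
    """Return (name, path) for watched process names running from an unexpected folder."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = (row.get("Name") or "").strip().lower()
        raw = (row.get("ExecutablePath") or "").strip()
        if name not in EXPECTED or not raw:
            continue  # not a watched name, or the path could not be read
        if normalize(raw) not in EXPECTED[name]:
            hits.append((name, raw))
    return hits


if __name__ == "__main__":
    for name, path in find_masquerading(SAMPLE):
        print(f"SUSPICIOUS {name}: {path}")
```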

How to stop and kill the QQ virus?
The QQ virus runs on system startup from this path:
C:\My Documents and Settings\All Users\Start Menu\Programs\Startup\gwsmvtena.exe, and you can't just disable it in msconfig or else it will multiply on startup.

My Documamts, VSPS, Exploner and the other Chinese shortcut links cannot be removed without first stopping the processes that lock them.

Different Methods to Remove the QQ Virus
*Safe Mode method:
Safe Mode gives you the opportunity to access your computer without loading some of the unnecessary services and processes that are loaded on a normal boot. This means that some of the processes that lock files and hinder you from removing the threat have less control in Safe Mode.

What you need to do is back up your files first, then restart your PC and press the F8 key to access the Safe Mode boot option. Once you have entered Safe Mode, set Explorer to reveal hidden system files via My Computer > Menu Bar > Tools > Folder Options > View:
check Show Hidden Files and uncheck Hide protected operating system files, then navigate to and delete these paths (C is the drive where the OS is installed; please be careful):

• C:\WINDOWS\System32\dfahpihpnd\smss.exe
• C:\WINDOWS\System32\gkijtgrbkh\explorer.exe
• C:\My Documents and Settings\All Users\Start Menu\Programs\Startup\gwsmvtena.exe
• C:\Documents and Settings\All Users\Desktop → find the Chinese shortcuts/links, then try deleting them all
• Find VSPS and My Documamts.exe on all drives, then delete them

Try booting your system to see if it works…

*Using the Hiren's Disc Mini XP method (this only works on XP and not with Win NT or Server 2003):
Booting into Mini XP mode blocks all malicious processes more strictly than Safe Mode does. In Mini XP mode you can access msconfig, regedit and the other native tools that can be accessed in Safe Mode, but Mini XP also lets you simply delete locked files without hindrance and spot other threats inside.

Use the Hiren's Disc Mini XP mode to carry out the same task given for Safe Mode, if you can access the option. When using Hiren's Mini XP you can also find bundles of free tools to help you fix everything. Remember, Hiren's tools also work well under a normal Windows boot, so you have options.

The only disadvantage of using Hiren's Disc is that you need to download it and burn it as an ISO image before it can work, which is time-consuming, except in my case because I have two updated copies. lol…

*Using a combination of tools
If the methods above don't work in your situation, patiently try this method. I'm sure this will work because it fixed mine.

#1. First download the following tools if you don't have them:

#2. Back up everything and, if you can access your System Restore option, fire it up.

#3. Install & run Process Explorer and you will see something like this:

#4. Install & run Unlocker, then navigate to and delete all of these paths (in order):

First - C:\My Documents and Settings\All Users\Start Menu\Programs\Startup\gwsmvtena.exe
Second - C:\WINDOWS\System32\dfahpihpnd\smss.exe
Third - C:\WINDOWS\System32\gkijtgrbkh\explorer.exe
Fourth - C:\Documents and Settings\All Users\Desktop → find the Chinese shortcuts/links, then try deleting them all
Fifth - Find VSPS and My Documamts on all drives, then delete them

#5. Install and run USB Virus Scanner. Scan all drives to remove Autorun.inf, then go to the FixSystem menu > Select all > click Apply to initially repair the native system tools. USB Virus Scanner protects your PC from getting infected again by an autorun virus on your USB storage.

#6. Install and run Malwarebytes and Avast. In my own case, Malwarebytes detected more unknown registry entries related to the QQ virus; the only problem with Malwarebytes is that it asks you to register your copy before it can fully work. Avast works best with the XP Boot Time Scan; in fact, running it found more than 800 infected files in the system where the QQ virus wreaked havoc, but you will need another version compatible with Windows Server. Both Avast and Malwarebytes help get the system clean again.

#7. Lastly, after your computer is clean of the QQ virus, do not forget to heal your infected system files: open the Run window, type sfc /scannow, then insert your Windows CD and every corrupt DLL will be repaired. A Windows Repair from boot is also a good option, or use a registry repair and cleaner to make your PC whole again.