Re: Possible Virus - QetqDB1E.exe
Sorry but that is ridiculous and I'm totally astounded that they'd remove an AV and not replace it with a backup.. We always had a policy that no company laptops ever left the building without nav corp on it and because they all were NAV clients we could check to see exactly who updated when and who was getting security alerts..
As said before the machine looks clean.. You really should though contact the IT department and specify that you've got a problem even if it's more a case of covering your back.. |
Re: Possible Virus - QetqDB1E.exe
Just browsing the net when I get a chance - I have no idea how this got on here.
And wow, the closest recover point is feb. |
Re: Possible Virus - QetqDB1E.exe
Is that your IT's fault also?
|
Re: Possible Virus - QetqDB1E.exe
It's a really old machine now too, they just have kind of left it to die.
---------- Post added at 12:08 ---------- Previous post was at 12:02 ----------
And that's a whole disk recover not files etc |
Re: Possible Virus - QetqDB1E.exe
I don't like the look of this at all...
O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
It may be quite innocent but I'm always extremely suspicious of anything that references a Temp folder. |
Re: Possible Virus - QetqDB1E.exe
I did google that and have done in the past iirc and it's been innocent. If the user has an Epson printer I think it can be seen as ok
---------- Post added at 14:24 ---------- Previous post was at 14:22 ----------
http://www.bleepingcomputer.com/foru...p/t165554.html
Could see what VirusTotal says, it's gonna have been scanned before but it will give an idea |
Re: Possible Virus - QetqDB1E.exe
Printers reference temp folders a lot, especially if the printer is networked on another machine and the drivers are being used from the other machine
|
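One way to triage the kind of entry debated in the posts above is to separate a program that itself launches from a Temp folder from one that only receives a Temp path as an argument, as the quoted Epson entry does. The Python below is an added example, not part of the thread; the sample log lines, names and verdict labels are constructed for illustration.

```python
import re

# HijackThis autorun line: O4 - <location>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>.*?)\] (?P<cmd>.+)$')
# Executable at the start of the command, quoted or not.
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.I)
TEMP_RE = re.compile(r'(?:\\(?:temp|tmp)\\|%te?mp%)', re.I)
SPOOL_RE = re.compile(r'\\spool\\drivers\\', re.I)

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = r'''O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O4 - HKCU\..\Run: [\\HOST\Example Printer] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EXAMPLE.EXE /FU "C:\DOCUME~1\user\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [abc123] C:\DOCUME~1\user\LOCALS~1\Temp\abc123.exe
'''

def triage_o4(log_text):
    """Label each O4 Run entry by how it references a Temp folder.

    The labels are triage hints only: a spooler-driver path is context
    for a reviewer, not proof that the file is legitimate.
    """
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 [name] entry
        cmd = m.group('cmd')
        im = IMAGE_RE.match(cmd)
        image = im.group('image') if im else cmd
        args = cmd[im.end():] if im else ''
        if TEMP_RE.search(image):
            verdict = 'image-in-temp'            # the program itself runs from Temp
        elif TEMP_RE.search(args):
            # Temp path is only an argument; note when the image is a spooler driver.
            verdict = ('printer-driver-temp-arg' if SPOOL_RE.search(image)
                       else 'temp-arg')
        else:
            verdict = 'no-temp-reference'
        findings.append({'name': m.group('name'), 'image': image,
                         'verdict': verdict})
    return findings

if __name__ == '__main__':
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f['verdict']:<24} {f['name']} -> {f['image']}")
```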
Re: Possible Virus - QetqDB1E.exe
Quote:
Thanks Kymmy. |
Re: Possible Virus - QetqDB1E.exe
This looks and smells like a runtime viral infection, you can probably run as many av scanners as you want while booted into the system but it will still probably come back. Possibly Emsisoft's emergency USB stick ran in Safe-Mode http://www.emsisoft.com/en/software/download/ Deep scan.
Also download Avira's rescue cd, boot into that and scan http://www.free-av.com/en/products/1...ue_system.html it's free. Only other thing is to go the Combofix/OLT route but you're better off doing that via Bleeping. My guess is there's a hidden root kit snuck somewhere... |
Re: Possible Virus - QetqDB1E.exe
Quote:
Keyz, is there any way you can hook this drive up as a secondary on another machine? If it's rootkitted you'd be able to scan and zap it while it's not running and able to hide itself. |
Re: Possible Virus - QetqDB1E.exe
Rootkits though normally show up in the reg section of HIJACKTHIS
|
Re: Possible Virus - QetqDB1E.exe
Quote:
However I've seen reports of wscntfy being hijacked and I'm sure it's possible for other apparently legit files to go the same way. |
Re: Possible Virus - QetqDB1E.exe
Give combofix a shot, it'll probably remove anything else that may be installed that you don't know about too. http://www.bleepingcomputer.com/comb...o-use-combofix
|
Re: Possible Virus - QetqDB1E.exe
I will try these today
Combofix I get an instant error report. |
Re: Possible Virus - QetqDB1E.exe
combofix should not be run by the inexperienced
|