Cable Forum (https://www.cableforum.uk/board/index.php)
-   Security & Virus Discussion (https://www.cableforum.uk/board/forumdisplay.php?f=38)
-   -   Possible Virus - QetqDB1E.exe (https://www.cableforum.uk/board/showthread.php?t=33666797)

Keyz333 01-07-2010 11:13

Possible Virus - QetqDB1E.exe
 
Okay, so recently I have been getting some pop-ups in IE (I don't use IE, I use Flock) but pop-ups have been coming up inside IE.

I checked my Task manager processes to find a lot of 'QetqDB1E.exe'

I ended them all, and it seemed to stop for a while..

A little bit later the pop-ups came up again, and again, that process was there...

Anyone know what it is? I now have configured a little batch script to run every 5 minutes to end the process just in case, but do not want to keep this here..

One more thing - in my temp folder I have a file called:

'etilqs_PPMzlZyb9Q8XUPwXfUIE' which I cannot delete as it's being 'used'

I have already run Malwarebytes, which found a few things, but the process still comes back.

Help :(

zing_deleted 01-07-2010 11:15

Re: Possible Virus - QetqDB1E.exe
 
Have you run HijackThis?

Keyz333 01-07-2010 11:17

Re: Possible Virus - QetqDB1E.exe
 
I'll do that now.

Kymmy 01-07-2010 11:23

Re: Possible Virus - QetqDB1E.exe
 
It does sound like there is a virus drop file; removing it won't do you much good whilst the install package is still there, as it'll just do a check and reinstate it or one with a similar name.

As Zing says, HijackThis is your first port of call.

Keyz333 01-07-2010 11:30

Re: Possible Virus - QetqDB1E.exe
 
Here's the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:40, on 01/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Pharmagraph\enVigil\enVigilSec.exe
C:\Program Files\Pharmagraph\enVigil\enVigilServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Wakoopa\Wakoopa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Flock\flock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [\\CLAIRE\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P39 "\\CLAIRE\EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Wakoopa] C:\Program Files\Wakoopa\Wakoopa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://pe2800-server/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1264180684539
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asl.local
O17 - HKLM\Software\..\Telephony: DomainName = asl.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asl.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: enVigil Security (enVigilSec) - Acquisition Systems Ltd - C:\Program Files\Pharmagraph\enVigil\enVigilSec.exe
O23 - Service: enVigil Server (enVigilSrv) - Acquisition Systems Ltd - C:\Program Files\Pharmagraph\enVigil\enVigilServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5815 bytes

zing_deleted 01-07-2010 11:38

Re: Possible Virus - QetqDB1E.exe
 
Although we can have a look for you here, I advise you post on the HijackThis forums as they have more experts in this line of work.

---------- Post added at 11:35 ---------- Previous post was at 11:32 ----------

Nothing jumping out at me, and it's a short log.

Had to google a couple of things I hadn't heard of before lol

---------- Post added at 11:38 ---------- Previous post was at 11:35 ----------

I assume you are running some security cams? enVigil googles to software for that?

Keyz333 01-07-2010 11:39

Re: Possible Virus - QetqDB1E.exe
 
enVigil is software made by the company I work for - Pharmagraph

zing_deleted 01-07-2010 11:40

Re: Possible Virus - QetqDB1E.exe
 
Have I missed your antivirus? What are you running?

Kymmy 01-07-2010 11:41

Re: Possible Virus - QetqDB1E.exe
 
I'm wondering why MSIEXEC is running?? Are you installing something??

---------- Post added at 11:41 ---------- Previous post was at 11:40 ----------

Quote:

Originally Posted by zing (Post 35049513)
Have I missed your antivirus? What are you running?

AVG7 (free edition) by the look of it

zing_deleted 01-07-2010 11:46

Re: Possible Virus - QetqDB1E.exe
 
What process does that run as? I can't see it anywhere. I thought AVG was up to version 8 now as well?

Kymmy 01-07-2010 11:46

Re: Possible Virus - QetqDB1E.exe
 
As zing says though there's nothing major there that jumps out..

Keyz333 01-07-2010 11:47

Re: Possible Virus - QetqDB1E.exe
 
Quote:

Originally Posted by zing (Post 35049513)
Have I missed your antivirus? What are you running?

Quote:

Originally Posted by Kymmy (Post 35049514)
I'm wondering why MSIEXEC is running?? Are you installing something??

It's not running now, so I probably was.

And it was McAfee - but my company disabled it as it went wrong.

And now this happens..

Kymmy 01-07-2010 11:50

Re: Possible Virus - QetqDB1E.exe
 
Sorry, my bad, was looking at two different HijackThis logs at the same time :D the other one was running AVG7 :rolleyes:

---------- Post added at 11:50 ---------- Previous post was at 11:49 ----------

So what does your company provide instead of McAfee?? And is your IT manager an idiot??

Keyz333 01-07-2010 11:54

Re: Possible Virus - QetqDB1E.exe
 
They just used McAfee.

And as this one failed to install right, they just left it..

zing_deleted 01-07-2010 11:55

Re: Possible Virus - QetqDB1E.exe
 
There isn't an AV on there at all now then? But I do see you have True Image; get your IT to back up and reinstate to an image. Then give them a shake and ask them how they can call themselves IT and leave a system without an AV.

Are you doing things on a company machine you shouldn't btw? ;)

Kymmy 01-07-2010 11:59

Re: Possible Virus - QetqDB1E.exe
 
Sorry, but that is ridiculous and I'm totally astounded that they'd remove an AV and not replace it with a backup.. We always had a policy that no company laptops ever left the building without NAV Corp on it, and because they all were NAV clients we could check to see exactly who updated when and who was getting security alerts..

As said before, the machine looks clean.. You really should, though, contact the IT department and specify that you've got a problem, even if it's more a case of covering your back..

Keyz333 01-07-2010 12:01

Re: Possible Virus - QetqDB1E.exe
 
Just browsing the net when I get a chance - I have no idea how this got on here.

And wow, the closest recovery point is Feb.

zing_deleted 01-07-2010 12:01

Re: Possible Virus - QetqDB1E.exe
 
Is that your IT's fault also?

Keyz333 01-07-2010 12:08

Re: Possible Virus - QetqDB1E.exe
 
It's a really old machine now too, they just have kind of left it to die.

---------- Post added at 12:08 ---------- Previous post was at 12:02 ----------

And that's a whole-disk recovery, not files etc.

Dai 01-07-2010 14:21

Re: Possible Virus - QetqDB1E.exe
 
I don't like the look of this at all...

O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"

It may be quite innocent but I'm always extremely suspicious of anything that references a Temp folder.
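Dai's instinct above (be suspicious of autostart entries that reach into a Temp folder) is easy to turn into a mechanical check over a HijackThis log. The script below is an added example, not code from this thread or from HijackThis: it parses the O4 (Run keys and Startup folder) and O23 (service) lines and flags entries that launch from a Temp or user-profile directory, pass a Temp path in their arguments, or belong to a service with no vendor. The sample lines are copied from the log posted earlier in this thread, except the two entries named "Example...", which are constructed, hypothetical hits and say nothing about the poster's machine. The flagging rules are the editor's own heuristics; a hit only means "look closer", as the Epson status monitor line demonstrates.

```python
"""Flag suspicious autostart entries (O4 Run keys, Startup items, O23
services) in a HijackThis 2.x log.  Added example, not from the thread;
the rules below are the editor's own heuristics, not HijackThis's."""
import re

# Constructed sample: lines copied from the log posted in this thread, plus
# two HYPOTHETICAL entries (the ones named "Example...") made up to show
# what a positive hit looks like.  They do not describe the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Wakoopa] C:\Program Files\Wakoopa\Wakoopa.exe
O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - HKCU\..\Run: [ExampleUpdater] C:\DOCUME~1\someuser\LOCALS~1\Temp\example.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Example Helper (ExampleSvc) - Unknown owner - C:\DOCUME~1\someuser\LOCALS~1\Temp\example.exe
"""

# Line shapes as HijackThis 2.x prints them.
O4_RUN_RE = re.compile(r"^O4 - (?P<key>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.*?) = (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<vendor>.*?) - (?P<path>.*)$")

# Heuristic locations: anything under ...\Temp\ or inside a user profile.
TEMP_RE = re.compile(r"\\temp\\", re.I)
PROFILE_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings|Users)\\", re.I)


def split_command(cmd):
    """Split a Run-key command line into (exe, args).

    Quoted images end at the closing quote; unquoted ones are taken up to the
    first token ending in .exe, so paths containing spaces still parse."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?P<exe>.*?\.exe)(?:\s+(?P<args>.*))?$", cmd, re.I)
    if m:
        return m.group("exe"), m.group("args") or ""
    head, _, tail = cmd.partition(" ")
    return head, tail


def flags_for(exe, args, vendor=None):
    """Return the list of reasons an entry deserves a second look (may be empty)."""
    reasons = []
    if TEMP_RE.search(exe):
        reasons.append("runs from a Temp directory")
    elif TEMP_RE.search(args):
        reasons.append("arguments reference a Temp directory")
    if PROFILE_RE.search(exe):
        reasons.append("runs from a user profile directory")
    if vendor is not None and vendor.strip().lower() == "unknown owner":
        reasons.append("service has no vendor (Unknown owner)")
    return reasons


def audit_hijackthis(log_text):
    """Return [(section, name, reasons)] for every O4/O23 entry that trips a rule,
    in log order.  Other HijackThis sections are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entry = ("O4 " + m.group("key"), m.group("name"), flags_for(exe, args))
        else:
            m = O4_STARTUP_RE.match(line)
            if m:
                # Startup items give the .lnk target, not a command line.
                entry = ("O4 " + m.group("folder"), m.group("name"),
                         flags_for(m.group("target").strip(), ""))
            else:
                m = O23_RE.match(line)
                if not m:
                    continue
                exe, args = split_command(m.group("path"))
                name = "%s (%s)" % (m.group("name"), m.group("short"))
                entry = ("O23 Service", name, flags_for(exe, args, m.group("vendor")))
        if entry[2]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for section, name, reasons in audit_hijackthis(SAMPLE_LOG):
        print("%-16s %-45s %s" % (section, name, "; ".join(reasons)))
```

Run against the sample, the Epson entry is reported only because its arguments point at a Temp file (the image itself lives under the spooler's driver directory), which is exactly the "innocent but worth a glance" case discussed in the replies, while the two hypothetical "Example" entries trip the rules that would matter: an image that lives in Temp inside a user profile, and a service with no vendor string.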

zing_deleted 01-07-2010 14:24

Re: Possible Virus - QetqDB1E.exe
 
I did google that, and have done in the past iirc, and it's been innocent. If the user has an Epson printer I think it can be seen as ok.

---------- Post added at 14:24 ---------- Previous post was at 14:22 ----------

http://www.bleepingcomputer.com/foru...p/t165554.html could see what VirusTotal says; it's gonna have been scanned before but it will give an idea.

Kymmy 01-07-2010 14:37

Re: Possible Virus - QetqDB1E.exe
 
Printers reference temp folders a lot, especially if the printer is networked on another machine and the drivers are being used from the other machine.

Dai 01-07-2010 15:18

Re: Possible Virus - QetqDB1E.exe
 
Quote:

Originally Posted by Kymmy (Post 35049565)
Printers reference temp folders a lot, especially if the printer is networked on another machine and the drivers are being used from the other machine.

Ah yes. Didn't think of that. It seemed unlikely to me that drivers would be located in a Temp folder that could be cleaned at any time but it's the logical place to put work files that by nature are short-lived.

Thanks Kymmy.

Matty_ 01-07-2010 17:38

Re: Possible Virus - QetqDB1E.exe
 
This looks and smells like a runtime viral infection; you can probably run as many AV scanners as you want while booted into the system but it will still probably come back. Possibly Emsisoft's emergency USB stick run in Safe Mode http://www.emsisoft.com/en/software/download/ Deep scan.

Also download Avira's rescue CD, boot into that and scan http://www.free-av.com/en/products/1...ue_system.html it's free.

Only other thing is to go the Combofix/OLT route but you're better off doing that via Bleeping. My guess is there's a hidden rootkit snuck somewhere...

Dai 01-07-2010 18:52

Re: Possible Virus - QetqDB1E.exe
 
Quote:

Originally Posted by Matty_ (Post 35049661)
My guess is there's a hidden rootkit snuck somewhere...

My thought as well.

Keyz, is there any way you can hook this drive up as a secondary on another machine? If it's rootkitted you'd be able to scan and zap it while it's not running and able to hide itself.

Kymmy 01-07-2010 19:22

Re: Possible Virus - QetqDB1E.exe
 
Rootkits, though, normally show up in the reg section of HijackThis.

Dai 01-07-2010 19:31

Re: Possible Virus - QetqDB1E.exe
 
Quote:

Originally Posted by Kymmy (Post 35049712)
Rootkits, though, normally show up in the reg section of HijackThis.

Agreed. Most of the time..

However I've seen reports of wscntfy being hijacked and I'm sure it's possible for other apparently legit files to go the same way.

Horace 01-07-2010 23:34

Re: Possible Virus - QetqDB1E.exe
 
Give ComboFix a shot; it'll probably remove anything else that may be installed that you don't know about too. http://www.bleepingcomputer.com/comb...o-use-combofix

Keyz333 02-07-2010 10:16

Re: Possible Virus - QetqDB1E.exe
 
I will try these today.

ComboFix I get an instant error report.

zing_deleted 02-07-2010 11:20

Re: Possible Virus - QetqDB1E.exe
 
ComboFix should not be run by the inexperienced.

Keyz333 02-07-2010 12:02

Re: Possible Virus - QetqDB1E.exe
 
Emsisoft just found it, I think, and just quarantined it too.

:)

Kymmy 02-07-2010 12:08

Re: Possible Virus - QetqDB1E.exe
 
Name of the offending content?
