Possible Virus - QetqDB1E.exe
01-07-2010, 11:13   #1
Keyz333

Okay, so recently I have been getting some pop-ups in IE (I don't use IE, I use Flock) but pop-ups have been coming up inside IE.

I checked my Task Manager processes to find a lot of 'QetqDB1E.exe'.

I ended them all, and it seemed to stop for a while..

A little bit later the pop-ups came up again, and again, that process was there...

Anyone know what it is? I have now configured a little batch script to run every 5 minutes to end the process just in case, but do not want to keep this here.

One more thing - in my temp folder I have a file called:

'etilqs_PPMzlZyb9Q8XUPwXfUIE' which I cannot delete as it's being 'used'

I have already run Malwarebytes, which found a few things, but the process still comes back.

Help

01-07-2010, 11:15   #2
zing_deleted

Have you run HijackThis?

01-07-2010, 11:17   #3
Keyz333

I'll do that now.

01-07-2010, 11:23   #4
Kymmy

It does sound like there is a virus drop file; removing it won't do you much good whilst the install package is still there, as it'll just do a check and reinstate it, or one with a similar name.

As Zing says, HijackThis is your first port of call.

01-07-2010, 11:30   #5
Keyz333

Here's the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:40, on 01/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Pharmagraph\enVigil\enVigilSec.exe
C:\Program Files\Pharmagraph\enVigil\enVigilServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Wakoopa\Wakoopa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Flock\flock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [\\CLAIRE\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P39 "\\CLAIRE\EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Wakoopa] C:\Program Files\Wakoopa\Wakoopa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://pe2800-server/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1264180684539
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asl.local
O17 - HKLM\Software\..\Telephony: DomainName = asl.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asl.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: enVigil Security (enVigilSec) - Acquisition Systems Ltd - C:\Program Files\Pharmagraph\enVigil\enVigilSec.exe
O23 - Service: enVigil Server (enVigilSrv) - Acquisition Systems Ltd - C:\Program Files\Pharmagraph\enVigil\enVigilServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5815 bytes
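As an added example (not code from this thread or from HijackThis), a small Python triage script for the log format posted above: it parses the running-process list, the O4 autorun entries and the O23 services, then flags anything launched from a temp folder or matching a given file name, which is the check Kymmy's point about the installer reinstating the dropped file calls for. The sample log is a constructed excerpt; its [Updater] autorun is invented for illustration and does not appear in the real log.

```python
import re

# Constructed excerpt in HijackThis v2 log format, modelled on the log posted in this
# thread; the [Updater] autorun is invented to show what a persistence entry for the
# temp-folder binary would look like (the real log shows no such entry).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pharmagraph\enVigil\enVigilSec.exe
C:\DOCUME~1\user\LOCALS~1\Temp\QetqDB1E.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Updater] "C:\DOCUME~1\user\LOCALS~1\Temp\QetqDB1E.exe" /silent
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def image_path(cmd):
    """Strip arguments from an autorun command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_hjt(text):
    """Pull running processes, O4 autoruns and O23 services out of an HJT log."""
    procs, autoruns, services, in_procs = [], [], [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line.strip():
            procs.append(line.strip())
        elif m := O4_RE.match(line):
            autoruns.append((m["hive"], m["name"], image_path(m["cmd"])))
        elif m := O23_RE.match(line):
            services.append((m["name"], m["vendor"], m["path"].strip()))
        else:
            in_procs = False  # a blank line ends the process list
    return {"processes": procs, "autoruns": autoruns, "services": services}

def triage(text, suspect):
    """Flag anything launched from a temp folder or matching the suspect file name."""
    p = parse_hjt(text)
    candidates = ([("process", x) for x in p["processes"]] +
                  [("autorun", a[2]) for a in p["autoruns"]] +
                  [("service", s[2]) for s in p["services"]])
    return [(k, path) for k, path in candidates
            if TEMP_RE.search(path) or path.lower().endswith("\\" + suspect.lower())]
```

Run against a real log, a hit under "autorun" or "service" is the persistence entry to remove before the dropped file; a hit only under "process" means the reinstating component is somewhere the log does not cover.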

01-07-2010, 11:38   #6
zing_deleted

Although we can have a look for you here, I advise you post on the HijackThis forums, as they have more experts in this line of work.

---------- Post added at 11:35 ---------- Previous post was at 11:32 ----------

Nothing jumping out at me, and it's a short log.

Had to Google a couple of things I hadn't heard of before, lol.

---------- Post added at 11:38 ---------- Previous post was at 11:35 ----------

I assume you are running some security cams? enVigil googles to software for that?

01-07-2010, 11:39   #7
Keyz333

enVigil is software made by the company I work for - Pharmagraph.

01-07-2010, 11:40   #8
zing_deleted

Have I missed your antivirus? What are you running?

01-07-2010, 11:41   #9
Kymmy

I'm wondering why MSIEXEC is running?? Are you installing something??

---------- Post added at 11:41 ---------- Previous post was at 11:40 ----------

Quote:
Originally Posted by zing
Have I missed your antivirus? What are you running?
AVG7 (free edition) by the look of it

01-07-2010, 11:46   #10
zing_deleted

What process does that run as? I can't see it anywhere. I thought AVG was up to version 8 now as well?

01-07-2010, 11:46   #11
Kymmy

As zing says though there's nothing major there that jumps out..

01-07-2010, 11:47   #12
Keyz333

Quote:
Originally Posted by zing
Have I missed your antivirus? What are you running?
Quote:
Originally Posted by Kymmy
I'm wondering why MSIEXEC is running?? Are you installing something??
It's not running now, so I probably was.

And it was McAfee - but my company disabled it as it went wrong.

And now this happens..

01-07-2010, 11:50   #13
Kymmy

Sorry, my bad; I was looking at two different HijackThis logs at the same time, and the other one was running AVG7.

---------- Post added at 11:50 ---------- Previous post was at 11:49 ----------

So what does your company provide instead of McAfee?? And is your IT manager an idiot??

01-07-2010, 11:54   #14
Keyz333

They just used McAfee.

And as this one failed to install right, they just left it..

01-07-2010, 11:55   #15
zing_deleted

There isn't an AV on there at all now then? But I do see you have True Image; get your IT to back up and reinstate to an image. Then give them a shake and ask them how they can call themselves IT and leave a system without an AV.

Are you doing things on a company machine you shouldn't, btw?