Possible Virus - QetqDB1E.exe
01-07-2010, 11:59
#16
Inactive
Join Date: Dec 2007
Posts: 18,385
Re: Possible Virus - QetqDB1E.exe
Sorry but that is ridiculous and I'm totally astounded that they'd remove an AV and not replace it with a backup.. We always had a policy that no company laptops ever left the building without NAV Corp on it, and because they all were NAV clients we could check to see exactly who updated when and who was getting security alerts..
As said before the machine looks clean.. You really should though contact the IT department and specify that you've got a problem even if it's more a case of covering your back..
01-07-2010, 12:01
#17
cf.addict
Join Date: Oct 2007
Location: Fleet, Hampshire
Age: 35
Services: Cuckoo (BT) Broadband
Posts: 265
Re: Possible Virus - QetqDB1E.exe
Just browsing the net when I get a chance - I have no idea how this got on here.
And wow, the closest recovery point is Feb.
01-07-2010, 12:01
#18
Guest
Re: Possible Virus - QetqDB1E.exe
Is that your IT's fault also?
01-07-2010, 12:08
#19
cf.addict
Join Date: Oct 2007
Location: Fleet, Hampshire
Age: 35
Services: Cuckoo (BT) Broadband
Posts: 265
Re: Possible Virus - QetqDB1E.exe
It's a really old machine now too, they just have kind of left it to die.
---------- Post added at 12:08 ---------- Previous post was at 12:02 ----------
And that's a whole disk recovery, not files etc.
01-07-2010, 14:21
#20
Inactive
Join Date: Dec 2006
Location: Lincoln UK
Age: 76
Services: 50Mb, TV & Phone
Posts: 3,673
Re: Possible Virus - QetqDB1E.exe
I don't like the look of this at all...
O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
It may be quite innocent but I'm always extremely suspicious of anything that references a Temp folder.
01-07-2010, 14:24
#21
Guest
Re: Possible Virus - QetqDB1E.exe
I did Google that and have done in the past IIRC, and it's been innocent. If the user has an Epson printer I think it can be seen as OK.
---------- Post added at 14:24 ---------- Previous post was at 14:22 ----------
http://www.bleepingcomputer.com/foru...p/t165554.html Could see what VirusTotal says; it's gonna have been scanned before, but it will give an idea.
01-07-2010, 14:37
#22
Inactive
Join Date: Dec 2007
Posts: 18,385
Re: Possible Virus - QetqDB1E.exe
Printers reference temp folders a lot, especially if the printer is networked on another machine and the drivers are being used from the other machine.
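The Temp-folder heuristic argued over in the two posts above, as an added example that is not from the thread: a small Python triage of HijackThis O4 lines that separates an autostart binary that itself lives in Temp (the genuinely worrying case) from a system-directory program merely handed a Temp work file (typical spooler/printer-driver behaviour). The sample lines are constructed here; only the first reproduces the Epson entry quoted in the thread.

```python
import re

# Constructed sample O4 (autostart) lines. The first is the Epson entry quoted in the
# thread; the other two are made up for contrast and are not from the user's log.
SAMPLE_O4 = [
    r'O4 - HKCU\..\Run: [\\BOB\EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\DOCUME~1\emsadmin.asl\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKCU\..\Run: [updater] "C:\DOCUME~1\user\LOCALS~1\Temp\QetqDB1E.exe" /silent',
]

# HijackThis O4 layout: "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A path component literally named Temp or Tmp, case-insensitive.
TEMP_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)


def split_command(cmd: str):
    """Separate the executable from its arguments, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(' ')
    return exe, args


def triage_o4(line: str) -> dict:
    """Classify one O4 line by where its executable lives and what it is passed."""
    m = O4_RE.match(line)
    if not m:
        raise ValueError(f'not an O4 line: {line!r}')
    exe, args = split_command(m['cmd'])
    exe_in_temp = bool(TEMP_RE.search(exe))
    args_in_temp = bool(TEMP_RE.search(args))
    exe_in_system = exe.lower().startswith('c:\\windows\\')
    if exe_in_temp:
        verdict, reason = 'suspicious', 'autostart executable runs from a Temp folder'
    elif args_in_temp and exe_in_system:
        verdict, reason = 'review', 'system-dir program given a Temp work file (common for printer drivers)'
    elif args_in_temp:
        verdict, reason = 'review', 'Temp path in arguments of a non-system program'
    else:
        verdict, reason = 'clean', 'no Temp reference'
    return {'key': m['key'], 'name': m['name'], 'exe': exe, 'verdict': verdict, 'reason': reason}


def triage_all(lines):
    return [triage_o4(line) for line in lines]


if __name__ == '__main__':
    for r in triage_all(SAMPLE_O4):
        print(f"{r['verdict']:10} {r['name']:40} {r['exe']}  ({r['reason']})")
```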
01-07-2010, 15:18
#23
Inactive
Join Date: Dec 2006
Location: Lincoln UK
Age: 76
Services: 50Mb, TV & Phone
Posts: 3,673
Re: Possible Virus - QetqDB1E.exe
Quote:
Originally Posted by Kymmy
Printers reference temp folders a lot, especially if the printer is networked on another machine and the drivers are being used from the other machine.
Ah yes. Didn't think of that. It seemed unlikely to me that drivers would be located in a Temp folder that could be cleaned at any time but it's the logical place to put work files that by nature are short-lived.
Thanks Kymmy.
01-07-2010, 17:38
#24
cf.geek
Join Date: May 2008
Location: Wherever i lay my hat!
Age: 54
Posts: 736
Re: Possible Virus - QetqDB1E.exe
This looks and smells like a runtime viral infection; you can probably run as many AV scanners as you want while booted into the system but it will still probably come back. Possibly Emsisoft's emergency USB stick run in Safe Mode http://www.emsisoft.com/en/software/download/ Deep scan.
Also download Avira's rescue CD, boot into that and scan http://www.free-av.com/en/products/1...ue_system.html it's free.
Only other thing is to go the Combofix/OLT route, but you're better off doing that via Bleeping. My guess is there's a hidden rootkit snuck somewhere...
01-07-2010, 18:52
#25
Inactive
Join Date: Dec 2006
Location: Lincoln UK
Age: 76
Services: 50Mb, TV & Phone
Posts: 3,673
Re: Possible Virus - QetqDB1E.exe
Quote:
Originally Posted by Matty_
My guess is there's a hidden rootkit snuck somewhere...
My thought as well.
Keyz, is there any way you can hook this drive up as a secondary on another machine? If it's rootkitted you'd be able to scan and zap it while it's not running and able to hide itself.
01-07-2010, 19:22
#26
Inactive
Join Date: Dec 2007
Posts: 18,385
Re: Possible Virus - QetqDB1E.exe
Rootkits, though, normally show up in the reg section of HijackThis.
01-07-2010, 19:31
#27
Inactive
Join Date: Dec 2006
Location: Lincoln UK
Age: 76
Services: 50Mb, TV & Phone
Posts: 3,673
Re: Possible Virus - QetqDB1E.exe
Quote:
Originally Posted by Kymmy
Rootkits, though, normally show up in the reg section of HijackThis.
Agreed. Most of the time..
However I've seen reports of wscntfy being hijacked and I'm sure it's possible for other apparently legit files to go the same way.
01-07-2010, 23:34
#28
©Beam Software
Join Date: Jan 2004
Location: Teesside
Services: BB (200mbit), 1x V6, iPad, iPhone
Posts: 1,411
Re: Possible Virus - QetqDB1E.exe
Give Combofix a shot; it'll probably remove anything else that may be installed that you don't know about too. http://www.bleepingcomputer.com/comb...o-use-combofix
02-07-2010, 10:16
#29
cf.addict
Join Date: Oct 2007
Location: Fleet, Hampshire
Age: 35
Services: Cuckoo (BT) Broadband
Posts: 265
Re: Possible Virus - QetqDB1E.exe
I will try these today.
Combofix I get an instant error report.
02-07-2010, 11:20
#30
Guest
Re: Possible Virus - QetqDB1E.exe
Combofix should not be run by the inexperienced.