02-25-2009, 09:11 PM | #1
Franchise Player | Join Date: Nov 2006 | Location: Supporting Urban Sprawl

QUFF.exe (not quiff)

Monday I booted up my computer and it was running really rough. I didn't really need to use it much till today, and it was driving me crazy, so I looked at what was running and I see QUFF.exe, which is using in excess of 700 megs of RAM.
Of course I assume I have some sort of virus or malware, close the process and then proceed to Google the process name. Nothing comes up. I can't remember the last time I Googled a process name and there were zero relevant results. So now I am paranoid, and am coming to the great CP oracle to see if anyone has heard about anything like this before.

I am running 64-bit Vista, and have Nod32 for virus protection.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 02-26-2009 at 09:30 PM.
02-25-2009, 09:44 PM | #2
Threadkiller | Join Date: Oct 2003 | Location: 51.0544° N, 114.0669° W
02-26-2009, 08:36 AM | #3
Franchise Player | Join Date: Nov 2006 | Location: Supporting Urban Sprawl

So this morning I boot my laptop up, and it says boot manager cannot load, so I assume I have a boot virus. I run some diagnostics and fiddle with boot order, and on the 4th reboot it actually loads for me.
I find it odd that if it was a virus it would actually end up loading, since I really did nothing that should have fixed it. QUFF.exe is back in processes, and it is cycling between 0 and 97% CPU usage, and appears to be connected to a remote server and is emailing what appears to be the contents of my hard drive to it.

I am going to see IT here on campus and see what they can do, but I wanted to let people know what this is doing, seeing as this thread is the first thing that comes up on a search in Google.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
02-26-2009, 08:47 AM | #4
Franchise Player | Join Date: Jul 2005 | Location: in your blind spot.

Kill that process. There are a bunch of viruses that will create files/processes with random names to attempt to avoid detection.
This will already have skimmed your entire email account, grabbing your address book and all the to/from/CC addresses, and will be parsing for any personal info you have. You should NOT connect or allow it to connect to the internet until this is fixed (although it is probably already too late).

__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
02-26-2009, 09:28 AM | #5
Nostradamus | Join Date: Jul 2003 | Location: London Ont.

Did a quick search and QuFF with an accent over the "u" seems to be a popular name in PowerPoint and Word docs. They come back scrambled, but if you open the links and d/l them, they open up. I opened a Department of Homeland Security presentation on Bioterrorism.
Probably doesn't help, but interesting nonetheless.

__________________
agggghhhhhh!!!
02-26-2009, 09:57 AM | #6
Franchise Player | Join Date: Nov 2006 | Location: Supporting Urban Sprawl

It was a key logger that also took screenshots every 10 mins. I have just spent the last hour and a half ensuring it is removed and changing all my passwords.
Fun times.

And yes, it is way too late. I noticed the system hit on Monday morning but didn't think much of it till yesterday, so they probably got everything they needed.

It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
02-26-2009, 10:47 AM | #7
The new goggles also do nothing. | Join Date: Oct 2001 | Location: Calgary

My friend got hit by something similar, had his WoW account (of all things) ravaged, all his stuff sharded and sold, etc.
They restored it eventually, but it was a big hassle.

__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
02-26-2009, 10:58 AM | #8
Franchise Player | Join Date: Jul 2005 | Location: in your blind spot.

Quote:
    Originally Posted by photon
    My friend got hit by something similar, had his WoW account (of all things) ravaged, all his stuff sharded and sold, etc.
    They restored it eventually, but it was a big hassle.

Yeah, that is where many of the gold sellers get the gold. Although Blizzard seems to have done a good job getting rid of most of the in-game gold seller spam.

I know a few guilds won't allow bank privileges if you don't own the WoW security dongle thingy.

__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
02-26-2009, 11:57 AM | #9
Franchise Player | Join Date: Mar 2004 | Location: Calgary

Quote:
    Originally Posted by Rathji
    It was a key logger that also took screenshots every 10 mins. I have just spent the last hour and a half ensuring it is removed and changing all my passwords.
    Fun times.

    And yes, it is way too late. I noticed the system hit on Monday morning but didn't think much of it till yesterday, so they probably got everything they needed.

    It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.

Once I got a virus. The first thing I did was unplug my internet connection. (I have a desktop.)

Then, I reformatted everything from the get-go. To be honest, if that happened right now, I'd just get a new computer.

Good to hear you're fixing it, but that really sucks.

__________________
REDVAN!
02-26-2009, 12:48 PM | #10
One of the Nine

Quote:
    Originally Posted by fotze
    hehehehe quiff.exe

F'n hell! I saw this thread at the top of the list again and I went in here to say "does anyone else read quiff when they see this thread title?"
02-26-2009, 12:50 PM | #11
Franchise Player | Join Date: Nov 2006 | Location: Supporting Urban Sprawl

Once I realized that it was sending out SMTP packets, I disabled the wireless connection. The funny thing is, if he had been using TCP packets I probably would not have noticed it as quickly.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
02-26-2009, 06:47 PM | #12
#1 Goaltender

Quote:
    Originally Posted by Rathji
    It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.

Really? I'm more than willing to bet you didn't get a keylogger from legally purchased software or downloads from reputable music sites like iTunes or Amazon.

So were you actually being careful? Doesn't sound like it.

And now, potentially, you are going to have hack attempts on your bank accounts, other online services, etc.

Edit: Not to sound like a total donkey about it, it's just that I hear this excuse almost daily at work, and it's never true. Lesson learned here - if you venture into the dark alleys of the internet, expect to get beat up and rolled for your shoes every once in a while. Who knows how much personal info has been divulged at this point.

Edit2: If you like rolling down the dark alleys of the internet, you should seriously consider setting up a virtual machine that you use exclusively for those trips. You can set up a virtual machine so that it has a non-persistent virtual disk. Use it; if it gets infected, who cares - when you power it off, no changes are saved, and when you power it back on, it comes up pristine. This still isn't a foolproof solution because it's on the network inside your home network, but it's better than nothing.

__________________
-Scott

Last edited by sclitheroe; 02-26-2009 at 06:53 PM.
02-26-2009, 06:53 PM | #13
#1 Goaltender

Quote:
    Originally Posted by Rathji
    Once I realized that it was sending out SMTP packets, I disabled the wireless connection. The funny thing is, if he had been using TCP packets I probably would not have noticed it as quickly.

SMTP packets are TCP packets.

__________________
-Scott
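The two signals that gave the infection away in posts #3 and #11 (an unknown process with a huge working set, and that process talking to a mail server) can be checked from the output of two stock Windows commands. Below is an added triage script, not code from the thread or any of its posters; the `tasklist /fo csv` and `netstat -ano` snapshots, PIDs and addresses are constructed, and the allow-list of mail clients is an assumption.

```python
import csv

# Constructed sample of `tasklist /fo csv` output (not taken from the thread).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"QUFF.exe","3412","Console","1","716,892 K"
"firefox.exe","2210","Console","1","210,004 K"
"outlook.exe","2844","Console","1","88,120 K"
'''

# Constructed sample of `netstat -ano` output; 203.0.113.0/24 is a documentation range.
NETSTAT_OUT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49321     203.0.113.25:25        ESTABLISHED     3412
  TCP    192.168.1.10:49330     93.184.216.34:443      ESTABLISHED     2210
  TCP    192.168.1.10:49340     203.0.113.80:587       ESTABLISHED     2844
'''

MAIL_PORTS = {25, 465, 587}                                # SMTP, SMTPS, submission
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list
LARGE_MEM_KB = 500 * 1024                                 # near the 700 MB seen in #1


def parse_tasklist(text):
    """Return {pid: (image_name, mem_kb)} from `tasklist /fo csv` output."""
    procs = {}
    for row in csv.DictReader(text.splitlines()):
        mem_kb = int(row["Mem Usage"].replace(",", "").split()[0])
        procs[int(row["PID"])] = (row["Image Name"], mem_kb)
    return procs


def parse_netstat(text):
    """Yield (pid, remote_port) for each TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield int(parts[4]), int(parts[2].rsplit(":", 1)[1])


def triage(tasklist_text, netstat_text):
    """Flag non-mail-client processes talking to mail ports and processes with an
    unusually large working set. Returns a sorted list of (image_name, reason)."""
    procs = parse_tasklist(tasklist_text)
    findings = set()
    for pid, port in parse_netstat(netstat_text):
        name = procs.get(pid, ("pid %d" % pid, 0))[0]
        if port in MAIL_PORTS and name.lower() not in KNOWN_MAIL_CLIENTS:
            findings.add((name, "outbound TCP/%d (mail port) from non-mail client" % port))
    for name, mem_kb in procs.values():
        if mem_kb > LARGE_MEM_KB:
            findings.add((name, "working set %d MB" % (mem_kb // 1024)))
    return sorted(findings)
```

On the constructed snapshot only QUFF.exe is flagged, on both counts; Outlook's submission-port connection is ignored because it is on the allow-list.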
02-26-2009, 07:13 PM | #14
Our Jessica Fletcher

Wow, I read the thread title multiple times and made it to post #5 before realizing that you were saying QUFF.exe and not QUIFF.exe

Sorry I can't help though.
02-26-2009, 09:28 PM | #15
Franchise Player | Join Date: Nov 2006 | Location: Supporting Urban Sprawl

Quote:
    Originally Posted by sclitheroe
    SMTP packets are TCP packets.

However, TCP packets are not SMTP packets, and I assumed that it would be obvious what I meant. I guess it was not.
Not that it is any business of yours, but my 'back alley of the internet' usage is not what caused this problem. I am pretty sure it was the original source though, since there was another person who I exchange files with who was struck with the same logger. The files were clearly not downloaded from iTunes, as you pointed out, so it is not like I am innocent of all wrongdoing. It does go to show that just because the guy giving the files to me isn't a faceless internet entity on the other side of a BitTorrent app, doesn't mean I shouldn't be careful.
Edit: It turns out that it was not the game files I traded with my buddy that gave it to me, since what he has is apparently something totally different.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 02-26-2009 at 11:14 PM.
All times are GMT -6.