Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 02-25-2009, 09:11 PM   #1
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl
QUFF.exe (not quiff)

Monday I booted up my computer and it was running really rough. I didn't really need to use it much till today, and it was driving me crazy, so I looked at what was running and I saw QUFF.exe, which was using in excess of 700 megs of RAM.

Of course I assume I have some sort of virus or malware, close the process and then proceed to Google the process name. Nothing comes up. I can't remember the last time I Googled a process name and there were zero relevant results. So now I am paranoid, and am coming to the great CP oracle to see if anyone has heard about anything like this before.

I am running 64 bit Vista, and have Nod32 for virus protection.
Old 02-25-2009, 09:44 PM   #2
ricosuave
Threadkiller
 
Join Date: Oct 2003
Location: 51.0544° N, 114.0669° W

see if this is of any help...

http://technet.microsoft.com/en-us/s.../bb896653.aspx
Old 02-26-2009, 08:36 AM   #3
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

So this morning I boot my laptop up, and it says boot manager cannot load, so I assume I have a boot virus. I run some diagnostics and fiddle with boot order and on the 4th reboot it actually loads for me.

I find it odd that if it was a virus it would actually end up loading, since I really did nothing that should have fixed it. QUFF.exe is back in processes, and it is cycling between 0 and 97% CPU usage, and appears to be connected to a remote server and is emailing what appears to be the contents of my hard drive to it.

I am going to see IT here on campus and see what they can do, but I wanted to let people know what this is doing, seeing as this thread is the first thing that comes up on a search in google.
Old 02-26-2009, 08:47 AM   #4
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

Kill that process. There are a bunch of viruses that will create files/processes with random names to attempt to avoid detection.

This will already have skimmed your entire email account, grabbing your address book and all the to/from/CC addresses, and will be parsing for any personal info you have. You should NOT connect or allow it to connect to the internet until this is fixed (although it is probably already too late).
Old 02-26-2009, 09:28 AM   #5
zukes
Nostradamus
 
Join Date: Jul 2003
Location: London Ont.

Did a quick search and QuFF with an accent over the "u" seems to be a popular name in PowerPoint and Word docs. They come back scrambled, but if you open the links and d/l them, they open up. I opened a Department of Homeland Security presentation on Bioterrorism.

Probably doesn't help, but interesting nonetheless.
Old 02-26-2009, 09:57 AM   #6
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

It was a key logger that also took screenshots every 10 mins. I have just spent the last hour and a half ensuring it is removed and changing all my passwords.

Fun times.

And yes, it is way too late. I noticed the system hit on Monday morning but didn't think much of it till yesterday, so they probably got everything they needed.

It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.
Old 02-26-2009, 10:47 AM   #7
photon
The new goggles also do nothing.
 
Join Date: Oct 2001
Location: Calgary

My friend got hit by something similar, had his WoW account (of all things) ravaged, all his stuff sharded and sold, etc..

They restored it eventually, but it was a big hassle.
Old 02-26-2009, 10:58 AM   #8
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

Quote:
Originally Posted by photon View Post
My friend got hit by something similar, had his WoW account (of all things) ravaged, all his stuff sharded and sold, etc..

They restored it eventually, but it was a big hassle.
Yeah, that is where many of the gold sellers get the gold. Although Blizzard seems to have done a good job getting rid of most of the in-game gold seller spam.

I know a few guilds won't allow bank privileges if you don't own the Wow security dongle thingy.
Old 02-26-2009, 11:57 AM   #9
REDVAN
Franchise Player
 
Join Date: Mar 2004
Location: Calgary

Quote:
Originally Posted by Rathji View Post
It was a key logger that also took screenshots every 10 mins. I have just spent the last hour and a half ensuring it is removed and changing all my passwords.

Fun times.

And yes, it is way too late. I noticed the system hit on Monday morning but didn't think much of it till yesterday, so they probably got everything they needed.

It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.
Once I got a virus. The first thing I did was unplug my internet connection. (I have a desktop).

Then, I reformatted everything from the get-go. To be honest, if that happened right now, I'd just get a new computer.

Good to hear you're fixing it, but that really sucks.
Old 02-26-2009, 12:48 PM   #10
4X4
One of the Nine
 
Join Date: Dec 2004

Quote:
Originally Posted by fotze View Post
hehehehe quiff.exe
F'n hell! I saw this thread at the top of the list again and I went in here to say "does anyone else read quiff when they see this thread title?"
Old 02-26-2009, 12:50 PM   #11
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Once I realized that it was sending out SMTP packets, I disabled the wireless connection. The funny thing is, if he had been using TCP packets I probably would not have noticed it as quickly.
Old 02-26-2009, 06:47 PM   #12
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Quote:
Originally Posted by Rathji View Post
It is actually embarrassing for me, because I am really careful about what I do online and I should be way smarter than to fall for whatever it was that I fell for.
Really? I'm more than willing to bet you didn't get a keylogger from legally purchased software or downloads from reputable music sites like iTunes or Amazon.

So were you actually being careful? Doesn't sound like it.

And now, potentially, you are going to have hack attempts on your bank accounts, other online services, etc.

Edit: Not to sound like a total donkey about it, it's just that I hear this excuse almost daily at work, and it's never true. Lesson learned here: if you venture into the dark alleys of the internet, expect to get beat up and rolled for your shoes every once in a while. Who knows how much personal info has been divulged at this point.

Edit2: If you like rolling down the dark alleys of the internet, you should seriously consider setting up a virtual machine that you use exclusively for those trips. You can set up a virtual machine so that it has a non-persistent virtual disk. Use it, and if it gets infected, who cares: when you power it off, no changes are saved, and when you power it back on, it comes up pristine. This still isn't a foolproof solution because it's on the network inside your home network, but it's better than nothing.
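The non-persistent disk described in Edit2 above, as an added example that is not part of the post: the poster names no hypervisor, so this assumes VMware Workstation/Player, where the setting lives in the VM's .vmx file (the disk name throwaway.vmdk is hypothetical). The weak default is shown beside the hardened value.

```ini
# Added example (assumes VMware Workstation/Player; not from the original post).
# Edit the .vmx only while the VM is powered off.
scsi0:0.present = "TRUE"
scsi0:0.fileName = "throwaway.vmdk"    # hypothetical disk name

# Weak (the default): writes land on the .vmdk, so an infection survives a reboot.
scsi0:0.mode = "persistent"

# Hardened: writes go to a redo log that is thrown away at power-off, so every
# boot starts again from the clean base image.
scsi0:0.mode = "independent-nonpersistent"
```

The redo log is discarded only on a real power-off, not a suspend, and independent disks are left out of snapshots. The post's own caveat still holds: the guest sits on the home LAN, so put it on a NAT or host-only network, and do not type real credentials into it, because a keylogger inside the guest sees them just the same.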
Old 02-26-2009, 06:53 PM   #13
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Quote:
Originally Posted by Rathji View Post
Once I realized that it was sending out SMTP packets, I disabled the wireless connection. The funny thing is, if he had been using TCP packets I probably would not have noticed it as quickly.
SMTP packets are TCP packets.
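Posts #3, #11 and #13 between them describe the whole symptom: an unknown process with a huge working set, holding outbound connections and pushing mail out over SMTP, which is itself carried on TCP. The following is an added triage example, not code from the thread: it joins the two commands a Vista-era admin would run by hand, `tasklist /FO CSV` and `netstat -ano -p TCP`, on the PID column and flags any process talking to an SMTP port that is not a known mail client, plus any process over a working-set threshold. Both inputs are constructed samples shaped like real output; the PIDs, sizes, addresses (documentation ranges) and the `MAIL_CLIENTS` allow-list are assumptions.

```python
"""Added triage example (not from the thread): join `tasklist /FO CSV` with
`netstat -ano -p TCP` by PID and flag processes that are talking to SMTP
ports without being a known mail client.  Both inputs below are constructed
samples shaped like real Vista output; the addresses, PIDs and sizes are
hypothetical, as is the MAIL_CLIENTS allow-list."""
import csv
import io

# Constructed sample of `tasklist /FO CSV` (hypothetical PIDs and sizes).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1532","Console","1","48,212 K"
"ekrn.exe","1188","Services","0","30,104 K"
"outlook.exe","2044","Console","1","120,556 K"
"QUFF.exe","3120","Console","1","731,884 K"
'''

# Constructed sample of `netstat -ano -p TCP` (documentation-range addresses).
NETSTAT_TXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    192.168.1.10:49152     192.168.1.1:80         ESTABLISHED     1532
  TCP    192.168.1.10:49170     203.0.113.7:25         ESTABLISHED     3120
  TCP    192.168.1.10:49171     203.0.113.7:25         SYN_SENT        3120
  TCP    192.168.1.10:49180     198.51.100.22:587      ESTABLISHED     2044
'''

SMTP_PORTS = {25, 465, 587}          # submission and SMTP-over-TLS too, not just 25
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "winmail.exe"}  # assumed allow-list
BIG_PROCESS_KB = 500 * 1024          # ~500 MB: post #1's "700 megs" would trip this


def parse_tasklist(text):
    """Map PID -> (image name, working set in KB) from `tasklist /FO CSV`."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(",", "").split()[0])
        procs[int(row["PID"])] = (row["Image Name"], mem_kb)
    return procs


def parse_netstat(text):
    """List (remote host, remote port, state, PID) for TCP rows of `netstat -ano`.
    Header and blank lines never split into exactly five fields, so they drop out."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, foreign, state, pid = parts
        host, _, port = foreign.rpartition(":")   # rpartition also copes with [::1]:25
        conns.append((host, int(port), state, int(pid)))
    return conns


def find_smtp_talkers(tasklist_text, netstat_text):
    """Return {(pid, image): [remote endpoints]} for non-mail-client processes with
    outbound connections to SMTP ports.  SMTP is an application protocol carried
    over TCP, so the only handles are the destination port plus the owning process."""
    procs = parse_tasklist(tasklist_text)
    hits = {}
    for host, port, state, pid in parse_netstat(netstat_text):
        if port not in SMTP_PORTS or state == "LISTENING":
            continue
        image, _mem = procs.get(pid, ("<unknown>", 0))
        if image.lower() in MAIL_CLIENTS:
            continue
        hits.setdefault((pid, image), []).append(f"{host}:{port} ({state})")
    return hits


def find_big_processes(tasklist_text, threshold_kb=BIG_PROCESS_KB):
    """Return [(pid, image, KB)] for processes at or above the working-set threshold."""
    return [(pid, image, kb) for pid, (image, kb) in parse_tasklist(tasklist_text).items()
            if kb >= threshold_kb]


if __name__ == "__main__":
    for (pid, image), endpoints in find_smtp_talkers(TASKLIST_CSV, NETSTAT_TXT).items():
        print(f"SMTP from non-mail process {image} (PID {pid}): {', '.join(endpoints)}")
    for pid, image, kb in find_big_processes(TASKLIST_CSV):
        print(f"large working set: {image} (PID {pid}) {kb // 1024} MB")
```

On a real box, capture `tasklist /FO CSV > t.csv` and `netstat -ano -p TCP > n.txt` before pulling the network cable and feed those files in. Once a PID is flagged, go by its image path and signature (Process Explorer, as linked in post #2, shows both) rather than by the name, since, as post #4 notes, the name is often random.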
Old 02-26-2009, 07:13 PM   #14
The Fonz
Our Jessica Fletcher
 
Join Date: Dec 2004

Wow, I read the thread title multiple times and made it to post #5 before realizing that you were saying QUFF.exe and not QUIFF.exe



Sorry I can't help though.
Old 02-26-2009, 09:28 PM   #15
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by sclitheroe View Post
SMTP packets are TCP packets.
However, TCP packets are not SMTP packets and I assumed that it would be obvious what I meant. I guess it was not.

Not that it is any business of yours, but my 'back alley of the internet' usage is not what caused this problem. I am pretty sure it was the original source though, since there was another person who I exchange files with who was struck with the same logger. The files were clearly not downloaded from iTunes as you pointed out, so it is not like I am innocent of all wrongdoing. It does go to show that just because the guy giving the files to me isn't a faceless internet entity on the other side of a BitTorrent app, doesn't mean I shouldn't be careful.

Edit: It turns out that it was not the game files I traded with my buddy that gave it to me, since what he has is apparently something totally different.