
QSP Files????

Created: 22 Mar 2010 | 6 comments

Hi people,

I am running SEP ver 11.0.4000.2295.
In the main manager page (Home) I seem to be getting a number of infected files with a .qsp extension.

I have run SEP in safe and normal mode. I have run Malwarebytes, Hitman Pro and Trend Micro online scan and found nothing.

But every now and then SEP flags up this odd .qsp file and quarantines it!!!!

Any ideas?

For example:

C:/WINDOWS/Temp/4ba21b55.qsp


Vikram Kumar-SAV to SEP

I think there is some file that is re-creating these files, and that file is not detected by SEP yet.
Try this:

Delete everything from
%temp%
C:\Windows\Temp
and delete browsing data from your Internet Explorer.
Then check if they get re-created again.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Rafeeq

I think it's a trojan and Symantec is finding and quarantining it.

timbo

Rafeeq,

I have no idea what's causing it, but if Malwarebytes, Trend Micro and Hitman Pro can't find it I doubt that it is a Trojan.

Would it be that this file isn't added by default to the ignore ext list? Is it safe to do this?

WC

We were experiencing the same symptoms with about a dozen different PCs. Some were infected with different trojans. After cleaning the PCs, from time to time, these .qsp files would randomly appear in %windows%/temp. Scanning again would flag these files and quarantines or deletes them. Then we ran multiple scans from different products and nothing else would be found. A short while later, these .qsp files would appear again.

So our investigation led us to use procmon to capture what was going on. It turns out that it appears that Rtvscan was actually using the quarantined files (.VBN) in the quarantine folder and placing them in the %windows%/temp folder. After deleting everything in the quarantine folder (all users/application data/symantec....../quarantine), we never experienced the .qsp files anymore.

We're not sure what exactly is happening, but again it appears this way using procmon:

Rtvscan.exe
ReadFile C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN
WriteFile C:\WINDOWS\Temp\4C5B0FAA.qsp

AravindKM

Those files may not be a virus; still, try this once:
Online Virus and Behavioural Scan Engines

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Mick2009

Hi Timbo,

Just judging by the names of the files (which is not always a good indicator) the following thread may be of interest to you: Trojan.FakeAV!gen24

The advice there also applies to your case: the next step is to determine what process is creating those files so that we can get it submitted to Security Response, examined and defences prepared against it.

Thanks and best regards,

Mick

With thanks and best regards,

Mick
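
The procmon check WC describes, and the step Mick recommends (finding which process creates the files), can be run over a Process Monitor CSV export. The following is an added example, not part of the original thread: it assumes Process Monitor's default export columns, the sample rows are constructed from the paths quoted above with made-up PIDs and times, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV export columns.
# Paths are the ones quoted in the thread; PIDs and times are made up.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000","explorer.exe","1620","ReadFile","C:\WINDOWS\Temp\setup.log","SUCCESS",""
"10:15:02.2000000","Rtvscan.exe","1184","ReadFile","C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN","SUCCESS",""
"10:15:02.3000000","explorer.exe","1620","WriteFile","C:\WINDOWS\Temp\setup.log","SUCCESS",""
"10:15:02.4000000","Rtvscan.exe","1184","WriteFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS",""
"10:15:02.5000000","Rtvscan.exe","1184","WriteFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS",""
'''

def qsp_writers(csv_text, ext=".qsp"):
    """Return one record per distinct (process, PID, written file)."""
    last_read = {}   # (process, pid) -> last path that process read
    found = {}       # (process, pid, target) -> record
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        key = (row["Process Name"], row["PID"])
        path = row["Path"]
        if row["Operation"] == "ReadFile":
            last_read[key] = path
        elif row["Operation"] == "WriteFile" and path.lower().endswith(ext):
            # Keep the first write per file; later writes are the same event.
            found.setdefault(key + (path,), {
                "process": key[0], "pid": key[1], "written": path,
                "read_before": last_read.get(key),
            })
    return list(found.values())

def summarize(records):
    """Count distinct written files per writing process name."""
    return Counter(r["process"] for r in records)

if __name__ == "__main__":
    for r in qsp_writers(SAMPLE):
        print(f'{r["process"]} (PID {r["pid"]}) wrote {r["written"]}')
        print(f'  last file read by that process: {r["read_before"]}')
```

If the writer turns out to be a process other than the antivirus service, that process is the one to submit for analysis.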