
ETRE.EXE trying to access the internet

Discussion in 'Security and Privacy' started by Christer, 2004/05/10.

Thread Status:
Not open for further replies.
  1. 2004/05/10
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Hello all!

    A friend of mine had an unwelcome visitor a week or so ago. It was something which opened a window in IE, related to "belgiandip" ...... :confused: ...... or something, I don't remember exactly.
    The only scanner to pick it up was Trend Micro's online virus scan. None of the others and there was no removal tool.
    I managed to remove it but told him that I believed that it had been too easy and that he should expect it to pop up again. I also told him to block any request to connect in the firewall.

    Now, C:\Documents and Settings\<username>\Application Data\ETRE.EXE has requested permission to connect to the internet, which was denied.

    I went Google on ETRE.EXE and had a nice lecture on the french language but no useful information pertaining to ETRE.EXE.

    Anyone out there with something on this?

    Thanks for Your time,
    Christer
     
  2. 2004/05/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The only hint of a hit I could find from a search of the Trend site is This and the only Google return I got was for an electric motor. :eek:

    How about a hijackthis log from the PC?
     

  4. 2004/05/10
    Christer

    Christer Geek Member Staff Thread Starter

    Hi Newt!

    Here's his hijackthis log:

    For me, it's all in a foreign language ...... :confused: ...... probably geek.

    Christer
     
  5. 2004/05/10
    Christer

    Christer Geek Member Staff Thread Starter

    It seems like it's loading from the registry but I don't understand what it is.

    Christer
     
  6. 2004/05/10
    Newt

    Newt Inactive

    I don't understand what it is either. Absolutely no searchable information on that particular .exe.

    I think I'd check via task manager to see if a process by that name was running and if so, kill it and then use Hijackthis to remove the entry.

    It may break something though. OTOH, if something breaks it may tell your friend where the file came from.

    Pretty clean log otherwise. A few things there I wouldn't want running but nothing really bad. For instance, this is considered spyware since it sends user info out to the internet but it was probably put there by a legit app.

    C:\Program\Support.com\bin\tgcmd.exe
    Used by Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.
     
  7. 2004/05/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    "belgiandip" and popups are usually winpups with random names once we start fixing the runs,
    what was it the onlines found?

    but that one doesn't fit the profile, perhaps it was/is,
    well check user agent.

    what else have you fixed, it might lend a clue ?
     
  8. 2004/05/10
    Christer

    Christer Geek Member Staff Thread Starter

    Newt,

    My friend tried but the file couldn't be deleted. He managed to rename it and it no longer bothers him which means that he found a "cure" for the symptom but not for the disease.
    If the executable has been renamed, then it can't get started from the registry and shouldn't appear in TaskManager. I wonder if it can be deleted now (rhetorical question)?

    The entry in the registry must be removed though and HJT does that, right?

    I found the same comment on that entry at ANSWERS THAT WORK, in TASK LIST. I believe that it was put there by his ISP.

    Lonny,

    Well, me and my teflon coated memory ...... :eek: ...... but if it does serve me correctly, Trend Micro found TROJ_A "something". Some 40 files were infected, most of which in System Volume Information. Disabling System Restore removed all but 5 files.
    A Google search for belgiandip, gave a number of possible file names and locations but the date and size of a file in the right location could give it away as "the same but a different name". Among other things, there was a file in Windows Media Player which actually had replaced the correct executable.

    When I prepared to go back to Trend for a renewed scan, I checked the firewall and removed all program entries with "permit all" setting but the ones automatically configured by Norton were left as they were.

    As soon as I connected to the internet the firewall popped up with a request from an executable to connect. The file name was random letters and digits. I said "no way" and went to find it and deleted it.

    Since then, no more belgiandip and no more strange attempts to connect to the internet ...... :confused: ...... until now by ETRE.EXE.

    It's possible that there is no connection between belgiandip and ETRE.EXE but I don't know.

    Christer
     
  9. 2004/05/10
    Christer

    Christer Geek Member Staff Thread Starter

    Nothing better for the memory than head hitting pillow to get some sleep.

    It was TROJ_REVOP.A

    Christer
     
  10. 2004/05/10
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Love that Google Toolbar and the right click "Translate this page" option!

    Delete it from safe mode? :confused:

    Johanna
     
  11. 2004/05/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Well winpup aka TROJ_REVOP.A appears gone, if it were my pc, ;)

    can you take a peek here >
    or just have them create and merge this reg file

    You'll need to take the space out of CurrentVersion
    there is a tool to look for other pup files but I don't think it's necessary.

    what are(were) the properties version details of that ETRE.EXE file ?
     
  12. 2004/05/11
    Christer

    Christer Geek Member Staff Thread Starter

    Johanna,
    I don't use the Google Toolbar but I have used other online translators ...... :D ...... and they can be rather amusing!
    I suppose that You used it on the HJT log.

    Deleting from safe mode is an option to try. I think that getting rid of the file itself is desirable, even if the registry entries that trigger it are gone.

    Lonny,

    Well, it seems like it's gone.

    When this occurred two weeks ago, next to each entry in scan results, Trend insisted that it was not removable. On the Trend web page, dealing with TROJ_REVOP.A, the reader was urged to download the latest reference file to get rid of it but nothing worked, even with System Destroy (sorry - Restore) disabled.

    I was there, guided by what I found on the web on belgiandip that evening but found no such reg-keys.
    It is strange that nothing "pup" or "over" was to be found whatsoever but all symptoms matched.

    I don't know. I haven't been at my friend's home for this ETRE.EXE issue. There have only been a few e-mails sent forth and back.

    This morning, he left on a trip that will last at least two weeks and unless I can continue this with his son, the answer to that question will have to wait.

    I'll be back!

    Christer
     
  13. 2004/05/26
    Christer

    Christer Geek Member Staff Thread Starter

    My friend was at home for a few days and last evening I paid him a quick visit.

    No sign of etre.exe in Windows Explorer. I didn't think of checking the registry.

    In C:\Documents and Settings\"username"\Application Data, where I expected to find etre.exe, I instead found channelup.txt.
    channelup.txt is the file that by his son was renamed from channelup.exe. The son confirmed this but had no explanation.

    As You may understand, there was a lot of confusion when I had that phone call two weeks ago.

    Nevertheless, I went google on channelup.exe and found this on Symantec's site.

    There was nothing on my friend's computer, other than channelup.exe but not in the location indicated by Symantec.

    I'm totally ...... :confused: ...... but will pay him another visit when he gets back from the next trip to find out if the registry entry for etre.exe is gone too.

    I believe that some of You think that I'm on the verge of being taken to the nearest lunatic asylum but to prove that I haven't lost it ...... :rolleyes: ...... check out the screen shot of the firewall alert.

    Christer
     
  14. 2004/05/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    I hardly doubt you've lost anything :D

    had we discussed winpupfinder previously?

    almost anything running from Application Data is bad but be careful

    I'm puzzled why the av identified etre.exe as a winpup file, they are usually longer random names.
    I have not searched for that renamed file you mentioned I just wanted to link
    winpupfinder for you, I assume there's no problems now, but well if it was my pc or a friend's I would do this extra cleanup step.

    what it finds will have to be double checked against the properties though
    download and WinpupFinder.zip Unzip, then DoubleClick on WinpupFinder.bat file. It'll run for a while, searching your windows/system folders
    and generate "winpups.txt" file in the same folder.
    and copy paste that info back here please
    Along with that post a fresh log
    This is freeatlast file I have modified to look in other folders, for any winpups
    it's attached in this post
    Note I have added to what my post says at N-I.

    rather than searching av sites for an exe search the leading forums for the folder it's running from maybe, point is anti virus companies do not target spyware type infections properly, however as you found they should do winpup fine now
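
Added example, not part of any post in this thread: a small triage script that applies the "running from Application Data" rule of thumb to the autorun (O4) lines of a HijackThis log and checks whether each flagged file also appears under "Running processes:". The sample log, the registry value names and the list of suspect folders are constructed assumptions.

```python
import re

# Constructed sample in HijackThis log layout; NOT the log from this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\Application Data\ETRE.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program\Support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Application Data\ETRE.EXE
O4 - HKLM\..\RunOnce: [tmpjob] C:\DOCUME~1\user\LOCALS~1\Temp\a1b2c3d4.exe
"""

# O4 autorun line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Assumed user-writable locations (long and 8.3 forms, English folder names).
SUSPECT_DIRS = ("\\application data\\", "\\applic~1\\",
                "\\local settings\\temp\\", "\\locals~1\\temp\\")

def exe_path(command):
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first program extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)", command, re.I)
    return m.group(1) if m else command

def running_processes(log_text):
    # Paths listed under "Running processes:", lower-cased for comparison.
    procs, in_section = set(), False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section and re.match(r"[A-Z]\d+ - ", line):
            break  # the first numbered entry ends the process list
        elif in_section and line:
            procs.add(line.lower())
    return procs

def review(log_text):
    # (value name, path, currently running?) for autoruns in suspect folders.
    running, findings = running_processes(log_text), []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group(4))
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append((m.group(3), path, path.lower() in running))
    return findings

print(review(SAMPLE_LOG))
```

A flagged entry is only a lead: the file's properties and version details still have to be checked before anything is removed.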
     
  15. 2004/05/27
    Christer

    Christer Geek Member Staff Thread Starter

    Hi Lonny,

    There are no SYMPTOMS but that's different from it being HEALTHY!

    Maybe, I will do a proper cleaning as soon as my friend stays at home for more than a few hours. Another thing that makes it more complicated is that his son tries to help too or at least I think so. I found the registry editor nicely parked where the "channelup" key was supposed to be but he has not admitted to anything but renaming from exe to txt.

    I'm not sure that "channelup" and "etre" are connected, it's all very confusing!
    When I did the first cleaning, the "exe" that tried to connect to the internet was an "eight letters/digits file name".exe which fits Your description of the typical winpup files. I myself have never seen etre.exe and all other files associated with a winpup were not present but a number of others were.

    I have always told my friend that he lives dangerously, with only a single HDD and no backups. I have volunteered my assistance to install a new HDD and set it up according to my preferences, enabling the use of Ghost and backing up to the old one.

    Until recently he has said "thanks but no-thanks", he was worried that I would s*c*r*e*w it up for him but now there has been a change of tune.
    He has asked me to buy a new HDD and a mobile rack for him. The old HDD is to go in the rack to sit powered off with his Images and backups.

    The probable outcome of all this is a fresh installation but I think that I'm curious enough to try to find out what has happened. There is, however, the time factor and fixing something that is going to be wiped out doesn't make much sense. That's the reason I said "Maybe, I will do a proper cleaning ..."

    Thanks for Your assistance, all of You!

    Christer
     
  16. 2004/05/27
    Christer

    Christer Geek Member Staff Thread Starter

    To elaborate:

    I think that the "eight letters/digits file name".exe was connected to "belgiandip" but I don't think that there is a connection to "channelup.exe".

    I have no idea whatsoever where "etre.exe" came from and where it went.

    As I said earlier, the son doesn't volunteer any information on what he's been up to.

    Christer
     