Coldfusion backdoor help :<

Question

Yeke 0 Newbie Poster

19 Years Ago

Had this wee beastie for a few days now and starting to think I may have to reformat to be rid off it :<

So desperation post Have read others posts on the same matter here and tried what was suggested and still wont budge it :/

Have run adaware se numerous times as well as giant adaware picks up nothing, giant pickes up 2 instances of the downloader "nic.tech.bm2".

I'm using pccillin 2002 latest updates etc and it has succsessfully removed it several times but once I reboot its back have removed several registry keys pertaining to this virus and blocked them from adding themselves to it again.

Each time I boot up I get around 8 or so cmd.exe running (theese are closed for my HJT log) upon closing the last of theese down It seems to trigger the reinstalation of the virus (I get pop ups from pcccillien saying it is detected and from giant saying it blocked dxsetu.exe from the registry)

anyway lots of waffleing but think that about covers it so can anyone give more info on this or spot anything in my hjt log?

Logfile of HijackThis v1.98.2
Scan saved at 13:25:05, on 14/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Vg\Vg.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\dslAgent.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: VirtuaGirl.lnk = C:\Program Files\Vg\Vg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE974878-A8B4-43EE-99C0-97CEEB82301C}: NameServer = 62.241.162.200 158.43.240.3

P.s think this enty is related to the virus fixing it dosnt help and it just reapears on next boot "F2 - REG:system.ini: Shell=Explorer.exe winsock.scr"

*edit just noticed the dxsetu.exe there on my hjt, seems giant is saying it blocked it but isnt :<

coldfusion windows-virus

3 Contributors
7 Replies
204 Views
1 Day Discussion Span
Latest Post 19 Years Ago Latest Post by Yeke

dlh6213 27 Posting Maven

19 Years Ago

Try the advice in post #2 of this thread:
http://www.daniweb.com/techtalkforums/post67267.html#post67267

suRoot 11 Posting Whiz in Training

19 Years Ago

hi how you doing, the following services sound suspect to me::

C:\WINDOWS\system32\dslagent.exe <------ is this one of those go-faster things? if so it's probably spyware or some virus type thing

C:\Program Files\Vg\Vg.exe <--------- what's VG

\program files\powerstrip\pstrip.exe <----- you play counter-strike don't you?

for the Registry entries i don't like the sound of:

HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe <--unless you know what it is

HKLM\..\Run: [GSICONEXE] gsicon.exe <------- again ^^

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB <--- hmm unless this is the usb drivers for you net?

HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent <--yes you play CS don't you!!

You may want to find out what those ones i brought up acctually are, if you don't know google the exe's and see what it says

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Yeke 0 Newbie Poster · Answer 1 · 2004-12-14T22:51:52+00:00

Try the advice in post #2 of this thread:
http://www.daniweb.com/techtalkforums/post67267.html#post67267

Thx missed that post :(

however I can only find some of those files and not the dxsetu.exe and yes have already enabled to see hidden files incedently also got it from the same place football manager 2005 crack :P

*Edit my bad only had show hidden files enabled will try again now :P

Yeke 0 Newbie Poster · Answer 2 · 2004-12-15T01:13:18+00:00

hi how you doing, the following services sound suspect to me::
C:\WINDOWS\system32\dslagent.exe <------ is this one of those go-faster things? if so it's probably spyware or some virus type thing
C:\Program Files\Vg\Vg.exe <--------- what's VG
\program files\powerstrip\pstrip.exe <----- you play counter-strike don't you?
for the Registry entries i don't like the sound of:
HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe <--unless you know what it is
HKLM\..\Run: [GSICONEXE] gsicon.exe <------- again ^^
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB <--- hmm unless this is the usb drivers for you net?
HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent <--yes you play CS don't you!!
You may want to find out what those ones i brought up acctually are, if you don't know google the exe's and see what it says

Yep still playing CS on the odd occasion still the best FPS online imho
both the dslagent are drivers for my adsl line gsicon ive forgotten (but sure its supposed to be there) VG is Virtual Girl pervy little prog that puts strippers on your desktop :o (registered version without any adware) and finally the dxsetu.exe is part of this virus, think everything else checks out ok had to go cook so not done anything else with it as yet but will report back later.

Yeke 0 Newbie Poster · Answer 3 · 2004-12-15T01:33:53+00:00

Looks very much like the solution worked for me doing virus scan now to remove the .dll's from the temp dir that are part of this trojan now but after deleting all those files and reboting none of the usuall cmd.exe proccesses were there and no popups from pccillin or giant \o/

Thanks very much for your assistance :D

dlh6213 27 Posting Maven Team Colleague · Answer 4 · 2004-12-15T21:25:46+00:00

After you've done your scans, you can post another log if you like, just to make sure.

To help protect your system, you should get SpywareBlaster and/or SpywareGaurd (links to both are in this thread: http://www.daniweb.com/techtalkforums/thread5690.html) and keep them updated.

Yeke 0 Newbie Poster · Answer 5 · 2004-12-16T02:17:43+00:00

looks clean to me but anyone spot anything out of place?

Logfile of HijackThis v1.98.2
Scan saved at 20:16:35, on 15/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Vg\Vg.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - Startup: VirtuaGirl.lnk = C:\Program Files\Vg\Vg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE974878-A8B4-43EE-99C0-97CEEB82301C}: NameServer = 62.241.162.200 158.43.240.3