Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Scanner Reporting Backdoor Trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 VirusHunter

VirusHunter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:06:08 PM

Posted 26 October 2007 - 09:23 AM

I'm using the latest version of AntiVir, all updated.

The active guard popped up this morning warning me of a detection of file "CPQsetVer.exe" in directory "C:\Program Files\hpq\Default Settings".

I have never seen this before! I almost panicked because I'm meticulous about what I put onto my machine, but I know that things sometimes slip through. As I thought about it though, I looks like it's a tool for my HP computer (not sure what tool though). I did a scan with VirusTotal and it found the following:

CpqsetVer.exe received on 10.26.2007 14:40:10 (CET)Antivirus Version Last Update Result
AhnLab-V3 2007.10.26.1 2007.10.26 -
AntiVir 7.6.0.27 2007.10.26 BDS/Agent.ahj.32
Authentium 4.93.8 2007.10.25 -
Avast 4.7.1074.0 2007.10.25 -
AVG 7.5.0.503 2007.10.26 -
BitDefender 7.2 2007.10.26 Backdoor.Agent.AHJ
CAT-QuickHeal 9.00 2007.10.25 -
ClamAV 0.91.2 2007.10.26 -
DrWeb 4.44.0.09170 2007.10.26 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.26 -
FileAdvisor 1 2007.10.26 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.25 -
F-Secure 6.70.13030.0 2007.10.26 -
Ikarus T3.1.1.12 2007.10.26 Backdoor.Agent.AHJ
Kaspersky 7.0.0.125 2007.10.26 -
McAfee 5149 2007.10.25 -
Microsoft 1.2908 2007.10.26 -
NOD32v2 2619 2007.10.26 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.26 -
Prevx1 V2 2007.10.26 -
Rising 19.46.42.00 2007.10.26 -
Sophos 4.22.0 2007.10.26 -
Sunbelt 2.2.907.0 2007.10.26 -
Symantec 10 2007.10.26 -
TheHacker 6.2.9.107 2007.10.25 -
VBA32 3.12.2.4 2007.10.26 Backdoor.Win32.Agent.ahj
VirusBuster 4.3.26:9 2007.10.25 -
Webwasher-Gateway 6.6.1 2007.10.26 Trojan.Agent.ahj.32


If it was just AntiVir that popped up I would feel ok, but it concerns me seeing other scanners picking this up. I have moved it to the quarantine.

I'm going to post a HiJackThis log later.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:08 PM

Posted 26 October 2007 - 10:01 AM

Everything I'm finding on CPQsetVer.exe is in French so the discussions are hard to follow along with. I did note that Bit Defender scans were flagging it as infected. Now there are four move vendors flagging it after your file submission which decreases the possibility of a false positive.

Yes, leave it in quarantine where its not a threat.

Hewlett-Packard HPQ is related to stock market news. I don't know what software they use that would have created that folder in your program files. Did you install any of their software? If so, do the dates match that of the folder with the suspicious file. If it is HP related, then you should report your findings to them.

If it is a confirmed Backdoor Trojans, please note that they are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

As a precaution, if your computer was used for online banking, has credit card information or other sensitive data on it, you should change all passwords to include those used for banking, email, eBay and forums.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 VirusHunter

VirusHunter
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:06:08 PM

Posted 26 October 2007 - 08:47 PM

Thanks for your reply. The folder containing the file in question could have been installed from the HP recovery CD. That's the only HP related stuff I would have installed.

The timestamp must reset, because when I moved it back from the quarantine it had today's date. :thumbsup:

#4 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:05:08 PM

Posted 26 October 2007 - 09:09 PM

VirusHunter,

I see you have an open HJT log posted in the HijackThis Logs and Malware Removal forum.
You shouldn't make any changes to your system, while your HJT log is posted, as that could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users