Participant

Question

Process "911.exe" in folder "coldfusion\SERVER-INF\temp\wwwroot-tmp"

Forum|Forum|13 years ago
March 13, 2013
3 replies
5628 views

Hi All,

Our couldfusion application stopped working a few times last week due to the process "911.exe" which costed 99% CPU. Once we kill that process, everything back to normal again. The problem is process "911.exe" should be in C: root, but we found it in "ColdFusion8\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotmp56746.tmp" and been recognized as a virus. We kill it, it will appear again and again. Does anyone have the similar problem? How can I fix it?

I think this folder "temp\wwwroot-tmp" is used to store chached files, uploaded files. Does that mean someone uploaded some files with the virus?

Thanks in advance.

Wei

This topic has been closed for replies.

D

DaCFMastered

Participant

We have seen this as well on our CF9 servers running Server 2008. The files seem to reappear about once a week and cause a tremendous amount of network load. That being said, I have run Sofos on the server, deleted every instance of the files (which always reside at the system root) and stopped the services. We're currently patching our CF instances to the latest patch and we'll see if that corrects the issue.

A

Anonymous

Do you have any scheduled tasks or cfm files which are not from your application. Anything which is unwanted.

E

efirkey

Participant

I too have been hit by this.

zz.exe

zzz.exe

winacp.exe

911.exe

all in C:\

I installed Norton Symantec and the only item that keeps coming up is 911.exe at random times. I believe it to be sending out emails because when it pops up Norton is killing it and also killing my POP3 program mepops.exe (mailenable). Norton was also killing coldfusion executables but I updated and patched coldfusion to version 9.02 and secured the CFIDE directories and it hasn't killed coldfusion since.

I am very close to creating a whole new server if there isn't a solution to totally eradicate this soon.

My gut feeling is that this was caused by some weakness in coldfusion.

Is symantec aware of this situation?

Eric Firkey www on-queue dot com

A

Anonymous

Hi,

The antiviurs "Sophos" detect any possible viruses zz.exe 911.exe and family, etc.

Sophos does not destroy any service process as coldfusion, mdaemon, etc.

Sophos controls infection by detecting the virus in the coldfusion temporal zone and destroying it.

Possibly be resolved with an update, but I do not know if 9.0.1 and 9.0.2 updates resolve it.

A

Anonymous

I think it is a worm that filters through port 443.

I ran the file at ThreatReport.com

http://www.threatexpert.com/report.aspx?md5=02c8e8bf1cd56d95667ee870e4b14f1b

and

http://www.threatexpert.com/report.aspx?md5=6afb7109b50c86fe598c38e6ad73181e

Sophos online scanner detected this:

2013-03-11 11:28:06 The following items will be cleaned up:

2013-03-11 11:28:06 Troj/Agent-AAPB

2013-03-11 11:28:06 Mal/IRCBot-A

A

Anonymous

I had the same problem. I also received the following viruses:

zz.exe

zzz.exe

winacp.exe

911.exe

The only solution I've found is to install antivirus "Sophos", here's the link:

(It is compatible with Windows Server)

http://www.filecluster.com/downloads/Sophos-Anti-Virus.html

You install it as usual.

The antivirus will ask the user's name and password of the administrator.

Then you need to find the latest virus updates, is in the following link:

http://www.sophos.com/downloads/ide/

You select the ZIP version updates. Then you have to manually unzip in the folder anitivus "Sophos":

c:\Program Files (x86)\Sophos\Sophos Anti-virus

Then you realize overall scanning. The antivirus will protect the windows against possible virus entry suspects.

(Sorry for the bad English).

R

rici2002Author

Participant

I think we already installed sophos. We will update sophos to the latest version and run the scan again.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded