Worm Prolaco


Recommended Posts

Several of our servers were hit with the Prolaco worm, and all of our .exe files have been turned into Win32 self-extracting CAB files. Here is the log from one of our servers.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 12:27:08 PM, on 10/22/2010

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Advanced Monitoring Agent\winagent.exe

C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4ADD0E8B\bomgar-scc.exe

C:\Program Files\HP\Cissesrv\cissesrv.exe

C:\WINDOWS\system32\cpqrcmc.exe

C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\sysdown.exe

C:\hp\hpsmh\bin\smhstart.exe

C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe

C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe

C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe

C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe

C:\Program Files\TeamViewer\Version5\TeamViewer.exe

C:\hp\hpsmh\bin\hpsmhd.exe

C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe

C:\WINDOWS\system32\cmd.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\system32\cmd.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\System32\svchost.exe

C:\hp\hpsmh\bin\hpsmhd.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\system32\cmd.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\system32\cmd.exe

C:\hp\hpsmh\bin\rotatelogs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\HP\NCU\cpqteam.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Shift4\UTG2\Utg2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: UTG (v2) Stand Alone.lnk = C:\Shift4\UTG2\Utg2.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O15 - ESC Trusted Zone: http://rmd.atdmt.com

O15 - ESC Trusted Zone: http://view.atdmt.com

O15 - ESC Trusted Zone: http://log.enquisite.com

O15 - ESC Trusted Zone: http://www.google-analytics.com

O15 - ESC Trusted Zone: http://gfx6.hotmail.com

O15 - ESC Trusted Zone: http://help.live.com

O15 - ESC Trusted Zone: http://login.live.com

O15 - ESC Trusted Zone: http://sn140w.snt140.mail.live.com

O15 - ESC Trusted Zone: http://webmail.springermiller.com

O15 - ESC Trusted Zone: http://*.springermiller.com

O15 - ESC Trusted Zone: http://js.wlxrs.com

O15 - ESC Trusted IP range: http://65.55.75.167

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1255473590593

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1255473841546

O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = carneros.com

O17 - HKLM\Software\..\Telephony: DomainName = carneros.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{515D0343-449A-4373-939A-BB41FECA5080}: NameServer = 192.168.1.9,192.168.1.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = carneros.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{515D0343-449A-4373-939A-BB41FECA5080}: NameServer = 192.168.1.9,192.168.1.20

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = carneros.com

O17 - HKLM\System\CS2\Services\Tcpip\..\{515D0343-449A-4373-939A-BB41FECA5080}: NameServer = 192.168.1.9,192.168.1.20

O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Advanced Monitoring Agent - Remote Monitoring - C:\Program Files\Advanced Monitoring Agent\winagent.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe

O23 - Service: Bomgar Jump Client [1255981241-1255981288] (bomgar-ps-1255981241-1255981288) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4ADCC0B9\bomgar-scc.exe (file missing)

O23 - Service: Bomgar Jump Client [1256001163-1256001209] (bomgar-ps-1256001163-1256001209) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4ADD0E8B\bomgar-scc.exe

O23 - Service: Bomgar Jump Client [1256001163-1260983366] (bomgar-ps-1256001163-1260983366) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4ADD0E8B\bomgar-scc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe

O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe

O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe

O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe

O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe

O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe

O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe

O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

--

End of file - 9489 bytes
