0 Replies Latest reply on Feb 8, 2011 11:41 AM by stonent

    Need help understanding this log entry

      If I read this correctly, is CCMEXEC.EXE somehow involved in the method of infection? We use Microsoft Configuration Manager (SCCM aka SMS) 2007 to manage updates and patches in our environment. If I am reading this log incorrectly, can you tell me how I should read it?

      Our problem is that our remote sales people who use the SCCM internet client in native mode have recently been getting infected and reinfected. We use VS 8.7 with HIPS 7.0. Also, we are repeatedly getting users with Win32.Trup.B on their boot sector. Kaspersky detects and removes it but McAfee doesn't. We've sent samples but still no luck with McAfee adding it.

      (Our AV admin has been doing that for me)

      Anyway, on to the log:

      2/1/2011 6:04:38 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\612FMTUV\E001[2].exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:25:00 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\ali.exe Generic.dx!vnq (Trojan)

      2/1/2011 6:32:51 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\11070\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:07 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GAO6MVST\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:08 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GB6S0HEW\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:08 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GBXZT6LD\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:09 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GMY4QO35\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:12 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GZWUWO2J\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:13 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\HOVPZ6KQ\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:14 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\HZ5N3ZV3\E001.exe Generic BackDoor!cvo (Trojan)

      2/1/2011 6:36:15 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\HZBGGYQX\E001.exe Generic BackDoor!cvo (Trojan)
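As an added example (not from the post, and not a McAfee tool), here is a small Python parser for the space-collapsed log layout pasted above. It splits each line into date, time, action, account, process, file and detection, then tallies events by the process that was touching the file when the on-access scanner fired and lists file names that recur across several directories. The field names and regex are my reading of the pasted layout, not a documented format; note that an on-access scanner records the process that was accessing the file at scan time, which need not be the process that wrote it.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One on-access log line as pasted in the post (tabs collapsed to spaces):
#   date  time  action  account  process  file  detection (type)
# Paths are anchored on their drive letter and the scanned file on its
# extension, so paths containing spaces still split correctly.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\S+)\s+(?P<account>.+?) "
    r"(?P<process>[A-Za-z]:\\.+?) "
    r"(?P<file>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4}) "
    r"(?P<detection>.+?) \((?P<type>[^)]+)\)$"
)

# Constructed sample: four lines copied from the post's log, same layout.
SAMPLE_LOG = r"""
2/1/2011 6:04:38 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\612FMTUV\E001[2].exe Generic BackDoor!cvo (Trojan)
2/1/2011 6:25:00 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\ali.exe Generic.dx!vnq (Trojan)
2/1/2011 6:32:51 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\11070\E001.exe Generic BackDoor!cvo (Trojan)
2/1/2011 6:36:07 PM Deleted  NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\GAO6MVST\E001.exe Generic BackDoor!cvo (Trojan)
"""

def parse_line(line):
    """Split one log line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Aggregate events: which process the scanner caught holding the file,
    which detection names fired, and which file names recur in more than
    one directory (the same payload written to several places)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    dirs_by_name = defaultdict(set)
    for e in events:
        p = PureWindowsPath(e["file"])
        dirs_by_name[p.name].add(str(p.parent))
    return {
        "events": len(events),
        "by_process": Counter(e["process"] for e in events),
        "by_detection": Counter(e["detection"] for e in events),
        "repeated_names": {n: sorted(d) for n, d in dirs_by_name.items() if len(d) > 1},
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log, the "repeated_names" entry for E001.exe shows how many distinct directories the same file name was dropped into, which is the pattern worth reporting alongside the samples.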