As I work on the F-Secure review I thought I'd introduce HijackThis logs before and after. Here is the current HijackThis log for this (currently) infected PC:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:31 AM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\wpopejyl.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\SystemDefender\SystemDefender.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\cjb\cjb8.exe
C:\Program Files\Ultimate Defender\UltimateDefender.exe
C:\WINDOWS\system32\lphca7uj0erdc.exe
C:\Program Files\rhce7uj0erdc\rhce7uj0erdc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe
C:\WINDOWS\system32\pphca7uj0erdc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getbackpage.com/?cm=540422&lt=1&it=2008-04-27%2016%3A09%3A32&dt=2008-07-13%2020%3A55%3A08&q=http://www.yahoo.com/?rs=1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {01BA2111-5518-D0C8-A667-01E739079356} - C:\WINDOWS\system32\tnxqilzf.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\System32\urqqrsr.dll
O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\syscmd\mscmp32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1208921198.dll
O2 - BHO: 717305 helper - {963916CD-6311-485D-93DC-3BD1B9E2D2CB} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\System32\ISECUR~1.CPL
O2 - BHO: ContextProgram - {E4D1D56C-3EC9-2F5D-FAA3-4112CCDD61DC} - C:\Program Files\ContextProgram\ContextProgram-2.dll
O2 - BHO: cj helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\IE Extensions\cj.v2.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SystemDefender] "C:\Program Files\SystemDefender\SystemDefender.exe" hide
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [wofgrqls] C:\WINDOWS\system32\wofgrqls.exe
O4 - HKLM\..\Run: [apadibub] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\apadibub.dll"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvboj.dll,startup
O4 - HKLM\..\Run: [cjb] C:\Program Files\cjb\cjb8.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\UltimateDefender.exe" hide
O4 - HKLM\..\Run: [lphca7uj0erdc] C:\WINDOWS\system32\lphca7uj0erdc.exe
O4 - HKLM\..\Run: [SMrhce7uj0erdc] C:\Program Files\rhce7uj0erdc\rhce7uj0erdc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKLM\..\Policies\Explorer\Run: [rTwrdHqj21] C:\WINDOWS\wpopejyl.exe
O4 - HKLM\..\Policies\Explorer\Run: [J286hthVnp] C:\WINDOWS\wpopejyl.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - Startup: .protected
O4 - Startup: findfast.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: .protected
O4 - Global Startup: autorun.exe
O4 - Global Startup: svchost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2F0E7094-51A2-ECEB-8CF6-EF32B5ECD15E} - http://virusremover2008.com/VRM_Free.exe
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} (CLoader Object) - http://www.av-xp2008.com/tools/virusremover.dll
O16 - DPF: {C931FDF3-0319-0CAE-6DFD-8D061EABF08D} - http://virusremover2008.com/VRM_Free.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: urqqrsr - C:\WINDOWS\SYSTEM32\urqqrsr.dll
O20 - Winlogon Notify: wingvd32 - C:\WINDOWS\SYSTEM32\wingvd32.dll
O21 - SSODL: zip - {177ab526-6b94-4cc2-b303-c1b6a4070316} - C:\WINDOWS\Installer\{177ab526-6b94-4cc2-b303-c1b6a4070316}\zip.dll
O21 - SSODL: CheckMon - {b62df42a-0f78-46d6-81d0-3f0ae0d8dc6b} - C:\WINDOWS\Installer\{b62df42a-0f78-46d6-81d0-3f0ae0d8dc6b}\CheckMon.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\System32\ISECUR~1.CPL
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\System32\zfaiqwr.dll
O23 - Service: VMware Descheduled Time Accounting Service (vmdesched) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmdesched.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
--
End of file - 6816 bytes
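To make the "bad stuff" in a log like this a mechanical check rather than a matter of eyeballing, here is an added Python example. It is not HijackThis's own analysis and not code from this blog: it parses the Oxx entries (HijackThis writes an ASCII " - " separator) and applies a handful of rules an analyst applies by hand, namely a second shell in system.ini, unnamed or file-less BHOs, hidden or Policies\Explorer\Run autoruns, system-binary names in a Startup folder or misspelled (spoolvs.exe), Trusted Zone additions, ActiveX downloads from non-Microsoft hosts, AppInit_DLLs/Winlogon Notify and SSODL hooks, and vowel-poor random-looking filenames. SAMPLE_LOG is a constructed excerpt of the log above; the vowel-ratio threshold and the trusted-host list are assumptions chosen for illustration.

```python
"""Triage heuristics for HijackThis 2.0.2 log lines (added example, not HijackThis's code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt mirroring entries from the log on this page.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {01BA2111-5518-D0C8-A667-01E739079356} - C:\WINDOWS\system32\tnxqilzf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SystemDefender] "C:\Program Files\SystemDefender\SystemDefender.exe" hide
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKLM\..\Policies\Explorer\Run: [rTwrdHqj21] C:\WINDOWS\wpopejyl.exe
O4 - Global Startup: svchost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {2F0E7094-51A2-ECEB-8CF6-EF32B5ECD15E} - http://virusremover2008.com/VRM_Free.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
""".strip().splitlines()

# Core Windows process names that malware likes to borrow or misspell.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumed allowlist: hosts an O16 ActiveX download may come from; anything else is reviewed.
TRUSTED_DPF_HOSTS = (".microsoft.com", ".windowsupdate.com")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl)\b", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude check for generated names like tnxqilzf: 7+ letters and under 20% vowels (assumed threshold)."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 7:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def assess(line: str):
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    names = [p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(body)]

    if sec == "F2" and "shell=" in body.lower():
        # system.ini Shell= should be exactly Explorer.exe; extra tokens load a second shell.
        if [t.lower() for t in body.split("=", 1)[1].split()] != ["explorer.exe"]:
            reasons.append("Shell= loads something besides Explorer.exe")
    if sec in ("O2", "O3"):
        if "(no name)" in body:
            reasons.append("unnamed BHO/toolbar")
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("BHO registered but its file is absent")
    if sec == "O4":
        if re.search(r"\s(hide|/h)\s*$", body):
            reasons.append("autorun asks to start hidden")
        if r"Policies\Explorer\Run" in body:
            reasons.append("Policies\\Explorer\\Run autorun (rarely legitimate)")
        st = re.match(r"(?:Global )?Startup: (.+)$", body)
        if st and st.group(1).lower() in SYSTEM_BINARIES:
            reasons.append("system-binary name in a Startup folder")
    if sec == "O7":
        reasons.append("policy lockout (tool disabled by registry policy)")
    if sec == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if sec == "O16":
        host = re.search(r"https?://([^/\s]+)", body)
        if host and not host.group(1).lower().endswith(TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX download from untrusted host {host.group(1)}")
    if sec == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify injection point")
    if sec == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry")
    for n in names:
        if looks_random(n.rsplit(".", 1)[0]):
            reasons.append(f"random-looking filename {n}")
        # Same letters as a real system binary but not that name: spoolvs.exe vs spoolsv.exe.
        if n not in SYSTEM_BINARIES and any(sorted(n) == sorted(s) for s in SYSTEM_BINARIES):
            reasons.append(f"{n} is a near-miss of a Windows system binary name")
    return Finding(sec, line, reasons) if reasons else None


def triage(lines):
    """Keep only the lines that tripped at least one rule, in log order."""
    return [f for f in map(assess, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {', '.join(f.reasons)}\n     {f.line}")
```

Run against the excerpt, the two Java and three VMware entries fall through untouched while the other ten lines each carry at least one reason, which is the point: the rules encode what a log reader does, so the same script can be pointed at the "after" log to confirm nothing survived cleanup. The random-name rule is deliberately loose (wpopejyl.exe does not trip it, its Policies\Explorer\Run location does), so treat it as a prioritiser, not a verdict.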
lol I'm not a professional log reader but even I can see bad stuff in there ^^
Nice, when will you upload your F-Secure review?
Yearn so much =)
agg that's one infected PC lol
Virus Heat and Ultimate Defender are running in there >.<
and the evil Mirar meh and a lot of random Vundo files
agg as I continue to read this log the computer seems worse and worse lol..... Looking forward to seeing your next review....