HiJackThis Log After FULL Kaspersky Scan

by malwarekilla on May 13, 2008

Here is the HijackThis log taken right after the Kaspersky scan. Unfortunately there seems to be a lot of malware left on the PC. You can see where Kaspersky removed malware (the entry will say "(file missing)") and where it left malware; for example, the entry below was left intact by Kaspersky even though it is a Vundo trojan.

O2 – BHO: (no name) – {01BA2111-5518-D0C8-A667-01E739079356} – C:\WINDOWS\system32\tnxqilzf.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:51 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 – BHO: (no name) – {01BA2111-5518-D0C8-A667-01E739079356} – C:\WINDOWS\system32\tnxqilzf.dll
O2 – BHO: (no name) – {182C7ED7-E56D-4509-9D9B-AC49318D9895} – C:\WINDOWS\System32\urqqrsr.dll (file missing)
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 – BHO: (no name) – {7C109800-A5D5-438F-9640-18D17E168B88} – C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 – BHO: 717305 helper – {963916CD-6311-485D-93DC-3BD1B9E2D2CB} – (no file)
O2 – BHO: iSecurity – {A8311E8F-E459-4D22-89B4-CB9DCF10A425} – C:\WINDOWS\System32\ISECUR~1.CPL (file missing)
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe”
O4 – HKLM\..\Run: [SystemDefender] “C:\Program Files\SystemDefender\SystemDefender.exe” hide
O4 – HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 – HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 – HKLM\..\Run: [wofgrqls] C:\WINDOWS\system32\wofgrqls.exe
O4 – HKLM\..\Run: [apadibub] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\apadibub.dll”
O4 – HKLM\..\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe”
O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 – HKLM\..\Policies\Explorer\Run: [rTwrdHqj21] C:\WINDOWS\wpopejyl.exe
O4 – HKLM\..\Policies\Explorer\Run: [J286hthVnp] C:\WINDOWS\wpopejyl.exe
O4 – HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 – Startup: .protected
O4 – Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 – Global Startup: .protected
O7 – HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 – Extra button: Web Anti-Virus statistics – {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} – C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 – Extra button: (no name) – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.gateietool.com/redirect.php (file missing)
O9 – Extra ‘Tools’ menuitem: IE Anti-Spyware – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.gateietool.com/redirect.php (file missing)
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O15 – Trusted Zone: http://click.getmirar.com (HKLM)
O15 – Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 – Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 – Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 – Winlogon Notify: urqqrsr – C:\WINDOWS\
O20 – Winlogon Notify: wingvd32 – C:\WINDOWS\
O21 – SSODL: iSecurity – {A8311E8F-E459-4D22-89B4-CB9DCF10A425} – C:\WINDOWS\System32\ISECUR~1.CPL (file missing)
O23 – Service: Kaspersky Anti-Virus 7.0 (AVP) – Kaspersky Lab – C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 – Service: VMware Descheduled Time Accounting Service (vmdesched) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\vmdesched.exe
O23 – Service: VMware Tools Service (VMTools) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\VMwareService.exe


End of file – 4481 bytes

Here is the log after I removed the remaining malware with HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:17 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe”
O4 – HKLM\..\Run: [SystemDefender] “C:\Program Files\SystemDefender\SystemDefender.exe” hide
O4 – HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 – HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 – HKLM\..\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe”
O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O7 – HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 – Extra button: Web Anti-Virus statistics – {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} – C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O23 – Service: Kaspersky Anti-Virus 7.0 (AVP) – Kaspersky Lab – C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 – Service: VMware Descheduled Time Accounting Service (vmdesched) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\vmdesched.exe
O23 – Service: VMware Tools Service (VMTools) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\VMwareService.exe


End of file – 2718 bytes
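To make the triage rule from the post concrete (an entry marked "(file missing)" or "(no file)" is a dead registry reference the scanner left behind, anything else is still live and loadable), here is an added Python example that is not part of the original post: it parses HijackThis v2 entry lines, tolerates the en dashes and curly quotes a web paste introduces, classifies each entry, and diffs a before log against an after log. The two sample logs are constructed subsets modelled on the logs above, not copies of them.

```python
import re

# HijackThis prints "O4 - ..."; a web paste often turns "-" into an en dash
# and straight quotes into curly ones, so accept both forms when parsing.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+[-\u2013]\s+(.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

def parse_entries(log_text):
    """Return (section, body) tuples for every R/O entry line in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def is_orphan(body):
    """True when the entry points at a file the scanner already deleted.
    Such leftovers cannot load anything but still deserve cleanup; an entry
    without a marker means the component is still present and loadable."""
    return body.endswith(ORPHAN_MARKERS)

def triage(before_text, after_text):
    """Split the pre-removal log into live vs. orphaned entries, then report
    which entries disappeared after cleanup and which survived both passes."""
    before = parse_entries(before_text)
    after = set(parse_entries(after_text))
    return {
        "live": [e for e in before if not is_orphan(e[1])],
        "orphan": [e for e in before if is_orphan(e[1])],
        "removed": [e for e in before if e not in after],
        "persisted": [e for e in before if e in after],
    }

# Constructed sample (a subset modelled on the post's logs, not a copy).
BEFORE_LOG = """\
O2 - BHO: (no name) - {01BA2111-5518-D0C8-A667-01E739079356} - C:\\WINDOWS\\system32\\tnxqilzf.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\\WINDOWS\\System32\\urqqrsr.dll (file missing)
O2 - BHO: 717305 helper - {963916CD-6311-485D-93DC-3BD1B9E2D2CB} - (no file)
O4 - HKLM\\..\\Run: [SystemDefender] "C:\\Program Files\\SystemDefender\\SystemDefender.exe" hide
O4 - HKLM\\..\\Run: [wofgrqls] C:\\WINDOWS\\system32\\wofgrqls.exe
O20 - Winlogon Notify: urqqrsr - C:\\WINDOWS\\
"""
# The after log is written with an en dash and curly quotes, as a web paste
# would render it, to show the normalisation matching it to the line above.
AFTER_LOG = """\
O4 \u2013 HKLM\\..\\Run: [SystemDefender] \u201cC:\\Program Files\\SystemDefender\\SystemDefender.exe\u201d hide
"""

if __name__ == "__main__":
    for key, entries in triage(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key} ({len(entries)}):")
        for section, body in entries:
            print(f"  {section} - {body}")
```

Anything listed under "persisted" after a cleanup pass is what still needs attention; in the post's own logs the SystemDefender Run entry would land there.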


Alan February 26, 2009 at 9:32 am

Kaspersky 7 can't defeat Kaspersky 2009

evgeny July 13, 2009 at 4:21 am

uh Matt you missed System Defender in both HijackThis logs
