Hi guys,

I found that every process running in my WinXP system contains a
strange module with the name "KB7218151.LOG". The file is located
under the "c:\windows" folder; instead of being a plain text file as the
name suggests, it's actually an executable module (it starts with the "MZ"
header). After some further investigation, I found that it is loaded
by the following registry entry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="KB7218151.LOG"

That's why every process in the system is injected with this DLL
module.

I don't think it's a patch released by MS, as MS wouldn't use this kind
of misleading filename to hide their actual intention. I have searched
through the internet but cannot find anything about this
"KB7218151.LOG".

Is there any guru here who knows what it is? I will mail the "KB7218151.LOG"
file to you if you need to examine it.
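An added audit script (Python, not from the thread) that checks for the pattern the poster describes: it parses the AppInit_DLLs value from a .reg-style export, resolves bare names under an assumed %SystemRoot% of C:\WINDOWS, and flags any listed file whose bytes start with the "MZ" signature despite a non-executable extension such as .LOG. The registry text and file contents are constructed samples so it runs offline.

```python
import ntpath
import re

# Constructed .reg-style export, modelled on the key the original poster found.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="KB7218151.LOG"
'''

# Constructed file contents: a PE image begins with the DOS "MZ" signature,
# while a genuine setup log is plain text.
SAMPLE_FILES = {
    r"C:\WINDOWS\KB7218151.LOG": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    r"C:\WINDOWS\setupapi.log": b"[SetupAPI Log]\r\n",
}

EXECUTABLE_EXTENSIONS = {".dll", ".exe", ".ocx", ".sys"}

def parse_appinit_dlls(reg_text: str) -> list[str]:
    """Names in the AppInit_DLLs REG_SZ value (space- or comma-separated);
    .reg exports double every backslash, which is undone here."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"\s*$', reg_text, re.MULTILINE)
    if not m:
        return []
    raw = m.group(1).replace("\\\\", "\\").strip()
    return [p for p in re.split(r"[,\s]+", raw) if p]

def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with the 'MZ' header every PE file carries."""
    return data[:2] == b"MZ"

def audit_appinit(reg_text: str, files: dict[str, bytes],
                  system_root: str = r"C:\WINDOWS") -> list[tuple[str, str]]:
    """Classify each AppInit_DLLs entry; bare names resolve under system_root (assumed)."""
    findings = []
    for name in parse_appinit_dlls(reg_text):
        path = name if ":" in name or name.startswith("\\") else ntpath.join(system_root, name)
        data = files.get(path)
        ext = ntpath.splitext(path)[1].lower()
        if data is None:
            verdict = "missing-file"
        elif is_pe_image(data) and ext not in EXECUTABLE_EXTENSIONS:
            verdict = "pe-image-disguised-as-" + (ext.lstrip(".") or "noext")
        elif is_pe_image(data):
            verdict = "pe-image-review"        # plausible name, still worth a look
        else:
            verdict = "not-a-pe-image"
        findings.append((path, verdict))
    return findings
```

Any entry at all in AppInit_DLLs deserves review on a workstation, since the value is empty on a clean default install; the "disguised" verdict is the one that reproduces this thread's finding.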

Re: what the hell is KB7218151.LOG? by Malke

Malke
Thu Feb 02 06:59:59 CST 2006

And the full-featured current version (not earlier than 2005) antivirus
you have installed says???

You can submit the file to VirusTotal:
http://www.virustotal.com/flash/index_en.html

While you wait for their response, it wouldn't hurt to do the normal
virus/malware scanning. See the following for suggested steps:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Re: what the hell is KB7218151.LOG? by Michael

Michael
Thu Feb 02 08:23:24 CST 2006


Boot your system to safe mode and delete the entry from your registry. Then
reboot to safe mode and delete the file. Next, go out and purchase a new AV
license (upgrading the one that came with your machine is OK) and install
the latest AV version and signature files. Reboot and scan your entire
system.

Mike Ober.

"Feng Li" <fengli@gmail.com> wrote in message
news:1138867526.788520.113940@g49g2000cwa.googlegroups.com...

Re: what the hell is KB7218151.LOG? by Paul

Paul
Thu Feb 02 08:30:32 CST 2006

Installation programs for patches often create a log file with a name based
on the corresponding KB article number but, of course, this is not such a
file.

Not cool...

Paul

"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message
news:ODBRMRAKGHA.2300@TK2MSFTNGP15.phx.gbl...

Re: what the hell is KB7218151.LOG? by finalpatch

finalpatch
Thu Feb 02 08:42:56 CST 2006

Hi Malke,

Thanks for your reply. Symantec Antivirus (with the latest virus data
file, of course) says nothing about it.

Currently I have just deleted the AppInit_DLLs registry entry, rebooted my
computer, and then removed that file from my Windows dir. And now it
looks like my processes are free from this "KB7218151.LOG".

I'm just curious what this thing does and how bad it is. Since SAV does
not detect it and there's no discussion about it on the internet, I
hope my post could make more people aware of it.

I'll follow your suggestion and submit it to VirusTotal and post the
result when I'm done.


Re: what the hell is KB7218151.LOG? by finalpatch

finalpatch
Thu Feb 02 08:52:30 CST 2006

Here's the report from VirusTotal. So it's some kind of trojan horse,
and Symantec doesn't seem to be protecting me from it ... not cool ...

AntiVir 6.33.0.81 02.02.2006 TR/PSW.Lmir.aqs
Avast 4.6.695.0 02.01.2006 no virus found
AVG 718 02.01.2006 PSW.Legendmir.BDL
Avira 6.33.0.81 02.02.2006 TR/PSW.Lmir.aqs
BitDefender 7.2 02.02.2006 no virus found
CAT-QuickHeal 8.00 02.02.2006 TrojanPSW.Lmir.aqs
ClamAV devel-20060126 02.02.2006 no virus found
DrWeb 4.33 02.02.2006 Trojan.DownLoader.6595
eTrust-InoculateIT 23.71.66 02.02.2006 no virus found
eTrust-Vet 12.4.2063 02.02.2006 no virus found
Ewido 3.5 02.02.2006 Trojan.Lmir.aqs
Fortinet 2.54.0.0 02.02.2006 W32/LegMir.AQS!pws
F-Prot 3.16c 02.02.2006 no virus found
Ikarus 0.2.59.0 02.01.2006 no virus found
Kaspersky 4.0.2.24 02.02.2006 Trojan-PSW.Win32.Lmir.aqs
McAfee 4687 02.01.2006 PWS-LegMir
NOD32v2 1.1391 02.01.2006 no virus found
Norman 5.70.10 02.02.2006 no virus found
Panda 9.0.0.4 02.01.2006 Suspicious file
Sophos 4.02.0 02.02.2006 no virus found
Symantec 8.0 02.02.2006 no virus found
TheHacker 5.9.3.088 02.02.2006 Trojan/PSW.Lmir.aqs
UNA 1.83 02.01.2006 Trojan.PSW.Win32.Lmir
VBA32 3.10.5 02.01.2006 Trojan-PSW.Win32.Lmir.aqs


Re: what the hell is KB7218151.LOG? by Paul

Paul
Thu Feb 02 08:57:26 CST 2006

Yes, not cool. I got spyware in mid-December because of a GDI flaw.
Symantec AntiVirus didn't notice it.

Paul

"finalpatch" <fengli@gmail.com> wrote in message
news:1138891949.984123.231840@g14g2000cwa.googlegroups.com...

Re: what the hell is KB7218151.LOG? by Michael

Michael
Thu Feb 02 09:41:48 CST 2006


That's why I don't use Symantec.

Mike Ober.

"Paul Baker" <paulb@online.rochester.rr.com> wrote in message
news:e4AnQkAKGHA.3504@TK2MSFTNGP10.phx.gbl...

Re: what the hell is KB7218151.LOG? by Malke

Malke
Thu Feb 02 10:37:45 CST 2006

Thanks for posting the results. I'm not fond of NAV/NIS, but to be fair
you have to remember that no av will catch everything. You might want
to run Ewido just to be sure you're OK. Ewido is quite good at catching
trojans and you can d/l a full-functional trial version and then
uninstall it afterwards if you don't want to keep it.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Re: what the hell is KB7218151.LOG? by Stefan

Stefan
Sat Feb 04 07:08:38 CST 2006

"Feng Li" <fengli@gmail.com> wrote:

> Hi guys,
>
> I found that every process running in my WinXP system contains a
> strange module with the name "KB7218151.LOG". The file is located
> under the "c:\windows" folder,

Why do you work with administrative privileges all the time?
Create an unprivileged account for your everyday work, and malware running
under your account won't infect the machine.

> instead of being a plain text file as the
> name suggests, it's actually an executable module (it starts with the "MZ"
> header). After some further investigation, I found that it is loaded
> by the following registry entry.
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
> "AppInit_DLLs"="KB7218151.LOG"

Same as above: only Administrators have write access to HKLM!

> That's why every process in the system is injected with this DLL
> module.
>
> I don't think it's a patch released by MS, as MS wouldn't use this kind
> of misleading filename to hide their actual intention. I have searched
> through the internet but cannot find anything about this
> "KB7218151.LOG".
>
> Is there any guru here who knows what it is? I will mail the "KB7218151.LOG"
> file to you if you need to examine it.

Your machine is infected by a trojan which most probably has loaded
other malware.
You can't trust your system any more; any "tools" run from this system
might give tampered results.
Go ahead and reinstall your system from scratch, with the current service
pack and all security hotfixes, BEFORE going online. Then set up an
unprivileged account for your daily work. Consider using software
restriction policies to allow execution only from %SystemRoot%\ and
below and %ProgramFiles%\ and below, or at least disable execution from
%UserProfile%\ and below, %HomeDrive%%HomePath%\ and below, %TEMP%\ and
below, and ?:\RECYCLE?\ and below.

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>
| "Cleaning a Compromised System ...
| 2) You can't clean a compromised system by removing the back doors. You
| can never guarantee that you found all the back doors the attacker put
| in.
| 4) You can't clean a compromised system by using a virus scanner....
...
| The only way to clean a compromised system is to flatten and rebuild.
| That's right.

Stefan