Topic: My gmer and hijackthis log files can someone take a look

ViralCode
My gmer and hijackthis log files can someone take a look
« on: April 26, 2010, 09:23:00 AM »
Here are my gmer and hijackthis log files; can someone take a look and tell me if they contain any suspicious or malicious entries? Thanks.

Pondus
Re: My gmer and hijackthis log files can someone take a look
« Reply #1 on: April 26, 2010, 10:05:13 AM »
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #2 on: April 26, 2010, 11:59:22 AM »
Quote
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0

Thanks for the information. Here are the otl and mbam logs.


DavidR
Re: My gmer and hijackthis log files can someone take a look
« Reply #3 on: April 26, 2010, 02:41:18 PM »
Generally it is customary to actually say what is wrong (symptoms) that you feel the need to post the logs.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #4 on: April 26, 2010, 05:36:59 PM »
Quote
Generally it is customary to actually say what is wrong (symptoms) that you feel the need to post the logs.

I don't know much about computers, but some entries in the gmer log seem strange. Also, sometimes programs open by themselves on my system, for example notepad. Also I have a process called system that is listening on tcp and udp port 445 on my computer, and sometimes some process called unknown makes some connections from my computer. Also, when I was still using antivir it found some hidden registry keys on my computer, and those are also mentioned in the gmer log file. Mbam scan and Avast scan don't find any viruses on my computer. Anyway, if someone can tell me whether the logs contain something that is not normal, then let me know. Thanks.  ;D

DavidR
Re: My gmer and hijackthis log files can someone take a look
« Reply #5 on: April 26, 2010, 05:40:50 PM »
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on tcp/udp port 445 ?

http://www.grc.com/port_445.htm

ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #6 on: April 26, 2010, 05:44:11 PM »
Quote
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on tcp/udp port 445 ?

http://www.grc.com/port_445.htm

It's a tool called cports from nirsoft.

==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Port       :
Remote Port Name  :
Remote Address    : 0.0.0.0
Remote Host Name  :
State             : Listening
Process Path      :
Product Name      :
File Description  :
File Version      :
Company           :
Process Created On: N/A
User Name         :
Process Services  :
Process Attributes:
Added On          : 4/26/2010 10:32:17
Module Filename   :
Remote IP Country :
Window Title      :
==================================================

 ::)
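The record above is what cports prints for the built-in Windows SMB server: the kernel-side "System" process (PID 4) owns port 445 (microsoft-ds), bound on 0.0.0.0, i.e. on every interface. That is the normal picture; what matters for safety is whether the port is reachable from the internet, which is a firewall question (the grc.com link DavidR posted covers exactly that). The script below is an added example, not part of cports or of this thread: it parses a cports text report in the layout shown above and checks each listening socket against a baseline of expected Windows listeners. The baseline table and the second, made-up record are assumptions for illustration.

```python
"""Triage a NirSoft CurrPorts (cports) text report against a baseline of
expected Windows listeners.  Added example for this thread, not part of
cports; the baseline table below is an assumption built from well-known
Windows services and should be adjusted to the machine being examined."""
import re

# Constructed sample in the layout cports pastes: the System/445 record from
# the thread plus a made-up second listener for contrast.
SAMPLE_REPORT = """\
==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Address    : 0.0.0.0
State             : Listening
Process Path      :
==================================================
Process Name      : unknown
Process ID        : 1337
Protocol          : TCP
Local Port        : 6667
Local Port Name   :
Local Address     : 0.0.0.0
Remote Address    : 0.0.0.0
State             : Listening
Process Path      :
==================================================
"""

# Assumed baseline: (protocol, port) -> process names that normally own it.
# PID 4 "System" hosts the kernel-mode SMB server, so System listening on
# 445 (microsoft-ds) and 139 (netbios-ssn) is the normal Windows picture.
EXPECTED_LISTENERS = {
    ("TCP", 445): {"System"},
    ("UDP", 445): {"System"},
    ("TCP", 139): {"System"},
    ("TCP", 135): {"svchost.exe"},   # RPC endpoint mapper
}

def parse_cports(text):
    """Split the '=====' delimited report into one dict per record."""
    records = []
    for chunk in re.split(r"^=+$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def triage_listeners(records):
    """Classify every Listening socket: 'expected', 'unexpected owner' (a
    baseline port held by a different process) or 'review' (unknown port).
    Returns (verdict, process name, (protocol, port), wildcard-bound?)."""
    results = []
    for rec in records:
        if rec.get("State") != "Listening":
            continue
        key = (rec.get("Protocol"), int(rec.get("Local Port", "0")))
        owner = rec.get("Process Name", "")
        if owner in EXPECTED_LISTENERS.get(key, set()):
            verdict = "expected"
        elif key in EXPECTED_LISTENERS:
            verdict = "unexpected owner"
        else:
            verdict = "review"
        # 0.0.0.0 means the port is bound on every interface, so whether it is
        # reachable from the internet depends on the firewall, not the program.
        wildcard = rec.get("Local Address") == "0.0.0.0"
        results.append((verdict, owner, key, wildcard))
    return results

if __name__ == "__main__":
    for row in triage_listeners(parse_cports(SAMPLE_REPORT)):
        print(row)
```

Paste a real cports text export into `SAMPLE_REPORT` (or read it from a file) and extend `EXPECTED_LISTENERS` with the ports the machine's own software legitimately opens; anything left as "review" or "unexpected owner" is what to look into first.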

polonus
Re: My gmer and hijackthis log files can someone take a look
« Reply #7 on: April 26, 2010, 05:56:37 PM »
@viralcode

These are some issues in the hjt log to check at virustotal to see if they are safe:

C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
Check if it isn't spyware or a crack...

O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
Very safe. Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites, should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed!

O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
Do you know the IP or Domain '62.241.198.245 62.241.198.246'? If not, fix this entry.

Fix: O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
Unknown service. (03022BA6.exe)

You apparently have this malware then: http://www.virustotal.com/analisis/61c4b83ca42cd72e90ac46557547994c1aa4a49412e7b1190c610d1837ef8819-1264239608


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
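polonus's post applies the usual HijackThis triage rules by hand: hash-check O4 autostarts, fix O16 ActiveX objects from unknown sites, fix O17 name servers the owner does not recognise, and fix O23 services with an unknown owner and a missing file. The following script, an added example that is neither the thread's nor HijackThis' own code, turns those rules into a small rule-based checker over the four lines he quoted. The allow-lists (`KNOWN_DNS`, `KNOWN_DPF_HOSTS`), the "random hex service name" heuristic and the directory list are assumptions that a helper would fill in for the machine being examined.

```python
"""Rule-based triage of HijackThis (HJT) O-lines.  Added example, not the
thread's or HijackThis' own code; the allow-lists are assumptions."""
import re

# Constructed sample: the four entries called out in the thread, in HJT's own
# line format (the O16 URL is kept de-fanged as 'hxtp' as in the thread).
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
"""

# Assumed allow-lists: replace with what the machine's owner recognises.
KNOWN_DNS = {"62.241.198.245", "62.241.198.246"}   # e.g. the ISP's resolvers
KNOWN_DPF_HOSTS = {"cainternetsecurity.net"}
SUSPICIOUS_WORDS = ("dialer", "casino", "free plugin")
STANDARD_DIRS = ("c:\\program files", "c:\\windows")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_HOST_RE = re.compile(r"h[a-z]{2}ps?://([^/\s]+)", re.I)   # accepts de-fanged hxtp://

def triage_hjt(text, known_dns=KNOWN_DNS, known_dpf_hosts=KNOWN_DPF_HOSTS):
    """Return (section, verdict, detail) for every O4/O16/O17/O23 line."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            # Autostart: always worth a hash check; outside the usual program
            # directories it is worth a closer look before that.
            q = re.search(r'"([^"]+)"', body)
            path = q.group(1) if q else body.split("] ", 1)[-1]
            in_std = path.lower().startswith(STANDARD_DIRS)
            findings.append((section, "hash-check" if in_std else "review", path))
        elif section == "O16":
            h = URL_HOST_RE.search(body)
            host = h.group(1).lower() if h else "?"
            bad_word = any(w in body.lower() for w in SUSPICIOUS_WORDS)
            verdict = "fix" if bad_word or host not in known_dpf_hosts else "known-site"
            findings.append((section, verdict, host))
        elif section == "O17":
            ips = IP_RE.findall(body)
            unknown = [ip for ip in ips if ip not in known_dns]
            findings.append((section, "fix" if unknown else "known-dns", " ".join(unknown or ips)))
        elif section == "O23":
            name = body.split(" - ")[0].partition(": ")[2]   # "Service: NAME - owner - path"
            reasons = []
            if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                reasons.append("random hex service name")
            if "unknown owner" in body.lower():
                reasons.append("unknown owner")
            if "(file missing)" in body.lower():
                reasons.append("file missing")
            findings.append((section, "fix" if reasons else "review",
                             f"{name}: {', '.join(reasons) or 'no rule hit'}"))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f)
```

With the default allow-lists the O4, O16 and O17 lines come back as things to verify or as recognised, and only the O23 line is marked "fix", matching the conclusion in the post; passing `known_dns=set()` shows how the O17 entry flips to "fix" when the owner does not recognise the resolvers.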

essexboy
Re: My gmer and hijackthis log files can someone take a look
« Reply #8 on: April 26, 2010, 06:44:55 PM »
There are a few oddballs there that look a bit iffy - GMER was mainly to do with sandbox

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\Documents and Settings\Administrator\Desktop\xo8oisbe.exe

:Services
03022BA6

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #9 on: April 27, 2010, 11:45:31 AM »
Here is the new log. Also, I noticed one thing: when I scanned with Avast I received a warning saying that the file windows/winstart.bat could not be scanned because it is offline. Today outpost firewall also popped up a message that system wants to contact the internet through esp.


essexboy
Re: My gmer and hijackthis log files can someone take a look
« Reply #10 on: April 27, 2010, 07:05:53 PM »
You do have a lot of security systems on your computer, so they may be obscuring something

Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #11 on: April 28, 2010, 06:41:18 AM »
Here is the combofix log.

essexboy
Re: My gmer and hijackthis log files can someone take a look
« Reply #12 on: April 28, 2010, 07:39:39 PM »
Quote
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/23/2010 8:10 AM 28552]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 11:15 PM 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/24/2010 12:56 AM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/9/2010 4:11 AM 95024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [3/21/2010 7:06 AM 1872320]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 1:10 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/24/2010 12:55 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/24/2010 12:56 AM 257432]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [6/23/2009 12:34 PM 27008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 AMoniterDriver;Antiy Labs Process creation detector.;\??\c:\program files\Antiy Labs\AModule\AMonitorDriver.sys --> c:\program files\Antiy Labs\AModule\AMonitorDriver.sys [?]
S3 Antiy-Product-Protect;Antiy-Product-Protect;\??\c:\program files\Antiy Labs\AModule\ProAntiy.sys --> c:\program files\Antiy Labs\AModule\ProAntiy.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\AntiyFW.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [1/20/2010 1:11 AM 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/7/2010 2:48 AM 27192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 uty3nde4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uty3nde4.sys --> c:\windows\system32\Drivers\uty3nde4.sys [?]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
All of these drivers are security related - it is a wonder that your system runs at all

What problems are you having?
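The listing essexboy quoted is the ComboFix service/driver section, and his point (a pile of security drivers, several registered but with their file gone) is something a script can surface automatically. The example below is added here and is not ComboFix's own code. It assumes the following reading of the format, taken from the lines above: the leading letter is R(unning) or S(topped), the digit mirrors the Windows service start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and a trailing `--> path [?]` means ComboFix could not find the file on disk. The four sample lines are copied from the quoted listing; the flagging rules are the reviewer's own choice.

```python
"""Flag risky entries in the driver/service listing that ComboFix prints.
Added example, not ComboFix's own code; the format reading below is an
assumption taken from the lines quoted in the thread."""
import re

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
STATES = {"R": "running", "S": "stopped"}

# Constructed sample: four lines copied from the quoted ComboFix listing.
SAMPLE_LISTING = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
"""

# <state><start> <name>;<display name>;<path> [<date> <size>]  or  ... [?]
ENTRY_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+) \[([^\]]*)\]$")

def parse_listing(text):
    """Return one dict per service line: name, state, start, path, missing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, info = m.groups()
        if " --> " in path:            # ComboFix repeats the path it failed to find
            path = path.split(" --> ")[-1]
        if path.startswith("\\??\\"):  # NT object-manager prefix on kernel paths
            path = path[4:]
        entries.append({
            "name": name,
            "display": display,
            "state": STATES[state],
            "start": START_TYPES.get(start, start),
            "path": path,
            "missing": info == "?",
        })
    return entries

def triage_listing(entries):
    """Return (name, [reasons]) for entries worth a second look: a registration
    whose file is gone (left over from an uninstalled tool, or the remains of
    something removed) or one that loads from a user-writable location."""
    flagged = []
    for e in entries:
        low = e["path"].lower()
        reasons = []
        if e["missing"]:
            reasons.append("file missing")
        if "\\temp\\" in low:
            reasons.append("temp directory")
        if "\\desktop\\" in low:
            reasons.append("user desktop")
        if low.endswith(".tmp"):
            reasons.append(".tmp extension")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in triage_listing(parse_listing(SAMPLE_LISTING)):
        print(name, "->", ", ".join(reasons))
```

On the sample, the avast driver passes and the three stopped entries are flagged: each is registered but missing on disk, and each points at a desktop, temp or `.tmp` location, which is exactly the sort of leftover the later replies suggest cleaning up with the vendors' uninstall tools.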

ViralCode
Re: My gmer and hijackthis log files can someone take a look
« Reply #13 on: May 11, 2010, 11:27:32 AM »
I haven't been having many problems lately. I have used many antiviruses on my system, but I have always uninstalled them after using them; maybe they have not uninstalled totally. Anyway, I don't know if the three files that combofix quarantined are malicious or not. I have scanned them at virustotal but the files are not detected as malicious.

essexboy
Re: My gmer and hijackthis log files can someone take a look
« Reply #14 on: May 11, 2010, 06:41:38 PM »
I feel that they are either-or files; CF tries to determine what the files are linked to and whether or not the location is correct.  It might be worth using the uninstall tools to ensure that all the low-level drivers for old AVs are gone

 
