Avast WEBforum

Other => Viruses and worms => Topic started by: ViralCode on April 26, 2010, 11:23:00 AM

Title: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 26, 2010, 11:23:00 AM
Here are my gmer and hijackthis log files; can someone take a look and tell me if they contain any suspicious or malicious entries? Thanks.
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: Pondus on April 26, 2010, 12:05:13 PM
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 26, 2010, 01:59:22 PM
Quote
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0

Thanks for the information. Here are the otl and mbam logs.

Title: Re: My gmer and hijackthis log files can someone take a look
Post by: DavidR on April 26, 2010, 04:41:18 PM
Generally it is customary to actually say what is wrong (the symptoms) that makes you feel the need to post the logs.
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 26, 2010, 07:36:59 PM
Quote
Generally it is customary to actually say what is wrong (the symptoms) that makes you feel the need to post the logs.

I don't know much about computers, but some entries in the gmer log seem strange. Also, sometimes programs open by themselves on my system, for example notepad. Also, I have a process called System that is listening on TCP and UDP port 445 on my computer, and sometimes some process called Unknown makes some connections from my computer. Also, when I was still using Antivir, it found some hidden registry keys on my computer, and those are also mentioned in the gmer log file. The Mbam scan and Avast scan don't find any viruses on my computer. Anyway, if someone can tell me whether the logs contain something that is not normal, then let me know. Thanks.  ;D
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: DavidR on April 26, 2010, 07:40:50 PM
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on tcp/udp port 445 ?

http://www.grc.com/port_445.htm (http://www.grc.com/port_445.htm)
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 26, 2010, 07:44:11 PM
Quote
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on tcp/udp port 445 ?

http://www.grc.com/port_445.htm (http://www.grc.com/port_445.htm)

It's a tool called cports from nirsoft.

==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Port       :
Remote Port Name  :
Remote Address    : 0.0.0.0
Remote Host Name  :
State             : Listening
Process Path      :
Product Name      :
File Description  :
File Version      :
Company           :
Process Created On: N/A
User Name         :
Process Services  :
Process Attributes:
Added On          : 4/26/2010 10:32:17
Module Filename   :
Remote IP Country :
Window Title      :
==================================================

 ::)
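The record above is in the "text file" export format of NirSoft CurrPorts (cports): one block of "Key : Value" lines per socket, separated by lines of "=". The following is an added example, not code from this thread or from NirSoft, that parses that format and compares each listening socket against a baseline of what a stock Windows XP box opens on its own. The baseline itself is an assumption chosen for the example; it treats PID 4 (the kernel "System" process) on port 445 as expected, because that is where Windows hosts SMB over TCP (microsoft-ds), which is what the GRC page linked above describes. The sample export embeds the posted record plus two constructed records.

```python
"""Triage a CurrPorts (cports) text export such as the record posted above.

Added example; it is not code from the thread or from NirSoft. Each record in
the export is a run of 'Key : Value' lines between lines of '='. Listening
sockets are compared against a small baseline of what a stock Windows XP box
exposes by itself; the baseline is an assumption chosen for this example."""
import re

# Standard Windows XP listeners. PID 4 is the kernel 'System' process, which is
# where SMB direct hosting (microsoft-ds, port 445) and NetBIOS live.
BASELINE = {
    ("TCP", 445): ("System", 4),          # microsoft-ds (SMB over TCP)
    ("UDP", 445): ("System", 4),
    ("TCP", 139): ("System", 4),          # netbios-ssn
    ("UDP", 137): ("System", 4),          # netbios-ns
    ("UDP", 138): ("System", 4),          # netbios-dgm
    ("TCP", 135): ("svchost.exe", None),  # RPC endpoint mapper, any svchost PID
}

# Constructed sample: the System/445 record from the post plus two made-up
# records (an svchost.exe listener and a listener with no image path).
SAMPLE = r"""
==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Port       :
Remote Port Name  :
Remote Address    : 0.0.0.0
Remote Host Name  :
State             : Listening
Process Path      :
Process Created On: N/A
Added On          : 4/26/2010 10:32:17
==================================================
Process Name      : svchost.exe
Process ID        : 948
Protocol          : TCP
Local Port        : 135
Local Port Name   : epmap
Local Address     : 0.0.0.0
Remote Address    : 0.0.0.0
State             : Listening
Process Path      : C:\WINDOWS\system32\svchost.exe
==================================================
Process Name      : Unknown
Process ID        : 1652
Protocol          : TCP
Local Port        : 1037
Local Port Name   :
Local Address     : 0.0.0.0
Remote Address    : 0.0.0.0
State             : Listening
Process Path      :
==================================================
"""

def parse_cports(text):
    """Split a cports text export into one dict per record."""
    records = []
    for chunk in re.split(r"^=+[ \t]*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec.get("Process Name"):
            records.append(rec)
    return records

def triage(records):
    """Classify each listening socket as baseline, suspicious, or review."""
    out = []
    for r in records:
        if r.get("State") != "Listening":
            continue
        proto, port = r["Protocol"], int(r["Local Port"])
        pid = int(r["Process ID"]) if r.get("Process ID", "").isdigit() else None
        expected = BASELINE.get((proto, port))
        if expected and r["Process Name"] == expected[0] and expected[1] in (None, pid):
            out.append((f"{proto}/{port}", "baseline", "standard Windows listener"))
        elif not r.get("Process Path") and pid != 4:
            # An empty path means cports could not resolve an image for the
            # owner; for anything but the kernel that deserves a second look.
            out.append((f"{proto}/{port}", "suspicious",
                        f"{r['Process Name']} pid {pid}: no image path"))
        else:
            out.append((f"{proto}/{port}", "review", f"{r['Process Name']} pid {pid}"))
    return out

if __name__ == "__main__":
    for endpoint, verdict, why in triage(parse_cports(SAMPLE)):
        print(f"{endpoint:10} {verdict:10} {why}")
```

Run against a real export, the "review" rows are the ones to map back to an installed product by hand; "suspicious" rows (a listener whose owning process has no resolvable image and is not the kernel) are where to start.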
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: polonus on April 26, 2010, 07:56:37 PM
@viralcode

These are some issues in the HJT log to check at VirusTotal to see if they are safe:

C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
Check if it isn't spyware or a crack...
   
    O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab  Very safe
    Check if you know this site and fix it if you do not. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed!
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246   Do you know the IP or Domain '62.241.198.245 62.241.198.246'? If not, fix this entry.

Fix    O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
   Unknown service. (03022BA6.exe)

You apparently have this malware then: http://www.virustotal.com/analisis/61c4b83ca42cd72e90ac46557547994c1aa4a49412e7b1190c610d1837ef8819-1264239608


polonus
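The four entries above were triaged by hand with a handful of rules: an O23 service whose file is missing or whose owner is unknown gets fixed; an O17 NameServer you do not recognise gets fixed; an O16 ActiveX object from an unknown site, or one whose name or URL contains words like 'dialer' or 'casino', gets fixed; an O4 autorun gets hashed and checked at VirusTotal. The following is an added example, not from the thread and not HijackThis code, that applies those same rules to HijackThis log lines. The keyword list follows the post; the (empty) list of known name servers and the SHA-256 helper are assumptions made for the example. The sample log embeds the four lines quoted above.

```python
"""Rule-based triage of HijackThis 'O' lines, as the reviewer above did by hand.

Added example, not part of the thread and not HijackThis code. The keyword list
is the one the post gives; KNOWN_NAMESERVERS is an assumed allow-list (left
empty so every O17 entry is surfaced for the "do you know this IP?" check)."""
import hashlib
import os
import re

BAD_O16_WORDS = ("dialer", "casino", "free plugin")
KNOWN_NAMESERVERS = set()   # resolvers the analyst recognises (assumed, empty)

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?(?P<args>.*)$', re.I)
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)", re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# The four lines from the post, joined where the forum wrapped the O17 entry.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
"""

def sha256_of(path):
    """Hash a file for a VirusTotal lookup; None when it is not on this machine."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage_line(line):
    """Return (section, verdict, detail), or None for lines the rules ignore."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        reasons = []
        if m["missing"]:
            reasons.append("file missing")
        if m["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if re.fullmatch(r"[0-9A-F]{8}", m["name"], re.I):
            reasons.append("random-looking service name")
        return ("O23", "fix" if reasons else "ok",
                f"{m['name']}: {', '.join(reasons) or m['path']}")
    m = O17_RE.match(line)
    if m:
        servers = m["servers"].replace(",", " ").split()
        unknown = [s for s in servers if s not in KNOWN_NAMESERVERS]
        return ("O17", "review" if unknown else "ok", "NameServer " + " ".join(servers))
    m = O16_RE.match(line)
    if m:
        text = (m["name"] + " " + m["url"]).lower()
        if any(w in text for w in BAD_O16_WORDS):
            return ("O16", "fix", f"{m['name']} from {m['url']}")
        return ("O16", "review", f"ActiveX {m['name']} from {m['url']}: known site?")
    m = O4_RE.match(line)
    if m:
        digest = sha256_of(m["path"])
        return ("O4", "review", f"{m['path']} sha256={digest or 'file not present here'}")
    return None

def triage_log(text):
    """Triage every recognised line of a HijackThis log."""
    results = (triage_line(l) for l in text.splitlines())
    return [r for r in results if r]

if __name__ == "__main__":
    for section, verdict, detail in triage_log(SAMPLE_LOG):
        print(f"{section:4} {verdict:7} {detail}")
```

The O4 rule only produces a hash to look up; it never decides on its own, which matches the advice above to check the file at VirusTotal rather than guess from the name. The O23 rule is the one that fires hardest on this log: a missing file, an unknown owner and an eight-hex-digit service name all point the same way.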
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: essexboy on April 26, 2010, 08:44:55 PM
There are a few oddballs there that look a bit iffy - GMER was mainly to do with sandbox

Run OTL
Code:
:Files
C:\Documents and Settings\Administrator\Desktop\xo8oisbe.exe

:Services
03022BA6

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 27, 2010, 01:45:31 PM
Here is the new log. Also, I noticed one thing: when I scanned with Avast, I received a warning saying that the file windows/winstart.bat could not be scanned because it is offline. Today Outpost firewall also popped up a message that System wants to contact the internet through ESP.

Title: Re: My gmer and hijackthis log files can someone take a look
Post by: essexboy on April 27, 2010, 09:05:53 PM
You do have a lot of security systems on your computer, so they may be obscuring something

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on April 28, 2010, 08:41:18 AM
Here is the combofix log.
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: essexboy on April 28, 2010, 09:39:39 PM
Quote
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/23/2010 8:10 AM 28552]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 11:15 PM 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/24/2010 12:56 AM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/9/2010 4:11 AM 95024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [3/21/2010 7:06 AM 1872320]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 1:10 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/24/2010 12:55 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/24/2010 12:56 AM 257432]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [6/23/2009 12:34 PM 27008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 AMoniterDriver;Antiy Labs Process creation detector.;\??\c:\program files\Antiy Labs\AModule\AMonitorDriver.sys --> c:\program files\Antiy Labs\AModule\AMonitorDriver.sys [?]
S3 Antiy-Product-Protect;Antiy-Product-Protect;\??\c:\program files\Antiy Labs\AModule\ProAntiy.sys --> c:\program files\Antiy Labs\AModule\ProAntiy.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\AntiyFW.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [1/20/2010 1:11 AM 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/7/2010 2:48 AM 27192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 uty3nde4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uty3nde4.sys --> c:\windows\system32\Drivers\uty3nde4.sys [?]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
All of these drivers are security-related; it is a wonder that your system runs at all.

What problems are you having?
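The service block quoted above has a regular shape: a prefix letter and digit, then "name;display name;image path", followed either by the image's date and size in brackets or, where ComboFix could not read the image, by "--> path [?]". The following is an added example, not ComboFix code and not from the thread, that parses that block and flags the kind of leftovers the reply points at: registrations whose image is gone, drivers loaded from user-writable places, and early-start drivers outside system32\drivers. The reading of the prefix (R running, S stopped, digit = Windows start type 0 boot, 1 system, 2 auto, 3 manual, 4 disabled) and of "[?]" as an unreadable image is my understanding of the format, and the heuristics are assumptions; the sample input is the block from the post.

```python
"""Parse the service/driver section of a ComboFix log and flag leftovers.

Added example; it is not ComboFix code and not from the thread. The prefix is
read as R = running, S = stopped, digit = Windows start type (0 boot, 1 system,
2 auto, 3 manual, 4 disabled), and 'path --> path [?]' as ComboFix failing to
read the image's date and size, which normally means the file is gone. That
reading of the format, and the heuristics below, are assumptions."""
import re

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
INFO_RE = re.compile(r"^(?P<path>.+) \[(?P<stamp>.+) (?P<size>\d+)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

# The service block from the post above, used as the sample input.
SAMPLE = r"""
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/23/2010 8:10 AM 28552]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 11:15 PM 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/24/2010 12:56 AM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/9/2010 4:11 AM 95024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [3/21/2010 7:06 AM 1872320]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 1:10 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/24/2010 12:55 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/24/2010 12:56 AM 257432]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [6/23/2009 12:34 PM 27008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 AMoniterDriver;Antiy Labs Process creation detector.;\??\c:\program files\Antiy Labs\AModule\AMonitorDriver.sys --> c:\program files\Antiy Labs\AModule\AMonitorDriver.sys [?]
S3 Antiy-Product-Protect;Antiy-Product-Protect;\??\c:\program files\Antiy Labs\AModule\ProAntiy.sys --> c:\program files\Antiy Labs\AModule\ProAntiy.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\AntiyFW.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [1/20/2010 1:11 AM 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/7/2010 2:48 AM 27192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 uty3nde4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uty3nde4.sys --> c:\windows\system32\Drivers\uty3nde4.sys [?]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
"""

def parse_service_line(line):
    """Return a dict for one 'Rn name;display;path [...]' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"state": "running" if m["state"] == "R" else "stopped",
           "start": START_TYPES[m["start"]], "name": m["name"], "display": m["display"]}
    rest = m["rest"]
    if " --> " in rest:                      # no date/size: image not readable
        path, rec["file_info"] = rest.split(" --> ")[0], None
    else:
        im = INFO_RE.match(rest)
        path, rec["file_info"] = im["path"], (im["stamp"], int(im["size"]))
    path = path.lower()
    rec["path"] = path[4:] if path.startswith("\\??\\") else path   # strip NT prefix
    return rec

def flags_for(rec):
    """Heuristics for a driver/service that deserves a closer look."""
    reasons = []
    if rec["file_info"] is None:
        reasons.append("orphaned registration: image missing or unreadable")
    if any(seg in rec["path"] for seg in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if (rec["path"].endswith(".sys") and rec["start"] in ("boot", "system")
            and "\\system32\\drivers\\" not in rec["path"]):
        reasons.append("early-start driver outside system32\\drivers")
    return reasons

def triage_services(log_text):
    """(name, state, start type, flags) for every service line in the text."""
    recs = [r for r in map(parse_service_line, log_text.splitlines()) if r]
    return [(r["name"], r["state"], r["start"], flags_for(r)) for r in recs]

if __name__ == "__main__":
    for name, state, start, flags in triage_services(SAMPLE):
        print(f"{name:24} {state:8} {start:9} {'; '.join(flags)}")
```

On this block the orphaned-registration rule lists exactly the "[?]" entries, which is the set of old-tool leftovers the reply suggests removing with each vendor's uninstall tool; the user-writable rule additionally singles out the driver registered from a Desktop folder and the service registered from Temp, which are worth understanding even if the files are already gone.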
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: ViralCode on May 11, 2010, 01:27:32 PM
I haven't been having many problems lately. I have used many antiviruses on my system, but I have always uninstalled them after using them; maybe they have not uninstalled totally. Anyway, I don't know if the three files that ComboFix quarantined are malicious or not. I have scanned them at VirusTotal, but the files are not detected as malicious.
Title: Re: My gmer and hijackthis log files can someone take a look
Post by: essexboy on May 11, 2010, 08:41:38 PM
I feel that they are either/or files; CF tries to determine what the files are linked to and whether or not the location is correct. It might be worth using the uninstall tools to ensure that all the low-level drivers for old AVs are gone.