Author Topic: My gmer and hijackthis log files can someone take a look

ViralCode

  • Guest
My gmer and hijackthis log files can someone take a look
« on: April 26, 2010, 11:23:00 AM »
Here are my GMER and HijackThis log files. Can someone take a look and tell me if they contain any suspicious or malicious entries? Thanks.

Offline Pondus

  • Probably Bot
  • Posts: 37506
  • Not a avast user
Re: My gmer and hijackthis log files can someone take a look
« Reply #1 on: April 26, 2010, 12:05:13 PM »
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum.
http://forum.avast.com/index.php?topic=53253.0

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #2 on: April 26, 2010, 01:59:22 PM »
Quote
You may also post the logs from Essexboy's guide; he will have a look when he enters the forum.
http://forum.avast.com/index.php?topic=53253.0

Thanks for the information. Here are the OTL and MBAM logs.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88897
  • No support PMs thanks
Re: My gmer and hijackthis log files can someone take a look
« Reply #3 on: April 26, 2010, 04:41:18 PM »
Generally it is customary to actually say what is wrong (the symptoms) that makes you feel the need to post the logs.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #4 on: April 26, 2010, 07:36:59 PM »
Quote
Generally it is customary to actually say what is wrong (the symptoms) that makes you feel the need to post the logs.

I don't know much about computers, but some entries in the GMER log seem strange. Also, sometimes programs open by themselves on my system, for example Notepad. Also I have a process called System that is listening on TCP and UDP port 445 on my computer, and sometimes some process called Unknown makes some connections from my computer. Also, when I was still using AntiVir it found some hidden registry keys on my computer, and those are also mentioned in the GMER log file. The MBAM scan and Avast scan don't find any viruses on my computer. Anyway, if someone can tell me if the logs contain something that is not normal, then let me know. Thanks.  ;D

Online DavidR

Re: My gmer and hijackthis log files can someone take a look
« Reply #5 on: April 26, 2010, 07:40:50 PM »
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on TCP/UDP port 445?

http://www.grc.com/port_445.htm

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #6 on: April 26, 2010, 07:44:11 PM »
Quote
Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on TCP/UDP port 445?

http://www.grc.com/port_445.htm

It's a tool called cports from NirSoft.

==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Port       :
Remote Port Name  :
Remote Address    : 0.0.0.0
Remote Host Name  :
State             : Listening
Process Path      :
Product Name      :
File Description  :
File Version      :
Company           :
Process Created On: N/A
User Name         :
Process Services  :
Process Attributes:
Added On          : 4/26/2010 10:32:17
Module Filename   :
Remote IP Country :
Window Title      :
==================================================

 ::)
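
Added worked example (not part of any post in this thread): a small Python script that parses a CurrPorts (cports) text export like the record above and applies a constructed triage rule to listening sockets. The first record is the one quoted above; the second record (example.exe on port 8080) and the rule itself are invented for illustration.

```python
"""Parse a CurrPorts (cports) text export and triage listening sockets."""
from __future__ import annotations
import re

# Constructed sample: the record quoted above, plus a second, invented record
# (example.exe on port 8080) to show the "no image path" case. Real exports
# carry the full field list for every record.
CPORTS_EXPORT = """\
==================================================
Process Name      : System
Process ID        : 4
Protocol          : TCP
Local Port        : 445
Local Port Name   : microsoft-ds
Local Address     : 0.0.0.0
Remote Port       :
Remote Port Name  :
Remote Address    : 0.0.0.0
Remote Host Name  :
State             : Listening
Process Path      :
Product Name      :
File Description  :
File Version      :
Company           :
Process Created On: N/A
User Name         :
Process Services  :
Process Attributes:
Added On          : 4/26/2010 10:32:17
Module Filename   :
Remote IP Country :
Window Title      :
==================================================
Process Name      : example.exe
Process ID        : 1234
Protocol          : TCP
Local Port        : 8080
Local Address     : 0.0.0.0
State             : Listening
Process Path      :
==================================================
"""

SEPARATOR = re.compile(r"^=+$", re.MULTILINE)


def parse_cports(text: str) -> list[dict[str, str]]:
    """Split the export into records; each record is a dict of 'Field: value'."""
    records = []
    for chunk in SEPARATOR.split(text):
        rec = {}
        for line in chunk.splitlines():
            # Split at the first colon only: values such as timestamps contain ':'
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def triage(rec: dict[str, str]) -> str:
    """A constructed triage rule for listeners, written from the defender's side."""
    if rec.get("State") != "Listening":
        return "not-listening"
    pid, port = rec.get("Process ID"), rec.get("Local Port")
    if pid == "4" and port in {"445", "139"}:
        # PID 4 is the Windows kernel ("System"). TCP 445/139 there is the built-in
        # SMB/CIFS file-sharing listener (Server service), present on a stock XP install.
        return "expected: Windows SMB server (PID 4)"
    if not rec.get("Process Path"):
        # A user-mode listener whose image cannot be located deserves a closer look.
        return "investigate: listener with no image path"
    return "review: listener"


if __name__ == "__main__":
    for rec in parse_cports(CPORTS_EXPORT):
        print(rec.get("Process Name"), rec.get("Local Port"), "->", triage(rec))
```

The point for the thread: a PID 4 listener on 445 is the operating system's own file-sharing service, so the entry itself is not evidence of infection; what matters is whether the port is reachable from untrusted networks, which the GRC page linked above discusses and which the firewall should prevent.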

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: My gmer and hijackthis log files can someone take a look
« Reply #7 on: April 26, 2010, 07:56:37 PM »
@viralcode

These are some issues in the HJT log to check at VirusTotal to see if they are safe:

C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
Check if it isn't spyware or a crack...

O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
Very safe. Check if you know this site and fix it if you do not. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed!

O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
Do you know the IP or domain '62.241.198.245 62.241.198.246'? If not, fix this entry.

Fix: O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
Unknown service. (03022BA6.exe)

You apparently have this malware then: http://www.virustotal.com/analisis/61c4b83ca42cd72e90ac46557547994c1aa4a49412e7b1190c610d1837ef8819-1264239608


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
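
Added worked example (not part of polonus's post or of HijackThis itself): a Python classifier that parses the four kinds of HJT line quoted above (O4, O16, O17, O23) and applies the checks from the reply: hash-check the O4 executable, verify the O16 site and look for the listed keywords, verify the O17 nameservers, and fix an O23 service whose file is missing or whose owner is unknown. The "random-looking hex name" heuristic for O23 is an addition of mine, not one of the checks in the post.

```python
"""Classify HijackThis (HJT) log lines using the checks applied in the thread."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed sample: the four entries quoted above (the URL stays defanged as on the page).
HJT_LINES = r"""
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
""".strip().splitlines()

RE_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
RE_O17 = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
RE_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Keywords named in the reply for ActiveX objects that should always be fixed.
SUSPICIOUS_WORDS = ("dialer", "casino", "free plugin")


def image_path(cmd: str) -> str:
    """Return the executable from an O4 command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def assess(line: str) -> dict:
    """Return a finding: which HJT section, the verdict, and the detail to act on."""
    if m := RE_O4.match(line):
        # O4 autostart: the executable is what you hash and look up at VirusTotal.
        return {"kind": "O4", "verdict": "check-hash", "detail": image_path(m["cmd"])}
    if m := RE_O16.match(line):
        # O16 downloaded ActiveX control: verify the site; keyword hits mean fix.
        host = urlparse(m["url"]).hostname or ""
        text = f"{m['name']} {m['url']}".lower()
        verdict = "fix" if any(w in text for w in SUSPICIOUS_WORDS) else "verify-site"
        return {"kind": "O16", "verdict": verdict, "detail": host}
    if m := RE_O17.match(line):
        # O17 DNS servers for an interface: fix if you do not recognise them.
        return {"kind": "O17", "verdict": "verify-nameserver", "detail": m["servers"].split()}
    if m := RE_O23.match(line):
        # O23 service: missing file or unknown owner means fix. The 8-hex-char name
        # test is a constructed heuristic for auto-generated service names.
        missing = m["missing"] is not None
        random_name = re.fullmatch(r"[0-9A-F]{8}", m["name"]) is not None
        verdict = "fix" if (missing or m["owner"] == "Unknown owner" or random_name) else "review"
        detail = {"service": m["name"], "path": m["path"], "file_missing": missing}
        return {"kind": "O23", "verdict": verdict, "detail": detail}
    return {"kind": "other", "verdict": "skip", "detail": line}


def assess_all(lines: list[str]) -> list[dict]:
    return [assess(line) for line in lines]


if __name__ == "__main__":
    for finding in assess_all(HJT_LINES):
        print(finding["kind"], finding["verdict"], finding["detail"])
```

The verdicts are the ones the reply gives for each line; the script only makes the parsing explicit so that the same checks can be run over a whole log rather than by eye.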

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My gmer and hijackthis log files can someone take a look
« Reply #8 on: April 26, 2010, 08:44:55 PM »
There are a few oddballs there that look a bit iffy; GMER was mainly to do with the sandbox.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\Documents and Settings\Administrator\Desktop\xo8oisbe.exe

:Services
03022BA6

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #9 on: April 27, 2010, 01:45:31 PM »
Here is the new log. Also I noticed one thing: when I scanned with Avast I received a warning saying that the file windows/winstart.bat could not be scanned because it is offline. Today Outpost Firewall also popped up a message that System wants to contact the internet through ESP.


Offline essexboy

Re: My gmer and hijackthis log files can someone take a look
« Reply #10 on: April 27, 2010, 09:05:53 PM »
You do have a lot of security systems on your computer, so they may be obscuring something.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #11 on: April 28, 2010, 08:41:18 AM »
Here is the combofix log.

Offline essexboy

Re: My gmer and hijackthis log files can someone take a look
« Reply #12 on: April 28, 2010, 09:39:39 PM »
Quote
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/23/2010 8:10 AM 28552]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 11:15 PM 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/24/2010 12:56 AM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/9/2010 4:11 AM 95024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [3/21/2010 7:06 AM 1872320]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 1:10 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/24/2010 12:55 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/24/2010 12:56 AM 257432]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [6/23/2009 12:34 PM 27008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 AMoniterDriver;Antiy Labs Process creation detector.;\??\c:\program files\Antiy Labs\AModule\AMonitorDriver.sys --> c:\program files\Antiy Labs\AModule\AMonitorDriver.sys [?]
S3 Antiy-Product-Protect;Antiy-Product-Protect;\??\c:\program files\Antiy Labs\AModule\ProAntiy.sys --> c:\program files\Antiy Labs\AModule\ProAntiy.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\AntiyFW.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [1/20/2010 1:11 AM 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/7/2010 2:48 AM 27192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 uty3nde4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uty3nde4.sys --> c:\windows\system32\Drivers\uty3nde4.sys [?]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
All of these drivers are security related; it is a wonder that your system runs at all.

What problems are you having?
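
Added worked example (not part of essexboy's reply or of ComboFix): a Python parser for the driver/service lines quoted above. It reads the R/S prefix the conventional way (R = running, S = stopped, digit = start type), separates entries whose file metadata ComboFix could not read (the "[?]" ones) from those with a date and size, and flags images that live in user-writable locations or carry a temp-style name. The sample is a subset of the quoted lines; the flagging rules are my own and only mark entries to verify, not verdicts on the files.

```python
"""Parse ComboFix driver/service entries and flag the ones worth a second look."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines quoted in the reply above.
COMBOFIX_SERVICES = r"""
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
""".strip().splitlines()

# Conventional reading of the prefix: R = running, S = stopped; the digit is the start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
# Path fragments (lower-cased) that a kernel driver normally has no business living under.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\documents and settings\\", "\\docume~1\\")

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"^(?P<path>.*) \[(?P<stamp>.*) (?P<size>\d+)\]$")


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    size: int | None            # None when ComboFix printed [?] (file metadata not read)
    flags: list[str] = field(default_factory=list)


def parse_entry(line: str) -> ServiceEntry:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    rest, size = m["rest"], None
    if rest.endswith(" [?]"):
        # "\??\path --> path [?]": keep the last form, which is the resolved path.
        path = rest[:-4].split(" --> ")[-1]
    else:
        mm = META_RE.match(rest)
        if not mm:
            raise ValueError(f"unexpected path/metadata form: {rest!r}")
        path, size = mm["path"], int(mm["size"])
    if path.startswith("\\??\\"):        # strip the NT object-manager prefix
        path = path[4:]
    entry = ServiceEntry(m["state"] == "R", START_TYPES[m["start"]], m["name"], m["display"], path, size)
    low = path.lower()
    if size is None:
        entry.flags.append("unresolved image")
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("user-writable location")
    if re.search(r"\\\d+\.tmp$", low):
        entry.flags.append("temp-named image")
    return entry


def summarize(entries: list[ServiceEntry]) -> dict[str, int]:
    running = sum(e.running for e in entries)
    flagged = sum(bool(e.flags) for e in entries)
    return {"running": running, "stopped": len(entries) - running, "flagged": flagged}


if __name__ == "__main__":
    parsed = [parse_entry(line) for line in COMBOFIX_SERVICES]
    for e in parsed:
        print(f"{'R' if e.running else 'S'}/{e.start_type:<8} {e.name:<20} {e.path}  {e.flags}")
    print(summarize(parsed))
```

A flagged entry is a prompt to check the file (does it exist, who signed it, what installed it), which is what the reply's "either/or" judgement and the later advice to run the vendors' uninstall tools come down to.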

ViralCode

Re: My gmer and hijackthis log files can someone take a look
« Reply #13 on: May 11, 2010, 01:27:32 PM »
Now I haven't been having many problems lately. I have used many antiviruses on my system, but I have always uninstalled them after using them; maybe they have not uninstalled totally. Anyway, I don't know if the three files that ComboFix quarantined are malicious or not. I have scanned them at VirusTotal, but the files are not detected as malicious.

Offline essexboy

Re: My gmer and hijackthis log files can someone take a look
« Reply #14 on: May 11, 2010, 08:41:38 PM »
I feel that they are either/or files; CF tries to determine what the files are linked to and whether or not the location is correct. It might be worth using the uninstall tools to ensure that all the low-level drivers for old AVs are gone.