My GMER and HijackThis log files, can someone take a look

Here are my GMER and HijackThis log files. Can someone take a look and tell me if they contain any suspicious or malicious entries? Thanks.

You may also post the logs in Essexboy's guide; he will have a look when he enters the forum:
http://forum.avast.com/index.php?topic=53253.0

Thanks for the information. Here are the OTL and MBAM logs.

Generally it is customary to actually say what is wrong (the symptoms) that makes you feel the need to post the logs.

I don't know much about computers, but some entries in the GMER log seem strange. Also, sometimes programs open by themselves on my system, for example Notepad. Also, I have a process called System that is listening on TCP and UDP port 445 on my computer, and sometimes some process called "unknown" makes some connections from my computer. Also, when I was still using Antivir it found some hidden registry keys on my computer, and those are also mentioned in the GMER log file. The MBAM scan and the Avast scan don't find any viruses on my computer. Anyway, if someone can tell me whether the logs contain something that is not normal, then let me know. Thanks. ;D

Well, I didn't see anything obvious in the GMER log, but I'm not too familiar with it; it is usually quite clear when it finds something.

What tool is it that is reporting System as listening on TCP/UDP port 445?

http://www.grc.com/port_445.htm

It's a tool called cports from NirSoft.

==================================================
Process Name : System
Process ID : 4
Protocol : TCP
Local Port : 445
Local Port Name : microsoft-ds
Local Address : 0.0.0.0
Remote Port :
Remote Port Name :
Remote Address : 0.0.0.0
Remote Host Name :
State : Listening
Process Path :
Product Name :
File Description :
File Version :
Company :
Process Created On: N/A
User Name :
Process Services :
Process Attributes:
Added On : 4/26/2010 10:32:17
Module Filename :
Remote IP Country :
Window Title :

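The cports record above is the kind of thing that is easier to judge with a fixed rule than by eye. On Windows the SMB listener on TCP 445 (and 139) is opened by the kernel, which CurrPorts reports as process "System", PID 4, with an empty process path; a user-mode process holding that port is the thing worth investigating. The script below is an added example written for this thread, not a NirSoft tool or anything from the original posts: it parses the "Key : Value" text export that cports produces and applies that rule. The first record is the one quoted above; the second record (a hypothetical `svchost.exe` in the user's Temp folder) is constructed purely to show the negative branch.

```python
"""Triage a cports (NirSoft CurrPorts) text export for unexpected SMB-port listeners."""

# Constructed sample: record 1 is the poster's own cports entry; record 2 is a
# hypothetical user-mode process invented here to exercise the suspicious branch.
SAMPLE_EXPORT = """\
==================================================
Process Name : System
Process ID : 4
Protocol : TCP
Local Port : 445
Local Port Name : microsoft-ds
Local Address : 0.0.0.0
Remote Port :
Remote Address : 0.0.0.0
State : Listening
Process Path :
User Name :
Added On : 4/26/2010 10:32:17
==================================================
Process Name : svchost.exe
Process ID : 1337
Protocol : TCP
Local Port : 445
Local Port Name : microsoft-ds
Local Address : 0.0.0.0
State : Listening
Process Path : C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\svchost.exe
User Name : Administrator
==================================================
"""

SMB_PORTS = {139, 445}


def parse_cports(text):
    """Split a CurrPorts text export into one dict per record (records are '=' separated)."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("====="):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" :")  # first ' :' separates key from value
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def assess_listener(rec):
    """Return (verdict, reason) for one record.

    The kernel SMB server owns TCP 445/139 and shows up as 'System', PID 4, no image
    path. Any other owner of those ports, or a listener with no resolvable path that
    is not PID 4, is flagged for a closer look.
    """
    if rec.get("State") != "Listening":
        return ("skip", "not a listener")
    try:
        port = int(rec.get("Local Port", ""))
        pid = int(rec.get("Process ID", ""))
    except ValueError:
        return ("unknown", "unparseable port or pid")
    name = rec.get("Process Name", "")
    path = rec.get("Process Path", "")
    if port in SMB_PORTS:
        if name == "System" and pid == 4 and path == "":
            return ("expected", "kernel SMB server owns the port")
        return ("suspicious", f"{name} (pid {pid}) owns SMB port {port}: {path or 'no path'}")
    if path == "" and pid != 4:
        return ("suspicious", f"{name} (pid {pid}) has no resolvable image path")
    return ("ok", f"{name} (pid {pid}) listening on {port}")


def triage(text):
    """Return a list of (process name, local port, verdict, reason) tuples."""
    return [(r.get("Process Name", ""), r.get("Local Port", "")) + assess_listener(r)
            for r in parse_cports(text)]


if __name__ == "__main__":
    for name, port, verdict, reason in triage(SAMPLE_EXPORT):
        print(f"{verdict:10} {name:12} :{port:<5} {reason}")
```

Run it against a real export by pasting the file contents in place of `SAMPLE_EXPORT`; the parser only relies on the `Key : Value` layout and the `=====` separators, so the extra fields cports emits (Window Title, Remote IP Country, and so on) are carried along untouched.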

@viralcode

These are some issues in the HJT log to check at VirusTotal to see if they are safe:

C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe
O4 - HKCU..\Run: [Nokia Internet Modem] “C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe” /background
Check if it isn’t spyware or a crack…

O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab  Very safe
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
Do you know the IP or domain '62.241.198.245 62.241.198.246'? If not, fix this entry.

Fix O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
Unknown service. (03022BA6.exe)

You apparently have this malware then: http://www.virustotal.com/analisis/61c4b83ca42cd72e90ac46557547994c1aa4a49412e7b1190c610d1837ef8819-1264239608

polonus
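The rules polonus applies above (hash an O4 autorun binary before trusting it, fix ActiveX objects from unknown sites or whose name/URL mentions dialer/casino/free plugin, fix O17 name servers you do not recognise, fix O23 services with an unknown owner and a missing file) can be written down as a small triage script. The following is an added example for this thread, not HijackThis code and not something from the original posts. The sample log is made up of the four entries quoted above plus one constructed bad O16 line (the all-zero CLSID and `example.invalid` host are invented) so that every branch runs; `KNOWN_NAMESERVERS` and `TRUSTED_ACTIVEX_HOSTS` are assumptions the reader fills in (the CA scanner host is pre-listed only because polonus marks that control as safe).

```python
"""Triage HijackThis O4/O16/O17/O23 lines with the checks described in the post above."""
import ipaddress
import re

# Constructed sample: the four entries from the thread (URLs kept defanged as hxtp)
# plus one invented O16 line to exercise the red-flag-word branch.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Nokia Internet Modem] "C:\Program Files\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - hxtp://cainternetsecurity.net/scanner/cascanner.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Free Plugin Installer) - hxtp://example.invalid/dialer/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27AB4DD4-D731-4513-887B-C97093B473A1}: NameServer = 62.241.198.245 62.241.198.246
O23 - Service: 03022BA6 - Unknown owner - C:\WINDOWS\system32\03022BA6.exe (file missing)
"""

# Assumptions for the demo: resolvers the user actually recognises (hypothetical
# router address) and ActiveX hosts the user is prepared to trust.
KNOWN_NAMESERVERS = {"192.168.1.1"}
TRUSTED_ACTIVEX_HOSTS = {"cainternetsecurity.net"}
BAD_WORDS = ("dialer", "casino", "free plugin")
WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\desktop\\")

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] '
                   r'(?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))(?P<args>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)'
                    r'(?P<missing> \(file missing\))?$')


def triage_line(line):
    """Return (section, verdict, reason) for one HJT line, or None if the line is not handled."""
    m = O4_RE.match(line)
    if m:
        path = m.group("qpath") or m.group("upath")
        if any(h in path.lower() for h in WRITABLE_HINTS):
            return ("O4", "suspicious", f"autorun from a user-writable location: {path}")
        return ("O4", "check", f"hash {path} and look it up at VirusTotal before trusting it")

    m = O16_RE.match(line)
    if m:
        hm = re.match(r"^[a-z]+://([^/:]+)", m.group("url"), re.I)
        host = hm.group(1).lower() if hm else ""
        blob = (m.group("name") + " " + m.group("url")).lower()
        if any(w in blob for w in BAD_WORDS):
            return ("O16", "fix", f"ActiveX {m.group('clsid')}: name/URL contains a red-flag word")
        if host not in TRUSTED_ACTIVEX_HOSTS:
            return ("O16", "check", f"ActiveX from unrecognised host {host}: fix unless you know the site")
        return ("O16", "ok", f"ActiveX from trusted host {host}")

    m = O17_RE.match(line)
    if m:
        unknown = []
        for s in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ipaddress.ip_address(s)
            except ValueError:
                unknown.append(s + " (not an IP)")
                continue
            if s not in KNOWN_NAMESERVERS:
                unknown.append(s)
        if unknown:
            return ("O17", "check", "unrecognised DNS server(s): " + ", ".join(unknown) + "; fix if not yours")
        return ("O17", "ok", "all DNS servers recognised")

    m = O23_RE.match(line)
    if m:
        reasons = []
        if m.group("owner").lower() == "unknown owner":
            reasons.append("unknown owner")
        if m.group("missing"):
            reasons.append("binary missing")
        if re.fullmatch(r"[0-9A-Fa-f]{8}", m.group("name")):
            reasons.append("random-looking 8-hex-digit service name")
        if reasons:
            return ("O23", "fix", f"service {m.group('name')}: " + ", ".join(reasons))
        return ("O23", "ok", f"service {m.group('name')} looks normal")
    return None


def triage(log_text):
    """Triage every recognised line of a HijackThis log; unhandled sections are skipped."""
    return [r for r in (triage_line(l.strip()) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:10} {reason}")
```

The O17 check deliberately treats any address outside `KNOWN_NAMESERVERS` as "check" rather than "fix": a legitimate ISP resolver and a DNS-changer both look like a bare IP in that line, so the user still has to confirm the addresses belong to their provider before removing the entry.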

There are a few oddballs there that look a bit iffy - GMER was mainly to do with sandbox

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
C:\Documents and Settings\Administrator\Desktop\xo8oisbe.exe

:Services
03022BA6

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the new log. Also, I noticed one thing: when I scanned with Avast, I received a warning saying that the file windows/winstart.bat could not be scanned because it is offline. Today Outpost Firewall also popped up a message that System wants to contact the internet through ESP.

You do have a lot of security systems on your computer, so they may be obscuring something

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the ComboFix log.

R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [3/24/2010 11:11 AM 15888]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/23/2010 8:10 AM 28552]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 11:15 PM 22016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 1:10 AM 162768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/24/2010 12:56 AM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/9/2010 4:11 AM 95024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [3/21/2010 7:06 AM 1872320]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/24/2010 12:54 AM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 1:10 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/24/2010 12:55 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/24/2010 12:56 AM 257432]
R3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [6/23/2009 12:34 PM 27008]
S0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\Administrator\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 AMoniterDriver;Antiy Labs Process creation detector.;\??\c:\program files\Antiy Labs\AModule\AMonitorDriver.sys --> c:\program files\Antiy Labs\AModule\AMonitorDriver.sys [?]
S3 Antiy-Product-Protect;Antiy-Product-Protect;\??\c:\program files\Antiy Labs\AModule\ProAntiy.sys --> c:\program files\Antiy Labs\AModule\ProAntiy.sys [?]
S3 AntiyFirewall;AntiyFirewall;\??\c:\windows\system32\drivers\AntiyFW.sys --> c:\windows\system32\drivers\AntiyFW.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [1/20/2010 1:11 AM 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/7/2010 2:48 AM 27192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 uty3nde4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uty3nde4.sys --> c:\windows\system32\Drivers\uty3nde4.sys [?]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 DET;DET;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DET.exe [?]
All of these drivers are security related; it is a wonder that your system runs at all.

What problems are you having?

I haven't been having many problems lately. I have used many antiviruses on my system, but I have always uninstalled them after using them; maybe they have not been uninstalled completely. Anyway, I don't know if the three files that ComboFix quarantined are malicious or not. I have scanned them at VirusTotal, but the files are not detected as malicious.

I feel that they are either/or files; CF tries to determine what the files are linked to and whether or not the location is correct. It might be worth using the uninstall tools to ensure that all the low-level drivers for old AVs are gone.