Win32:onlinegames-csk[trj]



#1 simona todaro

Posted 08 March 2008 - 08:48 AM

Had a warning about this Trojan from my avast anti-virus programme. Also have a problem with the following files that are placed in my waste-bin once the antivirus programme has run (kernel32.dll; winsock.dll; wsock32.dll). Every time I start my computer, two boxes appear on the screen saying that it is impossible to exit Word, and that the measure is not valid. I ran Combofix.exe and have the following report. Can you help me with these problems?

ComboFix 08-03-07.4 - Simona Todaro 2008-03-08 13:58:02.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.177 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Simona Todaro\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-08 al 2008-03-08 )))))))))))))))))))))))))))))))))))
.

2008-02-17 12:46 . 2008-02-17 12:47 <DIR> d-------- C:\Documents and Settings\Simona Todaro\Dati applicazioni\PrevxCSI
2008-02-12 13:28 . 2008-02-12 13:28 <DIR> d-------- C:\Programmi\Lavasoft
2008-02-12 13:28 . 2008-02-12 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-02-12 13:27 . 2008-02-12 13:27 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-02-11 23:07 . 2008-02-11 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-02-11 22:34 . 2008-02-11 22:34 <DIR> d-------- C:\Programmi\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 20:55 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-12 20:55 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-12 20:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-29 08:08 44,048 ----a-w C:\Documents and Settings\Simona Todaro\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-08_13.03.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-08 12:53:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2002-06-12 00:56 286720 C:\WINDOWS\system32\atiptaxx.exe]
"CARPService"="carpserv.exe" [2003-05-21 13:35 4608 C:\WINDOWS\system32\carpserv.exe]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 06:05 36864]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 22:34 36864]
"Display Settings"="C:\Programmi\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 05:26 45056]
"QT4HPOT"="C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE" [2002-10-14 18:57 98304]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [2002-09-09 23:42 126976]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2002-09-09 23:41 557056]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2002-10-23 12:19 176197]
"AdaptecDirectCD"="C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28 684032]
"Easy-PrintToolBox"="C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"OpwareSE2"="C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00 49152]
"OPSE reminder"="C:\Programmi\ScanSoft\OmniPageSE2.0\EregIta\Ereg.exe" [2003-07-07 08:30 729088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"Acrobat Assistant 7.0"="C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12 483328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-14 18:24:50 113664]
Avvio veloce di Adobe Acrobat.lnk - C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2006-07-06 11:55:33 25214]
Digimax Viewer 1.0.lnk - C:\Programmi\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe [2003-09-03 21:49:35 331776]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04 83360]

R2 NwSapAgent;Agente SAP;C:\WINDOWS\System32\svchost.exe [2004-08-19 23:39]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 16:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 16:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2002-08-29 01:00]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\system32\DRIVERS\Express.sys [2002-10-17 02:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26ae4021-7ce7-11dc-b4f0-000bcd86ac63}]
\Shell\AutoRun\command - E:\x.com
\Shell\explore\Command - E:\x.com
\Shell\open\Command - E:\x.com

.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-07 09:41:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 14:01:34
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe??????????????8????|?`???? ?X#B?????????????l|B????????

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-03-08 14:02:50
ComboFix2.txt 2008-03-08 12:03:46
ComboFix3.txt 2008-02-17 12:36:47
.
2008-02-13 07:30:21 --- E O F ---
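The `mountpoints2` block in the ComboFix log above shows the `AutoRun`, `explore` and `open` shell handlers of a removable volume all pointing at `E:\x.com`, an executable at the drive root, which is the pattern an autorun-type infection leaves behind. The script below is an added example, not code from the original post or from ComboFix: it parses that section of a ComboFix-style log and flags shell handlers that launch an executable from a volume root (a heuristic that can also match legitimate CD autorun installers); the log excerpt inside it is constructed from the entries above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's layout, modelled on the log in this post.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26ae4021-7ce7-11dc-b4f0-000bcd86ac63}]
\Shell\AutoRun\command - E:\x.com
\Shell\explore\Command - E:\x.com
\Shell\open\Command - E:\x.com

.
"""

# Key line that opens a per-volume mountpoints2 block; group 1 is the volume GUID.
MP2_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" as ComboFix prints it.
SHELL_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)
# Heuristic: an executable launched straight from a volume root, e.g. E:\x.com
ROOT_EXEC = re.compile(r"^[A-Z]:\\[^\\]+\.(exe|com|bat|cmd|scr|pif|vbs)$", re.IGNORECASE)

@dataclass
class ShellEntry:
    volume_guid: str
    verb: str
    command: str

def parse_mountpoints2(log_text):
    """Return every shell handler found under a mountpoints2 volume key."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MP2_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):      # any other registry key ends the block
            current = None
            continue
        cmd = SHELL_CMD.match(line)
        if current and cmd:
            entries.append(ShellEntry(current, cmd.group(1).lower(), cmd.group(2)))
    return entries

def suspicious_entries(log_text):
    """Handlers whose command runs an executable from a volume root."""
    return [e for e in parse_mountpoints2(log_text) if ROOT_EXEC.match(e.command)]

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"volume {e.volume_guid}: {e.verb} -> {e.command}")
```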

#2 Grinler

Lawrence Abrams

Posted 27 March 2008 - 10:16 AM

I apologize for the very long delay. We have a huge backlog of HijackThis logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.
