
Problems with some trojans



Hi, I have problems with a PC at work. Norman antivirus says it has a virus located in wowfx.dll, Trojan: W32/Qhost.czk, and one located in C:\programfiler\4090312.exe, Trojan: W32/Dloader.EWMF. The latter keeps changing, that is, it comes back with a different number in the exe file name. Norman puts them in quarantine. But it looks like an endless loop, since a new exe file keeps appearing and gets quarantined. We have tried scanning with Ad-Aware without any improvement. We also tried to install Spybot Search & Destroy, but it would not install. The installation cut out after only a few seconds. It was no problem to install it on another PC, though.

Does anyone have an idea of how we can get rid of this? Unfortunately I don't have the PC here, so I can't post a log.

Link to comment

Hi,

After trying various spyware programs we managed to remove everything except wowfx.dll (the Qhost trojan). Five seconds after Norman put it in quarantine it was restored and then detected by Norman again (loop). In the end we booted the PC in safe mode and deleted the file manually, and before it managed to restore itself we created an empty folder with the same name.

When we then booted in normal mode, Norman no longer found any virus. How can that be? Can someone explain, to someone who was given a bit of IT responsibility because he was the only one who could find the power button, how this works? Presumably there must still be something fishy on the PC somewhere, but now it can no longer create that dll file? What can such a dll file do, and can what is still left on the PC be dangerous (it is no longer found by the spyware scanners)?

Unfortunately I forgot to copy out the log.

Thanks in advance!

Link to comment
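The placeholder trick described in the post above, reproduced as an added example (my code, not from the thread). It works in a temporary directory and only simulates the dropper with a plain file write, so it shows why the write fails once a folder occupies the name, not how the real dropper behaves. The ComboFix log posted further down in the thread lists C:\WINDOWS\system32\wowfx.dll as <DIR>, which is exactly this folder.

```python
"""Block a file name by occupying it with a directory.

Added example, not from the forum post. Reproduces the trick of deleting a
file that keeps being restored and replacing it with an empty folder of the
same name, so that a later create-file call on that path fails. Runs
entirely inside a scratch directory; the name wowfx.dll is taken from the
thread, nothing touches the real system32.
"""
import os
import tempfile


def occupy_name(directory: str, name: str) -> str:
    """Remove `name` in `directory` if it is a regular file, then create a
    directory with that exact name. Returns the occupied path."""
    path = os.path.join(directory, name)
    if os.path.isfile(path):
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    return path


def dropper_attempt(path: str, payload: bytes = b"MZ") -> bool:
    """Simulate a dropper recreating its file. True if a regular file now
    exists at `path`, False if the write was refused. Linux raises
    IsADirectoryError for a directory, Windows raises PermissionError;
    both are OSError subclasses."""
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except OSError:
        return False
    return os.path.isfile(path)


def demo() -> dict:
    """Run the sequence from the post in a scratch directory and report."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "wowfx.dll")

        # 1. the detected file is present (constructed stand-in, not malware)
        with open(target, "wb") as fh:
            fh.write(b"MZ\x90\x00")

        # 2. plain delete: the dropper simply puts the file back
        os.remove(target)
        recreated = dropper_attempt(target)

        # 3. delete again, then occupy the name with a folder: the write fails
        os.remove(target)
        occupy_name(scratch, "wowfx.dll")
        blocked = not dropper_attempt(target)

        return {
            "recreated_without_placeholder": recreated,
            "blocked_with_placeholder": blocked,
            "placeholder_is_dir": os.path.isdir(target),
        }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The folder occupies that one name only. It breaks the restore loop for wowfx.dll, but whatever was restoring it is untouched, which is why the follow-up log still needs reading, and a dropper that picks a fresh name each time, like the numbered .exe in the first post, is not stopped by it at all.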

Here is the log from ComboFix. Can anyone tell whether there are still any bugs? How do you insert that smart box I see others use to post the log?

 

 

ComboFix 08-01-09.2 - BB 2008-01-09 9:16:40.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.473 [GMT 1:00]

Running from: C:\Documents and Settings\BB\Skrivebord\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))

.

 

2008-01-09 09:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-08 16:33 . 2008-01-08 16:33 <DIR> d-------- C:\WINDOWS\system32\wowfx.dll

2008-01-08 16:22 . 2008-01-08 16:22 <DIR> d-------- C:\WINDOWS\system32\l

2008-01-08 15:51 . 2008-01-08 15:51 <DIR> d-------- C:\Documents and Settings\hca\Programdata\U3

2008-01-08 11:30 . 2008-01-08 11:30 <DIR> d-------- C:\Documents and Settings\hca\Programdata\RegSweep

2008-01-08 11:29 . 2008-01-08 12:53 <DIR> d-------- C:\Programfiler\RegSweep

2008-01-08 10:45 . 2008-01-08 10:46 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-01-08 10:45 . 2008-01-08 10:45 <DIR> d-------- C:\Documents and Settings\hca\Programdata\SUPERAntiSpyware.com

2008-01-08 10:45 . 2008-01-08 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-01-07 16:56 . 2008-01-07 16:56 <DIR> d-------- C:\Programfiler\XoftSpySE

2008-01-07 16:34 . 2008-01-08 09:48 <DIR> d-------- C:\Programfiler\RegistrySmart

2008-01-07 16:34 . 2008-01-08 09:48 <DIR> d-------- C:\Documents and Settings\hca\Programdata\RegistrySmart

2008-01-07 15:31 . 2008-01-08 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-01-07 14:29 . 2008-01-07 14:29 <DIR> d-------- C:\Programfiler\Lavasoft

2008-01-07 14:29 . 2008-01-07 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-01-07 14:28 . 2008-01-08 10:44 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-01-03 16:02 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2008-01-03 01:02 . 2008-01-07 11:02 <DIR> d-------- C:\Program

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-05 10:25 --------- d-----w C:\Programfiler\Mamut

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2006-09-27 13:33 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]

"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

"pdfFactory Pro Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-06-14 20:44 376832]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 10:04 68856]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsmqIntCert"="regsvr32 /s mqrt.dll" []

"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 02:00 88203 C:\WINDOWS\AGRSMMSG.exe]

"SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11 925696]

"SoundMAX"="C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 13:06 716800]

"PTHOSTTR"="C:\Programfiler\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 10:56 122880]

"HP Software Update"="C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 04:20 122940]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 19:04 761945]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]

"hpWirelessAssistant"="C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 09:49 454656]

"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 19:12 17920]

"QlbCtrl"="C:\Programfiler\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 14:39 131072]

"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2006-02-22 07:03 40960]

"WatchDog"="C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 10:59 184320]

"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]

"ISUSPM Startup"="c:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-05-16 10:58 213936]

"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2006-09-11 04:56 86960]

"ISUSPM"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\isuspm.exe" [2006-05-16 10:58 213936]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"RegistrySmart"="C:\Programfiler\RegistrySmart\RegistrySmart.exe" [2007-10-16 21:45 4044016]

"RegSweep"="C:\Programfiler\RegSweep\RegSweep.exe" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

BTTray.lnk - C:\Programfiler\WIDCOMM\Bluetooth-programvare\BTTray.exe [2006-02-15 15:16:02]

DVD Check.lnk - C:\Programfiler\InterVideo\DVD Check\DVDCheck.exe [2006-09-25 07:33:14]

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [2000-01-21 08:15:54]

VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-09-26 10:01:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

C:\Programfiler\HPQ\IAM\Bin\AsWlnPkg.dll 2005-07-25 19:41 40960 C:\Programfiler\HPQ\IAM\Bin\AsWlnPkg.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , , ,

 

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]

R2 Ndiskio;Ndiskio;C:\NORMAN\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-07-09 09:50]

R3 nvcoas;Norman Virus Control on-access component;C:\NORMAN\Nvc\bin\nvcoas.exe [2007-07-12 10:38]

R3 NVCScheduler;Norman Virus Control Scheduler;C:\NORMAN\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]

S3 nvcfsr;nvcfsr;C:\NORMAN\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]

S3 nvcoafl51;nvcoafl51;C:\NORMAN\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]

S3 nvcoaft51;nvcoaft51;C:\NORMAN\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]

S3 nvcoarc51;nvcoarc51;C:\NORMAN\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASChannel

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0418c3dc-9f1b-11dc-b48f-00130280fa2e}]

\Shell\AutoRun\command - E:\JDLightning\Windows\JDLightning.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d916322-4c5f-11db-badf-806d6172696f}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-09 08:20:48 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"

- C:\Programfiler\RegistrySmart\RegistrySmart.ex

- C:\Programfiler\RegistrySmart

"2008-01-08 10:30:15 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"

- C:\Programfiler\RegSweep\RegSweep.ex

- C:\Programfiler\RegSweep

"2008-01-09 08:19:53 C:\WINDOWS\Tasks\XoftSpySE 2.job"

- C:\Programfiler\XoftSpySE\XoftSpy.exe

"2008-01-07 15:56:08 C:\WINDOWS\Tasks\XoftSpySE.job"

- C:\Programfiler\XoftSpySE\XoftSpy.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-09 09:20:53

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe??????? ???@???????????????@?????????????(?@???????@

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-09 9:22:13 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-09 08:22:10

ComboFix2.txt 2008-01-09 08:14:19

.

2007-12-12 16:08:17 --- E O F ---

Link to comment
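A first-pass triage of a log like the one posted above, as an added example (my code, not from the thread and not part of ComboFix). It parses three line shapes that appear in that log, Files Created entries, Run-key values with ComboFix's "[date time size]" suffix, and mountpoints2 AutoRun commands, and flags the entries a responder reads first. The SAMPLE text is constructed to match the shape of the posted log (a subset of its lines); the heuristics and the "kind" labels are my own and produce a review list, not a verdict.

```python
"""Triage a ComboFix-style log for the recurring-dropper pattern.

Added example, not taken from the thread or from ComboFix. SAMPLE is
constructed to mirror the log posted above; the flags are heuristics.
"""
import re
from typing import Dict, List

SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.
2008-01-09 09:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 16:33 . 2008-01-08 16:33 <DIR> d-------- C:\WINDOWS\system32\wowfx.dll
2008-01-08 16:22 . 2008-01-08 16:22 <DIR> d-------- C:\WINDOWS\system32\l
2008-01-08 10:45 . 2008-01-08 10:46 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-01-03 16:02 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"RegSweep"="C:\Programfiler\RegSweep\RegSweep.exe" [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# "created . modified size attributes path" as ComboFix prints it
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)
# "Name"="command" [yyyy-mm-dd hh:mm size]; empty brackets mean ComboFix
# could not stat whatever the value points at
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def _finding(kind: str, path: str, why: str) -> Dict[str, str]:
    return {"kind": kind, "path": path, "why": why}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries worth a second look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            low = path.lower()
            parent, _, name = path.rpartition("\\")
            is_dir = m.group("size") == "<DIR>"
            if is_dir and low.endswith(BINARY_EXT):
                findings.append(_finding(
                    "dir_named_like_binary", path,
                    "a directory carrying a DLL/EXE name: the placeholder "
                    "trick from cleanup, or something hiding behind a known name"))
            elif is_dir and parent.lower().endswith("\\system32") and len(name) <= 2:
                findings.append(_finding(
                    "odd_short_dir_in_system32", path,
                    "heuristic: one- or two-character folder directly in system32"))
            elif not is_dir and low.endswith(BINARY_EXT) and low.startswith("c:\\windows\\"):
                findings.append(_finding(
                    "new_binary_in_windows_dir", path,
                    "binary written into the Windows tree inside the scan window "
                    "(includes ComboFix's own helpers, so verify before acting)"))
            continue

        m = RUN_RE.match(line)
        if m:
            if not m.group("meta").strip():
                findings.append(_finding(
                    "run_entry_file_missing", m.group("cmd"),
                    f'Run value "{m.group("name")}" points at something ComboFix '
                    "could not stat: leftover of a removed file, or not a plain path"))
            continue

        m = AUTORUN_RE.match(line)
        if m:
            findings.append(_finding(
                "autorun_on_mounted_volume", m.group("cmd"),
                "AutoRun command cached for a mounted volume (U3 sticks present a "
                "CD-ROM partition for exactly this); confirm the device is expected"))

    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['kind']:28} {f['path']}\n{'':28}   {f['why']}")
```

Run against the sample it flags the wowfx.dll folder, the one-letter folder under system32, the two Run values ComboFix could not stat, the U3 AutoRun command and the two new binaries under C:\WINDOWS. NirCmd.exe is ComboFix's own tool, which is the point of the caveat in that finding: the list is where to look, and each hit still has to be checked against what you know was installed.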

Open Notepad, paste in the text in bold below, and save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

File::

C:\WINDOWS\system32\wowfx.dll

 

Put the logs between -spoiler- tags. You will find it, among other places, in the dropdown 'Insert special elements'.

Link to comment
