
Zlob.DNSChanger


Tommy81
23-06-2007, 16:51
Running a scan with Spybot, this trojan Zlob.DNSChanger comes up. The problem is that when I run the automatic fix my wireless connection drops after 30 seconds... so how do I remove it without running into problems? Can someone help me please?
The trojan description says: this trojan horse changes the DNS settings, installs and runs a hidden exe file which is added to winlogon. Oh well, like 99% of trojans :cry:. Thanks everyone :muro:

lancetta
23-06-2007, 17:22
I think that after removing it you have to restore the original DNS servers.
Regards

pcì
23-06-2007, 17:25
Post a HijackThis log
and have a look here http://www.megalab.it/forum/viewtopic.php?t=32575

Chill-Out
23-06-2007, 17:25
Go ahead and remove it with the automatic fix; if the connection drops it doesn't matter, you just have to go and re-enter the DNS servers. After that, run an online scan with F-Secure and post a HijackThis log; one of the users more expert than me will read it for you.
Bye.

Tommy81
24-06-2007, 09:27
OK, I made the HijackThis log without removing the trojan, so you can give me some advice, also because I don't really know how to handle the DNS settings (in fact I've never touched them in my life), but which file are they in?
Anyway, HijackThis "spat out" all of this... :rolleyes:

Logfile of HijackThis v1.99.1
Scan saved at 10.29.45, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\Borland\InterBase\bin\ibguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\system32\nvsvc32.exe
C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\windows\system32\svchost.exe
C:\Programmi\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\system32\WgaTray.exe
C:\windows\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programmi\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Programmi\BOINC\boincmgr.exe
C:\Programmi\BOINC\boinc.exe
C:\Programmi\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Programmi\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\WINDOWS\temp\Rar$EX32.937\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BOINC Manager.lnk = C:\Programmi\BOINC\boincmgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {590D2967-D752-4ADA-A685-90CEFCBB248F} (DBDrawX Control) - http://chemdb.kisti.re.kr/activex/DBDrawX.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.it/app/uploader/FileUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B446C-68BF-4D61-9D14-93085745FAD5}: NameServer = 85.255.116.116,85.255.112.175
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\AGNITUM\OUTPOS~1.0\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Programmi\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Programmi\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
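
Added example (editor's code, not HijackThis, Fixwareout or anything posted in this thread): a small Python triage of the O17 lines in a HijackThis 1.99 log like the one above. An O17 entry is the per-interface Tcpip NameServer value, so it says which resolvers the machine actually uses regardless of how unremarkable the rest of the log is. The only knowledge baked in is the 85.255.112.0/20 range, which both addresses in the log above fall in and which was widely reported in 2007 as resolver space used by the Zlob/DNSChanger family; that range, the empty EXPECTED_RESOLVERS allow-list and the benign 192.168.0.1 line in the sample are assumptions and constructed data, not facts taken from the thread.

```python
"""Triage of the O17 (Tcpip NameServer) entries in a HijackThis log.

Added example for this thread; it is not HijackThis or Fixwareout code.
It extracts each O17 NameServer line, splits the resolver list and
classifies every address, so the O17 entry in the posted log stands out
even when nothing else in the log looks wrong.
"""
import ipaddress
import re

# Assumption: the 85.255.112.0/20 block, which both resolvers in the posted
# log fall in, was widely reported in 2007 as rogue-resolver space used by
# the Zlob/DNSChanger family. Treat this list as something to keep current.
KNOWN_ROGUE_RESOLVER_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Hypothetical allow-list: the public resolvers a given ISP normally hands
# out. Empty set => any public resolver not in the rogue list is reported.
EXPECTED_RESOLVERS: set = set()

O17_RE = re.compile(
    r"^O17 - (?P<hive>HK[A-Z]+)\\(?P<key>[^:]+): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Yield (registry_key, [resolver, ...]) for every O17 NameServer line."""
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[ ,;]+", m.group("servers").strip()) if s]
        yield m.group("hive") + "\\" + m.group("key"), servers


def classify_resolver(server):
    """Return one of: known-rogue, local, expected, unexpected-public, unparseable."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if any(ip in net for net in KNOWN_ROGUE_RESOLVER_NETS):
        return "known-rogue"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"  # router or LAN resolver: normal on a home network
    if server in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected-public"


def triage(log_text):
    """Return a list of findings; an empty list means no O17 entry needs a look."""
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            verdict = classify_resolver(server)
            if verdict in ("known-rogue", "unexpected-public", "unparseable"):
                findings.append({"key": key, "server": server, "verdict": verdict})
    return findings


# Constructed sample: the O17 line from the log posted above plus an invented
# benign one (a router at 192.168.0.1) and an unrelated O20 line as noise.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B446C-68BF-4D61-9D14-93085745FAD5}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:18} {f['server']:16} {f['key']}")
```

Run as a script it reports the two addresses from the posted log as known-rogue and says nothing about the 192.168.0.1 line; on a log whose O17 entries are the router or allow-listed ISP resolvers, triage() returns an empty list. The interface key shown in the O17 line is the same one the Fixwareout report later in this thread clears, so the same parse can confirm the entry is gone from a post-cleanup log.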

Tommy81
24-06-2007, 09:33
Is this the only thing I have to change?
http://avantissimo.vision2000.it/Intranet/FCKeditor/filemanager/browse/links/dns.pdf

Tommy81
28-06-2007, 21:46
Can someone check my HijackThis log for me, thanks :rolleyes:

ste_95
29-06-2007, 09:13
To me the HijackThis log looks clean...

Do a search on your computer, files and folders, and put bak as the search term...
see if you find anything... if so, tell us what and where....

Scarymiss
29-06-2007, 11:58
Hi Tommy.
Check this entry and fix it if necessary:

O16 - DPF: {590D2967-D752-4ADA-A685-90CEFCBB248F} (DBDrawX Control) - http://chemdb.kisti.re.kr/activex/DBDrawX.cab

As for the trojan, try downloading Fix Wareout (http://downloads.subratam.org/Fixwareout.exe)

Save it to the desktop, install it and run it; reboot the PC when the program asks you to, it may take a bit longer than usual. At the end you should reboot the PC once more.

Finally, post the HijackThis log again together with the Fixwareout report located in C:\fixwareout\report.txt

Tommy81
29-06-2007, 14:03
Originally Posted by Scarymiss
Hi Tommy.
Check this entry and fix it if necessary:

O16 - DPF: {590D2967-D752-4ADA-A685-90CEFCBB248F} (DBDrawX Control) - http://chemdb.kisti.re.kr/activex/DBDrawX.cab

As for the trojan, try downloading Fix Wareout (http://downloads.subratam.org/Fixwareout.exe)

Save it to the desktop, install it and run it; reboot the PC when the program asks you to, it may take a bit longer than usual. At the end you should reboot the PC once more.

Finally, post the HijackThis log again together with the Fixwareout report located in C:\fixwareout\report.txt

The entry you pointed out is clean, it's a program I installed. Now I'll try Fixwareout, thanks for the help :D

Tommy81
29-06-2007, 15:57
This is the Fixwareout log:


Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C16B446C-68BF-4D61-9D14-93085745FAD5}
"nameserver"="85.255.116.116,85.255.112.175" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"DAEMON Tools"="\"C:\\Programmi\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"REGSHAVE"="C:\\Programmi\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"avgnt"="\"C:\\Programmi\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Programmi\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"OutpostFeedBack"="C:\\Programmi\\Agnitum\\Outpost Firewall 1.0\\feedback.exe /dump:os_startup"
"Outpost Firewall"="C:\\Programmi\\Agnitum\\Outpost Firewall 1.0\\outpost.exe /waitservice"
"Adobe Reader Speed Launcher"="\"C:\\Programmi\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
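
Added example (editor's code, not Fixwareout's): a Python check of the three places the report above shows being touched: the NameServer value under the interface key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID} (which is where the DNS settings Tommy81 asked about live, next to the DHCP-assigned DhcpNameServer value), the "System" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and the hosts file. The evaluation functions take plain Python data and run on any platform; collect_windows() reads the live values with winreg and needs Windows. The sample data mirrors the report's Prerun check with an invented DHCP resolver at 192.168.0.1; the rule that a static NameServer on a DHCP-configured interface is worth flagging is an assumption of this example, chosen because that is exactly the value the report shows being cleared.

```python
"""Check of the three persistence points the Fixwareout report above touched:
the per-interface Tcpip NameServer value, the Winlogon "System" value and the
hosts file.

Added example for this thread; it is not Fixwareout code. The evaluation
functions take plain Python data so they run anywhere; collect_windows()
reads the live registry and hosts file and only works on Windows (winreg).
Assumption: on a DHCP-configured interface a non-empty static NameServer is
an override worth flagging; on a static-IP interface it is normal and is not
reported.
"""
import os
import sys

TCPIP_IFACES = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def check_interface(guid, values):
    """values: the interface key's values (EnableDHCP, NameServer, DhcpNameServer)."""
    static = (values.get("NameServer") or "").strip()
    if static and values.get("EnableDHCP") == 1:
        dhcp = values.get("DhcpNameServer", "")
        return f"{guid}: static NameServer '{static}' overrides DHCP resolvers '{dhcp}'"
    return None


def check_winlogon(values):
    """Winlogon 'System' is an empty string on a clean install; the report
    above shows it empty after the Fixwareout run."""
    system = (values.get("System") or "").strip()
    return f"Winlogon System = '{system}' (expected empty)" if system else None


def check_hosts(hosts_text):
    """Return every active hosts entry other than the localhost default."""
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("127.0.0.1", "::1") and all(n.lower() == "localhost" for n in fields[1:]):
            continue
        extra.append(line)
    return extra


def evaluate(interfaces, winlogon, hosts_text):
    """Combine the checks; an empty list means the three points look clean."""
    findings = []
    for guid, values in interfaces.items():
        finding = check_interface(guid, values)
        if finding:
            findings.append(finding)
    finding = check_winlogon(winlogon)
    if finding:
        findings.append(finding)
    findings.extend(f"hosts: {entry}" for entry in check_hosts(hosts_text))
    return findings


def collect_windows():
    """Read the live values. Windows only."""
    import winreg

    def read_values(path):
        out, i = {}, 0
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    return out
                out[name] = data
                i += 1

    interfaces, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_IFACES) as key:
        while True:
            try:
                guid = winreg.EnumKey(key, i)
            except OSError:  # no more subkeys
                break
            interfaces[guid] = read_values(TCPIP_IFACES + "\\" + guid)
            i += 1
    hosts = os.path.join(os.environ["SystemRoot"], "system32", "drivers", "etc", "hosts")
    with open(hosts, encoding="latin-1") as fh:
        return interfaces, read_values(WINLOGON_KEY), fh.read()


# Constructed sample mirroring the "Prerun check" in the report above, with an
# invented DHCP resolver (192.168.0.1) for the same interface GUID.
SAMPLE_INTERFACES = {
    "{C16B446C-68BF-4D61-9D14-93085745FAD5}": {
        "EnableDHCP": 1,
        "NameServer": "85.255.116.116,85.255.112.175",
        "DhcpNameServer": "192.168.0.1",
    }
}
SAMPLE_WINLOGON = {"System": ""}
SAMPLE_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"

if __name__ == "__main__":
    data = collect_windows() if sys.platform == "win32" else (SAMPLE_INTERFACES, SAMPLE_WINLOGON, SAMPLE_HOSTS)
    for line in evaluate(*data) or ["no findings"]:
        print(line)
```

On the affected machine this would be run once before and once after the cleanup: before, it reports the static override on interface {C16B446C-68BF-4D61-9D14-93085745FAD5}; after, an empty result for all three points confirms that the report's "Value cleared" and the empty Winlogon System line describe the current state. For a DHCP-configured interface, "re-entering the DNS servers" as suggested earlier in the thread amounts to leaving NameServer empty so that the DhcpNameServer value is used again.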