#1

Senior Member
Joined: Feb 2007
Posts: 1020
Zlob.DNSChanger

Running a scan with Spybot, it finds this trojan, Zlob.DNSChanger; the problem is that when I apply the automatic fix my wireless connection drops after 30 seconds... so how do I remove it without running into problems? Can someone help me, please?
In the trojan's description it says: this trojan horse changes the DNS settings, installs and runs a hidden exe file which is added to winlogon. Well, like 99% of trojans
#2

Senior Member
Joined: Feb 2007
City: Salerno......
Posts: 3259
I think that after the removal you have to restore the original DNS servers.
Regards
__________________
Opera: disabling scripts and iframes | Recover your passwords online. Messenger: beware of SCAM SITES | GUIDE: ShutdownTimer (automatic PC shutdown) | When Security Center doesn't recognise the software. Guide to Malwarebytes' Anti-Malware = the good old days...
#3

Registered User
Joined: May 2007
Posts: 64
post the HijackThis log
and take a look here http://www.megalab.it/forum/viewtopic.php?t=32575
#4

Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Go ahead and remove it with the automatic fix; if the connection drops it doesn't matter, you just have to go back and re-enter the DNS servers. After that, run an online scan with F-Secure and post a HijackThis log; one of the users more experienced than me will read it for you.
Bye.
#5

Senior Member
Joined: Feb 2007
Posts: 1020
So I made the HijackThis log without removing the trojan, so you can give me some advice, also because I'm not very good at handling DNS settings (actually I've never touched them in my life), but which file are they in?
Anyway, HijackThis "spat out" all of this...

Logfile of HijackThis v1.99.1
Scan saved at 10.29.45, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\Borland\InterBase\bin\ibguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\system32\nvsvc32.exe
C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\windows\system32\svchost.exe
C:\Programmi\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\system32\WgaTray.exe
C:\windows\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programmi\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Programmi\BOINC\boincmgr.exe
C:\Programmi\BOINC\boinc.exe
C:\Programmi\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Programmi\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\WINDOWS\temp\Rar$EX32.937\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BOINC Manager.lnk = C:\Programmi\BOINC\boincmgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {590D2967-D752-4ADA-A685-90CEFCBB248F} (DBDrawX Control) - http://chemdb.kisti.re.kr/activex/DBDrawX.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.it/app/uploader/FileUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B446C-68BF-4D61-9D14-93085745FAD5}: NameServer = 85.255.116.116,85.255.112.175
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\AGNITUM\OUTPOS~1.0\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Programmi\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Programmi\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
#6

Senior Member
Joined: Feb 2007
Posts: 1020
Do I only have to change this?
http://avantissimo.vision2000.it/Int.../links/dns.pdf
#7

Senior Member
Joined: Feb 2007
Posts: 1020
Could someone check my HijackThis log, thanks
#8

Member
Joined: Jun 2007
Posts: 191
to me the HijackThis log looks clean...
do a search on your computer, files and folders, and enter bak as the search term... see if you find anything... if so, tell us what and where....
#9

Member
Joined: Apr 2007
City: Pisciatoio d'Italia.
Posts: 69
Hi Tommy.
Check this entry and fix it if needed: O16 - DPF: {590D2967-D752-4ADA-A685-90CEFCBB248F} (DBDrawX Control) - http://chemdb.kisti.re.kr/activex/DBDrawX.cab
As for the trojan, try downloading Fix Wareout. Save it to the desktop, install it and run it; reboot the PC when the program asks you to, it might take a bit longer than usual. At the end you should reboot the PC once more. Finally, post the HijackThis log again together with the Fixwareout report located in C:\fixwareout\report.txt
#10

Senior Member
Joined: Feb 2007
Posts: 1020

Quote:
#11

Senior Member
Joined: Feb 2007
Posts: 1020
This is the Fixwareout log:

Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C16B446C-68BF-4D61-9D14-93085745FAD5}
"nameserver"="85.255.116.116,85.255.112.175" <Value cleared.
Svuotata la cache del resolver DNS.
System was rebooted successfully.
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"DAEMON Tools"="\"C:\\Programmi\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"REGSHAVE"="C:\\Programmi\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"avgnt"="\"C:\\Programmi\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Programmi\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"OutpostFeedBack"="C:\\Programmi\\Agnitum\\Outpost Firewall 1.0\\feedback.exe /dump:os_startup"
"Outpost Firewall"="C:\\Programmi\\Agnitum\\Outpost Firewall 1.0\\outpost.exe /waitservice"
"Adobe Reader Speed Launcher"="\"C:\\Programmi\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
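A check a log reader could run over the two logs in this thread, added here as an example that is not part of the original posts or of either tool: it parses the HijackThis O17 NameServer entry (post #5) and the "nameserver" registry line in the Fixwareout report above, and flags every resolver that is not inside an allow-list the operator supplies. The allow-list, the 192.168.1.1 router entry and the all-zero interface GUID are constructed for the demonstration; the other sample lines are quoted from the thread.

```python
import ipaddress
import re

# HijackThis O17 entry: O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip,ip
O17_RE = re.compile(r"^O17 - .*?(?P<guid>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<ns>[0-9A-Fa-f:.,\s]+)$")
# Fixwareout "Prerun check" entry: "nameserver"="ip,ip" <Value cleared.
FWO_RE = re.compile(r'^"nameserver"="(?P<ns>[^"]*)"')

def parse_nameservers(line):
    """Return (interface GUID or None, [ip_address, ...]) for a resolver line, else None."""
    line = line.strip()
    m = O17_RE.match(line) or FWO_RE.match(line)
    if not m:
        return None
    servers = []
    for tok in m.group("ns").split(","):
        try:
            servers.append(ipaddress.ip_address(tok.strip()))
        except ValueError:
            pass  # skip a mangled token instead of aborting the whole scan
    return m.groupdict().get("guid"), servers

def find_rogue_resolvers(lines, allowed_networks):
    """Yield (line_no, guid, ip) for every resolver that lies outside the allow-list."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    for no, line in enumerate(lines, 1):
        parsed = parse_nameservers(line)
        if parsed is None:
            continue
        guid, servers = parsed
        for ip in servers:
            if not any(ip in net for net in nets):
                yield no, guid, str(ip)

# Constructed sample: lines 1, 2 and 4 are quoted from the thread's logs; line 3 (a LAN router
# on a made-up interface GUID) is invented so the scan has a benign entry to pass over.
SAMPLE_LINES = [
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B446C-68BF-4D61-9D14-93085745FAD5}: NameServer = 85.255.116.116,85.255.112.175",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",
    '"nameserver"="85.255.116.116,85.255.112.175" <Value cleared.',
]
# Constructed allow-list: the LAN only; a real check adds the ISP's published resolvers.
ALLOWED = ["192.168.1.0/24"]

def scan_sample():
    return list(find_rogue_resolvers(SAMPLE_LINES, ALLOWED))

if __name__ == "__main__":
    for no, guid, ip in scan_sample():
        print(f"line {no}: resolver {ip} is not in the allow-list (interface {guid or 'n/a'})")
```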