
Thread: Win32/Heur virus

  1. #1
    HTML.it user
    Joined
    Jul 2008
    Posts
    13

    Win32/Heur virus

    Hello, TODAY AVG detected this Win32/Heur virus, but until yesterday the problem was Trojan Horse Downloader.generic7.wc2. For days and days I have been trying to fix it following advice found online. I have downloaded a bit of everything: Prevx, VirIt, Spybot, CCleaner, Ad-Aware, HijackThis, KillBox, ATF-Cleaner, Avenger, GMER... but right now I am completely lost, because it seems to be getting worse. Attached is the log file from the last scan. I hope someone is able to help me, thanks in advance.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20.40.34, on 20/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {295E74AA-1CE7-4606-A4D5-AC5610C4302E} - C:\DOCUME~1\X2\IMPOST~1\Temp\asycfiltc.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {9E736870-899F-4D9B-BBE1-9E538243486D} - c:\windows\system32\aszcsgc.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [amd_dc_opt] "C:\Programmi\AMD\amd_dc_opt\amd_dc_opt.exe"
    O4 - HKLM\..\Run: [AMD_Display] C:\Programmi\AMD\AMD Power Monitor\AMD_PwrMon.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe "
    O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
    O4 - HKCU\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 11\LaunchList2.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: WinManager.lnk = C:\Programmi\PC-TV\WinManager\WinManager.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photoworld.it/public/ImageUploader3.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: aivamohp - C:\WINDOWS\SYSTEM32\aszcsgc.dll
    O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    O23 - Service: CSIScanner - Prevx - C:\Programmi\PrevxCSI\prevxcsi.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    --
    End of file - 6487 bytes

  2. #2
    HTML.it user Deifobe
    Joined
    Oct 2007
    Posts
    6,072
    hi,
    download SystemScan, disconnect the PC from the internet => disable the antivirus => run SystemScan => click "Scan Now". When the scan is finished, re-enable the antivirus.

    Upload the report you find on the desktop to Savefile and post the link you get.

  3. #3
    HTML.it user
    Joined
    Jul 2008
    Posts
    13
    20_07_2008_21_49_report.zip - Hosted on SaveFile.com: http://savefile.com/files/1678431
    Dei

  4. #4
    HTML.it user Deifobe
    Joined
    Oct 2007
    Posts
    6,072
    ok.. Download Avenger, Registry Search Tool and CCleaner

    Run Avenger and copy/paste the whole quotation into its window:
    files to delete:
    C:\WINDOWS\system32\drivers\Winnu30.sys
    C:\WINDOWS\system32\WinCtrl32.dll
    C:\DOCUME~1\X2\IMPOST~1\Temp\tlsookeo.ini
    c:\windows\system32\aszcsgc.dll
    c:\windows\system32\drivers\njucnltj.sys

    registry keys to delete:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aivamohp
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295E74AA-1CE7-4606-A4D5-AC5610C4302E}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E736870-899F-4D9B-BBE1-9E538243486D}
    HKEY_LOCAL_MACHINE\system\controlset002\services\njucnltj
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj
    HKEY_LOCAL_MACHINE\system\controlset002\services\Winnu30
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Winnu30
    HKEY_LOCAL_MACHINE\system\controlset001\services\Winnu30
    HKEY_LOCAL_MACHINE\system\controlset002\enum\root\legacy_njucnltj
    HKEY_LOCAL_MACHINE\system\controlset001\enum\root\legacy_njucnltj
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_njucnltj
    HKEY_LOCAL_MACHINE\system\controlset001\enum\root\legacy_Winnu30
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_Winnu30
    HKEY_LOCAL_MACHINE\system\controlset002\enum\root\legacy_Winnu30
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\njucnltj.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\njucnltj.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\njucnltj.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\njucnltj.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\njucnltj.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\Winnu30.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\njucnltj.sys
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot on its own, otherwise reboot it yourself. Post the report it produces (the keys in green may not all be there..)

    Run HijackThis and fix the remaining entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {295E74AA-1CE7-4606-A4D5-AC5610C4302E} - C:\DOCUME~1\X2\IMPOST~1\Temp\asycfiltc.dll (file missing)
    O2 - BHO: (no name) - {9E736870-899F-4D9B-BBE1-9E538243486D} - c:\windows\system32\aszcsgc.dll
    O20 - Winlogon Notify: aivamohp - C:\WINDOWS\SYSTEM32\aszcsgc.dll
    O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
    If you only ran a free scan with Prevx, also fix:
    O23 - Service: CSIScanner - Prevx - C:\Programmi\PrevxCSI\prevxcsi.exe

    Run CCleaner and clean up temporary files and cookies (run it twice).

    Empty C:\WINDOWS\Prefetch

    Run Registry Search Tool and search separately for:
    Winnu30 (save the file as serv1.txt)
    njucnltj (save the file as serv2.txt)

    Post a new SystemScan, the two text files and the Avenger report
    (upload them to Savefile, you can also put them in a single zip) and tell me what drive D is (I see a file D:\UXDCMN.SYS)

    After posting this data, run a scan with Kaspersky virus scanner (choose "my computer" and save/post the report when it finishes)
    NOTE: if drive D is a pen drive or an external HDD, connect those too before the scan.

    bye
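A small triage script for a HijackThis log, added here as an example (it is not from the thread, nor HijackThis's own code): it flags the same entry classes Deifobe picked out of the log above, namely BHOs with no name, a missing file or a Temp path, autoruns from Temp, and every Winlogon Notify DLL, and cross-references the Notify DLLs against DLLs already flagged elsewhere. The sample lines are copied from the posted log; the heuristics are my own assumptions.

```python
"""Triage of a HijackThis log (added example, not from the thread).
Flags BHOs with no name / missing file / Temp path, autoruns from Temp,
and Winlogon Notify DLLs, cross-referenced against flagged DLLs."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {295E74AA-1CE7-4606-A4D5-AC5610C4302E} - C:\DOCUME~1\X2\IMPOST~1\Temp\asycfiltc.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {9E736870-899F-4D9B-BBE1-9E538243486D} - c:\windows\system32\aszcsgc.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: aivamohp - C:\WINDOWS\SYSTEM32\aszcsgc.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
"""

ENTRY = re.compile(r"^\s*([RO]\d+) - (.*\S)\s*$")   # "O2 - BHO: ..." lines
TEMP_DIR = re.compile(r"\\temp\\", re.I)


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list


def _dll_name(path_field: str) -> str:
    """'C:\\...\\x.dll (file missing)' -> 'x.dll' (lower-cased)."""
    return ntpath.basename(path_field.split(" (")[0]).lower()


def triage(log: str) -> list:
    """One Finding per entry worth a closer look, in log order, except that
    Winlogon Notify entries come last: they need the set of DLLs flagged in
    the other sections before they can be cross-referenced."""
    findings, flagged_dlls, notify = [], set(), []
    for raw in log.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section == "O2":
            if "(no name)" in body:
                reasons.append("BHO without a name")
            if "(file missing)" in body:
                reasons.append("BHO file missing (dangling CLSID)")
            if TEMP_DIR.search(body):
                reasons.append("BHO loaded from a Temp folder")
        elif section == "O4" and TEMP_DIR.search(body):
            reasons.append("autorun from a Temp folder")
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            notify.append(body)
            continue
        if reasons:
            findings.append(Finding(section, body, reasons))
            flagged_dlls.add(_dll_name(body.rsplit(" - ", 1)[-1]))
    for body in notify:
        name, _, dll = body[len("Winlogon Notify:"):].strip().partition(" - ")
        # HijackThis lists only non-default Notify subkeys, so each one is reviewed.
        reasons = ["Winlogon Notify DLL: non-default persistence point, review"]
        if _dll_name(dll) in flagged_dlls:
            reasons.append("DLL already flagged in another section")
        if name.lower() != ntpath.splitext(_dll_name(dll))[0]:
            reasons.append("subkey name does not match DLL name")
        findings.append(Finding("O20", body, reasons))
    return findings
```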

  5. #5
    HTML.it user
    Joined
    Jul 2008
    Posts
    13
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not open file "C:\WINDOWS\system32\drivers\Winnu30.sys"
    Deletion of file "C:\WINDOWS\system32\drivers\Winnu30.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    File "C:\WINDOWS\system32\WinCtrl32.dll" deleted successfully.
    File "C:\DOCUME~1\X2\IMPOST~1\Temp\tlsookeo.ini" deleted successfully.

    Error: could not open file "c:\windows\system32\aszcsgc.dll"
    Deletion of file "c:\windows\system32\aszcsgc.dll" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Error: could not open file "c:\windows\system32\drivers\njucnltj.sys"
    Deletion of file "c:\windows\system32\drivers\njucnltj.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Error: could not open registry key "HKEY_LOCAL_MACHINE\system\controlset002\services\njucnltj" for deletion
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\controlset002\services\njucnltj" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: could not open registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj" for deletion
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Registry key "HKEY_LOCAL_MACHINE\system\controlset002\services\Winnu30" deleted successfully.

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Winnu30"
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Winnu30" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\system\controlset001\services\Winnu30"
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\controlset001\services\Winnu30" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Registry key "HKEY_LOCAL_MACHINE\system\controlset002\enum\root\legacy_njucnltj" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\system\controlset001\enum\root\legacy_njucnltj" deleted successfully.

    Error: registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_njucnltj" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_njucnltj" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\system\controlset001\enum\root\legacy_Winnu30" deleted successfully.

    Error: registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_Winnu30" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_Winnu30" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\system\controlset002\enum\root\legacy_Winnu30" deleted successfully.

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winnu30.sys"
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winnu30.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winnu30.sys"
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winnu30.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Winnu30.sys" deleted successfully.

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Winnu30.sys" deleted successfully.

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\Winnu30.sys"
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\Winnu30.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: could not delete registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\Winnu30.sys"
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\Winnu30.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\njucnltj.sys" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\njucnltj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: could not open registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aivamohp" for deletion
    Deletion of registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aivamohp" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32" deleted successfully.

    Error: could not open registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295E74AA-1CE7-4606-A4D5-AC5610C4302E}" for deletion
    Deletion of registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295E74AA-1CE7-4606-A4D5-AC5610C4302E}" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)

    Error: could not open registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E736870-899F-4D9B-BBE1-9E538243486D}" for deletion
    Deletion of registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E736870-899F-4D9B-BBE1-9E538243486D}" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Completed script processing.

    *******************

    Finished! Terminate.

  6. #6
    HTML.it user
    Joined
    Jul 2008
    Posts
    13
    As for D, I'd say it didn't exist before this mess. Now, in My Computer, it is listed under Devices with Removable Storage as CD Drive (D:) and it appears to be empty, judging by its properties (right-click).

  8. #8
    HTML.it user
    Joined
    Jul 2008
    Posts
    13
    The scan with Kaspersky virus scanner came back negative!!!

  9. #9
    HTML.it user Deifobe
    Joined
    Oct 2007
    Posts
    6,072
    Avenger was not able to remove the files and services, let's move on to ComboFix.

    If D is the CD drive, you should have had it before too.. (didn't you have a CD drive???)
    Anyway, do this check: in My Computer, right-click drive D and select "Properties". Check that it says "CD Rom" or "CD drive".
    In any case, if it is a CD-ROM, some CD must contain a file D:\UXDCMN.SYS which installed that service (maybe ComboFix will remove it)

    Create a new folder in c:\ and call it pippo
    Copy these 4 files into it:
    C:\WINDOWS\system32\lsprst7.dll
    C:\WINDOWS\system32\lsprst7.tgz
    C:\WINDOWS\system32\ssprs.tgz
    C:\WINDOWS\system32\ssprs.dll

    Zip them, upload the zip file to Savefile and send me the link in a private message (please do not post the link on the forum)

    Download ComboFix_BleepingComputer to the desktop

    Open Notepad and paste this into it:
    KillAll::
    Registry::
    [-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aivamohp]
    [-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32]
    [-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295E74AA-1CE7-4606-A4D5-AC5610C4302E}]
    [-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E736870-899F-4D9B-BBE1-9E538243486D}]
    [-HKEY_LOCAL_MACHINE\system\controlset002\services\njucnltj]
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj]
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Winnu30]
    [-HKEY_LOCAL_MACHINE\system\controlset001\services\Winnu30]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winnu30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winnu30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Winnu30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Winnu30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Minimal\Winnu30.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SafeBoot\Network\Winnu30.sys]

    File::
    C:\WINDOWS\system32\drivers\Winnu30.sys
    C:\WINDOWS\system32\WinCtrl32.dll
    c:\windows\system32\aszcsgc.dll
    c:\windows\system32\drivers\njucnltj.sys

    Driver::
    njucnltj
    Winnu30
    Save it on the desktop with the name CFScript.txt
    Close the file

    Disconnect the PC from the internet, close all programs and disable the antivirus (it's important!)

    Drag the file onto the red ComboFix icon (careful: do not touch anything while ComboFix is working)

    Re-enable the antivirus

    Post the ComboFix log
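The reasoning behind "Avenger was not able to remove the files and services" can be made mechanical. Added example (not from the thread, nor Avenger's own code): a parser for the Avenger report posted in #5 that separates what was deleted from what failed and why, so the two failure kinds are not confused: STATUS_OBJECT_NAME_NOT_FOUND entries were simply absent (the keys Deifobe said might not exist), while STATUS_ACCESS_DENIED on the driver files and their service keys means those objects are still protected, which is why the thread escalates to ComboFix. The excerpt is constructed from lines of that report.

```python
"""Parser for an Avenger report (added example, not Avenger's own code):
splits deletions that succeeded from those that failed, keyed by NT status,
so 'object not found' (nothing left to clean) is not confused with
'access denied' (still protected: the infection is still active)."""
import re

# Constructed excerpt: lines copied from the report posted above in #5.
AVENGER_EXCERPT = r"""
Error: could not open file "C:\WINDOWS\system32\drivers\Winnu30.sys"
Deletion of file "C:\WINDOWS\system32\drivers\Winnu30.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File "C:\WINDOWS\system32\WinCtrl32.dll" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_njucnltj" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_njucnltj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32" deleted successfully.

Error: could not open registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\njucnltj" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
"""

DELETED = re.compile(r'^(File|Registry key) "(.+)" deleted successfully\.$')
FAILED = re.compile(r'^Deletion of (file|registry key) "(.+)" failed!$')
STATUS = re.compile(r'^Status: (0x[0-9A-Fa-f]+) \((\w+)\)$')


def parse_avenger(report: str) -> dict:
    """Return {'deleted': [(kind, target)], 'failed': [(kind, target, status)]}.
    A 'failed!' line is only recorded once the following 'Status:' line
    gives the NT status name, so every failure carries its reason."""
    result = {"deleted": [], "failed": []}
    pending = None
    for raw in report.splitlines():
        line = raw.strip()
        if m := DELETED.match(line):
            result["deleted"].append((m.group(1).lower(), m.group(2)))
        elif m := FAILED.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := STATUS.match(line)) and pending:
            result["failed"].append(pending + (m.group(2),))
            pending = None
    return result


def still_protected(report: str) -> list:
    """Targets that failed with STATUS_ACCESS_DENIED: Avenger could not even
    open them, so something is still protecting them and a stronger tool
    (or an offline clean-up) is needed."""
    return sorted(t for _, t, s in parse_avenger(report)["failed"]
                  if s == "STATUS_ACCESS_DENIED")


def already_gone(report: str) -> list:
    """Targets that failed only because they did not exist (harmless)."""
    return sorted(t for _, t, s in parse_avenger(report)["failed"]
                  if s == "STATUS_OBJECT_NAME_NOT_FOUND")
```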

  10. #10
    HTML.it user
    Joined
    Jul 2008
    Posts
    13

    ComboFix log

    As for D, the properties say it is a "CD drive"

    Below is the link to the ComboFix log
    Your link to the file: http://www.savefile.com/files/1680470

    Thanks
