23-09-2009, 12:41  #1
Senior Member, joined: Sep 2007, posts: 3161

ntoskrnl.exe file damaged according to ComboFix
Hi guys, after being hit by Vundo I did some scans with all the programs from the disinfection guide (Malwarebytes, Prevx 3.0 and ComboFix), which removed infected registry keys and .dll files for me. However, ComboFix reported ntoskrnl.exe as infected and still reports it. Prevx, which is the only software besides ComboFix that I have seen really detect all the malware files in the past, instead finds the system completely clean, and so do all the other scans: there is nothing, only ComboFix reports this. I point out that precisely because of the missing/damaged file, safe mode does not start. This is the ComboFix log (the HD is a temporary PATA drive that I had to put in place of the Samsung SATA, which seems to be broken: it no longer boots XP and gives me errors in the scan with its utility). Submitting the file in question, ntoskrnl.exe, to VirusTotal gives me only these 3 positives:

Authentium 5.1.2.4 2009.09.19: W32/Damaged_File.gen!Eldorado
F-Prot 4.5.1.85 2009.09.19: W32/Damaged_File.gen!Eldorado
VBA32 3.12.10.10 2009.09.20: suspected of Corrupted.Win32File.ILE

Code:
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ntoskrnl.exe . . . è infetto!!
.
(((((((((((((((((((((((((   Files Creati Da 2009-08-20 al 2009-09-20  )))))))))))))))))))))))))))))))))))
.
2009-09-19 10:16 . 2009-09-19 10:28    268435456    --sha-w-    c:\windows\system32\temppf.sys
2009-09-19 09:35 . 2009-09-19 09:35    --------    d-----w-    c:\documents and settings\All Users\Dati applicazioni\F-Secure
2009-09-18 18:58 . 2009-09-18 18:58    --------    d-----w-    c:\programmi\a-squared Free
2009-09-18 18:44 . 2009-09-18 18:44    27656    ----a-w-    c:\windows\system32\drivers\pxsec.sys
2009-09-18 18:44 . 2009-09-18 18:44    22024    ----a-w-    c:\windows\system32\drivers\pxscan.sys
2009-09-18 18:44 . 2009-09-18 18:44    --------    d-----w-    c:\programmi\Prevx
2009-09-18 18:43 . 2009-09-18 18:43    --------    d-----w-    c:\documents and settings\All Users\Dati applicazioni\PrevxCSI
2009-09-18 18:29 . 2009-07-28 14:34    55656    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2009-09-18 18:29 . 2009-03-30 08:33    96104    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2009-09-18 18:29 . 2009-02-13 10:29    22360    ----a-w-    c:\windows\system32\drivers\avgntmgr.sys
2009-09-18 18:29 . 2009-02-13 10:17    45416    ----a-w-    c:\windows\system32\drivers\avgntdd.sys
2009-09-18 13:10 . 2009-09-18 13:10    --------    d-----w-    c:\programmi\Spyware Terminator
2009-09-17 23:12 . 2009-09-17 23:11    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-09-16 22:57 . 2009-09-16 22:57    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\Betfair
2009-09-13 21:21 . 2009-09-13 21:21    40    ----a-w-    c:\windows\ujf635.bin
2009-09-12 14:53 . 2009-09-12 14:53    --------    d-----w-    c:\programmi\Betfair
2009-09-12 14:53 . 2009-09-12 14:53    --------    d-----w-    c:\documents and settings\Dwade\Impostazioni locali\Dati applicazioni\Downloaded Installations
2009-09-03 15:43 . 2009-09-03 15:43    --------    d-----w-    c:\windows\BDOSCAN8
2009-09-03 15:03 . 2009-09-03 15:03    --------    d--h--w-    c:\windows\system32\GroupPolicy
2009-08-29 15:13 . 2009-08-29 15:13    --------    d-----w-    c:\programmi\SopCast
2009-08-29 14:41 . 2009-08-29 14:41    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\StreamTorrent
2009-08-28 14:37 . 2009-08-28 14:37    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\vlc
2009-08-26 15:53 . 2009-08-26 15:53    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\Malwarebytes
2009-08-26 15:53 . 2009-08-03 11:36    38160    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-26 15:53 . 2009-08-26 15:53    --------    d-----w-    c:\programmi\Malwarebytes' Anti-Malware
2009-08-26 15:53 . 2009-08-26 15:53    --------    d-----w-    c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-08-26 15:53 . 2009-08-03 11:36    19096    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 18:18 . 2009-07-24 18:18    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\Vidalia
2009-07-24 18:18 . 2009-07-24 18:18    --------    d-----w-    c:\documents and settings\Dwade\Dati applicazioni\Tor
2009-07-22 19:13 . 2009-07-21 23:22    28592    ----a-w-    c:\windows\system32\drivers\tap0901.sys
2009-07-22 16:58 . 2009-07-22 16:58    --------    d-----w-    c:\programmi\Mozilla Firefox3.0.12
2009-06-30 12:06 . 2009-06-01 18:13    33840    ----a-w-    c:\windows\system32\drivers\HssDrv.sys
.
------- Sigcheck -------
[-] 2008-09-13 . 3ADCE4790F591BF160A94F6F08039577 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2004-08-19 11:34 . D2E8E8A7EA2C919815AF82F70F6ABB25 . 2097152 . . [------] . . c:\windows\system32\ntoskrnl.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-09-19_10.30.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-19 23:21 . 2009-09-19 23:23    84661              c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-09-06 10:42 . 2009-09-11 00:26    84661              c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-11-14 21:44    200192    ----a-w-    c:\programmi\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-08-19 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-09-17 149280]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-19 160256]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Privoxy.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\Programmi\\Vidalia Bundle\\Vidalia\\vidalia.exe"=
"c:\\Programmi\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Programmi\\SopCast\\ADV\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\VLC.EXE"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1853:UDP"= 1853:UDP:Windows Media Format SDK (wmplayer.exe)
"1852:UDP"= 1852:UDP:Windows Media Format SDK (wmplayer.exe)
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [18/09/2009 20.44.02 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [18/09/2009 20.44.02 27656]
R2 CSIScanner;CSIScanner;c:\programmi\Prevx\prevx.exe [18/09/2009 20.44.01 4368952]
R2 HssSrv;Hotspot Shield Routing Service;c:\programmi\Hotspot Shield\HssWPR\hsssrv.exe [06/08/2009 20.58.38 331824]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [22/07/2009 1.22.24 28592]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [07/08/2008 18.10.21 28672]
S0 osbmbgd;osbmbgd;c:\windows\system32\drivers\lezbwy.sys --> c:\windows\system32\drivers\lezbwy.sys [?]
S0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys --> c:\windows\system32\DRIVERS\agpkx.sys [?]
S3 HssTrayService;Hotspot Shield Tray Service;c:\programmi\Hotspot Shield\bin\HssTrayService.exe [11/08/2009 1.19.16 57640]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\Drivers\MayPro.sys --> c:\windows\system32\Drivers\MayPro.sys [?]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = local
TCP: {07C6D123-EF8B-41D9-ADAC-0FA3BDCD0863} = 10.24.112.1
FF - ProfilePath - c:\documents and settings\Dwade\Dati applicazioni\Mozilla\Firefox\Profiles\thyi7b06.Mich\
FF - prefs.js: browser.startup.homepage - hxxp://www.hwupgrade.it/forum/subscription.php?do=viewsubscription&folderid=all
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
HKCU-Run-msnmsgr - c:\programmi\MSN Messenger\msnmsgr.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 02:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scansione processi nascosti ... 
scansione entrate autostart nascoste ... 
Scansione files nascosti ... 
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2009-09-20  2.50.23
ComboFix-quarantined-files.txt  2009-09-20 00:50
ComboFix2.txt  2009-09-19 10:31
Pre-Run: 2.164.195.328 byte disponibili
Post-Run: 2.176.368.640 byte disponibili
134    --- E O F ---    2008-08-08 00:23

Last edited by waikiki: 23-09-2009 at 12:45.
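An added helper (not from the post, and not part of ComboFix) that pulls the two things a helper would look at first out of a log like the one above: Sigcheck entries prefixed `[-]` and driver services whose path ends in `[?]`. The sample input is an excerpt copied from the log in this post; reading `[-]` as "did not pass ComboFix's file check" and `[?]` as "driver file not found" is an assumption about ComboFix's output format, not something the post states.

```python
import re

# Sample input: lines copied from the ComboFix log in the post above (constructed excerpt for this example).
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2008-09-13 . 3ADCE4790F591BF160A94F6F08039577 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-19 11:34 . D2E8E8A7EA2C919815AF82F70F6ABB25 . 2097152 . . [------] . . c:\windows\system32\ntoskrnl.exe
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [18/09/2009 20.44.02 22024]
S0 osbmbgd;osbmbgd;c:\windows\system32\drivers\lezbwy.sys --> c:\windows\system32\drivers\lezbwy.sys [?]
S0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\DRIVERS\agpkx.sys --> c:\windows\system32\DRIVERS\agpkx.sys [?]
"""

# One Sigcheck entry: "[flag] date[ time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. "
    r"(?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+?)\s*$"
)
# One service/driver entry: "R0 name;display name;path [details]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

def parse_sigcheck(log_text):
    """Return every Sigcheck entry as a dict; the size field is converted to int."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            entries.append(rec)
    return entries

def failed_sigcheck(log_text):
    """Entries prefixed '[-]': files that did not pass ComboFix's check (assumed meaning of the prefix)."""
    return [e for e in parse_sigcheck(log_text) if e["flag"] == "-"]

def missing_drivers(log_text):
    """(service name, driver path) for entries ending in '[?]': file not found (assumed meaning)."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group("rest").rstrip().endswith("[?]"):
            path = m.group("rest").split(" --> ")[0].strip()   # path before the "-->" arrow
            found.append((m.group("name"), path))
    return found

if __name__ == "__main__":
    print([e["path"] for e in failed_sigcheck(SAMPLE_LOG)])
    print(missing_drivers(SAMPLE_LOG))
```

Run against a full log, the two lists give a reviewer the unverified system files and the services pointing at absent driver files to compare against a known-good copy of the same Windows build.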
23-09-2009, 20:14  #2
Senior Member, joined: Dec 2007, location: Brianza, posts: 14704
Hi, if you had Vundo, post the logs required for its disinfection in the official thread, with the logs uploaded individually to the remote servers listed in the section rules, and the previous ComboFix log too if possible.
24-09-2009, 09:06  #3
Moderator, joined: Jun 2007, location: 127.0.0.1, posts: 25885
Closing.