Security program executables disappearing
andreabarbuscia
25-11-2007, 15:20
Hi guys, I've been infected by some junk that deletes the .exe file
of any security program I install on the PC (AVG, Avast, PC Tools Antivirus, Spybot). After I finish the installation the .exe file gets deleted, so I can't open the program. I tried booting the computer in Safe Mode, and after reinstalling the antivirus everything worked perfectly; I ran a scan and found nothing malicious. Then I rebooted the PC in normal mode and it started all over again: the antivirus .exe file deleted. What should I do? Help!!! Please
Bagle virus removal guide (antivirus disabled) (http://www.hwupgrade.it/forum/showthread.php?t=1562611)
If that doesn't fix it, follow the DISINFECTION GUIDE for INFECTED users (http://www.hwupgrade.it/forum/showthread.php?t=1599737).
andreabarbuscia
25-11-2007, 16:22
Anything easier?
The simplest alternative is to format. :D
andreabarbuscia
25-11-2007, 19:50
But isn't there a simpler alternative? Anyway, if I follow your earlier advice, which of the two operations should I do first, 1 or 2? Bye
Since it isn't clear to you, I'll write it again. You have to do 1. If you can't solve it with 1, then you'll have to move on to 2.
Bagle virus removal guide (antivirus disabled) (http://www.hwupgrade.it/forum/showthread.php?t=1562611)
If that doesn't fix it, follow the DISINFECTION GUIDE for INFECTED users (http://www.hwupgrade.it/forum/showthread.php?t=1599737).
P.S. Maybe there is a simpler alternative. You can try an online antivirus capable of removing viruses (BitDefender Online Scanner (http://www.bitdefender.com/scan8/) or Trend Micro HouseCall (http://housecall.trendmicro.com/)) in the hope that it also manages to remove the infection that hit you.
If you decide to try, remember to post the scan logs here, according to the section rules (*** SECTION RULES - reading is mandatory!! *** (http://www.hwupgrade.it/forum/showthread.php?t=1589984)).
andreabarbuscia
25-11-2007, 20:36
I ran the scan with EliBagle and here's the log:
Sun Nov 25 21:30:52 2007
EliBagle v10.73 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
List of actions (by direct action):
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Bagle removed
Sun Nov 25 21:31:55 2007
EliBagle v10.73 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
List of actions (by scan):
Scanning drive C:\
Total directories: 4407
Total files: 43604
Files analysed: 9214
Files infected: 0
Files cleaned: 0
Logs must be posted according to these rules:
When you are asked to put the logs of the various disinfection tools in the thread, please attach them with the "Manage Attachments" function, or otherwise between the (code)(/code) tags, replacing the round brackets with square brackets [];
http://img105.imageshack.us/img105/7689/1fr1.jpg
which will then insert the two highlighted tags
http://img292.imageshack.us/img292/2624/1ub7.jpg
then paste the various logs in between
andreabarbuscia
25-11-2007, 20:46
I ran the scan with Avenger and here's the log:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aqeygpwf
*******************
Script file located at: \??\C:\nlnnuoci.txt
Script file not found! Error
Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gccugjdk
*******************
Script file located at: \??\C:\Program Files\nqqlmfab.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kjqewapy
*******************
Script file located at: \??\C:\xdhukgbx.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ptdcylan
*******************
Script file located at: \??\C:\rsxcdpbf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\data.oct
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\m\flec006.exe
Status: 0xc000003a
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\Andrea\Dati applicazioni\hidires failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
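The three runs above all end the same way: nearly every line fails with 0xc0000034 or 0xc000003a, and only the LEGACY_SROSA key is actually deleted. The script below is an added example, not part of the thread and not a component of The Avenger; it reads a log in that format and decodes each Status code into its NTSTATUS name (values taken from the public Windows status-code table), so you can tell "already gone" failures from ones where something is still protecting the file. The sample log is a constructed excerpt; its wintems.exe block with an access-denied status is invented to show the second case.

```python
"""Summarise an Avenger log: what was deleted, what failed, and why.

Added example, not part of the forum thread and not part of The Avenger.
The sample log is a constructed excerpt modelled on the lines in the thread.
"""
import re
from collections import Counter

# NTSTATUS values that Avenger prints verbatim. Decoding them is the useful
# part: "name/path not found" means the artefact was already gone when the
# script ran; access denied or a sharing violation means it is still there
# and something (typically the malware's own driver) is protecting it.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
ALREADY_GONE = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}

FAIL_RE = re.compile(r"^Deletion of (file|folder|registry key|registry value) (.+) failed!$")
OK_RE = re.compile(r"^(File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Return [(kind, target, outcome), ...] in script order.

    outcome is "deleted" on success, otherwise the NTSTATUS name (or the raw
    hex code when it is not in the table above).
    """
    results = []
    pending = None  # (kind, target) of a failure waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        m = OK_RE.match(line)
        if m:
            results.append((m.group(1).lower(), m.group(2), "deleted"))
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            results.append((*pending, NTSTATUS.get(code, f"0x{code:08X}")))
            pending = None
    return results


def summarise(results):
    """Outcome counts, e.g. Counter({'STATUS_OBJECT_NAME_NOT_FOUND': 3, ...})."""
    return Counter(outcome for _, _, outcome in results)


def still_present(results):
    """Targets whose deletion failed for a reason other than 'already gone'.

    These need a different approach (boot-time deletion, disabling the
    protecting driver first), not simply another run of the same script.
    """
    return [r for r in results if r[2] != "deleted" and r[2] not in ALREADY_GONE]


# Constructed sample: every block except the wintems.exe one copies the shape
# of the thread's log; the wintems.exe block is invented (access denied).
SAMPLE_LOG = r"""
Beginning to process script file:
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
Could not open file C:\WINDOWS\system32\wintems.exe for deletion
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000022
Could not open file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe failed!
Could not process line:
C:\Documents and Settings\Andrea\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
"""

if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for kind, target, outcome in parsed:
        print(f"{outcome:32} {kind:14} {target}")
    print(dict(summarise(parsed)))
    print("still present:", [t for _, t, _ in still_present(parsed)])
```

Run on the real log posted above, every entry lands in the "already gone" bucket except the LEGACY_SROSA key, which is what you would expect after EliBagle had already cleaned up; a non-empty still_present() list is the signal that the driver protecting those files is still loaded and the script needs to run from a boot where it is not.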
Please edit your previous posts, because logs must be posted according to these rules:
When you are asked to put the logs of the various disinfection tools in the thread, please attach them with the "Manage Attachments" function, or otherwise between the (code)(/code) tags, replacing the round brackets with square brackets [];
http://img105.imageshack.us/img105/7689/1fr1.jpg
which will then insert the two highlighted tags
http://img292.imageshack.us/img292/2624/1ub7.jpg
then paste the various logs in between
andreabarbuscia
25-11-2007, 20:59
I ran the scan with Panda Anti-Rootkit and it found nothing.
andreabarbuscia
25-11-2007, 21:02
I ran the scan with HijackThis and here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.01.34, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrea\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [aqbqdqtd] C:\gguwhnyj.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192733317156
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFBBFD9-4085-42F4-B982-AC5519C6CDCE}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A39B1F4-014A-4531-97F5-E1C7EA912DA4}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E183A2-371B-4F00-9992-5FF45B5FEE96}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AFBBFD9-4085-42F4-B982-AC5519C6CDCE}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{4AFBBFD9-4085-42F4-B982-AC5519C6CDCE}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 5905 bytes
At this point, given the results of the previous scans, it's better if you follow the DISINFECTION GUIDE for INFECTED users (http://www.hwupgrade.it/forum/showthread.php?t=1599737).
But attach the next logs with the Manage Attachments function, so the thread stays shorter.
Fix these entries:
O4 - HKLM\..\Run: [aqbqdqtd] C:\gguwhnyj.bat
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
Then open Avenger, select "Input script manually" and click the magnifying glass. In the new window, paste the script given below, click the "Done" button, click the green traffic-light icon and answer "yes" twice; the PC should reboot by itself, and if it doesn't, reboot it manually.
Files to delete:
C:\gguwhnyj.bat
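The two entries the reply singles out are a Run value with a random eight-letter name that launches a .bat from the drive root, and a BHO whose DLL no longer exists. As an added example, not part of the thread and not part of HijackThis, here is that triage written down as rules over O4 and O2 lines. The sample input is constructed from the thread's own HijackThis log, plus one invented O4 line for the hldrrr Run value named in the Avenger script; the known-bad file names come from that script, and the "random name" heuristic is an assumption tuned to the eight-letter names seen in this thread.

```python
"""Triage a HijackThis log: flag the O4 (Run) and O2 (BHO) entries worth fixing.

Added example, not part of the forum thread and not part of HijackThis. The
heuristics are the ones a helper applies by eye; the sample lines are
constructed from the thread (the final hldrrr line is invented from the Run
value named in the Avenger script, rendered in HJT's own O4 format).
"""
import re
from pathlib import PureWindowsPath

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# File names that appear in the Bagle removal script used earlier in the thread.
KNOWN_BAD_NAMES = {"hldrrr.exe", "wintems.exe", "trusted.exe", "hidr.exe", "flec006.exe"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".pif", ".scr"}


def looks_random(name):
    """Heuristic (assumption) for machine-generated names such as 'aqbqdqtd'
    or 'gguwhnyj': exactly eight lowercase letters with at most two vowels.
    Tuned to the names in this thread; real logs need a wider net."""
    return re.fullmatch(r"[a-z]{8}", name) is not None and sum(c in "aeiou" for c in name) <= 2


def target_of(cmd):
    """Executable path from an O4 command line: a quoted path or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return [(log_line, [reason, ...]), ...] for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = PureWindowsPath(target_of(m.group("cmd")))
            reasons = []
            if looks_random(m.group("name")):
                reasons.append("random-looking value name")
            if looks_random(target.stem):
                reasons.append("random-looking file name")
            if target.suffix.lower() in SCRIPT_EXTS:
                reasons.append("script launched at logon")
            if target.anchor and target.parent == PureWindowsPath(target.anchor):
                reasons.append("file sits directly in the drive root")
            if target.name.lower() in KNOWN_BAD_NAMES:
                reasons.append("name matches the Bagle removal script")
            if reasons:
                findings.append((line, reasons))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, ["BHO registered but its DLL is missing (orphaned entry)"]))
    return findings


# Constructed sample built from entries in the thread's HijackThis log; the
# last O4 line is invented from the hldrrr Run value in the Avenger script.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [aqbqdqtd] C:\gguwhnyj.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it prints the three flagged lines with their reasons; on a real log, pass the whole file to triage() and review, rather than fix blindly, anything flagged only by the random-name heuristic.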
andreabarbuscia
25-11-2007, 21:14
I ran a scan with GMER and it didn't report any entries in red. I fixed the entry you told me about before. What do I do now, follow the instructions in the other guide?
I edited my previous post; read it, do the other things as well, and then post a new HJT log.
andreabarbuscia
26-11-2007, 13:32
I fixed those entries and here's the log:
andreabarbuscia
26-11-2007, 13:42
I ran the scan with Eset ADS and here's the log:
andreabarbuscia
26-11-2007, 15:04
I ran the scan with a-squared and here's the log:
andreabarbuscia
26-11-2007, 15:09
I ran the scan with Prevx CSI and it found nothing.
Do this too, then try installing an antivirus and see whether you still have problems.
Then open Avenger, select "Input script manually" and click the magnifying glass. In the new window, paste the script given below, click the "Done" button, click the green traffic-light icon and answer "yes" twice; the PC should reboot by itself, and if it doesn't, reboot it manually.
Files to delete:
C:\gguwhnyj.bat
andreabarbuscia
26-11-2007, 15:14
I ran the scan with NanoScan and it found nothing.
Now the guide tells me to run the HijackThis scan, but I've already done that, so what do I do?
andreabarbuscia
26-11-2007, 15:21
Thanks, everything's fixed. Bye