Dopo diverse ricerche con google, ho capito il virus che ho.
E' questo: http://www.sophos.com/security/analyses/viruses-and-spyware/w32forbotgi.html

Quando avvio il sistema, appena appare l'interfaccia di xp mi esce un messaggio:

c:\WINDOWS\system32\drivers\ntndis.exe
FILE NON TROVATO!
(una cosa del genere)

Praticamente mi ha dato questo problema non appena ho ripristinato xp...
Il file infetto l'ho cercato nella directory indicata, ma non c'è appunto perchè ho ripristinato il sistema... ma mi chiedo allora perchè mi da questo benedetto errore?
Sicuramente è rimasta traccia del worm, sapete come risolvere?

ciao

carica secondo queste modalità (http://www.hwupgrade.it/forum/showthread.php?t=1751598) il log classico di HiJackThis (http://www.hwupgrade.it/forum/showpost.php?p=24033212&postcount=13)

mi hai linkato il regolamento invece delle modalità -.- :mc:

Comunque ho fato scar classico con logfile e mi ha creato sto log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37, on 06/03/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\WiFiConnector\NintendoWFCReg.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_15\bin\ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - Global Startup: Esegui il programma di registrazione.lnk = C:\Programmi\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F29E9DC-24C3-4E02-8132-F3FD3E7987AE}: NameServer = 85.37.17.17 85.38.28.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F29E9DC-24C3-4E02-8132-F3FD3E7987AE}: NameServer = 85.37.17.17 85.38.28.72
O23 - Service: MySQL - Unknown owner - C:\WM\MySQL-4.1.12\bin\mysqld-nt.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMServerTools - Apache - Apache Software Foundation - C:\WM\Apache-2.0.54\bin\Apache.exe
O23 - Service: WMServerTools - MySQL - Unknown owner - C:\WM\MySQL-4.1.12\bin\mysqld-nt.exe

--
End of file - 4403 bytes


Sapete come posso rimuovere il worm?

mi hai linkato il regolamento invece delle modalità -.- :mc:

● HijackThis Download (http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe)
Compatibile: Windows XP - Vista
Caratteristiche: non necessita di installazione

Doppio click su HijackThis.exe messo preventivamente in una cartella dedicata
Cliccare su Do a system scan and save a log file ed allegare il .txt per il controllo