

404dns hijacked my IE pls help..


Original Message
Name: Thygar
Date: May 5, 2006 at 14:32:06 Pacific
Subject: 404dns hijacked my IE pls help..
OS: XP
CPU/Ram: Sempron 256kb
Model/Manufacturer: HP
Comment:

Hi, does anyone know how to deal with this..
...my IE, once launched, will go to http://www.guarduptodate.com/
Sometimes it goes to www.404dns.com

I have ewido anti-malware and ez antivirus installed, but I just can't seem to get it out of my system...

Thygar




Response Number 1
Name: jabuck
Date: May 5, 2006 at 14:36:04 Pacific
Reply:

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made without cluttering your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.



Response Number 2
Name: Thygar
Date: May 5, 2006 at 23:50:42 Pacific
Reply:

Total number of scanned objects 30572
Number of viruses found 6
Number of infected objects 27
Number of suspicious objects 0
Duration of the scan process 01:16:29


C:\Documents and Settings\andy-lim\Local Settings\Temp\Temporary Directory 1 for radmin22.zip\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\andy-lim\Local Settings\Temp\Temporary Directory 1 for radmin22.zip\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\andy-lim\Local Settings\Temp\Temporary Directory 1 for radmin22.zip\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

C:\Documents and Settings\andy-lim\Local Settings\Temp\Temporary Directory 1 for radmin22.zip\RADMIN22.EXE Gentee: infected - 3 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar/HBP_RAdmin2.1_HQB.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar/HBP_RAdmin2.1_HQB.exe/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar/HBP_RAdmin2.1_HQB.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.30 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar/HBP_RAdmin2.1_HQB.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar/HBP_RAdmin2.1_HQB.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\HA_RAdmin21_HQB0713.rar RAR: infected - 5 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\pplive.exe/0001\F6\SynaLiveSetup.exe/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\pplive.exe/0001\F6\SynaLiveSetup.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\pplive.exe/0001\F6\SynaLiveSetup.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\pplive.exe Tarma: infected - 3 skipped

C:\Documents and Settings\andy-lim\My Documents\My Received Files\pplive.exe UPX: infected - 3 skipped

C:\Program Files\PPLive TV\SynaLiveSetup.exe/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Program Files\PPLive TV\SynaLiveSetup.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Program Files\PPLive TV\SynaLiveSetup.exe NSIS: infected - 2 skipped

C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

D:\Qatar Solved Dialers\eMule0.46b_Installer.exe/stream/data0246 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\Qatar Solved Dialers\eMule0.46b_Installer.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\Qatar Solved Dialers\eMule0.46b_Installer.exe NSIS: infected - 2 skipped

D:\radmin22.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

D:\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

D:\radmin22.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

D:\radmin22.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped

D:\radmin22.zip ZIP: infected - 4 skipped

Scan process completed.

Sorry, I saved it wrongly.


Logfile of HijackThis v1.99.1
Scan saved at 2:49:31 PM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\gWall\bin\SRVANY.EXE
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\OfficeScan NT\ofcpfwsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\TEMP\DE2395.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp64DF.tmp
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://comp.mediaring.com/consumer/pcphone/ver5.4.4.0/wbaxuiph544.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://comp.mediaring.com/consumer/pcphone/ver6.1.2.0/wbaxuiph612.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.mediaring.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.mediaring.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.mediaring.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.mediaring.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: gWall - Unknown owner - C:\WINDOWS\gWall\bin\SRVANY.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (ofcpfwsvc) - Trend Micro Inc. - C:\OfficeScan NT\ofcpfwsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

Pls help me

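A small triage script for the HijackThis log posted above, added here as an example; it is not part of HijackThis, SmitfraudFix or anything the posters ran. It assumes the HijackThis v1.99.1 line format shown in the log, embeds a constructed excerpt of those lines as sample input, and takes its list of artifact file names from the SmitfraudFix "FOUND !" lines later in this thread, so it ties the two reports together: a .tmp file loaded as a BHO, a process running from TEMP, an orphaned Winlogon Notify entry and a service with no known owner are the entries a helper would ask about first.

```python
"""Triage a HijackThis v1.99 log for the signs a forum helper looks for.
Added example, not HijackThis or SmitfraudFix code; the artifact names come
from the SmitfraudFix "FOUND !" lines in this thread, the heuristics are
assumptions about what deserves a second look, not proof of infection."""
import fnmatch
import ntpath
import re

# File names SmitfraudFix reported as FOUND in the two reports on this thread.
SMITFRAUD_ARTIFACTS = (
    "hp???.tmp", "hp????.tmp", "ld????.tmp", "atmclk.exe", "dcomcfg.exe",
    "ot.ico", "ts.ico", "simpole.tlb", "stdole3.tlb",
)

# Constructed excerpt: a handful of lines from the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\TEMP\DE2395.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp64DF.tmp
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: gWall - Unknown owner - C:\WINDOWS\gWall\bin\SRVANY.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def matches_artifact(path):
    """True if the file name part of `path` matches a SmitfraudFix artifact pattern."""
    name = ntpath.basename(path.strip().strip('"')).lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in SMITFRAUD_ARTIFACTS)


def triage(log_text):
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings = []
    in_processes = False
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            if TEMP_DIR_RE.search(line):
                findings.append(("process running from a temp directory", line))
            if matches_artifact(line):
                findings.append(("process name matches a SmitfraudFix artifact", line))
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("default URLSearchHook removed", line))
        elif line.startswith("O6 - ") and line.endswith("Restrictions present"):
            findings.append(("IE restrictions policy set; hijackers use it to lock settings", line))
        elif (m := O2_RE.match(line)):
            if m.group("path").lower().endswith(".tmp") or matches_artifact(m.group("path")):
                findings.append(("BHO loaded from a .tmp file", line))
            elif m.group("name") in ("Nothing", "(no name)"):
                findings.append(("unnamed BHO, verify the CLSID", line))
        elif (m := O20_RE.match(line)) and "(file missing)" in m.group("dll"):
            findings.append(("Winlogon Notify entry points at a missing DLL", line))
        elif (m := O23_RE.match(line)) and m.group("owner") == "Unknown owner":
            findings.append(("service with unknown owner", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run against the full log pasted above it flags the same seven kinds of line; everything else in that log (vendor services, O4 Run entries, O8/O9 Google and Java items) passes through untouched.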


Response Number 3
Name: jabuck
Date: May 6, 2006 at 06:35:47 Pacific
Reply:

Run the smitrem scan below and post the report before we go any further.

Please download SmitRemFix from this link http://siri.geekstogo.com/SmitfraudFix.php Then extract the contents to your desktop into its own folder and name it " SmitfraudFix".

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 4
Name: Thygar
Date: May 6, 2006 at 07:03:30 Pacific
Reply:

Jabuck thanks for helping me.

SmitFraudFix v2.40

Scan done at 22:01:01.75, 05/06/2006 Sat
Run from D:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\andy-lim\Application Data


Start Menu


C:\DOCUME~1\andy-lim\FAVORI~1

C:\DOCUME~1\andy-lim\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{35a88e51-b53d-43e9-b8a7-75d4c31b4676}"="Register LogWare"

[HKEY_CLASSES_ROOT\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]
@="C:\WINDOWS\system32\reglogs.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]
@="C:\WINDOWS\system32\reglogs.dll"


Scanning wininet.dll infection

End




Response Number 5
Name: jabuck
Date: May 6, 2006 at 07:27:36 Pacific
Reply:

Now for the smitrem fix.

Warning : running option #2 on a non infected computer will remove your Desktop background.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing " Y " and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Also post back with a new HJT log.




Response Number 6
Name: Thygar
Date: May 7, 2006 at 05:40:06 Pacific
Reply:

Hi Jabuck,

I think my Windows XP Pro has become corrupted. I was not able to get into Safe Mode.
Now my system boots up to a blue screen showing Stop: 0x00000024.
I am outstation and I do not have my recovery CD..guess I am screwed.

Regards
Thygar



Response Number 7
Name: jabuck
Date: May 7, 2006 at 06:18:55 Pacific
Reply:

If you can borrow an XP CD from someone, you can run the XP repair and possibly fix it.



Response Number 8
Name: Thygar
Date: May 9, 2006 at 06:24:46 Pacific
Reply:

Hey Jabuck,

Sorry for the late reply.. Someone flew over to pass me the recovery CD...lost all my data as the NTFS was corrupted and I was unable to do a repair.

Do you have any good suggestions for an anti-malware program so that I will not get infected again? I think all these issues happened after my website was hijacked by www.guarduptodate.com.

Regards
Thygar



Response Number 9
Name: jabuck
Date: May 9, 2006 at 13:21:13 Pacific
Reply:

Hey Thygar, I use AVG antivirus (free), SpywareBlaster (free) for antispyware and Sygate for firewall. Some other great tools are SpywareGuard, IE-Spyad, avast antivirus, ZoneAlarm free firewall.



Response Number 10
Name: Thygar
Date: May 10, 2006 at 07:03:43 Pacific
Reply:

Jabuck,

Thank you very much!!

Regards
Thygar



Response Number 11
Name: DBELLOFATTO
Date: May 31, 2006 at 11:28:58 Pacific
Reply:

SmitFraudFix v2.53

Scan done at 14:27:19.81, Wed 05/31/2006
Run from C:\Documents and Settings\Owner\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Security Toolbar\ FOUND !
C:\Program Files\SpywareQuake\ FOUND !
C:\Program Files\SpywareQuake.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://media1.break.com/static/break/images/bg.gif"
"SubscribedURL"="http://media1.break.com/static/break/images/bg.gif"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0c7416f0-dd23-420f-97f5-aae352ea2bf1}"="glochid"

[HKEY_CLASSES_ROOT\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}\InProcServer32]
@="C:\WINDOWS\system32\wfkduei.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0c7416f0-dd23-420f-97f5-aae352ea2bf1}\InProcServer32]
@="C:\WINDOWS\system32\wfkduei.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Response Number 12
Name: a23306
Date: July 13, 2006 at 11:38:04 Pacific
Reply:

---------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, July 13, 2006 11:35:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 12/07/2006
Kaspersky Anti-Virus database records: 206948
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 201903
Number of viruses found: 8
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 21:17:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14720987.exe Infected: Backdoor.Win32.Optix.aa skipped
C:\Documents and Settings\Andrew Scott\Local Settings\Temp\tzl3F9.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Documents and Settings\Andrew Scott\Local Settings\Temp\tzl411.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\BearShare\BearShareZangoInstaller.exe CAB: infected - 1 skipped
C:\Program Files\Netscape\Netscape Browser\nsHPSetup.exe/data0145 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\Netscape\Netscape Browser\nsHPSetup.exe NSIS: infected - 1 skipped
C:\Program Files\Netscape\Netscape Browser\NSUninst.exe/data0004 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\Netscape\Netscape Browser\NSUninst.exe NSIS: infected - 1 skipped
C:\Program Files\Zango\zango.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Program Files\Zango\zangohook.dll Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe/WISE0010.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe/WISE0010.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe WiseSFX: infected - 2 skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe WiseSFX Dropper: infected - 2 skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst/WISE0010.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst/WISE0010.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi Embedded: infected - 3 skipped
C:\WINDOWS\Downloaded Program Files\ClientAX.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
D:\shared\CANOPUS VIDEO FX TRANSITIONS CANOPUS + Update for Adobe Premiere Pro 1.5.zip/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
D:\shared\CANOPUS VIDEO FX TRANSITIONS CANOPUS + Update for Adobe Premiere Pro 1.5.zip ZIP: infected - 1 skipped
D:\WebEx MeetMeNow 1.0.zip/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
D:\WebEx MeetMeNow 1.0.zip ZIP: infected - 1 skipped
D:\WebExe 1.55.zip/Setup.exe Infected: Worm.Win32.VB.an skipped
D:\WebExe 1.55.zip ZIP: infected - 1 skipped
D:\Zaxwerks ProAnimator v4.0.1.rar/Setup.exe Infected: Backdoor.Win32.IRCBot.dd skipped
D:\Zaxwerks ProAnimator v4.0.1.rar ZIP: infected - 1 skipped

Scan process completed.

