Zlob.downloader



Dark Soul
2006-07-05, 12:11
Hi,

I'm in need of some help with removing the "Zlob.downloader" Trojan. I've run Spybot 1.4, Ewido and Smitfraud, all in the order that it was said to run them in, in this thread: http://forums.spybot.info/showthread.php?t=4015

All I've managed to do is rid myself of the process but not the registry value...

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:52:03 AM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
I:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [GameDrive] C:\Program Files\FarStone\GameDrive\GDP\gdtask.exe /AutoRestore /Silence
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] I:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144269687421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144275484328
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - I:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

pskelley
2006-07-05, 13:50
Hello and welcome to the forum. Please delete any copy of SmitfraudFix you have and download it again fresh. The Fix changes daily.

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php <<< here

Then I want you to run the first part of the fix (Search) which is #5 in the instructions:

Open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

and then please post rapport.txt and hold right there until I view it.

Something was done wrong in the instructions including the fact that three logs were supposed to be posted, and you posted only the HJT log. I will know more when I see if any of the infection is still on the computer. Please read and follow all directions carefully.


Thanks...pskelley
Safer Networking Forums

Dark Soul
2006-07-05, 14:31
I ran Webroot's "Spy Sweeper" as suggested by the guy whose post was deleted in this thread and I believe that that got rid of it. However, when I ran those other programs, I did get the reports...

----------------------------------
I reran SmitFraud after reading your reply...

SmitFraudFix v2.67

Scan done at 5:18:22.06, Wed 07/05/2006
Run from C:\Documents and Settings\Dark Soul\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dark Soul\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DARKSO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------------------------------

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:12:52 AM 7/5/2006

+ Scan result:



:mozilla.19:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.92:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.93:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.94:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.88:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.89:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.90:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.91:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.99:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.21:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.123:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.124:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.104:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.107:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.108:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.114:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.25:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.100:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.101:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.121:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.122:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.10:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.11:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.12:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.13:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.14:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.132:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.125:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.126:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.127:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.128:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.129:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.130:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.131:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.26:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.27:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.28:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.29:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.84:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.85:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.86:C:\Documents and Settings\Dark Soul\Application Data\Mozilla\Firefox\Profiles\df0kjeui.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

---------------------------------

I also have the report for Spybot if you'd like that, but I thought I'd ask first due to the size of it... And I figured you'd be able to get the HijackThis log from my first post.
So would you like me to post the Spybot report as well?

thanks

pskelley
2006-07-05, 14:53
OK and thanks for that information, while I am thinking about it your Java program needs an update to Java\jre1.5.0_07
http://forums.spybot.info/showpost.php?p=12880&postcount=2

ewido: you may want this information to control those cookies:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

All three logs are clean. You said Spy Sweeper cleared whatever it was you saw? I hesitate to run the fix portion of SmitfraudFix because the creator says it can mess up the Desktop when it is run with nothing present. The first scan indicates nothing is there.

If you have no issues, I will leave you with this information:
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If you believe something is there, provide me with more information. 1) program reporting it 2) location of the item, otherwise:

Safe surfing and tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
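
As an added illustration (not part of the thread, and not code from HijackThis or any tool mentioned in it): a small Python parser for the HijackThis log format posted above. It groups entries by section code, extracts the registry Run-key autostarts, and checks the installed JRE build against the jre1.5.0_07 update recommended in the reply. The function names are hypothetical; the sample lines are excerpted from the log in the first post.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log from the first post in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# "<code> - <kind>: <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# Registry autostart value: "[value name] command line"
RUN_VALUE = re.compile(r"^\[(?P<name>.+?)\] (?P<command>.*)$")
# JRE install directory as it appears in paths, e.g. \jre1.5.0_06\
JRE_DIR = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)

# Version the helper's reply says to update to (jre1.5.0_07).
RECOMMENDED_JRE = (1, 5, 0, 7)


def parse_log(text):
    """Group HijackThis entries by section code (O2, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header lines and the process list do not match and are skipped
            sections[m["code"]].append((m["kind"], m["rest"]))
    return dict(sections)


def autoruns(sections):
    """Return registry Run-key autostarts (O4) as hive/name/command dicts."""
    found = []
    for kind, rest in sections.get("O4", []):
        m = RUN_VALUE.match(rest)
        # Startup-folder shortcuts ("O4 - Startup: x.lnk = ...") are not registry values.
        if m and kind.upper().startswith(("HKLM", "HKCU")):
            found.append({"hive": kind[:4].upper(),
                          "name": m["name"],
                          "command": m["command"]})
    return found


def outdated_jre(text, minimum=RECOMMENDED_JRE):
    """Return JRE versions referenced in the log that are older than `minimum`."""
    versions = {tuple(int(p) for p in m.groups()) for m in JRE_DIR.finditer(text)}
    return sorted(v for v in versions if v < minimum)


if __name__ == "__main__":
    sections = parse_log(SAMPLE_LOG)
    for entry in autoruns(sections):
        print(entry["hive"], entry["name"], "->", entry["command"])
    print("Outdated JRE builds:", outdated_jre(SAMPLE_LOG))
```
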