28 Alarms with positive id. What do I do now?


GRAYmatter
September 15th, 2004, 09:29 PM
HELP! I've been using a registered full version of TDS-3 for over two years now, and haven't had any problems.

I just ran a full system scan which resulted in 28 alarms with positive ID on the file names and locations.

Below is a copy of the scan dump. My questions are: is it safe to delete these files, and do I have to delete each file one at a time? Can I delete them by right-clicking in the TDS window, or do I need to follow the path and delete them?

Any help would be much appreciated. Thank you, fellow TDS-3 users.

-frankie-
--------------------------------------------------------------------------
Scan Control Dumped @ 18:49:59 15-09-04
RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]

Positive identification: TrojanDownloader.Win32.PurityScan.e
File: c:\documents and settings\fgray\application data\snoe.exe

Positive identification: Adware.180Solutions.j
File: c:\documents and settings\fgray\local settings\temp\delb.tmp

Positive identification: TrojanDownloader.Win32.Agent.ab
File: c:\documents and settings\fgray\local settings\temporary internet files\content.ie5\lc8vhtcx\thnall1t[1].exe

Positive identification (in archive): TrojanDownloader.Win32.INService.h
File: awi.exe (In c:\program files\application downloads\key gen zip files\crack[1].cd-adobe_photoshop_cs_keygen_activation.zip)

Positive identification: TrojanDownloader.Win32.INService.h
File: c:\program files\application downloads\key gens\photoshop cs activation keygen\awi.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc5\weatherbug\minibugtransporter.dll

Positive identification (DLL): Adware.ToolBar.SideFind BHO (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sfbho.dll

Positive identification (DLL): Adware.ToolBar.SideFind (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sidefind.dll

Positive identification: TrojanDownloader.Win32.IstBar.fg
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\update\sidefind.exe

Positive identification (DLL): RAT.Agent.aq1 (dll)
File: c:\windows\1090297506.dll

Positive identification: TrojanDownloader.Win32.Alchemic
File: c:\windows\alchem.exe

Positive identification: Adware.Elitebar.a
File: c:\windows\gx9fzj83m9.exe

Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\windows\msbbhook.dll

Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.cr (dll)
File: c:\windows\nem219.dll

Positive identification: TrojanDownloader.Win32.Agent.ae
File: c:\windows\polall1t.exe

Positive identification: TrojanDownloader.Win32.Agent.ae
File: c:\windows\polmx3.exe

Positive identification: Adware.BiSpy.f
File: c:\windows\preinstt.exe

Positive identification (DLL): Adware.IMI (dll)
File: c:\windows\systb.dll_tobedeleted

Positive identification (DLL): Adware.BiSpy.c (dll)
File: c:\windows\twaintec.dll

Positive identification (DLL): TrojanSpy.Win32.Briss.g (dll)
File: c:\windows\downloaded program files\bridge.dll

Positive identification (DLL): TrojanDownloader.Win32.IstBar.fa (dll)
File: c:\windows\downloaded program files\istactivex.dll

Positive identification (DLL): TrojanSpy.Win32.Briss.g1 (dll)
File: c:\windows\downloaded program files\jao.dll

Positive identification (embedded in file): TrojanDownloader.Win32.PurityScan.e
File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

Positive identification (DLL): Adware.PurityScan.i Dropper (dll)
File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

Positive identification (DLL): Adware.Toolbar.Elitebar.a (dll)
File: c:\windows\downloaded program files\v2.dll

Positive identification: Trojan.Win32.ShowAds
File: c:\windows\system32\explorer.exe

Positive identification (DLL): TrojanDownloader.Win32.PurityScan.f (dll)
File: c:\windows\system32\pnvsppr.dll

FanJ
September 15th, 2004, 09:40 PM
-{ Quote: "Positive identification (in archive): TrojanDownloader.Win32.INService.h
File: awi.exe (In c:\program files\application downloads\key gen zip files\crack[1].cd-adobe_photoshop_cs_keygen_activation.zip)

" }-

Hi GRAYmatter,

Please allow me to ask a question:
Did you download/install a crack...?

GRAYmatter
September 15th, 2004, 09:51 PM
As a matter of fact, YES I did. Although, it was a month or so back.

I take it that's a bad thing, right?

-frankie-

Gavin - DiamondCS
September 15th, 2004, 10:33 PM
Most of those should delete with no problems; make sure IE isn't running. Safe Mode may be needed, or use AdAware or Spybot (most of that is adware).

This thread explains how to use AdAware and Spybot; it seems like you need them! Some browser security would go a long way to stop this happening again too:
http://www.wilderssecurity.com/showthread.php?t=15913

TheQuest
September 15th, 2004, 11:21 PM
Hi, GRAYmatter

-{ Quote: "As a matter of fact, YES I did. Although, it was a month or so back.

I take it that's a bad thing, right?

-frankie-" }-
:-[ :o :D ;D ::).

Take Care,
TheQuest 8)

GRAYmatter
September 15th, 2004, 11:26 PM
Thank you for the reply Gavin.

I'm usually pretty good about utilizing both AdAware and Spybot, but I guess I've been slacking in keeping up with my scans.

Thank you for the link as well. It confirmed that I was at least using the right apps to keep spyware and trojan free.

-frankie-

Jooske
September 16th, 2004, 01:13 PM
Hope your exec protection blocked files from executing and prevented more disasters too. Think your HijackThis log would show lots too.
Only what I don't understand is, if you had that download several weeks ago, why you now see all those positive identifications for the first time. Guess your scanning the download should have informed you already. So you see, downloads can come with a price and some extras.

GRAYmatter
September 17th, 2004, 09:39 PM
Hello DiamondCS Support & Moderators,

I am following up as per the directions/suggestions sent to me in this post reply and in the email sent to me from my file submission.

I have run an AdAware 6 Plus scan as well as a SpyBot scan. I am also including below the results of the HijackThis scan log.

I am aware of the forum rules about HijackThis scan log reviews, but I am only following the directions as suggested to me, to both send it for review via email as well as within the original post.

I apologize if I somehow misunderstood what I was directed to do.

Thanks again for your help and I look forward to a response.

Regards,

-Frankie-

--------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 8:06:33 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\zyheet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Application Downloads\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b80e40961cc9514/netzip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)

Jooske
September 18th, 2004, 02:18 PM
Yeah Frankie, you did as asked for.
Unfortunately i am no expert, i do see a few things which i need to google what they are, so i do hope in the meantime others are able to comment.
Few general comments would be:
make sure you move the HJT exe to a folder of its own, as it will place backups from possible fixes in the same folder.
Where files are missing i guess those could be fixed, but do it all together with possible other suggested fixes if there are.
Are there any files you don't recognise yourself?

Those lines with http://searchmiracle.com/sp.php need fixing
TkBellExe can be considered spyware by Real.
Any idea what this is?
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe ?

snapdragin
September 18th, 2004, 02:42 PM
Off-topic post by TDSfan, removed.

GRAYmatter
September 18th, 2004, 03:18 PM
Thanks for the reply Jooske,

Yes, I know... quite a mess this time around. I think I've gotten control of things but I'm still having a hard time trying to fix these below. Tried to delete them with HJT, but that didn't work. Any suggestions?

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

And as for the file, O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe, I can't figure out what this is. It won't delete and it's a locked file when TDS-3 scans it. Totally puzzled.

I also followed your suggestion as to putting HJT in its own folder. Thanks for the tip. If you should happen to have any further suggestions or possible fixes, all would be greatly appreciated.

Thanks and take care...

frankie

gerardwil
September 18th, 2004, 03:29 PM
Hi Frankie,

For a Hijack tutorial have a look here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#RDiag

For your information you can copy and paste your log file here:
http://hijackthis.de/index.php?langselect=english

Take care if you see things you don't know about before deleting them.

Gerard

FanJ
September 18th, 2004, 07:14 PM
-{ Quote: "And as for the file, O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe, I can't figure out what this is. It won't delete and it's a locked file when TDS-3 scans it. Totally puzzled.

" }-

Hi Frankie,

Have you tried to run a full system scan with TDS-3 while you are in Safe Mode ?
(please at that moment no AVG resident !).
It could take some time so make yourself a coffee ;)

Why?
September 18th, 2004, 10:18 PM
Why are you helping someone who steals software?

FanJ
September 18th, 2004, 11:19 PM
-{ Quote: "Why are you helping someone who steals software?" }-

Hello,

Anyone who knows me knows that I don't like stealing software; there cannot be any doubt about that.

But please consider that there is always a chance that people learn from this.
It isn't the first time that someone learned a lesson the hard way, and thinks to him/her-self "Hmmm, if all this mess on my PC is the price I have to pay, I'd better change things the way I was doing".

If that would happen in this case too, I really would be happy ! :)

So the message to Frankie is : it's up to you, Frankie ;)
Please think about what might have caused this on your machine...

And as a side-note:
What could have caused sooo many people asking for help with HJT-logs?
No, I'm definitely not saying that every one of them was installing cracks.
But it is one of the reasons, together with visiting porn- and other sites unprotected, and lots of other reasons.


I DO hope that Frankie's PC can be cleaned !!!

Peace

Regards, Jan.

Jooske
September 19th, 2004, 03:35 AM
Can you find out anything more about the zyheet.exe in its properties, moment of creation or modification, etc.? In Windows search/find I try to look for more files of the same date as the folder it's in or the file was modified, which might give a clue. If you don't trust it, please submit it.

Going back to an older restore point is no option for you?

You'll have to fix the DPF for that search thing too or it would install itself again after you fixed the R1 lines.


Like said, during the scans AVG really needs to be closed completely:
open the GUI and uncheck all there is, so the systray icon greys out. Then use your scanners, http://housecall.antivirus.com and all the rest.
If you check the zyheet.exe file at www.kaspersky.com/remoteviruschk.html does it beep on it?
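Jooske's suggestion to check the file's timestamps and then hunt for other files from the same moment is the basic timeline pivot of incident triage: a dropper writes its payloads within seconds of each other, so files clustered around the suspect's modification time are candidates even when no scanner flagged them. The following Python script is an added example, not code from this thread or from TDS-3: it builds a throwaway directory tree with constructed timestamps that stand in for the Windows tree in the thread, and lists everything modified within ten minutes of zyheet.exe. The paths, the timestamps and the ten-minute window are assumptions.

```python
"""Cluster files by modification time around a suspect file (added example; paths and times are invented)."""
import os
import tempfile
from pathlib import Path


def files_near(suspect, roots, window_s=600):
    """Files under `roots` whose mtime lies within window_s of the suspect's, as (path, delta_s), nearest first.

    mtime is used because st_ctime means inode change on Unix, not creation time, and
    any timestamp can be forged (timestomping): treat a cluster as a lead, not as proof.
    """
    suspect = Path(suspect).resolve()
    t0 = suspect.stat().st_mtime
    near = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.resolve() != suspect:
                delta = p.stat().st_mtime - t0
                if abs(delta) <= window_s:
                    near.append((str(p), delta))
    return sorted(near, key=lambda item: abs(item[1]))


def build_sample():
    """Constructed stand-in for the machine in the thread; every timestamp here is invented."""
    root = Path(tempfile.mkdtemp())
    t0 = 1_095_000_000  # arbitrary reference time (September 2004)
    layout = {  # relative path -> seconds relative to the suspect file's mtime
        "WINDOWS/System32/zyheet.exe": 0,
        "WINDOWS/mxTarget.dll": 30,
        "WINDOWS/systb.dll": -120,
        "Documents and Settings/fgray/Local Settings/Temp/delb.tmp": 5,
        "WINDOWS/System32/notepad.exe": -400 * 86_400,  # an old OS file, outside the window
    }
    for rel, offset in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # content is irrelevant; only the timestamp matters here
        os.utime(p, (t0 + offset, t0 + offset))
    return root, root / "WINDOWS/System32/zyheet.exe"


if __name__ == "__main__":
    root, suspect = build_sample()
    for path, delta in files_near(suspect, [root]):
        print(f"{delta:+8.0f}s  {os.path.relpath(path, root)}")
```

On a real machine, point files_near at C:\WINDOWS and the user's profile and widen the window if the dropper ran over several minutes; the temp file a few seconds away is often the downloader itself.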

dvk01
September 19th, 2004, 06:45 AM
First download CWshredder from http://www.thespykiller.co.uk and put it on the desktop as you will need to run it a bit later on

before going any further please copy these files ( if they all exist, don't worry if any are missing) and zip them and send to submit@diamondcs.com.au with a short note referring to this thread

C:\WINDOWS\mxTarget.dll
C:\WINDOWS\system32\system32.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\zyheet.exe

and as they weren't found by adaware either please also submit them to adaware http://www.lavahelp.net/submit/

Now once you have sent them off this will hopefully fix your problem

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b8...ip/RdxIE601.cab
O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

now Run CWSHREDDER
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

then

Delete these files
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\system32\system32.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\zyheet.exe

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download

and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml

and run it before the main adaware scan and follow its directions

Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R8 13.09.2004 or a higher number/later date
Then ........
click the "Scan" button. and select full scan

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

reboot again

Run an online antivirus check from at least one and preferably 2 of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/

reboot again

it is vital that you go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

then post a new hijackthis log to check what is left
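The entries dvk01 singles out above follow a handful of rules a reviewer applies to every HijackThis log: the hook's target file is missing, the DLL or EXE sits directly in C:\WINDOWS rather than in a program's own folder, the search settings point at a third-party host, a site has been added to the Trusted Zone, or an ActiveX control is pulled from outside Microsoft. The same Run-key persistence TDS-3 reported in the first post ("Win Server Updt" pointing at wupdt.exe) is what the O4 lines show. The Python script below is an added example, not code from this thread, from HijackThis or from DiamondCS: it encodes those rules and runs them over an excerpt of Frankie's log. The allowlisted hosts, the 3-character name-overlap rule for Run values and the table of core Windows binaries are my assumptions; the masquerade check is there for the TDS-3 hit on c:\windows\system32\explorer.exe in the first post, since the real Explorer lives one directory up. The name-overlap rule also catches Real's TkBellExe, which Jooske mentions, and the DPF rule is stricter than dvk01 about the real.com downloads, so treat the output as a review list, not a fix list.

```python
"""Rule-based triage of a HijackThis 1.9x log. Added example; the rules are mine, not HijackThis's."""
import re
from urllib.parse import urlparse

WINDIR = r"c:\windows"
# Assumed allowlists: hosts a stock IE6 search setting or ActiveX (DPF) download may point at.
SEARCH_HOSTS = {"microsoft.com", "msn.com"}
DPF_HOSTS = {"microsoft.com", "windowsupdate.com"}
# Home directory of core Windows binaries; the same name anywhere else is a masquerade
# (TDS-3 flagged c:\windows\system32\explorer.exe; the real Explorer lives in c:\windows).
SYSTEM_BINARIES = {"explorer.exe": WINDIR}
for _name in ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"):
    SYSTEM_BINARIES[_name] = WINDIR + r"\system32"
ORPHAN_MARKERS = ("(file missing)", "(no file)", "is missing")  # HijackThis's own wording


def target_of(cmd):
    """File path from an entry body such as '"C:\\x\\y.exe" -flag' or 'C:\\x\\y.dll (file missing)'."""
    m = re.match(r'"?(.*?\.(?:exe|dll|ocx|cpl))', cmd, re.I)
    return m.group(1) if m else cmd


def in_windir_root(path):
    """True for a file dropped directly into C:\\WINDOWS rather than into a subfolder."""
    p = path.lower()
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]


def is_masquerade(path):
    """True when a core Windows binary name appears outside its home directory."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[name]


def name_mismatch(value, path):
    """True when the Run value name shares no 3-character run with the file's base name."""
    name = path.lower().rpartition("\\")[2]
    base = name.rpartition(".")[0] or name
    value = value.lower()
    return not any(value[i:i + 3] in base for i in range(len(value) - 2))


def host_ok(url, allow):
    host = (urlparse(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allow)


def parse_log(text):
    """Split a log into (running process paths, [(entry code, entry body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(line)
    return procs, entries


def triage(text):
    """Return [(reason, log line)] for everything a reviewer should look at."""
    procs, entries = parse_log(text)
    hits = [("core binary outside its home directory", p) for p in procs if is_masquerade(p)]
    for code, body in entries:
        line, urls = f"{code} - {body}", re.findall(r"https?://\S+", body)
        if any(mark in body for mark in ORPHAN_MARKERS):
            hits.append(("orphaned hook, target missing", line))
        elif code in ("R0", "R1", "R3") and any(not host_ok(u, SEARCH_HOSTS) for u in urls):
            hits.append(("search setting redirected", line))
        elif code in ("O2", "O3", "O21") and in_windir_root(target_of(body.rpartition(" - ")[2])):
            hits.append(("hook loaded from %WINDIR% root", line))
        elif code == "O4" and (m := re.match(r".*?\[(.+?)\] (.*)$", body)):
            value, path = m.group(1), target_of(m.group(2))
            if in_windir_root(path):
                hits.append(("autorun from %WINDIR% root", line))
            elif name_mismatch(value, path):
                hits.append(("Run value name unrelated to its file", line))
        elif code == "O15":
            hits.append(("site added to Trusted Zone", line))
        elif code == "O16" and any(not host_ok(u, DPF_HOSTS) for u in urls):
            hits.append(("ActiveX download from non-Microsoft host", line))
    return hits


# Constructed sample: an excerpt of the log posted in this thread, not the whole log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\zyheet.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:42} {line}")
```

On the excerpt the script lists nine lines, the same ones dvk01 ticks, plus TkBellExe; NeroCheck, QuickTime and the Pop-Up Stopper BHO pass because their file names match their value names and they live in their own folders. To run it on a saved log, call triage(open(path).read()) and read the result the way the thread does: a reason to look, not a licence to delete.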

FanJ
September 19th, 2004, 05:22 PM
Thanks a lot Derek for jumping in !!!!! :D
We needed an HJT expert advice :)

Warm regards, Jan.

?Dudex
October 2nd, 2004, 01:02 PM
Dump your XP restore file - it is full of whatever infected you. Reboot
without a restore file ( you should have a recent "data" backup - if needed ) -
Then run :
1. Full Deep Virus Scan (update definition files first)

2. You can try Adware SE Pro, Spybot or Pest Patrol Corporate
( personally I prefer Giant AntispyWare over ALL OF THE ABOVE )

I run Outpost Pro 2.1.303.4009 (313) with TDS3 Pro, McAfee VirusScan Pro, Blackice Server Protection 3.6cns version 3.6.319, Spybot (just to protect my browser and startups) and Giant Antispyware, all peacefully coexisting and protecting my happy arse.

Hope this help.

(Been on the net before Mosaic was developed, when Yahoo was just a .txt file on a university computer server accessed only by telnet.)

DudeX

Rainwalker
October 2nd, 2004, 09:45 PM
LIFE RULE #2:
Stealing = BAD KARMA ( ALWAYS )

GRAYmatter
October 3rd, 2004, 11:48 PM
Hello fellow TDS forum members & moderators,

Thank you everyone for all your help and guidance in resolving my spyware dilemma. I'm sorry to have not posted sooner, but I've been dealing with a few health issues. (All is good though)

I think I've managed to finally get my computer clean. I also figured out why some of the harmful files were not being removed. Along with AdAware I was also running AdWatch which was set to block all changes in the registry and a few other places. Once I turned the monitoring off, everything seemed to get corrected, including the mysterious zyheet.exe file.

To all moderators, I did submit that file on my second tds full system scan for your review and testing.

As a matter of reference for all others newly reading this post, the information from moderators Jooske, FanJ, dvk01 and Gavin at DiamondCS was extremely helpful if followed carefully. Other contributing posts of great benefit were from forum members Dudex and gerardwil.

For those of you running HijackThis needing your scan logs to be evaluated quickly, the site gerardwil posted was not only easy to use and understand, but made making the decision to delete the harmful files from the needed files a safe choice. http://hijackthis.de/index.php?langselect=english

There's a lot of help and much to learn within the posts of this thread. And yes, to all concerned that I downloaded a crack, potentially stealing software, I've learned my lesson.

Thanks again to all who offered help.

Frankie