Wilders Security Forums
Archived Forums > Closed Sub-Forums > Archive of DiamondCS Support Forums > Trojan Defence Suite
Thread: Were these really Trojans?
#51, July 24th, 2004, 08:51 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

For the FreshDevices thing, if you're happy with it and don't have the issues I had and it doesn't give any other problems, after reading those threads I just posted, you might like to look for other download helpers on the www.wilders.org site (that's where I found the Fresh Download stuff too, before those warnings!).

But I still don't see anything related to your warpigs / zonelockup and downs, wupdate and the other files related to them (fortunately!). I had hoped to see something to get more clues; in fact your system looks rather neat.

The homepage: either a blank page, Google or such a start page, you know, or this forum, or your ISP, whatever you like most.

You did run SpybotS&D as well, with all search options up and deep registry scanning etc.? It's one of the few, together with Ad-Aware, one can think of (fully updated too after install). If there was anything new in the startups it would have shown in this HJT log!
__________________
Jooske
"o_o"
#52, July 24th, 2004, 08:52 AM
FanJ (Posts: n/a)
Re: Were these really Trojans?

With respect to this one:

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL

Have a look at the CLSID list from TonyKlein (an absolutely great expert !!!) at ComputerCops:
http://computercops.biz/CLSID.html

Put in that CLSID, let it search, and you'll get what my screenshot is showing you:
#53, July 24th, 2004, 08:56 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

I know Jan, it's a legal program, but did you also look in the threads about it we just posted, about the problems people can have with it?
Remember my right-click mouse functions disappearing and the three-page thread necessary to find them back, thanks to the FreshDevices stuff?
For us it's on the "banned software" list.
__________________
Jooske
"o_o"
#54, July 24th, 2004, 09:09 AM
TonyKlein (Security Expert, joined Feb 2002, The Netherlands, 3,947 posts)
Re: Were these really Trojans?

Whoops....
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#55, July 24th, 2004, 09:10 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

Yes, I got that too - but I still don't get it, if you know what I mean.

I think I'll uninstall F. Download & be done with it! I can live without one, being on ADSL, & Opera lets you resume d/loads anyway.

What about all those entries that say "This page could be nasty"? Do I delete those things? I keep trying to set IE's startpage to about blank, & every time I do that, my next AAW scan brings up those browser hijack registry entries, it's like an endless loop!

Jooske, I'm rapt that you said " in fact your system looks rather neat." - I'm really quite anal about this, even to having only 4 desktop icons.
#56, July 24th, 2004, 09:14 AM
TonyKlein (Security Expert, joined Feb 2002, The Netherlands, 3,947 posts)
Re: Were these really Trojans?

Quote:
Originally Posted by Pilli
Hi Dee, This looks ominous:
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL

For more information please go here:
http://www.webuser.co.uk/cgi-bin/for...=5&o=93&part=1

Pilli, I see nothing in that thread that looks ominous to me.

Fresh Download doesn't have a bad reputation, at least as far as I know, and any botched uninstall (even say SpyBot S&D) can leave a still registered browser plugin behind that's therefore hard to remove...
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#57, July 24th, 2004, 09:54 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

Hey there Tony, good that you come to visit!
Pilli and I remember the trouble I had on my system with the FreshDevices stuff, but there are people like Dee, fortunately, who had no problems with it at all.

In that HJT log I only see the R1 and R0 search.html pages as mentioned suspicious, as the other, LS3, is a known thing Dee installed with a purpose.

I'm still wondering if anything from the warpigs.exe / zonelockup.exe infection could still be there. If all the scanners don't say anything at all anymore I would think it is clean, and do a few scans the coming days with NOD32 and TDS (after updating it each time).

Would you think AutoStartViewer could still show anything suspicious, or the SpybotS&D?
__________________
Jooske
"o_o"
#58, July 24th, 2004, 10:04 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

Definitely gonna uninstall Fr.Download, don't need it, & my system will be just that little bit leaner.

I take it I can safely remove those " R1 and R0 search.html pages as mentioned suspicious", & that I can do this via the HJT log?

I've already d/loaded DiamondCS's AutoStartViewer - should I run it then?
#59, July 24th, 2004, 10:08 AM
TonyKlein (Security Expert, joined Feb 2002, The Netherlands, 3,947 posts)
Re: Were these really Trojans?

Hi Jooske,

Well, these need to be fixed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\SEARCH.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = file://c:\search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\SEARCH.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = file://C:\SEARCH.HTM

And that C:\Search.htm file deleted.

Otherwise it's a clean log.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#60, July 24th, 2004, 10:24 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

Now you're getting so clean I think it's a real good idea to run the AutoStartViewer with all options on too and post it; you see, now you get the grip of it and are enjoying the already even cleaner system!
__________________
Jooske
"o_o"
#61, July 24th, 2004, 11:15 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

Should I post a screen capture of ASV?

I d/loaded the latest HJT version; its log looked the same.
Then I uninstalled F.D/load via Total Uninstall, & used RegCleanr.exe to remove its registry entries, then re-booted. I fired up IE & changed its start page to www.google.com.au, then closed it & ran HJT with one change in its configuration: start page to be www.google.com.au. Then I did an HJT scan & "fixed" seven "R" items & saved the log:

Logfile of HijackThis v1.98.0
Scan saved at 1:03:00 AM, on 25/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\LS3\LS3.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DU METER\DUMETER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [LanSafe III] C:\LS3\LS3.EXE /NoPop
O4 - HKLM\..\RunServices: [IECleanAux] IEBOOT6.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\ESET\NOD32KRN.EXE
O4 - Startup: BACKUP.PIF = C:\WRPALL3\BACKUP.BAT
O4 - Global Startup: Power Monitor.lnk = C:\LS3\LS3.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xmpskin: C:\Program Files\Opera\PLUGINS\npfd.dll
O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npfd.dll
O15 - Trusted Zone: www.garageband.com
O15 - Trusted Zone: http://www.urbandoggrooming.com.au

Is that looking any better?
#62, July 24th, 2004, 12:02 PM
Pilli (Incredibly Massive Poster, joined Feb 2002, Hampshire UK, 6,217 posts)
Re: Were these really Trojans?

Thanks for your input Tony. I remember problems people had with that F. Download program in the past, but as you say maybe ominous is not the correct word.

Dee, Glad you are making good progress.

Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
#63, July 24th, 2004, 03:00 PM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

You missed this remark:
The O1 HOSTS file entry is TDS's known entry, but the IP address should be changed to 64.91.255.87
(easiest way open TDS > System Analysis > View File > Network Hosts, change that entry and save)
This will cause the F5 in TDS to work properly and get you to the DiamondCS forum on the new location www.diamondcs.com.au/forum
__________________
Jooske
"o_o"
#64, July 24th, 2004, 10:00 PM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

Dunno what I'm doing wrong here. I changed that value in TDS & saved it, rebooted, did another HJT, made no difference. So then I opened the hosts file in Notepad, changed the dcsresearch value, saved it & rebooted. But my next HJT hasn't changed a thing. And those C:/search.htm ones seem to be still there.

Logfile of HijackThis v1.98.0
Scan saved at 11:50:13 AM, on 25/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\LS3\LS3.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DU METER\DUMETER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\SEARCH.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\SEARCH.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = file://c:\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = file://C:\SEARCH.HTM
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [LanSafe III] C:\LS3\LS3.EXE /NoPop
O4 - HKLM\..\RunServices: [IECleanAux] IEBOOT6.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\ESET\NOD32KRN.EXE
O4 - Startup: BACKUP.PIF = C:\WRPALL3\BACKUP.BAT
O4 - Global Startup: Power Monitor.lnk = C:\LS3\LS3.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xmpskin: C:\Program Files\Opera\PLUGINS\npfd.dll
O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npfd.dll
O15 - Trusted Zone: www.garageband.com
O15 - Trusted Zone: http://www.urbandoggrooming.com.au
#65, July 24th, 2004, 10:40 PM
FanJ (Posts: n/a)
Re: Were these really Trojans?

Hi Dee,

About this one:
O1 - Hosts: 203.161.127.141 www.dcsresearch.com

Could it be that for example your ZoneAlarm is protecting your HOSTS file?
ZA has such an option.

I have to admit that I'm now a little bit guessing whether this was the culprit

Does your HOSTS file show the right line:
64.91.255.87 www.dcsresearch.com
and is there no other line in it with www.dcsresearch.com ?

See also:
http://www.wilderssecurity.com/showthread.php?t=25715
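The two checks this thread turns on, Tony's list of R0/R1 entries pointing at file://C:\SEARCH.HTM (#59) and FanJ's question whether the HOSTS file has exactly one, correct line for www.dcsresearch.com (#65), as an added Python example that is not part of the thread or of HijackThis/TDS. The log lines and HOSTS file in it are constructed samples, and the block assumes the resolver uses the first matching HOSTS line.

```python
"""Added example (not from the thread or from HijackThis/TDS): flag R0/R1 search
entries that point at a local file:// URL, and check a HOSTS file for the mapping
of one hostname. All sample data below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis 1.98 log format; the http start page is benign.
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = file://C:\\SEARCH.HTM
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = file://c:\\search.htm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com.au/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\ACROIEHELPER.OCX
"""

# Constructed sample HOSTS file: the corrected line was appended, but the stale one remains.
SAMPLE_HOSTS = """\
# HOSTS file (constructed sample)
127.0.0.1        localhost
203.161.127.141  www.dcsresearch.com
64.91.255.87     www.dcsresearch.com   # added by hand
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O1_LINE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")


def flag_search_hijacks(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (type, registry key, value) for R0/R1 lines whose value is a file:// URL.
    A legitimate search or start page is an http(s) URL; a file:// target means a
    local HTML page has been wired in as the search page, as in this thread."""
    hits = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m and m.group(3).strip().lower().startswith("file://"):
            hits.append((m.group(1), m.group(2), m.group(3).strip()))
    return hits


def hjt_hosts_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) for every O1 line HijackThis reported."""
    entries = []
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_mappings(hosts_text: str, hostname: str) -> List[str]:
    """Return the IPs mapped to hostname in HOSTS file text, in file order, ignoring comments."""
    ips = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:]):
            ips.append(fields[0])
    return ips


def check_hosts(hosts_text: str, hostname: str, expected_ip: str) -> Dict[str, object]:
    """Report whether hostname maps to expected_ip and to nothing else. Assumption:
    the resolver takes the first matching line, so a stale line above the corrected
    one keeps winning even though the new line was saved."""
    ips = hosts_mappings(hosts_text, hostname)
    return {"mappings": ips, "effective_ip": ips[0] if ips else None,
            "ok": ips == [expected_ip]}


if __name__ == "__main__":
    for kind, key, value in flag_search_hijacks(SAMPLE_HJT_LOG):
        print(f"FIX  {kind} {key} -> {value}")
    for ip, host in hjt_hosts_entries(SAMPLE_HJT_LOG):
        print(f"O1   {host} -> {ip}")
    print(check_hosts(SAMPLE_HOSTS, "www.dcsresearch.com", "64.91.255.87"))
```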
#66, July 24th, 2004, 11:10 PM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

AFAIK, ZAPro [v.4.5] isn't protecting the hosts file, but the new value just won't stick. Have tried it in TDS3, & in the hosts file itself, saving each time & rebooting. And no, I only found that one entry for dcsresearch. I guess I'll have to live with it. Those C:/SEARCH.HTM ones are concerning me more.
#67, July 25th, 2004, 01:59 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

A Google for search.htm gives only over 1 million hits, so I wonder where you'd get with a search.
You seem to have a file search.htm on your C:\ drive, maybe hidden.
Find it with the Windows search/find; make sure all files are showing in folder options.

For the fixing:
did you close all programs including any resident protection,
except HiJackThis
run a new HJT scan and
checkmark the wanted fixes,
press fix and
reboot?

Do you have any kind of protection on, registry protection, a backup protection, anything like that blocking all the changes?
SpybotS&D maybe with some of the extra protective options?
Did you uncheck ZoneAlarm HOSTS file protection?
DOSStop? (? exact name?)
Remember ZA keeps the old settings till after the reboot in most cases.
Cleansed caches, cookies, history, hidden files and extensions on in folder options?

Via Windows Explorer > Windows find the HOSTS file, save it with another name (.bak) for instance so you have a copy. Make the necessary change in it. Delete the original HOSTS file. Rename the .bak version back to HOSTS

Just the same way you created the HJT log, with ASViewer you can save the log as well. No need for screenshot, you can just save it as text.
__________________
Jooske
"o_o"
#68, July 25th, 2004, 02:57 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

Another approach:
you have a very good backup system installed, you say; is that a whole complete image or just a series of files?

Why don't you put back your most probable last clean backup from just before the infection and all should be well at once?
__________________
Jooske
"o_o"
#69, July 25th, 2004, 05:17 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

Sorry I'm so thick, can't find Hosts protection in ZAPro, I haven't enabled any privacy or cookie controls in ZAP [v.4.5] either.
But I've got the hosts file right after doing it the latest way you suggested.

I do have an image of the O/S only, on a separate partition, but it's 6 weeks old, my bad, & I don't want to restore it. I'll do another one tomorrow but that's no help & I feel slack now.

Don't have Spybot S&D, none of the others happening either, IEClean cleared caches, temp. files etc. Just thought I'd let you know I'm really trying! I'll do the HJT dance again & fix those search.htm's - & post another log, & if it's not right this time, I'll either neck myself or get drunk!
#70, July 25th, 2004, 05:24 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

Before going out dancing drunk can we have your AutoStartViewer log please?
__________________
Jooske
"o_o"
#71, July 25th, 2004, 05:34 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

I couldn't find how to save an ASV log last time, but I'll have another try now. But first, here's the new HJT log, & now I'll give ASV another go.

Logfile of HijackThis v1.98.0
Scan saved at 7:28:34 PM, on 25/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\LS3\LS3.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DU METER\DUMETER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.EXE
O4 - HKLM\..\RunServices: [LanSafe III] C:\LS3\LS3.EXE /NoPop
O4 - HKLM\..\RunServices: [IECleanAux] IEBOOT6.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\ESET\NOD32KRN.EXE
O4 - Startup: BACKUP.PIF = C:\WRPALL3\BACKUP.BAT
O4 - Global Startup: Power Monitor.lnk = C:\LS3\LS3.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xmpskin: C:\Program Files\Opera\PLUGINS\npfd.dll
O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npfd.dll
O15 - Trusted Zone: www.garageband.com
O15 - Trusted Zone: http://www.urbandoggrooming.com.au
#72, July 25th, 2004, 05:41 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

None so blind as those who will not see, & here's the ASV log.
My dancing days are over, HJT & ASV danced for me, & I really don't want a hangover. So how's it look?

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for XXXX @ XXXX 07-25-2004
c:\autoexec.bat
PATH C:\PROGRA~1\WIN98RK
C:\WINDOWS\dosstart.bat
c:\windows\command\mscdex.exe /d:mscd000
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKCR\htafile\shell\open\command\
C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
C:\WINDOWS\system\SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
C:\WINDOWS\scanregw.exe /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StillImageMonitor
C:\WINDOWS\SYSTEM\STIMON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DU Meter
C:\PROGRAM FILES\DU METER\DUMETER.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LanSafe III
C:\LS3\LS3.EXE /NoPop
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IECleanAux
C:\WINDOWS\IEBOOT6.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\TrueVector
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NOD32kernel
C:\Program Files\ESET\NOD32KRN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\SYSTEM\WEBCHECK.DLL
C:\WINDOWS\Tasks\Tune-up Application Start.job
walign
C:\WINDOWS\Start Menu\Programs\StartUp\
C:\WINDOWS\Start Menu\Programs\StartUp\BACKUP.PIF
C:\WINDOWS\All Users\Start Menu\Programs\StartUp\Power Monitor.lnk
C:\LS3\LS3.EXE
C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm Pro.lnk
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system\imon.dll
C:\WINDOWS\SYSTEM\mswsosp.dll
C:\WINDOWS\SYSTEM\msafd.dll
C:\WINDOWS\SYSTEM\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
C:\WINDOWS\system\vnetsup.vxd
HKLM\System\CurrentControlSet\Services\VxD\NDIS\
ndis.vxd,ndis2sup.vxd
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\VxD\VRTWD\
C:\WINDOWS\SYSTEM\vrtwd.386
HKLM\System\CurrentControlSet\Services\VxD\VFIXD\
C:\WINDOWS\SYSTEM\vfixd.vxd
HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
C:\WINDOWS\system\vnetbios.vxd
HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
C:\WINDOWS\system\vredir.vxd
HKLM\System\CurrentControlSet\Services\VxD\DFS\
C:\WINDOWS\system\dfs.vxd
HKLM\System\CurrentControlSet\Services\VxD\VSDATA95\
C:\WINDOWS\system\vsdata95.vxd
HKLM\System\CurrentControlSet\Services\VxD\VGARTD\
C:\WINDOWS\system\vgartd.vxd
HKLM\System\CurrentControlSet\Services\VxD\NDISWAN\
C:\WINDOWS\system\ndiswan.vxd
HKLM\System\CurrentControlSet\Services\VxD\AMON\
C:\PROGRA~1\ESET\AMON.VXD


Edit - I found C:/SEARCH.HTM & it's now in the Recycle Bin.

Last edited by dee : July 25th, 2004 at 07:15 AM.
#73, July 26th, 2004, 04:19 AM
Jooske (Incredibly Massive Poster, joined Feb 2002, Netherlands, EU near the sea, 9,713 posts)
Re: Were these really Trojans?

And after that search.html deletion and reboot this is the clean result, no more HOSTS file changes and other unwanted things? As these files look OK to me, maybe experts see anything else.
Scans don't show anything anymore, no strange happenings on your system?
The Housecall online scan, any other? Later today a TDS updated full system scan once more?
__________________
Jooske
"o_o"
#74, July 26th, 2004, 05:44 AM
dee (Regular Poster, joined Jul 2003, 72 posts)
Re: Were these really Trojans?

TDS3 gave me 2 radius updates this arvo! I've scanned my whole machine with NOD32, TDS3 [still shows false positive even after today's updates but we know now] also AdAware.

Then all those who advised the Trend Housecall Scan, I trust your ears were burning, cos I cussed you all mightily! I had to use IE of course, with ActiveX on prompt. Got the whole machine scanned there, & it too found nothing.

Now I'm ready to make another image, 2 actually: O/S, then Programs that are kept on the D partition. So if these 2 logs of mine look OK now, I'll be doing the imaging dance next.
 
