Hi, last night I tried to scan with spybot. The first time, i left the computer for a bit, and when I returned I found a "windows has closed this program to protect your computer" DEP dialogue box. I saw that it had detected, among other things, CWS, Sgrunt, Media motor, smitfraud c, and guardian monitor. I put spybot in the DEP ignore list, and ran another scan. Again, I left the pc, and came back a bit later to find that spybot had disappeared. No process in task manager. I scanned once more, and watched spybot scan (quite boring), saw the list of detections rise, and then spybot vanished again! No "spybot has encountered an error and needs to close" error box, nothing. Getting a little worried, I then scanned with SAS, which didn't even find a cookie, then with AVG AS, which also found nothing. By this time I had read on spybots forums that there was a false positive with guardian monitor, but found no mention of the others as being FP's. I then ran ad-aware, which found 46 "possible browser hijack attempts". the comment for each detection was "trusted zone presumably compromised". I looked at the sites listed in IE's trusted zone, and found nothing there. I ran HJT, which found 2 entries that I think may be suspect, they weren't there last time I ran it. F3- REG:win.ini:LOAD= F3- REG:win.ini:RUN= The other day when I updated spyware blaster, I noticed that "protection for restricted sites" had somehow become disabled, when I checked it today it was alright though. So, basically I've got spybot and ad-aware saying one thing, (and I know that one of spybots is an fp), and SAS and AVG AS saying another, with HJT adding more confusion to the mix. Is it possible to hide part of an entry from HJT? I mean, is it possible for HJT to detect the part that says "run", but not the part that says "this program.exe"? There are no strange processes in process explorer, no strange alerts from comodo FW, and IE most definitely has not been hijacked. The only "strange" behaviour at all is spybot disappearing before it can finish scanning. If it weren't for the fact that spybot crashes before it can complete a scan (Which it has NEVER done before), and that ad-aware also finds 46(!) "possible browser hijack attempts. I'd just go with what SAS and AVG AS are saying. But now I'm not at all sure. So, who should I believe? What else can I try to determine whether I've got an infection or not? Thanks, argus.