Tech Support Forum - Resolved HJT Threads: Resolved spyware and popup issues.

#1
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
Would appreciate a look at these logs.
The logs listed below are from HJT and MWAV. I see some problems but am not sure of the correct fix. Thank you in advance.
Logfile of HijackThis v1.99.1
Scan saved at 10:17:31 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
c:\program files\ema\frat\listener.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
F:\Virus and spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = INETPROXY:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-6.0.0...-ob-assets.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112916750383
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84005912-8217-46F9-8E98-E2FB10F8C546}: Domain = phila.gov
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: FRAT Listener - Eagan, McAllister Associates, Incorporated - c:\program files\ema\frat\listener.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

_________________________________________________________________

MWAV:
Sat Jun 11 08:36:19 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Sat Jun 11 08:36:22 2005 => System found infected with BearShare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => Object "BearShare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => System found infected with BearShare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => Object "BearShare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => System found infected with BearShare Spyware/Adware ({5f95e1af-2620-4f15-bdf9-7fdce4607e17})! Action taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => Object "BearShare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:22 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Sat Jun 11 08:36:22 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:23 2005 => Offending value found in HKCU\appevents\schemes\apps\bearshare !!!
Sat Jun 11 08:36:23 2005 => Offending value found in HKLM\Software\magnet\handlers\bearshare !!!
Sat Jun 11 08:36:23 2005 => Offending value found in HKLM\Software\bearshare !!!
Sat Jun 11 08:36:23 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:23 2005 => Offending value found in HKCU\appevents\eventlabels\bearsharechatnotifymsg !!!
Sat Jun 11 08:36:23 2005 => Object "bearsharechatnotifymsg Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:32 2005 => System found infected with CWS.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
Sat Jun 11 08:36:32 2005 => Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:33 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.
Sat Jun 11 08:36:33 2005 => Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Jun 11 08:36:33 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Sat Jun 11 08:36:41 2005 => Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Sat Jun 11 08:36:44 2005 => Entry "HKCR\Automap.Map.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Sat Jun 11 08:36:44 2005 => Entry "HKCR\Automap.Template.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
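A small triage script for HijackThis-style logs like the one in this post, added here as an example and not code from the thread or from HijackThis itself: it parses the section-prefixed entries and flags the ones a log reviewer checks first (a proxy in Internet Settings, Trusted Zone additions, DPF downloads, nameless BHOs, and services whose file is missing or whose owner is unknown). The sample excerpt is copied from the log above.

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from the original thread or from HijackThis.
It parses the section-prefixed lines HijackThis writes (R0/R1, O2, O4,
O15, O16, O23, ...) and flags the items a log reviewer checks first:
a proxy set in Internet Settings, hosts added to the IE Trusted Zone,
ActiveX controls downloaded from the web (DPF), nameless BHOs, and
services whose binary is missing or carries no publisher information.
"""
import re
from dataclasses import dataclass

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    text: str


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def review(log_text):
    """Return the entries worth a closer look, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = None
        if section == "R1" and "ProxyServer" in body:
            reason = "proxy configured in Internet Settings"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reason = "BHO registered without a display name"
        elif section == "O15" and body.startswith("Trusted Zone:"):
            reason = "host added to the IE Trusted Zone"
        elif section == "O16":
            reason = "ActiveX control downloaded from the web (DPF)"
        elif section == "O23" and "(file missing)" in body:
            reason = "service points at a file that no longer exists"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service binary carries no publisher information"
        if reason:
            findings.append(Finding(section, reason, body))
    return findings


# Sample excerpt: these lines are copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = INETPROXY:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.text}")
```

A flagged entry is a prompt to verify the file and its publisher, not a verdict: the Spybot SDHelper BHO and the ATI poller in the excerpt are legitimate despite being flagged.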

#2
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
Problem with the format of my request
I was just wondering if there was some problem with the format of my request. I noticed that this thread had been here much longer and unanswered than all others in the same timeframe. Please advise and I will change the request accordingly.

#3
Admin Emeritus (Retired)
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,954
OS: Vista Home Premium, SP 27
Apologies...sometimes it is a melee here.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click the Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on the 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Then, please post back a new MWAV log.

#4
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
New MWAV log
I did as instructed but still have the same listings coming up.
MWAV log:
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearsharechatnotifymsg Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\Automap.Map.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automap.Template.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.

#5
Analyst, Security Team
Download CCleaner and install it. Run it and go to the Issues tab. Run a scan and delete the invalid objects it finds.

Go to your Add/Remove panel and uninstall these if they are listed:
BearShare
WhenU Save
iSearch

Delete these files if found:
c:\windows\editpad.exe
c:\windows\quicken.exe

Run CWShredder again. Any problems now? If not:

Your log is clean. Turn off System Restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore. Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
Last edited by greyknight17; 06-13-2005 at 06:39 AM.

#6
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
Hello:
Thank you for your response. I have done the steps described above; however, I still have the same things listed in the MWAV log. Editpad.exe and quicken.exe were not there. CWShredder did not pick anything up and CCleaner did not find any issues. I have been told that the entries are left over from spyware and trojans that no longer exist; is this correct? I have sent you my MWAV log once again and my HJT log is unchanged. Can I leave these entries or should I try to get rid of them? Again, thank you for all your help.

Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearsharechatnotifymsg Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\Automap.Map.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automap.Template.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.

#7
Analyst, Security Team
Yes, they are usually just some remnants left over, but we'll remove it now.

OK, for the entries below in bold (registry part), make sure there are no spaces for each line. Sometimes the forum here will spit up words like CurrentVersion into something like Curr entVersion -- so make sure they have no spaces.

OK, it did it again. Actually for quite a lot of lines there. I just edited it out now. Download the attachment (see below) instead. Rename the .txt extension to a .reg file instead. Double click on it and say yes.

If you can find these files, delete them:
waol.exe
patch.exe
Last edited by greyknight17; 06-13-2005 at 10:29 AM.

#8
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
One question before I do these procedures, as I'm not really comfortable with this process. Kind of a scaredy cat. lol. After I back up the registry, can I go in and manually delete these entries? Also, where would the waol.exe and patch.exe files reside? In C:\Windows?

#9
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
OK, got some nerve. lol. I followed your instructions, and when I opened the file and clicked OK I got the error message that reads:

Cannot import C:\Documen~1\FWP-TEK\Desktop\delete.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

#10
Analyst, Security Team
Arrggg. Forgot to edit those out in the file, which is why it didn't work.

OK, for the delete.reg file, right click on it and choose Edit. Then delete [ b ] at the top and the [ / b ] at the end. I just put some extra spacing here since they will be recognized as BB code if I don't. The one in the delete.reg file won't have spaces. Just delete those two tags in the beginning and end of the file and save the file. Now run it.

For those two EXE files, do a search for them since I'm not sure where they could be (maybe windows or system32 folder).

No need to delete this manually unless you are comfortable editing the registry. The delete.reg file should be able to remove them for you faster.
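The "not a registry script" error in the exchange above is what regedit reports when the first line of the file is not the .reg header. The script below is an added example, not code from the thread: it checks the header, strips BB-code tag lines such as [b] and [/b], and lists which keys and values the script would delete so the file can be reviewed before it is imported. The delete.reg content is constructed from registry keys named in the MWAV log; the value name BearShare is made up for the example.

```python
"""Pre-flight check for a .reg script before it is imported with regedit.

Added example, not code from the original thread. Regedit only imports a
text .reg file whose first non-blank line is the header
"Windows Registry Editor Version 5.00" (or "REGEDIT4" for the old format).
A stray line before it, such as a forum [b] tag copied into the file,
yields the "The specified file is not a registry script" error seen in
the thread. check_reg_script() reports that and also lists the keys
([-KEY]) and values ("name"=-) the script would delete.
"""
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
BBCODE_RE = re.compile(r"^\s*\[/?(b|i|u|code|quote)\]\s*$", re.IGNORECASE)
DELETE_KEY_RE = re.compile(r"^\[-(?P<key>HKEY_[A-Z_]+\\.+)\]$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[A-Z_]+\\.+)\]$")
DELETE_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')


def strip_bbcode(text):
    """Drop lines that consist only of a BB-code tag such as [b] or [/b]."""
    return "\n".join(l for l in text.splitlines() if not BBCODE_RE.match(l))


def check_reg_script(text):
    """Validate the header and summarise the deletions the script performs.

    Works on decoded text; a file exported by regedit is UTF-16 with a BOM,
    so read it with that encoding before calling this.
    """
    lines = [l.strip() for l in text.splitlines()]
    first = next((l for l in lines if l), "")
    deleted_keys, deleted_values = [], []
    current_key = None
    for line in lines:
        m = DELETE_KEY_RE.match(line)
        if m:
            deleted_keys.append(m.group("key"))
            current_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = DELETE_VALUE_RE.match(line)
        if m and current_key:
            deleted_values.append((current_key, m.group("name")))
    return {
        "valid": first in HEADERS,
        "first_line": first,
        "deleted_keys": deleted_keys,
        "deleted_values": deleted_values,
    }


# Constructed sample: what delete.reg looked like after the forum's [b] tags
# were copied into it. Keys are from the MWAV log; "BearShare" is made up.
AS_POSTED = r"""[b]
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\bearshare]
[-HKEY_LOCAL_MACHINE\Software\magnet\handlers\bearshare]

[HKEY_LOCAL_MACHINE\Software\Microsoft\downloadmanager]
"BearShare"=-
[/b]
"""

if __name__ == "__main__":
    print(check_reg_script(AS_POSTED))                # valid: False
    print(check_reg_script(strip_bbcode(AS_POSTED)))  # valid: True
```

Exporting the affected keys with regedit first, as the thread advises, gives a file that can be re-imported to undo the deletions.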

#11
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Automap.Map.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automap.Template.NA.9" refers to invalid object "{A49EEA00-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.

This is a new log. I still see the CWS entry, and the two others refer to something with Microsoft Streets and Trips, I believe. Thanks

#12
Analyst, Security Team
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete these if found:
quicken
editpad

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Yes, the other two entries are for Microsoft Streets. If you want, try reinstalling it.

Any problems now? If not, make sure you get those prevention tools (link given to you earlier).

#13
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
I went to the above registry locations and didn't find quicken or editpad. My MWAV log remains the same as above. I will try to find the CWS object and eventually delete it.
I want to thank you for all your help. You guys and gals are fantastic. Just goes to show ya, there are good folks out there. Best Regards.

#14
Analyst, Security Team
Glad we could help.

So you tried running CWShredder in both Safe Mode and Normal Mode and it still won't remove that entry in MWAV, right? I don't think it's a major issue anymore. If you want, you can do a search for therealsearch and see if anything comes up.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, go to Edit->Find and do a search for therealsearch and see if you can find anything on it. Hit F3 to do a Find Next if you find something. See if any traces of it are found.

#15
Registered User
Join Date: Jun 2005
Location: Philadelphia Pa
Posts: 68
OS: xp home
I did find an entry under HKCU\software\microsoft\windows\curver\internet settings\zonemap\domains. There were also tons of other .com sites listed. What is this key for, and do I have some problem? Also, under HKCU\software\microsoft\windows\curver there is a folder for P3P\history which also has a ton of bad sites listed. Is this key legit?

#17
Analyst, Security Team
Those two locations in the registry are most likely safe to keep. Spybot might have added those sites to the restricted list - so if you visit a bad site listed there in the registry, Internet Explorer will block access to it so you are safe.
OK, all signs say you are clear. I'm thinking that it's a false positive that was detected.