Registry filth

There is nothing wrong with that entry. It was more than likely added by Spybot or SpywareBlaster for your protection. There are a thousand or more of them in the Domains key. That is, assuming it is in the Restricted Zone and not the Trusted Zones.

 

As I said before, most of them are there due to programs like Spybot and they are in the Restricted Zones. However if it is detected because it is in the Trusted Zone, that is a different story. You can easily look in your Interne Explorer Security settings and see what is in the Trusted and Restricted Zones. You can also view them from the registry. If the data value is a 4, they are in the Restricted Zone. If the data value is a 2, it is in the Trusted Zone.

Perhaps you should work thru our standard cleaning procedures below so we can make sure you have no malware problems.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

 

Why did the BitDefender scan surprise you?

You have to complete the rest of the READ ME.

Attach the PandaActiveScan log too. And then follow the procedure in step 7 exactly to makes sure HijackThis is installed properly and attach a log from it too.

 

I'm not sure what other tools your are referring to. Name them all.

No I would not run BitDefender and PandaScan multiple times per week. It takes way too long. You may just need better protection and maybe you should read this:

How to Protect yourself from malware!

Why do you have all of the hosts backup files?

 

Yes delete the backup hosts files. You should only have the actual hosts file and it should only have one line (besides the starting comment lines) and that line should be 127.0.0.1

All of the tools you are using are fine but a paid version of Spy Sweeper would be much better than free MS Antispyware (beta).

You HJT log shows no malware but the below can be fixed:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Error


Did you delete any of the files found by Panda? If no, delete the below:
C:\WINDOWS\optimize.exe C:\WINDOWS\pcconfig.dat
C:\WINDOWS\system32\WrapperOuter.exe

 

Actually there were three files to delete. I did not put it one carriage return:
C:\WINDOWS\optimize.exe
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\system32\WrapperOuter.exe

Just use Windows Explorer and go to the folder and delete them. See the PandaActiveScan log for the file names and path to where they are at.

Run a new Panda scan and attach the log after doing the above.

Also for your initial problem with:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adservs.com

What is the data value in this registry key?

 

Don't worry about System Restore until we are done fixing all problems. For now we want it enabled.

If the data value is 4, ignore what MS AS was telling you because as I stated earlier, it is not an issue. The Domain is in the Restricted Zone which is what you want.

 

You're welcome.

I'm not sure what you mean about video1?? Who is telling you there is a video1 folder? And where did it say it was?

 

Startups are easy to find. They are under Application Agents. You just need to select the Manage Allowed/Blocked link. Their output is not very good though since MS AS was not designed to allow the next window to be large enough to view all of the text on it properly and it is not resizeable. But what does this have to do with a video1 folder?

 

But what are you asking me? If you do not want it blocked, then un-block it.

This application does not need to load at startup anyway. So I'm not sure what your problem is. The actual Startup is frequently completely removed from the registry using HJT or manual editing of the registry. Quicktime works fine without loading this at startup. It should only be run when you need quicktime and then it should be killed afterwards.

We are no longer in the realm of Malware. So at this point, if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

That's old info! Clear the list!

 

That's why they are blocked. Don't you recognize the first one from your very first message.

 

No! They are being blocked which is what you want to happen. Removing them would allow the bad sites to be accessed.

I think you should uninstall MS Antispyware, reboot, and then attach a new HJT log for me.

Then I think you should reinstall MS Antispyware, update it and do a full scan. Basically start over again so you clear all the history crap out of MS AS. Now you can start deciding what to allow and not to allow from a clean starting point.

Do you have SpywareBlaster installed and updated with all protections enabled? It is in the How to protect thread I gave you?

Do you have Spybot installed and updated and did you use the Immunize feature?

 

Okay your HJT log looks OK! Notice that now QuickTime (qttask.exe) is loading at startup. This process is not necessary and quicktime can just be run when needed but this can sometimes be a personal preference. Most people just disable this from loading at startup (which is what I always do). Two ways to do this are:

1) to have HJT fix the O4 line which will stop it from loading

2) or use msconfig to disable the startup

I don't like option 2, since I do not like the idea of using msconfig and having it in selective startup mode.

 

You're welcome! Make sure you complete all the steps in the How to protect thread l gave you in message # 21.