Accidentally connected while ZL suite was off, picked something up: turned ZL back on- warnings from Zl and win. Zl- "Services and Controller is trying to open/unload/alter driver"- "driver" was "klm1"-never appeared before. When refused, win alert-"the ordinal 110 could not be located in the dynamic link library SSLEAY32.dll" when I initially ran a full scan (post exposure)-scan discontinued before completion. However, accidentally clicked "ALLOW" on ZL "Allow or deny driver to unload!!!! HJT found three ADS- two are "invisible" (don't appear in supposed folder)-AND the files ARE PARSING MY POSTS!!!... In other words, I tried to report above to another help site,but instead of the name of the folder appearing as I typed it...IT DROPPED THE FIRST LETTER, REPLACING IT WITH A GREEN SMILEY FACE! (posted twice, to make sure it wasn't typo). was told not to delete ADS until I determined funtion..but why on earth would anything necessary prevent reporting it by name?!?!? here are the ADS: C:\Documents and Settings\All Users\Application Data\TEMP...then the file "D"...is the first letter..followed by "FC5A2B2"...(118 bytes) This appears twice on the HJT ADS scan, as well as... C:\Documents and Settings\HP_Adminstrator\Favorites\Ancestry.com-SSmithe.url:favicon (9062 bytes) What is the TEMP file? Is there any reason I shouldn't assume it's malicious? Should I expect HJT to remove the threat completely (by using the "Remove Selected" function? What should be done about the unloaded "klm1" driver? Is it related to the ADS? THANKS!!