Worm In My Bios?


  • This topic is locked
47 replies to this topic

#1 MotherMary

MotherMary

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 02 February 2007 - 02:21 PM

It's really my husband's computer, and it's new as of 7/06. On 12/30/06, I noticed that Jerry's Wireless Network Connection was named "WetPussy4Sale."

First I tried to do a System Restore, and the computer refused -- and there were no little blue lines before about 12/26 anyway.

McAfee, which came bundled with the computer, said everything was fine. Norton Internet Security says everything is fine. AdAware says everything is fine. Spybot says everything is fine. Housecall, Panda, Bit Defender, and McAfee AVERT Stinger say everything is fine. With no programs running, I used Task Manager to identify what processes were running. www.sysinfo.org said that two of them were viruses, and I used Safe Mode to delete them and then flush the recycle bin. Then, still in Safe Mode, I used regedit to change "WetPussy4Sale" to "Mary Loves Jerry." (Detailed version of what I did available at forums/topic79876.html.)

As I write, I am still connected by "WetPussy4Sale."

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:04 PM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/regwizard/RegWiz...ude@hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

I am TERRIFIED that the worm has gotten into Jerry's BIOS -- if I understand correctly (probably not), even if I reformatted this computer and reinstalled all the software, it would STILL be served by "WetPussy4Sale." Please help!

Mary


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 04 February 2007 - 04:32 PM

First things first - have you spoken to your husband about the name change? He may have changed it himself, or a "friend" may have made the change.

If you right click the icon in the System Tray and select Open Network Connections, you can right click the icon and select Rename, rather than edit the registry.
One reason that your attempt may have failed is because you are using Spybot's TeaTimer function which protects the registry, and it may not be allowing the rename to take place. To disable this, do the following before trying to rename the connection -

Open Spybot S&D.
Click on Mode > Advanced Mode and click on Yes in the 'Warning' window.
In the left-hand pane, click on Tools > Resident
Uncheck the box to the left of Resident "Tea Timer" (Protection of over-all system settings) active
Close Spybot S&D.
Re-boot your PC.

As to the two files you deleted, they may not be malicious - there are M$ system files that have these names, and it is the location that is important - I have both of them on my PC. If your anti-virus is up-to-date, I wouldn't expect it to miss malware this old.

Give the following a go and see what happens -

Go to Start > Run, enter sfc /scannow ( note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found. There are backups of some of these files on your PC and Windows will check for a copy here first. If you are prompted to insert your Windows XP disc, do so. If you don't have this disc and are asked for it, you will have to cancel at this point.

For details on the System File Checker, click here.

Let me know how you get on.

So long, and thanks for all the fish.
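The location check described in the reply above, as an added example that is not part of the original thread: it reads the "Running processes" section of a HijackThis log and reports any core Windows process name that is running from outside its normal folder. The expected-folder table and the two mislocated entries in the sample log are assumptions constructed for illustration.

```python
import ntpath

# Assumed normal folders (relative to the Windows directory) for core
# Windows XP process names; "" means the Windows directory itself.
EXPECTED_SUBDIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "rundll32.exe": "system32",
    "ctfmon.exe": "system32",
    "explorer.exe": "",
}

# Constructed sample log. The first six process lines follow the shape of
# the log in this thread; the last two are made-up mislocated entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\lsass.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            if paths:          # blank line after the list ends the section
                break
            continue           # blank line directly after the header
        paths.append(line)
    return paths


def misplaced_system_processes(paths, windir=r"C:\WINDOWS"):
    """Return (name, path, expected_dir) for system names in the wrong folder.

    Paths are compared case-insensitively, because the same folder shows up
    as both 'System32' and 'system32' in real logs.
    """
    findings = []
    for path in paths:
        directory, name = ntpath.split(path)
        subdir = EXPECTED_SUBDIR.get(name.lower())
        if subdir is None:
            continue           # not a name this table knows about
        expected = ntpath.normcase(ntpath.normpath(ntpath.join(windir, subdir)))
        if ntpath.normcase(ntpath.normpath(directory)) != expected:
            findings.append((name.lower(), path, expected))
    return findings


if __name__ == "__main__":
    for name, path, expected in misplaced_system_processes(
            running_processes(SAMPLE_LOG)):
        print(f"{name}: running from {path}, expected under {expected}")
```

A hit only says the file name and folder do not match; the file still needs to be identified (vendor, version, signature) before anything is deleted.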

 

 


#3 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 05 February 2007 - 07:53 AM

Thank you for getting back to me so fast! No, my husband is not that sort of guy, and no one has touched his computer but him and me. In fact, Jerry is convinced that the worm has the power to turn the computer on and use it in absolute silence, without even the cooling fan, and so until WP4S is gone, he insists that the little chewing-gum-stick thingy be unplugged unless the computer HAS to go online, like to download AdAware and Spybot.

When I turned on Jerry's computer last evening, the little icon in the system tray told me I was on "Wireless Network Connection (WetPussy4Sale)".

I turned off TeaTime. Then I ran sfc /scannow. After about 20-25 minutes, the screen advising me to wait disappeared, which I hope means no files were found that were corrupted. But I imagine it means the worm fooled even sfc.

As you suggested, I first clicked on "Open Network Connections." I changed the name. When I hovered over the little icon in the system tray, it now said "Jerry's Wireless Network Connection (WetPussy4Sale)".

I went into regedit and changed every instance I could find of WP4S to "MaryLovesJerry." After I closed regedit, when I hovered over the icon, it now said "Jerry's Wireless Network Connection (MaryLovesJerry)".

I turned TeaTime back on, on the theory that it would now refuse to allow changes to the correct registry. I rebooted Jerry's computer. After the reboot, the little icon in the system tray told me I was on "Wireless Network Connection (WetPussy4Sale)".

Whimper....
Mary

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 07 February 2007 - 04:47 PM

Sorry for the delay in replying - slight email notification overlooking issue! :thumbsup:

It could still be a TeaTimer issue as it can sometimes refuse to let go, even when disabled. Try the following and if this doesn't work, we'll dig further -

1) Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

@echo off

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:win
deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:winme
del /y %WINDIR%\alluse~1\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\logs\resident.log
exit

:last
echo Press any key to terminate,..
pause
exit


2) Save it to your Desktop with the following filename, including quotation marks: "reset.bat"

3) Disable TeaTimer, as before, and reboot the PC.

4) Locate and double click reset.bat to run it and then delete it.

Try to change the wireless name again and let me know how you get on.

> Jerry is convinced that the worm has the power to turn the computer on and use it in absolute silence, without even the cooling fan

Without the fan, the PC will overheat and crash quite quickly, so I wouldn't expect it to be so.

So long, and thanks for all the fish.

 

 


#5 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 08 February 2007 - 03:02 PM

Gosh, it's been so long since I've seen a batch file, much less run one!

I followed your instructions. When I ran reset.bat, the screen flickered momentarily rather than pausing and waiting for me to read the message and hit any key to continue. When I ran it a second time, I saw a small, empty black window (ca. 3"h. x 1"v.) for about half a second or so.

And then, this is interesting -- the first time I changed regedit, there were three or four instances of WP4S. This time it was only in one place, HKEY_LOCAL_MACHINE\SOFTWARE\RtlWake\LinkedSSID. And regedit refused to accept the edit! I would change "WetPussy4Sale" to "MaryLovesJerry," hit okay, then double-click on LinkedSSID and there WP4S would be again! I infer that in my past adventures with regedit, I never actually made the changes I thought I was making -- at least, not after the first time, when I did a Ctrl-F for MLJ and found it. (TeaTime is off until you tell me to turn it on again.)

I found a page at file.net that says that RtlWake.exe is supposed to be the registry in HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Explorer\User. But the page did NOT say where the actual file is supposed to live or what it does. Interestingly, the regedit *I* am looking at doesn't even offer a subdirectory for Windows! -- it goes WholeSecurity, Windows 3.1 Migration Status (!), Wise Solutions.

I did a search, and found RtlWake.exe in Windows\Prefetch\RTLWAKE.EXE-05D72AED.pf, where it is a 38KB pf file, AND in Program Files\NETGEAR\WG111v2 Configuration Utility (738KB). The pf file was created when I rebooted. The page at file.net said the legitimate RtlWakes were all about 738KB.

I deleted RTLWAKE.EXE-05D72AED.pf and emptied the recycle bin. Then I rebooted the computer and again tried to change LinkedSSID -- and once again, regedit refused to accept any changes. Then I searched for RtlWake, and found it ONLY in NETGEAR. I used Explorer to go look at NETGEAR, and found everything looking completely innocent. (Not that I knew what I was looking at.)

I *IMAGINE* that RtlWake is my culprit, but obviously deleting it in Windows Prefetch did nothing. I checked Windows Prefetch with Explorer, and there were several .pf files that had been created after the reboot, for example for Firefox. I did NOT recognize LUCALLBACKPROXY. There was a new SVCHOST.EXE-bunchofletters.pf, and I seem to recall reading about two weeks ago that SVCHOST.EXE is another favorite disguise for malware. But also a necessary and legitimate file, and I'm semi-sure I deleted the virus "svchost.exe" (as opposed to the necessary & legitimate one) about a month ago.

So -- what do I do now, O Wise One?

Mary

#6 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 08 February 2007 - 03:09 PM

P.S. I found a free program called Registry Booster that looked legit, so I downloaded it. It says I have 41 errors in Jerry's registry, most of them missing links -- and it will only fix 15 of them for free. Is it worth it?

Mary

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 08 February 2007 - 03:53 PM

> When I ran reset.bat, the screen flickered momentarily rather than pausing and waiting for me to read the message and hit any key to continue. When I ran it a second time, I saw a small, empty black window (ca. 3"h. x 1"v.) for about half a second or so.

What made you think you would have the option to read anything? The DOS Pixie will only visit this particular portion of the batch file if the OS is an "Unsupported Version"

echo Unsupported Version
goto last

:last
echo Press any key to terminate,..
pause
exit


Prefetch is a method that Windows uses to increase the access time for the utilities that you use most often. These utilities are "part loaded" so that when you require them, it takes less time to get them up and running. Each utility that you use gets an entry in the Prefetch folder and these entries are pruned regularly to keep things as efficient as possible.
Deleting an entry from here simply increases the access time for the associated file to start, so it isn't going to have any effect on your problem at all.

> I *IMAGINE* that RtlWake is my culprit

Why? You should be able to identify where the file came from by checking the various Tabs - it should belong to NetGear. If it does, and I expect it to, then it's legitimate and gets to live there in peace and quiet.

> I did NOT recognize LUCALLBACKPROXY.

This is Norton calling home - presumably for updates.

It's possible that you don't have the correct access to edit the registry entry and all you need to do is to correct this.
  • Go to Start > Run, enter regedit and then click OK.
  • Navigate to the key that you are trying to change, right click it and select Properties...
  • Then from the Toolbar menu select Edit > Permissions...
  • Under "Group or user names:" select your username.
  • Under "Permissions for your username", see if there is a checkmark in the "Allow" box to the right of "Full Control".
  • If there isn't a checkmark there, click the box and then OK.
See if you can now edit the key to your desired value - let me know how you get on.

> I found a free program called Registry Booster that looked legit, so I downloaded it. It says I have 41 errors in Jerry's registry, most of them missing links -- and it will only fix 15 of them for free. Is it worth it?

It ain't that free then, is it?

Cleaning the registry is a little risky as errors can result in a PC that refuses to boot - not very likely, but possible.
If you do want to clean the registry then a handy program, and it's free, is RegSeeker 1.52
I suggest you also use ERUNT to back up the registry before you start to give you a safety net should things go wrong. You can find a tutorial, and download links here.

So long, and thanks for all the fish.

 

 


#8 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 09 February 2007 - 01:00 PM

Until about an hour ago, the only account that existed was the one I created for Jerry, the Owner/Administrator. I tried the permissions route you suggested, but "Everyone" is currently checked off as having Full Control.

I created a new User Account, for myself, with full Administrator privileges. Regedit accepted my edits! I changed the name of the network connection to "Jerry's WNC." I restarted the machine, and discovered I was being served by "Jerry's WNC (WetPussy4Sale)."

I re-ran reset.bat, and ran regedit again. Regedit again refused to accept my changes as Administrator, BUT it DID allow me to delete the entire "LinkedSSID" -- for exactly as long as regedit was open. It was back a second later when I opened regedit again.

I tried changing the name of LinkedSSID. When I reopened regedit a second later, I had BOTH "FrackYouVirus" AND "LinkedSSID."

You guessed it. I'm still on "Jerry's WNC (WetPussy4Sale)."

I will certainly go the RegSeeker 1.52 route once we've gotten this fracking malware out of the machine. Doesn't seem much point at the moment, since all my hard work is going to vanish the moment I close regedit.

Whimper....
Mary

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 09 February 2007 - 03:11 PM

So we'll assume that there is a nasty onboard and go looking for it then.

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of AVG Anti-Spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0. Taken from the Ewido website:

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the avgas-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.

Updating AVG Anti-Spyware:

By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-full-current.exe to update it.

Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG A-S will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Boot into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
2) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

3) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

4) Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click delete...
Under Temporary Internet Files, click Delete files...

5) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.

Close AVG A-S.

6) Boot into Normal Mode.

Post a new HJT log (run in Normal Mode), the AVG A-S log AND a description of how your PC is running.

So long, and thanks for all the fish.

 

 


#10 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:07 PM

Posted 10 February 2007 - 03:31 PM

HJT log, followed by AVG log, followed by (dispirited) commentary:

_____________________________________________________________

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:51:54 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/regwizard/RegWiz...ude@hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

_____________________________________________________________

AVGAS Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:43:03 PM 2/10/2007

+ Scan result:

Nothing found.

::Report end

_____________________________________________________________

While still in Safe Mode, I used regedit to change LinkedSSID. For a minute or so after my first reboot from safe mode into normal mode, my wireless network connection was merely "Jerry's Wireless Network Connection," with nothing following it in parentheses. (!!!!!) Roughly one minute after I checked the first time, it's once again "Jerry's WNC (WP4S)," just as if I hadn't spent more than two hours cleaning out the computer in Safe Mode. (The LAN, which for obvious reasons we've never completed, has *ALWAYS* been "NETGEAR WG111v2 is connected to WetPussy4Sale".)

I see in the HJT log that there are TWO copies of svshost.exe in the Windows\system32 subdirectory. That is the only item that to my naive eyes seems a little odd. Although I have no idea what the "Extra 'Tools'" are. As I mentioned before, this computer is brand-new as of late June / early July 2006, and my husband is FAR less of a nethead than I am (which is why you're hearing from me instead of him). Jerry's idea of dangerous surfing is checking out the anti-Bush articles in the London Times and similar foreign newspapers. ("Democracy is two wolves and a lamb voting on what's for dinner. Liberty is a well-armed lamb contesting the vote." -- Ben Franklin -- I believe that thanks to George W. Bush, the United States is a neofascist dictatorship today -- emphatically neither a democracy nor a system possessed of liberty as defined by Ben Franklin.)

What do I know? Nothing. Every single antivirus program I've tried says that everything is perfectly fine, nothing wrong "ay-TALL" -- except that I'm still on "WetPussy4Sale," no matter what I try to do.

Whimper, sniff, pule, blubber....
Mary
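
An added example (not part of any post in this thread, and not HijackThis's own code): a short Python triage of a HijackThis v1.99.1 log that flags "(file missing)", "Unknown owner" and unresolved-shortcut entries, and counts running-process paths so that repeated svchost.exe lines show up as several instances of one file in system32, while a look-alike name or an svchost.exe outside system32 is flagged. The function names and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the log posted above; the
# C:\WINDOWS\Temp\svch0st.exe line is invented to exercise the look-alike check.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\svch0st.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "O23 - Service: ..."
PROCESS = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)  # bare path = running process
SYSTEM32 = r"c:\windows\system32"

def edit_distance(a, b):
    """Levenshtein distance, used to spot names that imitate svchost.exe."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def triage(log):
    """Return (findings, per-path instance counts) for a HijackThis log."""
    findings, instances = [], Counter()
    for line in filter(None, map(str.strip, log.splitlines())):
        m = ENTRY.match(line)
        if m:
            code, body = m.groups()
            if "(file missing)" in body:
                findings.append((code, "target file missing", body))
            if "Unknown owner" in body:
                findings.append((code, "owner could not be read", body))
            if body.endswith("= ?"):
                findings.append((code, "shortcut target unresolved", body))
        elif PROCESS.match(line):
            folder, _, name = line.lower().rpartition("\\")
            instances[line.lower()] += 1   # same path twice = two instances
            dist = edit_distance(name, "svchost.exe")
            if dist == 1 or (dist == 0 and folder != SYSTEM32):
                findings.append(("PROC", "svchost look-alike or wrong folder", line))
    return findings, instances
```

A flagged entry is a prompt to inspect the file on disk, not a verdict: the three Symantec O23 services in the log above are flagged only because the path HijackThis printed carries a stray quote and arguments.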

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 10 February 2007 - 03:35 PM

Have you considered uninstalling and reinstalling the wireless software?

So long, and thanks for all the fish.

 

 


#12 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • Local time:06:07 PM

Posted 10 February 2007 - 03:56 PM

I've considered everything, including buying a shotgun and blowing Jerry's computer to kingdom come. Is that (uninstall/reinstall) the next tactic you advise?

Mary

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 10 February 2007 - 04:19 PM

I'm running out of options fast. If there isn't any malware onboard, then I suppose it's possible that one of the Netgear files has become corrupt in some way, but I don't honestly know.
A reinstall is a solution to many an issue, but whether it solves your problem is an unknown. I'd save the shotgun until after you've tried it, but I would keep it in mind! :thumbsup:

So long, and thanks for all the fish.

 

 


#14 MotherMary

MotherMary
  • Topic Starter

  • Members
  • 31 posts
  • Local time:06:07 PM

Posted 10 February 2007 - 05:08 PM

Okay. Ought I to do the uninstall/reinstall in Safe Mode, or does it not matter particularly? Ought I to try redoing exactly the steps I performed earlier today, but this time while I'm still in Safe Mode, empty the Recycle Bin two or three times?

Wikipedia just taught me two new phrases: "rootkit" and "virus chest file." Are either of these phrases useful to you in considering my predicament? (They're Greek to me.) I.e., did you just thump your forehead and shout, "Eureka! Three comes after two, not before!" [With apologies to Alfred Bester.]

What might happen if I just deleted the little green icons from Jerry's system tray (so that no one had to SEE that the computer was being served by WP4S), and I kept doing obsessional scans with all the many AV programs -- Norton, AdWare, AVGAS, and all the rest? Every single program says that with the one exception of "(WP4S)", everything is just fine, no problems A-tall. When I invoke Task Manager when nothing is running, no processes appear to be running that ought not to be running. The computer has no noticeable performance problems.

More to the point, Jerry can't remember the passwords he chose for either of his paid e-mail accounts, so he uses only his hotmail account -- we haven't installed Eudora yet, and neither of us EVER uses MSOutlook for any reason. I.e., there's no way WP4S can hijack Jerry's addressbook, because on his computer, he has no addressbook.

So If I do a full system scan once a week (or more often) with Norton Internet Security, AVGAS, Spybot, and all the others, and they all say Jerry's computer is okay-fine, and we don't experience any problems, and no "contraband" files mysteriously appear, and Jerry never uses any e-mail program on his own fracking computer, and Task Manager says nothing is running that ought not to be running -- would I just be courting disaster, like the "turn-up-the-radio" school of auto repair?

In other words, is it delusional of me to hope that you and I got rid of everything except whatever bit of malicious code (possibly in the BIOS???) insists on renaming Jerry's WNC? I mean, if some evildoer spraypainted my car "WP4S" as a first step toward stealing it, I could live with spraypaint all over my car as long as that were the full extent of the problem.... My fear is that the evildoer(s) behind WP4S mean me not to notice that the spraypaint is really a bomb with a really looooooooong fuse.

But if I'm vigilantly scanning and cleaning and searching for unwanted new files and etc....?

Mary

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:07 PM

Posted 10 February 2007 - 05:41 PM

> Ought I to do the uninstall/reinstall in Safe Mode, or does it not matter particularly?

Shouldn't matter.

> Ought I to try redoing exactly the steps I performed earlier today, but this time while I'm still in Safe Mode, empty the Recycle Bin two or three times?

I'm not sure what you hope to achieve, but it shouldn't do any harm to do it again.

> Wikipedia just taught me two new phrases: "rootkit" and "virus chest file." Are either of these phrases useful to you in considering my predicament?

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately. Please preview your posts to ensure that all of both logs get posted.

> did you just thump your forehead and shout, "Eureka!

I doubt that this is a rootkit issue, but the GMER log will offer a second opinion on that - it seems to me to be a waste of rootkit technology to make a file or files invisible to various scanners and then attract attention by making such a puerile change, but we'll see.

> What might happen if I just deleted the little green icons from Jerry's system tray (so that no one had to SEE that the computer was being served by WP4S),

No-one would be able to see it.

> I kept doing obsessional scans with all the many AV programs

You either have a nasty onboard that is able to avoid detection, which may change in the future as the programs are updated, or not, or the scanners will continue to find nothing as there isn't anything to find.

> When I invoke Task Manager when nothing is running, no processes appear to be running that ought not to be running.

Task Manager is of very little use in this area. Try Process Explorer if you want to take a proper look under the hood of the PC - http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

> More to the point, Jerry can't remember the passwords he chose for either of his paid e-mail accounts, so he uses only his hotmail account -- we haven't installed Eudora yet, and neither of us EVER uses MSOutlook for any reason. I.e., there's no way WP4S can hijack Jerry's addressbook, because on his computer, he has no addressbook.
>
> So If I do a full system scan once a week (or more often) with Norton Internet Security, AVGAS, Spybot, and all the others, and they all say Jerry's computer is okay-fine, and we don't experience any problems, and no "contraband" files mysteriously appear, and Jerry never uses any e-mail program on his own fracking computer, and Task Manager says nothing is running that ought not to be running -- would I just be courting disaster, like the "turn-up-the-radio" school of auto repair?

I don't know whether there is anything on your PC or not, so I can't say whether there is any risk in having this file on your PC, if it exists.

> In other words, is it delusional of me to hope that you and I got rid of everything except whatever bit of malicious code (possibly in the BIOS???) insists on renaming Jerry's WNC?

No, it's not delusional. If there is something there, it may, or may not be, something more than an irritation in the manner that it is now. If it isn't there, it isn't a problem - obviously.

I would try uninstalling and reinstalling the software and see if that has any effect on the problem. If you don't want to, then you don't do it - it is your PC after all.

So long, and thanks for all the fish.

 

 




