BillinDetroit
-
Posts
63 -
Joined
-
Last visited
-
pixel.adsafeprotected.com redirect bug?
BillinDetroit replied to mind5150's topic in Malwarebytes for Windows Support Forum
I know it has been over 7 months since this posting, but I was researching an issue with the website aarp.org today when the no-script plugin for Firefox flagged a script requesting access to my browser from "adsafeprotected.com". Has anyone determined whether adsafeprotected.com is a trusted process or not? -
I may. I originally agreed with you that the machine was probably as clean as it was going to get. However, I have had trouble now installing two packages of software, each of which got the error "Error: uninstallshield is in use. Please stop uninstallshield and resume the installation". I had previously begun the painstaking effort of reinstalling my main software packages without trouble until this happened. Have you heard of any virus activity that fits that pattern?
-
Yes, if I were to turn off AV & firewall, I would hope to be disconnected! How long does it take now before an unprotected system gets compromised after connecting? Minutes?
-
I may have to try that. I probably should take your word for it, since you are from the "show me" state. I will let you know what I find. Thanks again for your help.
-
Well, I am not convinced that all of this hard disk activity is not due to a rootkit. I happen to believe that where there is smoke there is fire and right now all these other indicators are smoke as far as I am concerned. I just can't figure out why someone would write a rootkit and then allow it to light the hard drive. I appreciate the help you and maniac have given me so far.
-
Well, I have been known to attract the attention of all the wrong people. Why would ComboFix present the screen that says it found evidence of a rootkit if it did not? Why does the Asus Update program tell me when I run it that there is an "NT service registry error! Please reboot NT and run again"? And then when I press on OK I get the warning "No ASUS motherboard. Installation will be abooted now." Note that I used the exact spelling of the warning. I am not convinced that there is not a rootkit on this machine. Do I just pitch it and build a new machine? What's to prevent whatever mechanism that placed this on my machine from doing it again on my or someone else's hardware? Do I just give up? I might have to write my own code after some research to see what can be done. I suppose I can start with a very draconian permissions routine and require each process to get permission before it can run, but that means this will take a lot longer than I or anyone else wants to spend on this. Could this be part of all those tax dollars at work that Dick C h e n e y wanted?
-
Sorry, after I hit enter I realized I didn't refer to the Event Viewer. Yes, the Event Viewer System log entry ends at 7:52:25 PM on 3/27/2011. I'm used to seeing entries every day. I didn't change anything, could this be a rootkit related action? Also, you say two rootkits. ComboFix-quarantined-files.txt shows the following: 2011-03-31 21:35:41 . 2011-03-31 21:35:41 8,017 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2011-03-31 21:17:47 . 2011-03-31 21:29:53 102 ----a-w- C:\Qoobox\Quarantine\catchme.log 2011-03-31 00:50:30 . 2011-03-31 00:50:30 898 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Start Menu\HP Image Zone .lnk.vir 2011-03-26 13:45:40 . 2005-10-03 03:12:40 2,683,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\InstAll.exe.vir Since this is a new clean install I have been slowly bringing capabilities on line since the install, like my HP printer. I scanned the HP install package with Kaspersky Pure before I ran it. Could that be a false detection, or did the install process somehow become infected due to rootkit activity?
-
OK, I ran Combofix. After installing the recovery console it ran and then said it found evidence of rootkit activity on the machine. Two reboots later it produced the following log: ComboFix 11-03-31.01 - William Osipoff 03/31/2011 17:31:23.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1574 [GMT -4:00] Running from: c:\documents and settings\William Osipoff\Desktop\ComboFix.exe AV: Kaspersky PURE *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky PURE *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users.WINDOWS\Start Menu\HP Image Zone .lnk c:\windows\install.exe . . ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 ))))))))))))))))))))))))))))))) . . 2011-03-31 00:17 . 2005-12-16 22:18 2537304 ----a-w- c:\temp\HP_WebRelease\setup\sipm\HpTcpMon.exe 2011-03-30 00:29 . 2011-03-31 00:14 -------- d-----w- C:\TEMP 2011-03-29 23:56 . 2011-03-29 23:56 -------- d-----w- C:\My Images 2011-03-27 23:26 . 2011-03-27 23:26 -------- d-----w- C:\NVIDIA 2011-03-27 02:13 . 2011-03-27 02:14 -------- d-----w- C:\2ff26beee0a37e7abce04b8faa8c86ac 2011-03-26 20:47 . 2011-03-26 20:47 -------- d-----r- C:\AHCache . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-08 03:27 . 2008-04-14 00:12 6397824 ----a-w- c:\windows\system32\nv4_disp.dll 2011-01-08 03:27 . 2007-04-13 03:44 1958400 ----a-w- c:\windows\system32\nvapi.dll 2011-01-08 03:27 . 2007-04-13 03:44 14671872 ----a-w- c:\windows\system32\nvoglnt.dll 2011-01-07 23:56 . 2011-01-07 23:56 81920 ----a-w- c:\windows\system32\nvwddi.dll 2011-01-07 23:56 . 2011-01-07 23:56 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll 2011-01-07 23:56 . 2011-01-07 23:56 277608 ----a-w- c:\windows\system32\nvmccs.dll 2011-01-07 23:56 . 2011-01-07 23:56 156776 ----a-w- c:\windows\system32\nvsvc32.exe 2011-01-07 23:56 . 2011-01-07 23:56 145000 ----a-w- c:\windows\system32\nvcolor.exe 2011-01-07 23:56 . 2011-01-07 23:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll 2011-01-07 23:56 . 2011-01-07 23:56 111208 ----a-w- c:\windows\system32\nvmctray.dll 2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2011-03-18 17:53 . 2011-03-26 16:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon] @="{dd230880-495a-11d1-b064-008048ec2fc5}" [HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}] 2010-10-02 03:05 129624 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-02 348760] "Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 3627008] "SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728] . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"= "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [3/25/2011 9:39 PM 88632] R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 10:18 PM 36880] R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [3/25/2011 9:39 PM 39352] R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [3/29/2011 8:02 PM 39824] R2 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 6:34 PM 743992] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 3:42 PM 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472] R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [3/29/2011 8:02 PM 162096] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384] S3 BS_DEF;BS_DEF;c:\windows\BS_DEF.sys [3/26/2011 12:28 AM 12800] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504] . . ------- Supplementary Scan ------- . IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\William Osipoff\Application Data\Mozilla\Firefox\Profiles\93xsdpge.default\ . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-03-31 17:41 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2056) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvsvc32.exe c:\progra~1\COMMON~1\X10\Common\x10nets.exe c:\windows\system32\wscntfy.exe c:\windows\system32\RUNDLL32.EXE c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe c:\program files\HP\Digital Imaging\bin\hpqimzone.exe . ************************************************************************** . Completion time: 2011-03-31 17:46:25 - machine was rebooted ComboFix-quarantined-files.txt 2011-03-31 21:46 . Pre-Run: 483,611,856,896 bytes free Post-Run: 483,862,790,144 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer . - - End Of File - - F414A1E6EDF5E6C45BC76E3344C43D2B Regarding how the computer is doing, it seems to be running great. However, still have intermittent drive activity shown for no apparent reason. In addition, The system log for some reason has it's last entry at 7:52:25 PM on 3/27/2011. It's almost as if logging has been disabled somehow...
-
OK, here are the contents of dds.txt. I was not prompted for any optional scan. DDS (Ver_09-06-26.01) - NTFSx86 Run by William Osipoff at 21:06:16.26 on Wed 03/30/2011 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -4:00] AV: Kaspersky PURE *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\William Osipoff\Desktop\dds.scr ============== Pseudo HJT Report =============== BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky pure\ievkbd.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure\avp.exe" mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe" mRun: [soundMan] SOUNDMAN.EXE mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure\ie_banner_deny.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab Notify: klogon - c:\windows\system32\klogon.dll AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\93xsdpge.default\ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ============= SERVICES / DRIVERS =============== R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2011-3-25 88632] R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2011-3-25 39352] R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016] R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-25 315408] R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2011-3-29 39824] R2 AVP;Kaspersky PURE;c:\program files\kaspersky lab\kaspersky pure\avp.exe [2010-10-1 348760] R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272] R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472] R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [2011-3-29 162096] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S3 BS_DEF;BS_DEF;c:\windows\BS_DEF.sys [2011-3-26 12800] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504] =============== Created Last 30 ================ 2011-03-30 20:50 <DIR> --d----- c:\program files\common files\Sonic Shared 2011-03-30 20:50 <DIR> --d----- c:\program files\common files\HP 2011-03-30 20:48 <DIR> --d----- c:\windows\system32\URTTEMP 2011-03-30 20:47 <DIR> --d----- c:\program files\common files\Hewlett-Packard 2011-03-30 20:46 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys 2011-03-30 20:46 15,104 a------- c:\windows\system32\drivers\usbscan.sys 2011-03-30 20:44 <DIR> --d----- c:\program files\HP 2011-03-30 20:44 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys 2011-03-30 20:44 25,856 a------- c:\windows\system32\drivers\usbprint.sys 2011-03-30 20:44 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys 2011-03-30 20:44 32,128 a------- c:\windows\system32\drivers\usbccgp.sys 2011-03-30 20:33 112,384 a------- c:\windows\hpoins07.dat 2011-03-30 20:33 21,124 -------- c:\windows\hpomdl07.dat 2011-03-30 20:18 51,120 a------- c:\windows\system32\drivers\HPZid412.sys 2011-03-30 20:18 21,744 a------- c:\windows\system32\drivers\HPZius12.sys 2011-03-30 20:18 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys 2011-03-30 20:17 606,208 a------- c:\windows\system32\hpotscl.dll 2011-03-30 20:17 278,528 a------- c:\windows\system32\hpgwiamd.dll 2011-03-30 20:17 274,432 a------- c:\windows\system32\HPZc3212.dll 2011-03-30 20:17 258,122 a------- c:\windows\system32\hpovst08.dll 2011-03-30 20:17 98,304 a------- c:\windows\system32\hpzjsn01.dll 2011-03-30 20:16 393,216 a------- c:\windows\system32\hpzcon12.dll 2011-03-30 20:16 196,608 a------- c:\windows\system32\hpzcoi12.dll 2011-03-30 20:16 180,315 a------- c:\windows\system32\hpzsnt12.dll 2011-03-30 20:14 <DIR> --d----- c:\temp\HP_WebRelease 2011-03-29 20:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Active Home Professional 2011-03-29 20:31 69 a------- c:\windows\NeroDigital.ini 2011-03-29 20:29 <DIR> --d----- C:\TEMP 2011-03-29 20:13 154,496 ac------ c:\windows\system32\dllcache\icam4usb.sys 2011-03-29 20:02 162,096 a------- c:\windows\system32\drivers\CA506AV.SYS 2011-03-29 20:02 39,824 a------- c:\windows\system32\drivers\CA506AA.sys 2011-03-29 19:56 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\X10 Settings 2011-03-29 19:56 <DIR> --d----- C:\My Images 2011-03-29 19:45 17,792 a------- c:\windows\system32\drivers\x10ufx2.sys 2011-03-29 19:45 127,184 a------- c:\windows\Unwise.exe 2011-03-29 19:44 <DIR> --d----- c:\program files\common files\X10 2011-03-29 19:44 <DIR> --d----- c:\program files\ActiveHome Pro 2011-03-28 18:54 <DIR> --d----- c:\program files\MSXML 4.0 2011-03-27 19:47 <DIR> --d----- c:\windows\system32\NtmsData 2011-03-27 19:28 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\NVIDIA Corporation 2011-03-27 19:26 <DIR> --d----- c:\program files\NVIDIA Corporation 2011-03-27 19:26 <DIR> --d----- C:\NVIDIA 2011-03-27 19:08 940,794 a------- c:\windows\system32\LoopyMusic.wav 2011-03-27 19:08 146,650 a------- c:\windows\system32\BuzzingBee.wav 2011-03-27 19:08 60,416 a------- c:\windows\ALCFDRTM.VER 2011-03-27 19:08 60,416 a------- c:\windows\ALCFDRTM.EXE 2011-03-27 19:08 <DIR> --d----- c:\windows\system32\Lang 2011-03-27 18:56 54,156 a---h--- c:\windows\QTFont.qfn 2011-03-27 18:56 1,409 a------- c:\windows\QTFont.for 2011-03-27 17:52 <DIR> --d----- c:\program files\InterVideo 2011-03-27 17:48 2,297,552 a------- c:\windows\system32\d3dx9_26.dll 2011-03-27 17:43 24,064 -------- c:\windows\system32\msxml3a.dll 2011-03-27 17:43 364,544 -------- c:\windows\system32\TwnLib4.dll 2011-03-27 17:41 125,184 -------- c:\windows\system32\drivers\imagesrv.sys 2011-03-27 17:41 1,568,768 -------- c:\windows\system32\ImagX7.dll 2011-03-27 17:41 476,320 -------- c:\windows\system32\ImagXpr7.dll 2011-03-27 17:41 471,040 -------- c:\windows\system32\ImagXRA7.dll 2011-03-27 17:41 262,144 -------- c:\windows\system32\ImagXR7.dll 2011-03-27 17:41 106,496 -------- c:\windows\system32\TwnLib20.dll 2011-03-27 17:31 <DIR> --d----- c:\docume~1\willia~1\applic~1\NeroVision 2011-03-27 17:30 145,608 -------- c:\windows\UNNeroVision.cfg 2011-03-27 17:30 2,973,696 -------- c:\windows\UNNeroVision.exe 2011-03-27 17:25 57,344 a----r-- c:\windows\system32\ImageDrive.cpl 2011-03-27 17:25 5,504 -------- c:\windows\system32\drivers\imagedrv.sys 2011-03-27 17:24 38,912 -------- c:\windows\system32\picn20.dll 2011-03-27 17:24 544,768 a----r-- c:\windows\system32\imagx5.dll 2011-03-27 17:24 569,344 a----r-- c:\windows\system32\imagr5.dll 2011-03-27 17:24 283,920 a----r-- c:\windows\system32\ImagXpr5.dll 2011-03-27 17:24 155,648 a------- c:\windows\system32\NeroCheck.exe 2011-03-27 10:57 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat 2011-03-26 22:14 <DIR> --d----- c:\windows\system32\XPSViewer 2011-03-26 22:13 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll 2011-03-26 22:13 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2011-03-26 22:13 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll 2011-03-26 22:13 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll 2011-03-26 22:13 <DIR> --d----- C:\2ff26beee0a37e7abce04b8faa8c86ac 2011-03-26 22:13 1,676,288 -------- c:\windows\system32\xpssvcs.dll 2011-03-26 22:13 575,488 -------- c:\windows\system32\xpsshhdr.dll 2011-03-26 22:13 117,760 -------- c:\windows\system32\prntvpt.dll 2011-03-26 20:08 13,312 a------- c:\windows\system32\lsass.exe 2011-03-26 20:07 6,144 a------- c:\windows\system32\csrss.exe 2011-03-26 16:50 <DIR> --d----- c:\program files\Paint.NET 2011-03-26 16:47 <DIR> --d-hr-- C:\AHCache 2011-03-26 16:40 <DIR> --d----- c:\docume~1\willia~1\applic~1\Malwarebytes 2011-03-26 16:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-26 16:39 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes 2011-03-26 16:39 20,952 a------- c:\windows\system32\drivers\mbam.sys 2011-03-26 16:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2011-03-26 16:25 169 a------- c:\windows\RtlRack.ini 2011-03-26 14:01 26,052 a------- c:\windows\Ascd_tmp.ini 2011-03-26 13:34 40,960 -c------ c:\windows\system32\dllcache\ndproxy.sys 2011-03-26 13:34 45,568 -c------ c:\windows\system32\dllcache\wab.exe 2011-03-26 13:34 974,848 -c------ c:\windows\system32\dllcache\mfc42.dll 2011-03-26 13:34 953,856 -c------ c:\windows\system32\dllcache\mfc40u.dll 2011-03-26 13:34 617,472 -c------ c:\windows\system32\dllcache\comctl32.dll 2011-03-26 12:45 115,830 a------- c:\windows\system32\nvapps.xml 2011-03-26 12:45 <DIR> --d----- c:\windows\nview 2011-03-26 12:45 356,352 a------- c:\windows\system32\nvudisp.exe 2011-03-26 12:45 17,177 a------- c:\windows\system32\nvdisp.nvu 2011-03-26 12:45 <DIR> --d----- c:\windows\NV2820684.TMP 2011-03-26 12:28 552 a------- c:\windows\system32\d3d8caps.dat 2011-03-26 12:28 <DIR> --d----- c:\program files\SystemRequirementsLab 2011-03-26 12:17 <DIR> --dsh--- c:\documents and settings\william osipoff\PrivacIE 2011-03-26 12:16 376 a------- c:\windows\ODBC.INI 2011-03-26 12:16 17,920 a------- c:\windows\system32\mdimon.dll 2011-03-26 12:15 <DIR> --d----- c:\program files\Microsoft ActiveSync 2011-03-26 12:14 <DIR> --d----- c:\windows\SHELLNEW 2011-03-26 11:36 <DIR> --d----- c:\windows\system32\bits 2011-03-26 11:26 <DIR> --dsh--- c:\documents and settings\william osipoff\IETldCache 2011-03-26 11:12 <DIR> --d----- c:\windows\ie8updates 2011-03-26 11:12 11,080,704 -c------ c:\windows\system32\dllcache\ieframe.dll 2011-03-26 11:12 1,991,680 -c------ c:\windows\system32\dllcache\iertutil.dll 2011-03-26 11:12 743,424 -c------ c:\windows\system32\dllcache\iedvtool.dll 2011-03-26 11:12 602,112 -c------ c:\windows\system32\dllcache\msfeeds.dll 2011-03-26 11:12 247,808 -c------ c:\windows\system32\dllcache\ieproxy.dll 2011-03-26 11:12 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll 2011-03-26 11:12 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll 2011-03-26 11:11 <DIR> -cd-h--- c:\windows\ie8 2011-03-26 10:56 <DIR> --d----- c:\windows\ServicePackFiles 2011-03-26 10:41 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys 2011-03-26 10:34 <DIR> --d----- c:\windows\system32\PreInstall 2011-03-26 10:34 26,144 a------- c:\windows\system32\spupdsvc.exe 2011-03-26 10:34 <DIR> --d-h--- c:\windows\$hf_mig$ 2011-03-26 09:59 664 a------- c:\windows\system32\d3d9caps.dat 2011-03-26 09:58 <DIR> --d----- c:\windows\system32\SoftwareDistribution 2011-03-26 09:56 <DIR> --d----- c:\windows\system32\LogFiles 2011-03-26 09:56 <DIR> --d----- c:\program files\Marvell 2011-03-26 09:55 <DIR> --d----- c:\program files\Realtek Sound Manager 2011-03-26 09:55 <DIR> --d----- c:\program files\AvRack 2011-03-26 09:55 164 -----r-- c:\windows\avrack.ini 2011-03-26 09:55 <DIR> --d----- c:\program files\Realtek AC97 2011-03-26 09:55 3,644,800 a----r-- c:\windows\system32\drivers\ALCXWDM.SYS 2011-03-26 09:55 156,672 a----r-- c:\windows\system32\RTLCPAPI.dll 2011-03-26 09:55 90,112 a----r-- c:\windows\SOUNDMAN.EXE 2011-03-26 09:55 40,960 -----r-- c:\windows\system32\ChCfg.exe 2011-03-26 09:55 10,458,112 a----r-- c:\windows\system32\RTLCPL.EXE 2011-03-26 09:55 141,016 a----r-- c:\windows\system32\ALSNDMGR.WAV 2011-03-26 09:55 18,771,968 a----r-- c:\windows\system32\ALSNDMGR.CPL 2011-03-26 09:55 307,200 -----r-- c:\windows\alcupd.exe 2011-03-26 09:55 212,992 -----r-- c:\windows\alcrmv.exe 2011-03-26 09:48 466,944 a------- c:\windows\system32\CapabilityTable.exe 2011-03-26 09:46 356,352 a------- c:\windows\system32\NVUNINST.EXE 2011-03-26 09:46 810,056 a----r-- c:\windows\system32\SATA.bmp 2011-03-26 09:46 266 a----r-- c:\windows\system32\raidmgmt.ini 2011-03-26 09:45 2,683,904 a----r-- c:\windows\InstAll.exe 2011-03-26 09:45 1,030,656 a----r-- c:\windows\16copy.avi 2011-03-26 09:45 1,030,656 a----r-- c:\windows\copy.avi 2011-03-26 09:31 <DIR> --d----- c:\windows\system32\ReinstallBackups 2011-03-26 09:31 36,352 a------- c:\windows\system32\drivers\AmdK8.sys 2011-03-26 09:31 <DIR> --d----- c:\program files\AMD 2011-03-26 00:31 <DIR> --d----- c:\docume~1\willia~1\applic~1\Symantec 2011-03-26 00:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Symantec 2011-03-26 00:30 <DIR> --d----- c:\program files\common files\Symantec Shared 2011-03-26 00:28 12,800 a------- c:\windows\BS_DEF.sys 2011-03-26 00:28 306,688 a------- c:\windows\IsUninst.exe 2011-03-26 00:27 24,576 a----r-- c:\windows\system32\AsIO.dll 2011-03-26 00:27 4,962 a----r-- c:\windows\system32\drivers\AsIO.sys 2011-03-26 00:27 434,252 a------- c:\windows\system32\MSVCRTD.DLL 2011-03-26 00:27 5,120 a------- c:\windows\system32\drivers\AsInsHelp64.sys 2011-03-26 00:27 3,328 a------- c:\windows\system32\drivers\AsInsHelp32.sys 2011-03-26 00:27 962,612 a------- c:\windows\system32\mfc42d.dll 2011-03-26 00:27 <DIR> --d----- c:\program files\ASUS 2011-03-26 00:22 <DIR> --d----- c:\windows\pss 2011-03-25 21:44 26,006 a------- c:\windows\Ascd_log.ini 2011-03-25 21:43 <DIR> --d----- c:\windows\ASUSInstAll 2011-03-25 21:43 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys 2011-03-25 21:43 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS 2011-03-25 21:39 114,243 a------- c:\windows\system32\drivers\klin.dat 2011-03-25 21:39 97,859 a------- c:\windows\system32\drivers\klick.dat 2011-03-25 21:39 39,352 a------- c:\windows\system32\drivers\CSVirtualDiskDrv.sys 2011-03-25 21:39 88,632 a------- c:\windows\system32\drivers\CSCrySec.sys 2011-03-25 21:38 <DIR> --d----- c:\program files\common files\InfoWatch 2011-03-25 21:38 <DIR> --d----- c:\program files\Kaspersky Lab 2011-03-25 21:38 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab 2011-03-25 21:37 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files 2011-03-25 21:31 <DIR> --d----- c:\documents and settings\William Osipoff 2011-03-25 21:30 <DIR> --ds---- c:\windows\system32\Microsoft 2011-03-25 21:30 8,192 a------- c:\windows\REGLOCS.OLD 2011-03-25 21:27 8,704 ac------ c:\windows\system32\dllcache\infoctrs.dll 2011-03-25 21:26 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx 2011-03-25 21:25 <DIR> --dsh--- c:\documents and settings\all users.windows\DRM 2011-03-25 21:25 488 a---hr-- c:\windows\system32\WindowsLogon.manifest 2011-03-25 21:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest 2011-03-25 21:25 <DIR> --ds---- c:\windows\Downloaded Program Files 2011-03-25 21:25 <DIR> --d--r-- c:\windows\Offline Web Pages 2011-03-25 21:25 749 a---hr-- c:\windows\WindowsShell.Manifest 2011-03-25 21:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest 2011-03-25 21:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest 2011-03-25 21:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest 2011-03-25 21:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest 2011-03-25 21:25 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest 2011-03-25 21:25 <DIR> --d-h--- c:\program files\WindowsUpdate 2011-03-25 21:25 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex 2011-03-25 21:25 <DIR> --d----- c:\windows\system32\DirectX 2011-03-25 21:24 <DIR> --d----- c:\program files\common files\MSSoap 2011-03-25 21:22 <DIR> --d----- c:\program files\Online Services 2011-03-25 21:22 <DIR> --d----- c:\program files\Messenger 2011-03-25 21:22 <DIR> --d----- c:\program files\MSN Gaming Zone 2011-03-25 21:21 <DIR> --d----- c:\program files\Windows NT 2011-03-25 16:13 <DIR> --d--r-- c:\documents and settings\all users.windows\Documents 2011-03-25 12:01 <DIR> --d----- c:\program files\common files\ODBC 2011-03-25 12:00 <DIR> --d----- c:\program files\common files\SpeechEngines ==================== Find3M ==================== 2011-03-27 19:35 252,080 a------- c:\windows\system32\nvdrsdb1.bin 2011-03-27 19:35 252,080 a------- c:\windows\system32\nvdrsdb0.bin 2011-03-26 11:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat 2011-03-25 21:22 21,640 a------- c:\windows\system32\emptyregdb.dat 2011-03-05 13:39 323,624 a------- c:\windows\system32\wiaaut.dll 2011-02-09 09:53 270,848 a------- c:\windows\system32\sbe.dll 2011-02-09 09:53 186,880 a------- c:\windows\system32\encdec.dll 2011-02-02 03:58 2,067,456 a------- c:\windows\system32\mstscax.dll 2011-01-27 07:57 677,888 a------- c:\windows\system32\mstsc.exe 2011-01-21 10:44 439,296 a------- c:\windows\system32\shimgvw.dll 2011-01-07 23:27 14,671,872 a------- c:\windows\system32\nvoglnt.dll 2011-01-07 23:27 13,004,800 a------- c:\windows\system32\nvcompiler.dll 2011-01-07 23:27 6,397,824 a------- c:\windows\system32\nv4_disp.dll 2011-01-07 23:27 4,980,736 a------- c:\windows\system32\nvcuda.dll 2011-01-07 23:27 2,916,968 a------- c:\windows\system32\nvcuvid.dll 2011-01-07 23:27 2,292,678 a------- c:\windows\system32\nvdata.bin 2011-01-07 23:27 2,251,368 a------- c:\windows\system32\nvcuvenc.dll 2011-01-07 23:27 1,958,400 a------- c:\windows\system32\nvapi.dll 2011-01-07 23:27 941,160 a------- c:\windows\system32\nvdispco322090.dll 2011-01-07 23:27 837,736 a------- c:\windows\system32\nvgenco322040.dll 2011-01-07 23:27 61,440 a------- c:\windows\system32\OpenCL.dll 2011-01-07 19:56 81,920 a------- c:\windows\system32\nvwddi.dll 2011-01-07 19:56 580,200 a------- c:\windows\system32\easyUpdatusAPIU.dll 2011-01-07 19:56 13,880,424 a------- c:\windows\system32\nvcpl.dll 2011-01-07 19:56 277,608 a------- c:\windows\system32\nvmccs.dll 2011-01-07 19:56 156,776 a------- c:\windows\system32\nvsvc32.exe 2011-01-07 19:56 145,000 a------- c:\windows\system32\nvcolor.exe 2011-01-07 19:56 111,208 a------- c:\windows\system32\nvmctray.dll 2011-01-07 10:09 290,048 a------- c:\windows\system32\atmfd.dll 2010-12-31 09:10 1,854,976 a------- c:\windows\system32\win32k.sys ============= FINISH: 21:06:53.09 ===============
-
So then you are saying that the tool we ran the other day would have shown it if there were any rootkits on my machine? I certainly hope you are right, I am getting weary of being wary.
-
Since you asked... To begin with, my fresh install of Windows XP SP3 on a brand new hard drive shows disk activity blinking the hard disk LED multiple times per second in a seemingly rhythmic manner. ProcessMonitor 2.94 shows activity from explorer.exe, lsass.exe. avp.exe, winlogon.exe, svchost.exe and others with results of "BUFFER OVERFLOW" & "NAME NOT FOUND" almost exclusively (except when I open a program or close one or when some known process is accessing the drives). Most of the Explorer.exe and avp.exe accesses are to HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind. Also, prior to putting in the new drive I used a USB boot drive to boot and flashed the BIOS with a known good BIOS. After installing WIN XP SP#, when I run any of the ASUS update tools it give error indicating "no ASUS motherboard found" or just garbage characters returned and the update tool crashes. Also, prior to the restaging of the PC Kaspersky Pure would find Trojan.Downloader.Win32.codecpack.sjt on an occasional basis when other tools were run to find rootkits. For instance, if I ran RootKit Unhooker LE and told Kaspersky to ignore the startup of the tools (drivers) it uses, Kaspersky would detect services running that were infected with the trojan mentioned. From what I understand that particular trojan is the payload of a rootkit in many instances. Again, I can't say for sure, but since I do not participate in illegal downloading and I have my system locked down pretty well, I can't see how I can keep getting infected or seeing signs of infection, especially since I am the only user of the machine. And then there is the "MS User Assist" loop that was occurring until I found out how to turn it off. How did that get started on a brand new clean install?
-
Thank you for stepping in on this issue. I followed the instructions and here are the log results: aswMBR version 0.9.4 Copyright© 2011 AVAST Software Run date: 2011-03-27 18:01:08 ----------------------------- 18:01:08.500 OS Version: Windows 5.1.2600 Service Pack 3 18:01:08.500 Number of processors: 2 586 0x2B01 18:01:08.500 ComputerName: BILLZMAIN4 UserName: 18:01:17.015 Initialize success 18:01:35.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068 18:01:35.406 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476940MB BusType: 3 18:01:35.421 Disk 0 MBR read successfully 18:01:35.421 Disk 0 MBR scan 18:01:35.421 Disk 0 scanning sectors +976752000 18:01:35.453 Disk 0 scanning C:\WINDOWS\system32\drivers 18:01:41.000 Service scanning 18:01:41.843 Disk 0 trace - called modules: 18:01:41.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys 18:01:41.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a328ab8] 18:01:41.843 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a325ac0] 18:01:41.843 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\00000068[0x8a323030] 18:01:41.843 Scan finished successfully Please let me know what to try next.
-
Just a follow up to my last posting - I pulled my hard drive from my system, booted from a usb drive and reflashed the board bios with a known good bios. Then I installed Windows XP SP3, Kaspersky Pure, and the activity has persisted! One of the things I found out - some of the activity I was seeing was due to the rootkit and trojan using Microsoft's User Assist technology. I was able to turn that off using a tool by Didier Stevens UserAssist. However, I am still seeing hard disk activity, specifically activity from explorer.exe, lsass.exe and csrss.exe that I can't find an explanation for - the main culprit now seems to be explorer.exe, which keeps looking at the registry entries for tcpip. In any case, I will work on this as time allows - hopefully you or one of the other experts can come up with something to help me to stop this unnecessary and suspicious drive activity.
-
So I guess this means I do have a rootkit that no one know how to clean. Interesting. In that case, it appears my only choice is to remove the drive, attach it as a second or third drive to another PC and run a complete scan on it. If the drive comes out clean I have a couple of options afterwards, including backing up the now "clean" c drive with clonezilla. 1. Format it and then "restore" the backup using clonezilla. 2. Replace it and restore to a new drive. 3. get new drive and reinstall everything (about 2 weeks work in my "spare time"). In the meantime, I can use a boot disk and reflash my main board BIOS to clear out any rootkits before I attempt to get any hard drive working with the motherboard again. Does this sound like a reasonable approach?
-
I realize you have other responsibilities so I can be patient. However, we have worked on this for 6 weeks now. Are you saying it is time to give up and declare the bad guys the victors?