
Author Topic: Trojan Propogator.  (Read 13461 times)


Soulmonger

    Topic Starter


    Rookie

    Trojan Propogator.
    « on: February 16, 2010, 10:06:04 AM »
    My PC is a Dell 9200 running XP home edition plus a Seagate external hard drive.

    Some time ago my PC contracted a win32.bagle.hi trojan which disabled Avast, system restore, Malwarebytes, start in safe mode etc. and would not allow me to run Combofix, Hijack this, Superantispyware or any online scanner. After days of trying to sort the problem I managed to save my files using a Linux version, and totally wiped the hard drive and reinstalled XP. I reinstalled certain programmes from scratch, i.e. IE8 and Firefox, Avast etc. and the Windows updates.
    I scanned the external hard drive using several tools (Malwarebytes, Spybot S&D, etc.), then reconnected it. I soon noticed that the PC was running really slowly and yet scans revealed nothing. I downloaded the 30 day trial version of "a squared" anti virus and ran it. It revealed a host of trojans (including bagel) which it removed. I ran the SFC /Scannow command along with the Windows reinstallation disc where some of the DLL files had been corrupted. On connecting to the Net it soon became apparent that the PC was running slowly again and after a further scan it revealed another host of trojans including trojan dropper, Delf and Bagle 32. A squared av cleared the trojans yet again. Whilst not connected to the internet I needed to scan some files using the all in one HP printer, but it would not save the pdf file to the hard disc but it would to a memory stick. HP suggested reinstalling their software, but I was unable to remove the HP software using the "add or remove software" feature in XP.
    It appears that the Trojan is still resident on my PC in some form, and a further scan with "a squared" revealed trojans in the HP software programme, so perhaps this is why I can't uninstall it. I have attached the scans as required and have run the Hijack this analysis tool but nothing is highlighted.

    I'm totally fed up and daren't connect to the internet for fear of contracting even more viruses.
    Any suggestions would be more than welcome.

    Many thanks.

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Trojan Propogator.
    « Reply #1 on: February 16, 2010, 01:45:59 PM »
    Hello Soulmonger and welcome to Computer Hope Forum. My name is Superdave but you can just call me Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Looking over your log it seems you don't have any antivirus software.

    Before we continue download and install a free antivirus.

    Remember to only install one antivirus!
     
    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
    4-a) Microsoft Security Essentials for Windows XP
    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
    6) PC Tools AntiVirus Free Edition

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    =============================================================
    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    =====================================================

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    (Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
    (Description: The WinAmp Agent. This puts a WinAmp icon in your system tray. It is completely unnecessary, and some viruses may hide in this file. Removing this entry will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
    (Description: Loads the System Tray icon for the WinAmp media player. Can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources.)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe\"
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    ================================================================
    There doesn't appear to be any malware in your log that would cause a slowdown. Please try all the steps in the following link to see if it will cure the slowness of your computer. If it doesn't help, please download and run ComboFix and post the log.

    ==================================================================
    Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

    ===================================================================
    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    link # 1
    link #2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's

    Soulmonger

      Re: Trojan Propogator.
      « Reply #2 on: February 16, 2010, 03:48:57 PM »
      Hi Dave, many thanks for your help it is much appreciated.
      Firstly, I do have antivirus software - "a squared" 30 day full trial version.
      I have removed Windows messenger as instructed and I ran the Hijack this "system scan only".
      Several of the listed items came up but two of them do not have a "\" after the ".exe".
      Are these different entries or are they the ones to delete. They are on the :-
      04 - Hklm\..\Run: [Winamp agent] \"c\program files\Winamp\winampa.exe\ and
      04 - Hklm\..\Run: [adobe reader speed launcher] \"C:Program files\adobe\reader9.0\reader\_sl.exe\"
      files.


      As for the slow running of the PC, I can fix that by running the SFC /Scannow command and using the XP reinstallation cd.  At present it is Ok. I think that this is a result of the virus/trojan changing some of the original DLL files.
      Hope this helps. 
      thanks, Brian.
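
      An added example, not part of either post above and not HijackThis's own code: a small Python matcher that compares the lines of a HijackThis scan against the fix list from Reply #1, so that differences in quoting, `\"` escaping, letter case, or "04" typed for "O4" do not hide a match. The normalisation rules are assumptions of this example, the scan lines are constructed, and `[ExampleTool]` is a hypothetical entry.

```python
import re

# HijackThis section codes that occur in this thread.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "Internet Explorer extra button / Tools menu item",
}

# "<code> - <body>". A leading digit 0 is accepted because the code is
# easily retyped as "04" instead of "O4" (assumption of this example).
ENTRY_RE = re.compile(r"^\s*([A-Z0]\d{1,2})\s*-\s*(.+?)\s*$")


def parse_entry(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    code, body = m.groups()
    if code[0] == "0":
        code = "O" + code[1:]
    # Treat backslash-escaped quotes as a copy/paste artefact (assumption),
    # then drop quotes, collapse whitespace and ignore case for comparison.
    body = body.replace('\\"', '"')
    key = re.sub(r"\s+", " ", body.replace('"', "")).casefold()
    return {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "key": (code, key),
        "orphan": body.endswith("(no file)"),  # registry entry, file missing
        "raw": line.strip(),
    }


def plan_fix(scan_lines, fix_lines):
    """Match scan entries against a helper's fix list.

    Returns entries to tick ("check"), entries to leave alone ("leave"),
    fix-list lines not present in the scan ("absent", the "if there" case)
    and fix-list lines that repeat an earlier one ("duplicates").
    """
    wanted, duplicates = {}, []
    for line in fix_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["key"] in wanted:
            duplicates.append(entry["raw"])
        else:
            wanted[entry["key"]] = entry
    check, leave, seen = [], [], set()
    for line in scan_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["key"] in wanted:
            check.append(entry)
            seen.add(entry["key"])
        else:
            leave.append(entry)
    absent = [e["raw"] for k, e in wanted.items() if k not in seen]
    return {"check": check, "leave": leave,
            "absent": absent, "duplicates": duplicates}


# Fix list as posted in Reply #1 (descriptions omitted).
FIX_LIST = r'''
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe\"
'''.strip().splitlines()

# Constructed scan output for illustration; not a log from this thread.
SCAN_LOG = r'''
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {5C255C8A-E604-49B4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe
'''.strip().splitlines()

if __name__ == "__main__":
    plan = plan_fix(SCAN_LOG, FIX_LIST)
    for entry in plan["check"]:
        note = " [orphan: no file on disk]" if entry["orphan"] else ""
        print("CHECK ", entry["section"], "|", entry["raw"] + note)
    for entry in plan["leave"]:
        print("LEAVE ", entry["section"], "|", entry["raw"])
    for raw in plan["absent"]:
        print("ABSENT", raw)
    for raw in plan["duplicates"]:
        print("DUPLICATE IN FIX LIST", raw)
```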

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Trojan Propogator.
      « Reply #3 on: February 16, 2010, 04:53:29 PM »
      Just keep going with the ComboFix instructions. That's the main log that SuperDave will need to move forward with.

      Soulmonger

        Re: Trojan Propogator.
        « Reply #4 on: February 17, 2010, 11:45:37 AM »
        Had to connect to the internet on Combofix instructions to download Windows recovery programme, so I could now have some interesting malware installed.
        Requested Combofix and hjt logs attached.

        [Saving space, attachment deleted by admin]

        SuperDave

        Re: Trojan Propogator.
        « Reply #5 on: February 17, 2010, 12:06:35 PM »
        According to the logs you posted, A-Squared is only for malware. I don't believe you have an Anti-Virus program installed.

        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

        =================================================

        Soulmonger

          Re: Trojan Propogator.
          « Reply #6 on: February 17, 2010, 01:41:54 PM »
          Thanks Dave.

          You are correct about the antimalware programme, but I was sure that it said in the advertising blurb that "antivirus was the past and antimalware the future".
          What's more galling is the fact that I uninstalled Avast in favour of "a squared" so that there would be no conflict between the two. My apologies. I have now redownloaded Avast and it now runs alongside "a squared". Apparently the two should run together with no problems.
          Please find attached the log you requested.
          By the way I have run these checks with the external hard drive off. If this is incorrect should I run all these checks again and post fresh logs?
          Once again my apologies.

          [Saving space, attachment deleted by admin]

          SuperDave

          Re: Trojan Propogator.
          « Reply #7 on: February 17, 2010, 04:39:16 PM »
          Quote
          Once again my apologies.
          Not a problem. MSE is my personal favourite because of its 98% efficiency and not being a resource hog. One more scan to run.

          Quote
          By the way I have run these checks with the external hard drive off. If this is incorrect should I run all these checks again and post fresh logs?
          If you just use your external drive for storage the only way it would be infected is if you transferred an infected file to it. You can configure SAS, MBAM and Avast to scan this drive, if you wish.
          =================================

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log

          Soulmonger

            Re: Trojan Propogator.
            « Reply #8 on: February 18, 2010, 01:56:09 PM »
            Hi Dave.

            I ran the Eset online scanner and it reported no threats found.
            No report to post. So far so good.

            SuperDave

            Re: Trojan Propogator.
            « Reply #9 on: February 18, 2010, 08:06:56 PM »
            How's your computer running now? Any problems like before?

            Soulmonger

              Re: Trojan Propogator.
              « Reply #10 on: February 19, 2010, 03:15:05 AM »
              Hi Dave,

              Booted up the PC this morning and it is running very slowly, i.e., click on "start" and it will take approx 6 or 7 seconds before the window opens. If I then close the window and click "start" again, it will come up almost immediately. This goes for anything else as well. I haven't run any other scans but it doesn't look promising. These are the symptoms it was exhibiting before. Shall I run an "a squared" scan and post the log, or HJT?

              Thanks, Brian.

              SuperDave

              Re: Trojan Propogator.
              « Reply #11 on: February 19, 2010, 12:56:46 PM »
              How much RAM do you have on your computer? Did you do all the steps in that link about slow computers? Please try this program to see what's running on start-up. You may have too many programs starting.

              StartupLite

              Download StartupLite by MalwareBytes to your Desktop.
              Doubleclick StartupLite.exe to launch the program.
              Ensure the Disable box is checked.
              Click Continue.
              A pop up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
              Re-start your computer.

              Soulmonger

                Re: Trojan Propogator.
                « Reply #12 on: February 19, 2010, 02:06:50 PM »
                Hello Dave,

                thanks for your time and efforts.

                My PC has 2G of Ram and normally it responds very quickly.
                Since I reinstalled XP I only have a skeleton of programs running at present.
                I read and followed the instructions in the "slow computer" link, many of which I run already.
                As I stated before, if I run the SFC command I need to use the reinstallation disc to repair or replace some Dll files. This restores the speed to normal. However very soon after a restart it is back to slow, unless I disconnect the wireless link to the router and thus the internet before starting the PC.
                I downloaded and ran the startlite program but it has made little or no difference.
                I suspect that a new scan would reveal an infected system, but I haven't run any as per your instruction.

                SuperDave

                Re: Trojan Propogator.
                « Reply #13 on: February 19, 2010, 04:33:06 PM »
                All the scans you have run so far do not show any infections but we'll try another.

                Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

                •Double click on RSIT.exe to run.

                •Click Continue at the disclaimer screen.

                •Once it has finished, two logs will open.
                log.txt (will be maximized) and info.txt (will be minimized)

                •Please post the contents of both logs in the next reply.

                Soulmonger

                  Re: Trojan Propogator.
                  « Reply #14 on: February 19, 2010, 05:17:24 PM »
                  Thanks for persevering.

                  Logs attached as requested.
                  Hope they help.

                  Regards

                  Brian

                  [Saving space, attachment deleted by admin]

                  SuperDave

                  Re: Trojan Propogator.
                  « Reply #15 on: February 20, 2010, 10:36:45 AM »
                  I'm really puzzled. I can't see any signs of malware that would cause a slowdown.

                  Quote
                  but I was sure that it said in the advertising blurb that "antivirus was the past and antimalware the future".
                  But, you still need to protect against both.
                  =============================

                  To uninstall ComboFix

                  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
                  • In the field, type in ComboFix /uninstall


                  (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

                  • Then, press Enter, or click OK.
                  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
                  =================================
                  Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky.fr and save it to your Desktop.
                  • Please close all other applications running on your system.
                  • Please double click GetSystemInfo.exe to open it.
                  • Click the Settings button.
                  • Set it to Maximum
                  • IMPORTANT! Then please click Customize - choose Driver / Ports tab and Uncheck Scan Ports.
                  • Click Create Report to run it.
                  • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.
                  Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

                  Soulmonger

                    Re: Trojan Propogator.
                    « Reply #16 on: February 20, 2010, 04:09:10 PM »
                    Hi Dave,
                    Sorry, haven't been around for much of the day.
                    I ran the Kaspersky GSI, but was unable to configure it the way you suggested. I could set to max or uncheck port box, but not the two together. The report at this URL is for a medium setting with the unchecked port box.
                    http://www.getsysteminfo.com/read.php?file=1119df933a96f252387084347f734145

                    I have noticed that the PC returns to normal speed a significant time after I boot it up, typically 20 mins. (Not using it at present due to the persistent problem), however within that period it took just over a minute between clicking on the "Run" command and the window appearing. Combofix took two attempts and 13 mins to uninstall. This is very unusual behaviour since it ran pretty *censored* quick with all my previous applications loaded and fighting for memory.

                    Many thanks,
                    Brian.

                    SuperDave

                    Re: Trojan Propogator.
                    « Reply #17 on: February 20, 2010, 07:29:54 PM »
                    One more scan please.

                    Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

                    •Double-click on drweb-cureit.exe and then click Start

                    •An information notice will appear, click OK.

                    •This starts a short scan that will scan the files currently running in memory.
                    If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version

                    •If or when something is found, click the Yes button when it asks you if you want to cure it.
                    •Once the short scan has finished, Click Settings > Change Settings

                    •Under the Scanning tab UNcheck Heuristic analysis and click OK

                    •Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.

                    •Click Yes to all if it asks if you want to cure/move any file(s).

                    •When the scan is done.
                    •In the Dr.Web CureIt menu on top left, click File and choose Save report list.

                    •Save the DrWeb.csv report to your Desktop.

                    •Exit Dr.Web Cureit.
                    Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                    * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                    * Copy and paste that log in the next reply

                    Soulmonger

                      Re: Trojan Propogator.
                      « Reply #18 on: February 21, 2010, 01:34:40 PM »
                      Dr Web has at least confirmed that I am not going mad.
                      On the first scan it highlighted "Hosts File modified" which it cleared.
                      On the second part of the scan it Identified three trojans and some adware.
                      The first Trojan was on the C drive: Trojan Startpage.1505
                      The second was on the external hard drive: Trojan Stinger and I did not note the third.
                      I cannot remember any more details of it I'm afraid.
                      Unfortunately I cannot post any logs since the utility hung and then crashed the PC at approx 80% complete (whilst scanning the J drive):
                      J:\...B}\RP27\A0015521.exe/Cab/00317882.cab

                      I tried again and the same thing happened.
                      Technical details as follows:

                      A Problem was detected
                      Kernel_Data_Inpage_Error

                      Stop: 0x0000007A (0xE1D2C910, 0xC0000185, 0xBF919D3D, 0x6728D860)

                      WIN32.SYS - Address BF919D3D base at BF800000 Datestamp 4A8564C7


                      The system was running abysmally slowly prior to the crash. The two scans took several hours to complete.

                      Sorry I can't provide any logs; when I tried right clicking the icon I did not get an "open with" option, I guess because the scan did not finish.
                      Thanks Dave.


                      SuperDave

                      Re: Trojan Propogator.
                      « Reply #19 on: February 21, 2010, 07:05:48 PM »
                      * Please uninstall your current version of SUPERAntiSpyware. <- This is important!
                      * Download and install the new version of SUPERAntiSpyware
                      * After installing the new version, it may tell you that you need to reboot to complete the installation. You must reboot at this time!
                      * After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get any available updates.
                      * Now run a new full scan of your system.
                      * Post the log in your next reply.

                      Re-run MBAM:

                      Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.


                      Soulmonger

                        Re: Trojan Propogator.
                        « Reply #20 on: February 22, 2010, 06:14:35 AM »
                        Hello Dave,
                        uninstalled, then reinstalled the latest version of SAS as requested, (seems to be the same). Ran scans, logs attached.

                        [Saving space, attachment deleted by admin]

                        Soulmonger

                          Re: Trojan Propogator.
                          « Reply #21 on: February 22, 2010, 10:08:16 AM »
                          Oops, forgot to update Malwarebytes before running the scan, so ignore the last scan.
                          Ran updates and rescanned.
                          Log attached.

                          [Saving space, attachment deleted by admin]

                          evilfantasy

                          Re: Trojan Propogator.
                          « Reply #22 on: February 22, 2010, 11:03:42 AM »

                          Download The Avenger by Swandog46 and save it to your desktop.

                          * Extract avenger.exe from the Zip file and save it to your desktop
                          * Run avenger.exe by double-clicking on it.
                          * Do not change any check box options!!
                          * Copy everything in the Code box below, and paste it into the Input script here window:

                          Code:
                          Comment:

                          Files to delete:
                          C:\WINDOWS\SET26.tmp
                          C:\WINDOWS\SET25.tmp
                          C:\WINDOWS\SET8.tmp
                          C:\WINDOWS\SET4.tmp
                          C:\WINDOWS\SET3.tmp
                          C:\DOCUME~1\Bri\LOCALS~1\Temp\catchme.sys

                          * Now click the Execute button.
                          * Click Yes to the prompt to confirm you want to execute.
                          * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
                          * Your PC should reboot, if not, reboot it yourself.
                          * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

                          * Add the Avenger log in your next post.

                          ----------

                          When did these errors start happening?
                          Have you added any new hardware recently?

                          Is a-squared what reported the malware? What all did you let a-squared fix?
                          « Last Edit: February 22, 2010, 11:19:28 AM by evilfantasy »

                          Soulmonger

                            Re: Trojan Propogator.
                            « Reply #23 on: February 22, 2010, 11:29:49 AM »
                            Log attached as requested.
                            These errors only happened when I ran the Dr Web scan and I haven't added any new hardware recently.
                            Thanks
                            Brian

                            [Saving space, attachment deleted by admin]

                            Soulmonger

                              Re: Trojan Propogator.
                              « Reply #24 on: February 22, 2010, 11:36:06 AM »
                              I don't know if it's of any consequence, but somehow the external hard drive designation has been changed from "K" to "J" at some point recently.

                              evilfantasy

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Calm like a bomb
                              • Thanked: 493
                              • Experience: Experienced
                              • OS: Windows 11
                              Re: Trojan Propogator.
                              « Reply #25 on: February 22, 2010, 02:03:34 PM »
                              None of the scanners are finding anything so I think it's safe to say that this is not a malware issue.

                              Soulmonger

                                Re: Trojan Propogator.
                                « Reply #26 on: February 22, 2010, 02:07:46 PM »
                                Just noticed your final question in your last post.
                                Spybot search and destroy is what alerted me to the trojan originally, but it could not get rid of it. I tried several other tools but they found nothing. I then tried "a squared" which found a host of trojans including the original: bagle.hi
                                It removed them, but I then noticed other anomalies such as slow running and inability to delete the HP software, when a trojan had been found in its software. "a squared" also alerted me to several attempts to contact "known malware distribution sites" whilst using Firefox. Although "a squared" got rid of the malware, my PC became reinfected every time I used it, to the extent it found 42 instances of trojans (i.e., maybe nine trojans in 42 total locations). Then I contacted you guys. I don't think that "a squared" is at fault since my wife uses it (since I started using it) with no problems or evident false positives.

                                evilfantasy

                                Re: Trojan Propogator.
                                « Reply #27 on: February 22, 2010, 02:27:30 PM »
                                a-squared is not something that should be used by just anyone. It has many false positives and if you don't know what you're doing with it you can damage the OS, which is what I think happened here.

                                Look in a-squared and see if you can restore what it removed from quarantine. Then uninstall a-squared.

                                Or at least see if you can get me a log from a-squared.

                                Soulmonger

                                  Re: Trojan Propogator.
                                  « Reply #28 on: February 22, 2010, 02:43:30 PM »
                                  Dr Web did find three trojans as I indicated before, but crashed before it finished and hence no log, but I can only tell you what I know.
                                  I appreciate immensely your time and trouble in trying to resolve my problem and I can understand your frustration at being unable to find a solution, or indeed, a problem.
                                  Are there any housecleaning issues to deal with, re uninstalling programmes etc.?

                                  I have got Event and Quarantine logs for "a squared", but I don't know how to retrieve/copy them to you other than by screenshot. Any ideas?

                                  Thanks
                                  Brian

                                  Soulmonger

                                    Re: Trojan Propogator.
                                    « Reply #29 on: February 22, 2010, 02:58:23 PM »
                                    Sorry it's not an event log, it's a Malware IDS log. Not much use I don't think.
                                    Brian.

                                    evilfantasy

                                    Re: Trojan Propogator.
                                    « Reply #30 on: February 22, 2010, 02:59:51 PM »
                                    I only want the quarantined items log if it is there. Can you save it as a text file or in some other format and (if needed) upload it to www.filedropper.com and post the link to it back here.

                                    Quote
                                    Dr Web did find three trojans as I indicated before, but crashed before it finished and hence no log

                                    Finding something... We need to see file paths. It could be something that isn't actually a threat.

                                    Soulmonger

                                      Re: Trojan Propogator.
                                      « Reply #31 on: February 22, 2010, 04:39:40 PM »
                                      Hi Evilfantasy.

                                      I couldn't find any way of copying the quarantine log either to a text file, notepad or otherwise. I had to use screenshots in jpg format and Filedropper as suggested.
                                      I've adjusted the screen to enable you to see as much detail as possible of the file paths, to the detriment of the date column and the "event" column (Move to or delete from Quarantine). Hope this is ok. I had to do it in three parts as you can appreciate.
                                      Relevant urls:
                                      http://www.filedropper.com/asquaredshot1
                                      http://www.filedropper.com/asquaredshot2
                                      http://www.filedropper.com/asquaredshot3

                                      Sorry about the format.

                                      Regards
                                      Brian

                                      evilfantasy

                                      Re: Trojan Propogator.
                                      « Reply #32 on: February 22, 2010, 04:51:46 PM »
                                      Does your printer still work?

                                      Soulmonger

                                        Re: Trojan Propogator.
                                        « Reply #33 on: February 22, 2010, 05:19:44 PM »
                                        The printer works fine, but the scanner has a problem.
                                        This however may be my fault as I tried to uninstall the software after the malware was found in its files. It wouldn't uninstall so I deleted some of the files. Stupid now I think about it.

                                        evilfantasy

                                        Re: Trojan Propogator.
                                        « Reply #34 on: February 22, 2010, 05:25:33 PM »
                                        The only thing I saw that might be a problem is the printer software. What kind of printer is it?

                                        Soulmonger

                                          Re: Trojan Propogator.
                                          « Reply #35 on: February 22, 2010, 05:28:51 PM »
                                          It's an HP Photosmart 3210 all in one.

                                          evilfantasy

                                          Re: Trojan Propogator.
                                          « Reply #36 on: February 22, 2010, 05:41:53 PM »
                                          HP Photosmart 3210 All-in-One Printer  >  Microsoft Windows XP http://h10025.www1.hp.com/ewfrf/wc/softwareList?os=228&lc=en&dlc=en&cc=us&lang=en&product=439488

                                          Go to that page and download then install the HP Photosmart Full Feature Software and Drivers. (Third from the top under the Driver category)

                                          That should replace any files/folders that may have been accidentally deleted.

                                          Soulmonger

                                            Re: Trojan Propogator.
                                            « Reply #37 on: February 22, 2010, 05:51:48 PM »
                                            Thanks I'll try that.
                                            I do have the original installation disc which is how I reinstalled the software as I posted earlier. I then updated from the HP website. How would a trojan have become resident in the printer software, when reinstalled from a disc?


                                            evilfantasy

                                            Re: Trojan Propogator.
                                            « Reply #38 on: February 22, 2010, 05:54:10 PM »
                                            I'm thinking it's a false positive. If you haven't already, I would uninstall it completely and then use the disk to install it new.

                                            Soulmonger

                                              Re: Trojan Propogator.
                                              « Reply #39 on: February 22, 2010, 06:03:19 PM »
                                              I haven't tried uninstalling it since I started posting on this thread, so I'll give it another go.

                                              Do you consider that all or most of the reported trojans by "a squared" were false positives then, or that it removed them to start with and then reported false positives subsequent to that? It scared the *censored* out of me.

                                              Soulmonger

                                                Re: Trojan Propogator.
                                                « Reply #40 on: February 22, 2010, 06:07:29 PM »
                                                Your censorship filters are very sensitive, no offence.

                                                evilfantasy

                                                Re: Trojan Propogator.
                                                « Reply #41 on: February 22, 2010, 06:08:28 PM »
                                                Most of it was not a threat. Some I'm not sure of but nothing jumped out to me as being malicious.

                                                Soulmonger

                                                  Re: Trojan Propogator.
                                                  « Reply #42 on: February 23, 2010, 10:40:32 AM »
                                                  I uninstalled the printer software and prior to reinstalling the software ran a malwarebytes scan. I've attached the log for you. I haven't done anything with the infections as yet.
                                                  Thanks
                                                  Brian.

                                                  [Saving space, attachment deleted by admin]

                                                  evilfantasy

                                                  Re: Trojan Propogator.
                                                  « Reply #43 on: February 23, 2010, 10:46:40 AM »
                                                  Those aren't actually infections and can be taken care of easily with resetting System Restore.

                                                  Disable/Enable the System Restore Utility to flush old infected restore points

                                                  1) Right click the My Computer icon on the Desktop and click on Properties.
                                                  2) Click on the System Restore tab.
                                                  3) Put a check mark next to Turn off System Restore on All Drives
                                                  4) Click the OK button.
                                                  5) You will be prompted to restart the computer. Click the Yes button.

                                                  Now re-enable System Restore

                                                  To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

                                                  1) Right click the My Computer icon on the Desktop and click on Properties.
                                                  2) Click on the System Restore tab.
                                                  3) Remove the check mark next to Turn off System Restore on All Drives
                                                  4) Click the OK button.

                                                  Soulmonger

                                                    Re: Trojan Propogator.
                                                    « Reply #44 on: February 23, 2010, 10:59:50 AM »
                                                    Do I need to remove them with Malwarebytes first (I haven't shut it down yet), and where have they appeared from? The PC has been on today but I only updated Malwarebytes and removed the printer software. Avast has been running the whole time.

                                                    Thanks

                                                    Brian.

                                                    evilfantasy

                                                    Re: Trojan Propogator.
                                                    « Reply #45 on: February 23, 2010, 11:01:14 AM »
                                                    You can remove them with MBAM or not. The next step is going to remove them and any more that may not have been found.

                                                    Soulmonger

                                                      Re: Trojan Propogator.
                                                      « Reply #46 on: February 23, 2010, 11:22:09 AM »
                                                      Ok system restore disabled and re-enabled.

                                                      evilfantasy

                                                      Re: Trojan Propogator.
                                                      « Reply #47 on: February 23, 2010, 11:26:17 AM »
                                                      You should be good to go as far as malware is concerned.

                                                      Any other issues will need to be addressed in the respective forum.

                                                      Soulmonger

                                                        Re: Trojan Propogator.
                                                        « Reply #48 on: February 23, 2010, 11:36:38 AM »
                                                        That is wonderful news to hear. What about uninstalling hijack this, RSIT, avenger, etc; are there any special procedures or just uninstall them?

                                                        evilfantasy

                                                        Re: Trojan Propogator.
                                                        « Reply #49 on: February 23, 2010, 11:47:22 AM »
                                                        Uninstall HijackThis and just delete the others.

                                                        Soulmonger

                                                          Re: Trojan Propogator.
                                                          « Reply #50 on: February 23, 2010, 11:50:44 AM »
                                                          Many thanks for your help and expertise, and many thanks as well to Superdave.
                                                          Words like trojan and rootkit bring fear into us mere mortals.
                                                          Your help is much appreciated.

                                                          Regards

                                                          Brian.

                                                          evilfantasy

                                                          Re: Trojan Propogator.
                                                          « Reply #51 on: February 23, 2010, 11:51:48 AM »
                                                          You're welcome.

                                                          Safe surfing...