Member Avatar for andy_s

I have followed the recommendations from the many threads on this topic, but regret that I can't get rid of this malware with yor expert help.

I have repeatedly booted in safe-mode, run Adaware-6, Spybot, CWShreader, rebooted, done it all again, cleared all IE history, off-line content, temp files, recycle bin. I am not winning :-(

I strongly suspect (but I am certainly an amateur) that WMDHINA.DLL detected repeatedly by FINDnFIX is a nasty, but I can't even find it! In windows explorer I have view set to everything (not system files hidden etc.). WMDHINA.DLL is also not in the c:\windows\system32\dllcache.

I append HJT & FINDnFIX logs after running Adaware-6, Spybot, CWShreader, rebooted, done it all again etc., but before it all came back again (at least 1 entry, anyway, on a precautionary extra running of Ad-Aware.

I had hoped not to need to bother you, but regret I am at a loss. Any assistance would be greatly appreciated.

Thanks,
Andy_S

Logfile of HijackThis v1.98.0
Scan saved at 7:47:02 PM, on 23/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\AntiVirus\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.8:4000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{457C40E7-7428-4C9D-9904-B10CDB7209C4}: NameServer = 192.168.8.1,192.168.0.3

==========================================================
FINDnFIX log
==========================================================

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\WDMHINA.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
wdmhina.dll Thu 10 Jun 2004 20:40:58 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WDMHINA.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group ALS-HOME\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
7:48pm up 0 days, 0:02
Fri 23 Jul 04 19:48:51

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-22-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-22-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Thu 22 Jul 2004 23:58:20 .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: vk @ f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ w d m h i n
00001210:a . d l l B vk X UDeviceNotSelecte
00001250:dTimeout 1 5 9 0 N vk ' z
00001290:GDIProcessHandleQuota" vk Spooler2 y e
000012D0:s _ ( x vk 5swapdisk
00001310: vk h . TransmissionRetryTimeout ( x
00001350: ` vk ' USERProcessHandleQuota
00001390:p
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fùAppInit_DLLsÖæG¸ÿÿÿC
--------------
--------------
$011C8: AppInit_DLLs
$0123F: UDeviceNotSelectedTimeout
$0128F: zGDIProcessHandleQuota
$01328: TransmissionRetryTimeout
$01378: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\wdmhina.dll
--------------
--------------
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\wdmhina.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 64 00 6d 00 68 00 | m.3.2.\.w.d.m.h.
0030 69 00 6e 00 61 00 2e 00 64 00 6c 00 6c 00 00 00 | i.n.a...d.l.l...

  • 3 Contributors
  • 9 Replies
  • 247 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by andy_s
Member Avatar for crunchie

Unfortunately this forum is not authorized in the use of FindnFix. Can you try this instead.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode. Post a fresh hijackthis log after doing that.

Member Avatar for andy_s

I have done as you suggest. About:buster did not find anything to fix. The HJT log after finally running Ad-Aware is:

Logfile of HijackThis v1.98.0
Scan saved at 9:22:49 AM, on 24/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVirus\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.8:4000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{457C40E7-7428-4C9D-9904-B10CDB7209C4}: NameServer = 192.168.8.1,192.168.0.3


Thank you very much for your help.
Andy_S

Member Avatar for crunchie

That looks fine to me. Are you still having problems?

Member Avatar for andy_s

Yep. It is back again almost immediately (and the only websites I've accessed were daniweb and the about:blaster link you gave me). He is the HJT log now (I have not done all the standard cleanup again with Ad-aware etc. I have done them so often, gradually adding extra steps so it is now always in Safe Mode, clear temp files, IE history, temp internet files, CWShredder and run Spybot for good measure.)

It is horribly frustrating, as I am sure you would well know!!

I really appreciate your suggestions.
Regards,
Andy_S

Logfile of HijackThis v1.98.0
Scan saved at 6:50:27 PM, on 24/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AntiVirus\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.8:4000
O2 - BHO: (no name) - {56BA9913-0BB4-47FB-8245-6B6EAF31738F} - C:\WINDOWS\System32\ooffkn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{457C40E7-7428-4C9D-9904-B10CDB7209C4}: NameServer = 192.168.8.1,192.168.0.3
O18 - Filter: text/html - {F86A5770-F25F-4FE7-9C35-6544AE3D209A} - C:\WINDOWS\System32\ooffkn.dll
O18 - Filter: text/plain - {F86A5770-F25F-4FE7-9C35-6544AE3D209A} - C:\WINDOWS\System32\ooffkn.dll

Member Avatar for crunchie 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\als\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


O2 - BHO: (no name) - {56BA9913-0BB4-47FB-8245-6B6EAF31738F} - C:\WINDOWS\System32\ooffkn.dll


O18 - Filter: text/html - {F86A5770-F25F-4FE7-9C35-6544AE3D209A} - C:\WINDOWS\System32\ooffkn.dll
O18 - Filter: text/plain - {F86A5770-F25F-4FE7-9C35-6544AE3D209A} - C:\WINDOWS\System32\ooffkn.dll

*********************************

Download and install APM

Close all windows except HijackThis and fix the lines above.

In the upper window of APM select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log (This is the one we are after ooffkn.dll
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.

Delete the contents of this folder; C:\DOCUME~1\als\LOCALS~1\Temp

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Clean out the temp internet files too.

Edited by happygeek because: fixed formatting
Member Avatar for andy_s

Thanks Crunchie,

I might put that on hold for an hour or two, as I think it is fixed, after several weeks of pain :-)

I am in Australia so time zone differences mean there are times when you guys sleep and I am awake and searching for answers. (NOt much time you sleep though!)

I can certainly understand that you must be confident that any tools you suggest on your forums are not, in fact, malware/scumware in disguise.

I actually got the suggestion of FINDnFIX on your forum (DJ_Sneak JUly 6, 2004). It seemed so likely to me that WDMHINA.DLL from this log was the core problem, that I explored further. I found the solution (translated for my discovered file):
------------------------------------------------------------------------
FINDnFIX finds the suspect DLL in c:\windowsNT\system32
to be WDMHINA.DLL
------------------------------------------------------------------------
I unplugged my ethernet cable connection to the internet while I did the
next steps
------------------------------------------------------------------------
*Get ready to restart:
- DoubleClick on the "FIX.bat" file in the 'FINDnFIX' folder.
- Wait for the popup alert to restart your computer in 15 seconds.
-------------------------------------------------------------------------
On restart, navigate to System32 folder:
-Locate and select the "WDMHINA.DLL " file (as it will now be visible)
And use the folder's top menu>edit>move to folder...
Select the C:\FIXnFIND\junkxxx as destination and move
the "WDMHINA.DLL " there.
-------------------------------------------------------------------------
Run the "RESTORE.bat", file (which twice zips WDMHINA.DLL, I think).
Wait for the 'log1.txt' file, which indicates the WDMHINA.DLL has indeeed gone!
-------------------------------------------------------------------------
I was so anxious that I then ran CWShredder and Ad-Aware again!
-------------------------------------------------------------------------

I have since run AD-Aware (and FINDnFIX too) many times, and rebooted and gone in and out of IE. Still no return of About:blank. It has been so quick to resurface for the last few weeks that I am becoming convinced that this has at last fixed it!!

I am most grateful for your rapid help with this most unnerving problem. I will use the internet heavily for a while and post again re ruturn/non-return of about:blank.

Thank you again for your assistance.

Andy_S

Member Avatar for andy_s

After considerable web activity and reboots to test for the re-appearance of about:blank, I am delighted to be able to say that it really is cleared from my system.

It was certainly wierd that if in Regedit I navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
and highlighted AppInit_Dlls in the right-hand pane and right clicked to choose 'Modify Binary Data' , I only saw 0 0 0 0 . This was despite FINDnFIX finding the nasty DLL there. Maybe the 'absent trailing NULL' tricks the system ?? (I have no idea - I am just glad it is fixed!!)

Anyway, it got fixed and I am most relieved. By the way, all the things I mentioned in this post and in my last post as finally fixing the mess were done after booting in safe mode.

Thanks again
Andy_S

Member Avatar for andy_s

Thanks for the suggestion Caperjack.
I installed Spywareblaster and IE-SPYAD some days ago, but will add SpywareGuard.
(My system remains clean!!)
Regards,
Andy_S

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.