Really Nasty Infection - OKFawEgyTV.exe

Hello, I wasn't able to run ComboFix because I can't see the desktop items in safe mode or otherwise. Malwarebytes' did get rid of some registry hijacks, but most of them respawn upon reboot. I have a "System Fix" icon embedded into the quick launch portion of the taskbar and it won't budge. The only way I can even function in normal mode is to quickly delete a startup executable by the name of OKFawEgyTV.exe which I believe is at the heart of the problem. I also always have to unhide all the folders and files every time I restart and the only way I can open them is by the right-click 'open' method. Hope someone can help, thanks.

 

I forgot to mention that every time I open a new IE window it always stalls by detecting proxy settings before the page can load. I also get redirected from google search results.

 

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 29.
• Click the "Download JRE" button to the right.
• Accept the license agreement.
• Click on the download link for your system and save it to your desktop.
  Windows x86 Offline (jre-6u29-windows-i586.exe)
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

-----------------------------------------------------------

The installed version of Adobe Flash Player on this computer is out-dated. Install the latest version of Adobe Flash Player available from Adobe. (Do this using both IE and Firefox)

-----------------------------------------------------------

http://img38.imageshack.us/img38/7284/yse.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Shut down your protection software now to avoid possible conflicts.
Note: This is actually Trend Micro HiJackThis - v2.0.4
Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

Code:

R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [OKFawhEgyTV.exe] C:\Documents and Settings\All Users\Application Data\OKFawhEgyTV.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

-----------------------------------------------------------

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
  
  Now we need to use ComboFix to remove some stuff.
  
  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
  
  (make sure you scroll all the way down in the code box to get all lines selected ):
  
  Code:

  KillAll::
  
  File::
  C:\Documents and Settings\All Users\Application Data\CuhPz9dOOoceNI
  C:\Documents and Settings\All Users\Application Data\CuhPz9dOOoceNI.exe
  C:\Documents and Settings\All Users\Application Data\OKFawhEgyTV.exe
  C:\Documents and Settings\All Users\Application Data\CuhPz9dOOoceNI
  C:\Documents and Settings\All Users\Application Data\CuhPz9dOOoceNIr
  C:\Documents and Settings\demigod\Local Settings\temp\2147483647.dat
  
  

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    http://f.imagehost.org/0093/th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
  Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.
  
  The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.
  
  -----------------------------------------------------------
  
  Attach logs for:
  
  • ComboFix (C:\combofix.txt)
  Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  
  

 

Hello, I followed everything to the letter and everything worked out except for ComboFix. I did everything with the script and the hyphen between combo and fix, but it just wouldn't budge beyond the initial phase of telling me that scanning times could easily double. I left it running for well over 3 hours before I eventually had to do a force shutdown because the entire system froze.

On the plus side, it looks as though OKFawhEgyTV.exe is gone for good, but I'm still getting redirected from google results as well as IE windows always detecting proxy settings for an extended period of time when I open one. Also, When I don't have IE open, an invisible IE page randomly spawns and the only way to get rid of it is to kill it in Task Manager. Hope there's a way to get around this with regard to ComboFix.

 

OK, sounds like TDSS is present.

The images below will probably vary slightly for what you see when you run the tool.

Read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
  
• If no reboot is require, click on Report. A log file should appear. Save the log somewhere where you can find it.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".
• Attach the TDSSKiller log.

 

TDSSKiller won't run. After I double-click it, the hourglass flashes for a split second but nothing happens. I tried to rename it, still nothing.

 

OK, let's try it this way.

Download and run Win32kDiag per the below instructions:

• Download Win32kDiag.exe and save to C:\Win32kDiag.exe. You must save it here!!!!
• Now press and hold the http://img849.imageshack.us/img849/4325/windowkey.gif Windows key on your keyboard, then press the letter r on your keyboard.
• Then copy the below text and paste it into the Open: text-field and press ENTER.
  Code:

  C:\win32kdiag.exe -f -r

• When it's finished, there will be a log named Win32kDiag.txt on your desktop.

Read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
• If no reboot is require, click on Report. A log file should appear. Save the log somewhere where you can find it.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".

Close all windows

Do the following:
Start -> Run
type cmd
Click "OK"

The Command Console will open

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

Code:

netsh int ip reset reset.log
netsh winsock reset catalog
ipconfig /flushdns
exit

Re-boot your PC.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• TDSSKiller (C:\TDSSKiller.(Version)_(Date)_(Time)_log.txt)
• Win32kDiag.txt

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

TDSSKiller still won't run and the ipconfig /flushdns command failed.

 

OK, let's see what you have for partitions.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

 

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
You should be here...
Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 2MB
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.

You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

• fixmbr \Device\HardDisk0
• fixboot c:
• exit

Once back in Windows.

Download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window will open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
• Attach that file.

 

Ok, I deleted the 1.94 MB partition with no problems. Just as a sidebar, another 1.95 MB unallocated partition popped up in its place as soon as I clicked on apply.

There is one thing about the Recovery Console CD I'd like to mention. When it booted to the "Welcome to Setup" screen, I assume that I was supposed to go along with the second option of repairing the Windows XP installation using Recovery Console. After I pressed R and typed in the first command, I received the following message: "This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your boot partitions if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drives, do not continue. Are you sure you want to write a new MBR?" So, just as a precautionary measure, unless I completely misinterpreted your instructions and wasn't supposed to be where I wound up, I'd like to get confirmation from you that I should proceed.

 

That's a standard warning. Continue with the instructions.

 

Log.

 

Now we need to run TDSSKiller by Kaspersky

Follow the instructions here except use the Change Parameters feature and select "Detect TDLFS File system" before scanning. Leave the other option uNchecked.

Attach your log when you are finished. (How to attach items to your post)

 

Just wanted to point out that there's no "Update" tab in Java Control Panel. Thought that was kind of strange because it was always there before.

 

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 29.
• Click the "Download JRE" button to the right.
• Accept the license agreement.
• Click on the download link for your system and save it to your desktop.
  Windows x86 Offline (jre-6u29-windows-i586.exe)
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

-----------------------------------------------------------

The installed version of Adobe Flash Player on this computer is out-dated. Install the latest version of Adobe Flash Player available from Adobe.

-----------------------------------------------------------

Run Malwarebytes Anti-Malware, update, and then run a scan. Delete everything it finds.

Attach the MBAM results log when done.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

I upgraded to the up-to-date versions of both apps 3 days ago when you first instructed me to do so.

Few things that are still off-kilter. IE window access continues to hang when I open multiple windows with the whole "Detecting proxy settings" business before the page can load.

When I try to toggle System Restore it tells me that it encountered an error trying to enable/disable one or more drives. Also, when I try to open System Restore a prompt pops up saying that System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again. I, of course, have done this a handful of times already to no avail.

 

OK, let's see what's going on.

Download -->> OTL <<-- to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
  • Attach both logs with your next reply.

 

The logs were saved to desktop. I have a Combo-Fix folder in C:\ as a "My Computer" icon. Can I delete that?

 

Not just yet. We may still need to use ComboFix.

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  Code:

  :OTL
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
  O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
  O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
  O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
  [2011/11/16 23:12:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\demigod\Start Menu\Programs\System Fix
  [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
  [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  [2011/11/16 23:12:25 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~CuhPz9dOOoceNI
  [2011/11/16 23:12:25 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~CuhPz9dOOoceNIr
  [2011/11/16 23:12:20 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\CuhPz9dOOoceNI
  [2011/04/30 23:46:27 | 000,007,730 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\vhf6a7ab7h335d07ur33rbd5x6cjdqx1gr8iu
  [2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
  [2011/03/22 20:55:03 | 000,008,974 | -HS- | C] () -- C:\Documents and Settings\demigod\Local Settings\Application Data\f78v4p5x5s0g3t1w47316ljd50m8r
  [2011/03/22 20:55:03 | 000,008,974 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f78v4p5x5s0g3t1w47316ljd50m8r
  [2010/09/04 23:33:06 | 000,004,990 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
  [2010/10/19 18:36:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\demigod\Application Data\FCTB000060497 
  @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2BE9FEFC
  @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
  
  :Commands
  [Purity]
  [EmptyTemp]
  [EmptyFlash]
  [EmptyJava]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Where is the "More Reply Options" button? I can't seem to find it.

System Restore is still inaccessible and every other hiccup I've mentioned remains unchanged.

 

I use the same posting template for a couple of other boards. I simply forgot to edit that part.

Do a scan with OTL and attach the new log.

 

Same settings as last time, right?

 

OK, your OTL log looks fine. How are things running?

 

The good news is no more redirects, but all of the above still apply.

 

OK, as far as this is concerned, all I had to do was uncheck "Automatically detect settings" in Internet Options under the "Connections" tab for this to stop happening. It's odd because it was always checked prior to infection and it still never tried to detect proxy settings unless, of course, I had to recycle my modem.

 

That option should have been turned off, if you not using a proxy. So, it being on before and not display the "Detecting proxy settings" message, is actually the odd thing.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Still can't access System Restore nor can I toggle it. I'll figure something out. Important thing is no malware. I'm very grateful for all your help, Shadow_Puter_Dude. Thanks, again.

 

http://img24.imagevenue.com/loc105/th_274341488_untitled_122_105lo.JPG

I tried that yesterday. Happened every time I tried.

 

First let's try repairing areas of the system that can be damaged by malware.

Download Windows Repair by Tweaking.com to your desktop.

• Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
• Now open this folder and double-click Repair_Windows.exe.
• Click the Start Repairs tab on the far right.
• Click Custom Mode so there is a bullet in it.
• Click the Start button (bottom right)
  Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
• Click Unselect All
• Put a checkmark in the following items:
  • Reset Registry Permissions
  • Reset File Permissions
  • Remove Policies Set By Infections
  • Repair Windows Updates
  Note: Leave everything else unchecked
• Put a checkmark in Restart System When Finished
• Now click the Start button (bottom right)

OK, now try accessing System Restore.

 

Still no go, unfortunately.

 

Let's try reinstalling System Restore.

Do the following

Start -> Run
type cmd
Click "OK"

The Command Console will open

Enter the following commands, at the Command Prompt.

Press the Enter Key after each command

Code:

%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %SystemRoot%\inf\sr.inf

Wait for the above command to finish, you may be promted for your Wndows CD, then type:

Code:

exit

The Command Console will close.

 

I believe just about every file needed from the Windows CD was not able to be copied. I continued Setup without copying the files until the end of the process. It appeared as though it did manage to copy something at the very end right before an auto reboot. Lo and behold! I was able to access System Restore as well as toggle it. I wasn't expecting to be able to do so because, as mentioned above, almost every file that it asked for was not successfully transmitted from the CD. Either way, everything seems to be working fine now. Thank you for your patience, chaslang and SPD.

Oh yea, I almost forgot, I have a 'subinacl' application in C:\. Can I delete that?

 

You're welcome, glad to be of assistance

Yes, you can delete subinacl.