Hello everyone,

I've been getting a Help Assistant folder on my computer in Documents & Settings. It copies all of my files. I have been deleting it every day for the past couple of weeks since my anti-virus provider cannot solve this problem (so far).

This folder first appeared on January 23, but I did not notice it until April. On Startup, a boot screen shows up, but Windows then loads by itself. This is part of the Help Assistant problem. It has even uninstalled my firewall and I had to reinstall it. It copies my files and then makes copies of the copies, but changes the first two letters of the file name to "~$".

Any ideas? Thanks.

Recommended Answers

All 21 Replies

Please follow the steps in the linky below and post the requested scanlogs.
We'll have a look and go from there.

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

Thank you for your time and attention. I appreciate your help. :)

I first noticed this Help Assistant Folder on my computer on April 13, but it has been there since January 10. I used ComboFix per my StopSign Antivirus provider’s instructions, but the folder remained.

I sent the following web address to StopSign because it explained my problem much better than I can:
http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Next, I sent StopSign the following on April 24:

“More problems with Help Assistant that I have noticed. It keeps disabling StopSign Real Time Scanning and it either disables or uninstalls the StopSign firewall upon boot.

Besides duplicating my files, it also makes new files of my old ones, but changes the names slightly by replacing the first two letters of the file with these two signs: ~$ and I am unable to read the contents of these new files. It also changes the “date modified” so that the date modified is earlier than the “date created!”

Finally, because of all of these problems, I deleted the whole Help Assistant folder, but each time I boot my computer, it reappears after a short time so I delete it again, but it is not simple to delete. I have to delete individual folders within Help Assistant and then delete the main folder in Documents and Settings. Then, I can work normally on my computer until the next boot at which time I must start all over again deleting the now newly created Help Assistant folder.

Also, it did not let me delete some of my personal folders that I have on my desktop until after I deleted the Help Assistant folder. When trying to delete the desktop folders, I would get a message that stated that I could not delete it because the file was being used by another person, etc. So, I had to quickly delete the Help Assistant folder at Startup so that I could delete its contents and then the folder itself.”

On April 27, I disabled all Remote Access in Services except for Remote Procedure Call (RPC) and since then, the Help Assistant folder has not reappeared, but the boot screen still pops up before it loads Windows. This boot screen did not appear before January 10.

On April 29, StopSign informed me that it was a Windows configuration problem rather than an infection. I replied that I never had any of these problems nor the Help Assistant folder before January 10, so what or who started Help Assistant on my computer? This is when I decided to contact your forum for help.

On May 1, StopSign contacted me again and requested that I do another ComboFix which I did and now I am waiting to hear back from StopSign. I am attaching the May 1 ComboFix log.txt to this post also in case it found part or most of the problem.

I had no problems at all with any of the scanning steps that you asked me to do.

Thank you!


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Janet at 16:34:56.15 on 05/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.147 [GMT -7:00]

AV: StopSign Antivirus *On-access scanning enabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\StopSign\OnAccess\onaccess.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\StopSign\Firewall\FWService.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://idm.east.cox.net/coxlogin/ui/internettools?TYPE=33554432&REALMOID=06-b6c69bf3-75c3-1017-a6a3-84a733520cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-a6gsmx1Vq9NIYcRcbL7P%2fDCE8%2bkzVnKzxsULW0ckVZpBzTswo5n0BmH436d6SiVV&TARGET=-SM-http%3a%2f%2fmyaccount%2ecox%2enet%2finternettools%2fhome%2ecox
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\tbSwag.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [WDM_MIDISYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{DFF220F3-F70F-11D0-B917-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{6994AD04-93EF-11D0-A3CC-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137981281312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {88CC5220-829C-4D14-8723-9C5CC8A54805} = 208.67.222.222,208.67.220.220
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\ehdp24rb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&q=
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2010-2-9 109664]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2010-1-23 263504]
R2 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [2005-11-1 105124]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-05-02 22:34:58 0 d-----w- c:\docume~1\janet\applic~1\Malwarebytes
2010-05-02 22:34:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 22:34:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 22:34:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 22:34:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 16:02:09 3924810 ----a-r- C:\cure.com
2010-04-20 15:30:07 0 d-----w- c:\program files\common files\xing shared
2010-04-13 23:48:44 0 d-sha-r- C:\cmdcons
2010-04-13 23:47:25 98816 ----a-w- c:\windows\sed.exe
2010-04-13 23:47:25 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 23:47:25 256512 ----a-w- c:\windows\PEV.exe
2010-04-13 23:47:25 161792 ----a-w- c:\windows\SWREG.exe
2010-04-13 23:09:26 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2010-04-10 00:02:15 0 d-----w- c:\windows\system32\NtmsData
2010-04-03 16:20:07 0 d-----w- c:\program files\Conduit
2010-04-03 16:20:06 0 d-----w- c:\program files\Swag_Bucks

==================== Find3M ====================

2010-04-03 18:09:04 2000000 ----atw- c:\windows\system32\HJSMEM.DAT
2010-03-15 17:30:06 109664 ----a-w- c:\windows\system32\drivers\fwcore.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2007-02-21 19:14:58 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-12-13 15:09:20 3278 ----a-w- c:\program files\EULA.rtf
2004-12-13 10:34:12 415 ----a-w- c:\program files\readme.txt
2004-09-10 20:40:38 75264 ----a-w- c:\program files\DECCHECK.exe
2004-09-10 20:40:38 5970 ----a-w- c:\program files\eula.txt
1999-10-31 05:54:32 561152 ----a-w- c:\program files\convert.exe
2009-10-14 00:47:21 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:35:53.48 ===============

I sent the following web address to StopSign because it explained my problem much better than I can:
http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Right - this is a well known issue. That link illuminates it well.

On May 1, StopSign contacted me again and requested that I do another ComboFix which I did and now I am waiting to hear back from StopSign. I am attaching the May 1 ComboFix log.txt to this post also in case it found part or most of the problem.

A few things ( and please bear in mind that this is solely my opinion ):
I am not particularly enamored with StopSign. You can do a lot better. Especially if you are going to spend money on protection (though there are free options that perform better than StopSign...).

Since you are dealing with them, it would be counterproductive for me to jump into the middle of the mess - too confusing.

-- It looks as though combofix has addressed the MBR issue. Likewise, the GMER scans are clean - I don't see anything there.
We'll see what the fresh run of combofix does (BTW - combofix should be run from Desktop), but I'd like to hold off while StopSign is advising you.

-- You have a number of security risks showing. Risky programs and legit items that need updating (Adobe Reader / Java / etc...).
Again, I'll wait until StopSign has spoken before jumping in.

Cheers :)
PP

Hi PP,

I finished StopSign's new "fix" today, but Real Time scanning still becomes disabled while I use it. I've uninstalled it and re-installed it per their instructions, but the problem still remains after the "fix."

I now have a separate limited acct. that I surf the net with that supposedly will not give anyone access to my system files (per StopSign's advice). Your comment, please?

I disabled all remote access services except for Remote Procedure Call (RPC) (a couple of weeks ago) while I was waiting for help from StopSign. I need RPC enabled in order to get Windows updates, etc.?

StopSign does not recommend RegCure or My Bugfree PC or any other registry cleaners. Your comment, please?

Security risks showing? Update legit programs? I'd like to learn what to do next, but not from StopSign if possible. StopSign is solely my husband's idea although I did get this Trojan or whatever it is while I was using McAfee.

Help would definitely be appreciated. :) Thank you!

My Bugfree PC by eSunsoft Technologies is likely a very dangerous program. Even their home website gets a google warning that the website may be dangerous to your computer. Certainly wouldn't trust ANY software whose home website is considered dangerous, in fact I am totally blocked from even checking out the site by my security software, and the WOT rating for the site is a "1". The absolute lowest possible out of 100. I have never seen one with that low a rating, so NO on that. If you do have it installed on your computer uninstall it IMMEDIATELY.
RegCure? It's home website ALSO ranks way at the bottom by WOT and others. It is known for Phishing, Scam software, Rogue software, Bad Customer Experience. So you choose.If you want to cause more damage to your computer then use one of these automated cleaners.

No automated registry cleaner ever gives solid proof that their programs work. Millions of people every day all over the world use their computers without ever having one of these useless programs on their computers and the computers move along just fine.

YIKES! I have uninstalled both Registry cleaner programs.

I set up other identities (non-admin. user accts.) to surf online per StopSign's advice, but they kept freezing up my computer so I deleted them. I tried several times, but each time the new identity would freeze up my computer.

Do you use your own admin. acct. to surf online? If so, how do you protect your computer?

Please, I'd like your advice if you have time, on how to clean my computer of all present malware since StopSign's advice has not solved all the problems. I have dealt with them for over a month, but I am still having problems. Their Real Time virus scanning component keeps disabling even while I am using it.

Thank you!

Quite honestly here I am somewhat confused. Have none of your difficulties been corrected?
I would like to see the second Combofix log that you say you sent to StopSign or whoever it was who asked you to do another run with it. I am not clear as to WHY they requested a second log. This really isn't the usual way to use combofix, unless they had given you a script to run using combofix, was this the case?
Didn't they give you any specific instructions on the running of combofix? As PP stated it should be run from the desktop, you show it running from something called C:\cure.com. What is this? Your firewall was also enabled during the run. The accepted and normally used instructions for the running of combofix state that it must be run from the desktop and ALL security programs, including anti-virus and firewalls must be disabled. So it wasn't run correctly to begin with. I think it did it's work as PP stated but we have not seen this second log or given a reason WHY it was run again.

I would like to see a HiJackThis system scan log if you don't mind. Here is the link for HiJackThis Version 2.0.4 that is the one you need to use.http://free.antivirus.com/hijackthis/
Please run that scan, save the log and post back here with it and also please answer my questions.

Hi Judy,

Thanks for jumping in :) - I've been a bit preoccupied with work lately.

-- I did not see any evidence of the MBR infection in previous scanlogs. Did not want to get in the way of the Stop Sign people ( and vice versa ).

If Janet is still having trouble with this baddie, there are a couple relatively painless avenues we can follow to try to remove it once and for all.

I, too, would like to see the latest logs.

PP:)

Hello everyone,

After I disabled all Remote Access except for Remote Procedure Call (RPC), the Help Assistant (HA) file and folder finally did not reappear again when I deleted them again (for the umpteenth time).

Do I need RPC in order for my computer to access the internet and to receive Windows updates, etc.?

Something is still not quite right since StopSign's Real Time virus scanner keeps disabling while I am using it.

C:\Cure.com is part of StopSign's custom cure procedure and apparently includes ComboFix.

I'd like to generate new logs to send to you to analyze with both the firewall and virus protection disabled so I will follow the procedure outlined on this website and send you the new logs.

Thanks! :)

Until later...

FYI: This was the last communication that I received from StopSign and I did as instructed with their Custom Cure.

** If you have not done so recently, I would highly recommend backing
up any important data such as pictures, music, documents etc. before
proceeding. **

1. Click the link below.
RUN THIS FILE ONLY AFTER YOU HAVE BACKED UP YOUR DATA!

http://www2.gmer.net/mbr/mbr.exe

2. Choose to SAVE or SAVE AS and choose to save it to
LOCAL DISK C:\

3. Click START>RUN and in the run box type "CMD"

A black window will open.

4. In that windows, type "CD\"

5. Now type "mbr.exe -f" and follow the prompts.

Proceed to the custom cure directions below.


*************************************************************

Your System Snapshot has been analyzed and we have created a
CUSTOM CURE (TM) to correct the problems you are experiencing.
**There are four sections in this cleaning process, please follow
all steps below to ensure your system is fully clean.

------------------------------------------------------------
Note: Text in UPPERCASE or "phrases in quotes" indicate text
you will see on your computer screen.

Please print these instructions before beginning so you have
a reference during the cleaning process.
------------------------------------------------------------

SECTION 1 - DOWNLOADING THE CUSTOM CURE (TM):

1) Click the link below and select SAVE. When you are asked
where to save the file, select DESKTOP. When the download is
complete you will have a new icon on your desktop.

http://www.avcleaner.eacceleration.com/download/qa/hartmannjanetCustomCure.exe

2) Double-click the new icon on your desktop to execute the
cleaning operation. You will see a box asking if you would
like to run the CUSTOM CURE (TM). Choose YES. Note: During the Cleaning
process, you will see a progress bar indicating that your Custom
CUSTOM CURE (TM) is working.

3) When prompted to Restart your computer, choose Yes. Allow
the computer to restart normally, and fully load. Wait until
you see your desktop icons before proceeding.

NOTE: In some cases, it may take a few hours for the CUSTOM CURE (TM)
to run, depending on the severity of the infection. However,
the CUSTOM CURE (TM) may run in less than an hour.

SECTION 2 - RUNNING CUSTOM CURE (TM) IN SAFE MODE:

To start your computer in SAFE MODE and complete the required
tasks, follow these instructions:

1) Restart your computer.

2) As your computer is restarting, press the F8 key repeatedly.

3) At the menu, use the Arrow Keys to start up in SAFE MODE.
Select your current Operating System and press Enter.

4) Log in with the User Profile you normally use.

5) Double-click the CUSTOM CURE (TM) icon and click YES to run the CUSTOM CURE (TM).

6) When prompted to Restart your computer, choose NO.

NOTE: In some cases, it may take a few hours for the CUSTOM CURE (TM)
to run, depending on the severity of the infection. However,
the CUSTOM CURE (TM) may run in less than an hour.

SECTION 3 - RUN A STOPSIGN SCAN IN SAFE MODE

7) Run a StopSign Threat Scan. Click START > PROGRAMS >
EACCELERATION > STOP-SIGN > START SCAN. Allow the scan to
finish and clean up any remaining files.

8) Restart the computer and allow it to start normally.

SECTION 4 - FINAL SCAN:

After rebooting your system normally, run an eAcceleration Anti-
Virus scan.

1) Click START > PROGRAMS > EACCELERATION > STOP-SIGN > START
SCAN.

2) Verify that your computer is clean.


You may now delete your CUSTOM CURE (TM) icon from your computer.

I am sorry. But you need to stick with them. It would do no good for two places to be analyzing logs and making comments. You began with them then that is where you should be posting.

I've stuck with them, but I still have problems even though it seems that one major problem was fixed by StopSign according to the mbr.log from May 12th that I have enclosed below. I've spent over a month waiting for them to solve the problems and now I'd like someone else's expertise, if possible, instead of continuing with them.

StopSign's Custom Cure: May 12th mbr.log:

[Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !]

Today, after I disabled the firewalls in order to run the tools required by Daniweb for diagnosis, the computer made new folders and files in Documents and Settings for two of the new identities that I had created and then deleted yesterday in "user accounts." I had deleted all files concerning them yesterday, yet they showed up again today. Help Assistant folder did not show up again. I deleted the new user accts. because when I tried to use them, each of those new accounts kept freezing up my computer.

My computer also started duplicating files again after StopSign's "cure." It made a new "duplicated" file called "~$aniweb.doc" on my desktop right underneath the legitimate file called "daniweb.doc". I opened it, but it showed only shapes like rectangles. This new file then disappeared a few hours later without me deleting it. It looked like a hidden file. I used explorer and searched for it, but turned up nothing.

This is crazy, but, now, it is back again on my desktop while I am uploading files so I am uploading it for you along with the other files requested.

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Janet at 22:06:26.28 on 05/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.371 [GMT -7:00]

AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenDNS Updater\Marcs Updater\Marcs Updater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\StopSign\Firewall\FWService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://idm.east.cox.net/coxlogin/ui/internettools?TYPE=33554432&REALMOID=06-b6c69bf3-75c3-1017-a6a3-84a733520cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-a6gsmx1Vq9NIYcRcbL7P%2fDCE8%2bkzVnKzxsULW0ckVZpBzTswo5n0BmH436d6SiVV&TARGET=-SM-http%3a%2f%2fmyaccount%2ecox%2enet%2finternettools%2fhome%2ecox
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [Marcs Updater] "c:\program files\opendns updater\marcs updater\Marcs Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [WDM_MIDISYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{DFF220F3-F70F-11D0-B917-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
mRunOnce: [WDM_MIDISYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {B0C2EBA2-1099-4e80-A7F1-984910EB435E},MidiSyn,{6994AD04-93EF-11D0-A3CC-00A0C9223196},d:\software\drivers\audio\analog_devices__soundmax__cadenza_\5.12.01.3630_sm4_sf\sm_synth\sys\MidiSyn.inf,MIDI_SYNTH.Interface.Install
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137981281312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {88CC5220-829C-4D14-8723-9C5CC8A54805} = 208.67.222.222,208.67.220.220
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\ehdp24rb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\janet\application data\mozilla\firefox\profiles\ehdp24rb.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2010-2-9 109664]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2010-1-23 263504]
R2 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
R2 Marcs Updater;Marcs Updater;c:\program files\opendns updater\marcs updater\Marcs Updater.exe [2010-5-13 607512]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2010-1-23 113920]
R3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [2005-11-1 105124]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-05-14 02:35:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-14 02:35:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 01:13:50 0 d-----w- C:\Desktop
2010-05-13 07:13:53 774144 ----a-w- c:\program files\RngInterstitial.dll
2010-05-12 16:30:17 77312 ----a-w- C:\mbr.exe
2010-05-02 22:34:58 0 d-----w- c:\docume~1\janet\applic~1\Malwarebytes
2010-05-02 22:34:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 22:34:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 22:34:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 22:34:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 16:02:09 3924810 ----a-r- C:\cure.com
2010-04-20 15:30:07 0 d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 00:47:21 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 22:07:06.76 ===============


All help is greatly appreciated. Thank you! :) Perhaps my computer is haunted by gremlins. :icon_eek:

Thank you for your help. I thought that I may have to do this in order to solve the problem. Can you point me to instructions on the best way to do this? :)

This link is excellent.

http://michaelstevenstech.com/cleanxpinstall.html

Read it carefully. It gives step by step. Remember, you will need to reinstall all updates, programs, etc. AFTER the reformat and reinstall.
Also, if you have important items you don't wan to lose...pictures, personal papers, etc. You need to back these up some place OFF the computer otherwise these will all be lost with the reformat. The drive IS wiped clean.

Thank you very much! :) I'll be working on this "project" next week.

A reformat and reload takes a couple hours to get the computer back up and running. Then do the Windows Updates. Then put on a decent Anti-virus program.
Avira FREE is excellent. Then put all your programs back on there, updating any which need updating.
As far as printer, scanner and whatever else you have on there I would update the computer first. You likely though will have to download new drivers for the printer, etc. Do it from that manufacturers website not some odd website that supposedly has all drivers.

Thank you for the recommendation for Avira (Free). I had been wondering which Anti-virus program to use. I will let you know how this clean install process worked out for me after I get it finished. Is it possible to download software programs such as JAVA from the internet without using the admin. acct.? Every time I tried to use a different "user" other than the "admin.," it would not let me download.

You are running XP so Admin account would not be needed. The Java download won't be needed until you have done your full reformat and reinstall.
Here is where you should ALWAYS go for the latest Java. http://www.java.com/en/download/manual.jsp

Always choose the Offline Install and save it to the desktop. Once the download is complete then close all browsers and double click to install.
Watch install carefully. Very often extra and unneeded toolbars may be included unless you remove the check from the permission box before the install.

Success! The Clean Install of XP is now working great. I installed Avira, too.

My XP Home Edition does require Admin acct. privileges in order to download programs from the internet so now I only go online with the Admin acct. to download the programs and then I log off the Admin. acct. again in order to go back online.

Now, I am having "fun" re-organizing my personal files. This needed to be done l-o-n-g ago. :)

Thank you for all your help. It is much appreciated!

Sometimes a good cleaning is needed with everything. Glad this all worked so well.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.