Computer Acting Oddly [Solved]


  • This topic is locked

#1
Conrad 678
Member • 103 posts
My wife's computer has a bug. Seems to be related to Google Chrome. When we use that as a browser, it takes me to websites I don't want to go to. If I use IE, I seem fine. I ran Malwarebytes (both in regular and safe mode), but it did not seem to help.
  • 0


#2
emeraldnzl
GeekU Instructor • GeekU Moderator • 20,051 posts
Hello Conrad 678,

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called (FRST.txt) in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run, it also makes another log (Addition.txt). Please also paste that into your reply.

  • 0

#3
Conrad 678
Member • Topic Starter • 103 posts
I started the scan, but it seems to have hung up on "~msetup". It doesn't seem to be responding at all.
  • 0

#4
emeraldnzl
GeekU Instructor • GeekU Moderator • 20,051 posts
If the machine has Comodo firewall, it will interfere with our tool, so disable it and try again.

How to turn off Comodo

Double click on the Shield Icon

Click each monitor (left hand side) separately and turn them off - see Turn On and Turn Off check items in the task bar above the Component list.

If it's not Comodo then perhaps it will work in Safe Mode.

The following works for XP, Vista and Win 7. If you have Windows 8, tell me.

Boot into Safe Mode:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 continually.
3) Instead of Windows loading as normal, a menu should appear
4) Select the option to run Windows in Safe Mode.

If you still can't get it to run, come back and tell me.
  • 0

#5
Conrad 678
Member • Topic Starter • 103 posts
It worked in Safe Mode. Here are the scans.

Thanks!

Attached Files


  • 0

#6
emeraldnzl
GeekU Instructor • GeekU Moderator • 20,051 posts
Hello Conrad 678,

In future please post your logs in the thread. Do not attach them unless requested to do so.

Now

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right click JRT.exe and "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

After that

Download and run TFC.exe (Vista and above users right click and run as Administrator).

You may be asked to reboot when it is finished. Please do so.

Finally in this post

Please run a scan with Farbar Recovery Scan Tool and post the FRST.txt back here.

Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit in one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :)
  • 0

#7
Conrad 678
Member • Topic Starter • 103 posts
Here they are. The last thing you asked me to do still hangs up on "~msetup"

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-10-2013
Ran by The Cross Family at 2013-11-01 18:29:21 Run:1
Running from C:\Users\The Cross Family\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
AppInit_DLLs: C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL [97280 2009-07-13] ()
AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll [ ] ()
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.

==== End of Fixlog ====



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Windows 7 Home Premium x64
Ran by The Cross Family on Fri 11/01/2013 at 18:34:38.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1BB8B3AE-757D-443F-B3A4-0629E709B0D9}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskHomePage_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskHomePage_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskHomePage_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskHomePage_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{65BEC620-8030-4EC4-AFD3-1133B84BFDFA}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AEEB4D6E-F934-4B71-BE9D-D6D55C3B247B}



~~~ Files

Successfully deleted: [File] "C:\end"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\conduit"
Successfully deleted: [Folder] "C:\Users\The Cross Family\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\The Cross Family\AppData\Roaming\optimizer pro"
Successfully deleted: [Folder] "C:\Users\The Cross Family\AppData\Roaming\searchprotect"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\local\cre"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\local\defineext"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\local\swvupdater"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\The Cross Family\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"
Successfully deleted: [Empty Folder] C:\Users\The Cross Family\appdata\local\{2E1C1693-C4D9-46CB-A998-3E1FD7887421}
Successfully deleted: [Empty Folder] C:\Users\The Cross Family\appdata\local\{44F8C8C0-5D65-46D3-AEA6-2E63807A52F2}
Successfully deleted: [Empty Folder] C:\Users\The Cross Family\appdata\local\{A8199740-A1BD-4184-AAE3-CFF9CD163390}



~~~ Chrome

Successfully deleted: [Folder] C:\Users\The Cross Family\appdata\local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh
Successfully deleted: [Folder] C:\Users\The Cross Family\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/01/2013 at 18:49:08.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0
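
The Fixlog in the post above shows FRST resetting the AppInit_DLLs value in both the native and the Wow6432Node registry view, where it had pointed at a DLL under an "OPTIMI~1" program folder. As an added example (not part of the thread and not FRST's own code), this read-only PowerShell check lists what each view currently loads; the function name Get-AppInitEntry is hypothetical and a 64-bit PowerShell 3.0 or later session is assumed.

```powershell
# Added example (not from the thread or from FRST): read-only audit of the
# AppInit_DLLs load point in both registry views named in the Fixlog.
# Assumes a 64-bit PowerShell 3.0+ session; it changes nothing.

$views = [ordered]@{
    'x64' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'x86' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

# Get-AppInitEntry is a hypothetical helper name chosen for this example.
function Get-AppInitEntry {
    param(
        [Parameter(Mandatory)] [string] $View,
        [Parameter(Mandatory)] [string] $KeyPath
    )

    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }   # view not present, e.g. on 32-bit Windows

    # The value is one string; entries are separated by spaces or commas,
    # which is why the Fixlog shows 8.3 short paths such as C:\PROGRA~2\...
    $dlls = @(([string]$key.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })
    if ($dlls.Count -eq 0) { $dlls = @('(empty)') }

    foreach ($dll in $dlls) {
        # A bare file name is checked against the current directory here,
        # so FileExists is only meaningful for full paths.
        $exists = ($dll -ne '(empty)') -and
                  (Test-Path -LiteralPath $dll -PathType Leaf)

        $signature = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'n/a'
        }

        [pscustomobject]@{
            View          = $View
            LoadEnabled   = [bool]$key.LoadAppInit_DLLs
            RequireSigned = [bool]$key.RequireSignedAppInit_DLLs
            Dll           = $dll
            FileExists    = $exists
            Signature     = $signature
        }
    }
}

$views.GetEnumerator() |
    ForEach-Object { Get-AppInitEntry -View $_.Key -KeyPath $_.Value } |
    Format-Table -AutoSize
```

An empty AppInit_DLLs value is the Windows default, so "(empty)" in both views matches the state the Fixlog reports after the fix.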

#8
emeraldnzl
GeekU Instructor • GeekU Moderator • 20,051 posts

Quote: The last thing you asked me to do still hangs up on "~msetup"

Likely McAfee getting in the way. Probably why it worked okay in Safe Mode.

Let's do this instead:

Please download ComboFix from this location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.
  • If you have an older Operating System you may be asked whether you want to install the Recovery Console. Click yes and follow any prompts.
  • Your desktop may go blank. This is normal.
  • ComboFix may appear to be doing nothing for quite long periods. This is normal; just leave it to do its job.
  • ComboFix may reboot your machine. This is normal too.

Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#9
Conrad 678
Member • Topic Starter • 103 posts
Here is the ComboFix log:

Thanks!

ComboFix 13-11-01.03 - The Cross Family 11/01/2013 20:01:29.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3831.1894 [GMT -5:00]
Running from: c:\users\The Cross Family\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\The Cross Family\AppData\Roaming\Microsoft\Windows\taskhost.exe
c:\users\The Cross Family\Documents\~WRL0005.tmp
c:\users\The Cross Family\Documents\~WRL0610.tmp
c:\users\The Cross Family\Documents\~WRL2018.tmp
c:\users\The Cross Family\Documents\~WRL3262.tmp
c:\users\The Cross Family\Documents\~WRL3775.tmp
c:\windows\SysWow64\frapsvid.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ACPIService
.
.
((((((((((((((((((((((((( Files Created from 2013-10-02 to 2013-11-02 )))))))))))))))))))))))))))))))
.
.
2013-11-02 01:17 . 2013-11-02 01:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-02 01:17 . 2013-11-02 01:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-11-01 23:34 . 2013-11-01 23:34 -------- d-----w- c:\windows\ERUNT
2013-11-01 01:08 . 2013-11-01 01:08 -------- d-----w- C:\FRST
2013-10-26 14:24 . 2013-09-23 18:49 197704 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-10-11 04:10 . 2013-10-11 04:12 -------- d-----w- C:\5aada5dd173ed984557eff
2013-10-10 12:33 . 2013-08-29 00:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-10-10 12:33 . 2013-08-29 01:50 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-10-10 12:33 . 2013-08-29 00:49 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-10-10 12:33 . 2013-08-29 00:49 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-10-10 12:33 . 2013-08-29 00:49 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-10-10 12:33 . 2013-07-20 10:33 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 12:33 . 2013-07-20 10:33 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 12:33 . 2013-08-01 12:09 983488 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-10-10 12:33 . 2013-08-28 01:12 461312 ----a-w- c:\windows\system32\scavengeui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-11 04:10 . 2012-01-20 15:11 80541720 ----a-w- c:\windows\system32\MRT.exe
2013-10-09 14:19 . 2012-03-30 12:18 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-09 14:19 . 2012-02-05 23:31 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-25 01:29 . 2012-11-09 12:40 70112 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-09-25 01:25 . 2012-11-09 12:37 343568 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-09-25 01:25 . 2013-01-05 16:46 182752 ----a-w- c:\windows\system32\mfevtps.exe
2013-09-25 01:22 . 2012-11-09 12:35 781312 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-09-25 01:21 . 2012-11-09 12:34 519192 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-09-25 01:20 . 2012-11-09 12:34 310224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-09-25 01:19 . 2012-11-09 12:33 179664 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-09-20 14:38 . 2013-09-20 14:38 10856 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2013-09-20 14:38 . 2013-09-20 14:38 95984 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2013-09-20 14:37 . 2013-09-20 14:37 390552 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2013-08-29 01:48 . 2013-10-10 12:33 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-08-09 04:59 . 2013-08-09 04:59 829264 ----a-w- c:\users\The Cross Family\AppData\Roaming\Microsoft\Windows\msvcr100.dll
2013-08-09 04:59 . 2013-08-09 04:59 608080 ----a-w- c:\users\The Cross Family\AppData\Roaming\Microsoft\Windows\msvcp100.dll
2013-08-09 04:59 . 2013-08-09 04:59 557568 ----a-w- c:\users\The Cross Family\AppData\Roaming\Microsoft\Windows\mpir.dll
2013-08-05 02:25 . 2013-09-15 00:59 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-07-25 20686704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-09-03 840568]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-09-03 41336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 537512]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 537512]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-06-20 295512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files (x86)\The Print Shop 23\Remind.exe [2008-7-16 344064]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 0218031383303501mcinstcleanup;McAfee Application Installer Cleanup (0218031383303501);c:\windows\TEMP\021803~1.EXE;c:\windows\TEMP\021803~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys;c:\windows\SYSNATIVE\DRIVERS\MOBK.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE;c:\program files\Realtek\Audio\HDA\AERTSr64.EXE [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 MOBKbackup;McAfee Online Backup;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys;c:\windows\SYSNATIVE\DRIVERS\AVerAVF2.sys [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 FintekCIR;Fintek eHome Transceiver;c:\windows\system32\DRIVERS\FintekCIR.sys;c:\windows\SYSNATIVE\DRIVERS\FintekCIR.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 hidkmdf;Microsoft HID Class Shim for KMDF;c:\windows\system32\DRIVERS\hidkmdf.sys;c:\windows\SYSNATIVE\DRIVERS\hidkmdf.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 NW1950;NextWindow 1950 Touch Screen;c:\windows\system32\DRIVERS\NW1950.sys;c:\windows\SYSNATIVE\DRIVERS\NW1950.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mferkdet
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-26 20:09 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 14:19]
.
2013-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-11 20:08]
.
2013-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-11 20:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-25 10081312]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2010-02-25 1833504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://my.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-{574E78B1-E6B0-45A1-9BCE-E0906F572583}_is1 - c:\retrocopy\unins000.exe
AddRemove-Define Ext - c:\users\The Cross Family\AppData\Local\DefineExt\uninst.exe
.
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
.
**************************************************************************
.
Completion time: 2013-11-01 20:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2013-11-02 01:51
.
Pre-Run: 26,113,351,680 bytes free
Post-Run: 32,770,031,616 bytes free
.
- - End Of File - - DABCD43810962D7FE69DF762F934D1F5
A36C5E4F47E84449FF07ED3517B43A31

#10
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla FireFox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
    then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
    • If during the process you are asked if items found should be quarantined please say yes.
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic and tell me how the machine is now.



#11
Conrad 678


    Member

  • Topic Starter
  • Member
  • 103 posts
Here is the log. Thanks for all your help.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=8
# IEXPLORE.EXE=10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=290c0d64be9b8c4e9ac5a9096377850b
# engine=15736
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-11-03 08:11:59
# local_time=2013-11-03 02:11:59 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5122 16777214 66 88 0 145372897 0 0
# compatibility_mode=5893 16776574 100 94 9236161 135052969 0 0
# scanned=259042
# found=4
# cleaned=4
# scan_time=26873
sh=802CCA8B96EB8752B6D0A936BD58B1D78F545A81 ft=1 fh=c71c00119847bb01 vn="a variant of Win64/BitCoinMiner.H application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Users\The Cross Family\AppData\Roaming\Microsoft\Windows\taskhost.exe.vir"
sh=72023DC590D0FED80B401DCFE8ECD248A70046FB ft=0 fh=0000000000000000 vn="a variant of Win64/BitCoinMiner.H application (deleted - quarantined)" ac=C fn="C:\Users\The Cross Family\AppData\Roaming\Microsoft\Windows\taskhost.zip"
sh=F8D0E61E9DD1EFD8FC351F942EC11731794452A5 ft=0 fh=0000000000000000 vn="Win32/OpenCandy application (deleted - quarantined)" ac=C fn="C:\Users\The Cross Family\Downloads\soldat163.zip"
sh=7BBDF0F041F1D3FA09C666B746A039749CF1F56C ft=1 fh=3c6f46549d682a03 vn="a variant of Win32/InstallCore.AZ application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\The Cross Family\Downloads\windows live movie maker setup.exe"

#12
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Conrad 678,

How is your machine now?

#13
Conrad 678


    Member

  • Topic Starter
  • Member
  • 103 posts
Right now, she seems to be OK.

Thanks!

#14
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again Conrad 678,

Right now, she seems to be OK.


I think you are good to go now. :thumbsup:

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.

  • Go to Start > Programs > Accessories and click on Run
  • Copy and paste the bolded text below in the box then hit OK

    Combofix /Uninstall

Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Any other tools remaining may be deleted.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to (re-install if uninstalled during cleaning) update and turn back on any anti-malware programs you may have turned off during the cleaning process.
-------------------------------------------------------------------------------------------------------------------

Here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article Strong passwords: How to create and use them.

----------------------------------------------------------------------------------------------------------------------

Java warning

Java is a popular point of entry to your computer for malicious programs. The United States Department of Homeland Security recommends that computer users disable Java, see here. Unless you need it to run important software, the safest approach is to completely uninstall Java. Where you do require it, then the next safest option is to disable it in your browsers until you need it, then enable it.

How to disable Java in your web browser and How to unplug Java from the browser

If you do still need Java then regularly check that it is up to date. Older versions are the most vulnerable to malicious attack.

  • Download Java for Windows

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

CryptoLocker Warning

There is a particularly nasty infection out there at the moment.

Go here for information about CryptoLocker Ransomware

Download CryptoPrevent free for home use.

--------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:



If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

* Click Start > Control Panel > System and Security > Windows Update
* Under Windows Update click on Turn automatic updating on or off
* Check items shown to ensure you receive updates automatically. Click OK.

Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!

#15
Conrad 678


    Member

  • Topic Starter
  • Member
  • 103 posts
Looks good.

Thank you for all your help!

Conrad