NOD32 detected virus Win32/ServU-Daemon
Spong
February 28th, 2005, 02:36 AM
Hi all,
Great forum....have been browsing it for ages and now finally have a question that a search can't answer.
I ran a scan today and NOD32 said it found a virus called Win32/ServU-Daemon. It said it is located in
C:\Windows\system32\dllcache\win32\csrss.exe.tcf
I have searched all over the internet and cannot find an answer on how to get rid of it. It is quarantined at the moment.
Do I just delete it???
Thanks in advance.
Spong
Blackspear
February 28th, 2005, 04:25 AM
Hi Spong, welcome to Wilders.
Do you have Nod32 set up like these settings? (http://www.wilderssecurity.com/showthread.php?t=37509) If so, when you run a scan (clean) what options does it give you when it finds this file?
Cheers ;D
dvk01
February 28th, 2005, 05:27 AM
delete the entire win32 folder inside the dllcache; it is a folder that just contains trojans and a backdoor hacker tool
dllcache should NEVER have any subfolders inside it at all
boot into safe mode and set the computer like this to see the files/folders
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
However if that folder has been infected it is highly likely that there are other infected files within the system
For this case I would like to see a HJT log and before you actually delete the folder please zip it & do this so I can check other files inside it and there will be other files that NOD and the other AV's should ID
please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)
please upload this folder C:\Windows\system32\dllcache\win32
the tcf suffix is a newish one for this malware
HJT from the website in my sig
illukka
February 28th, 2005, 08:05 AM
by any chance have you got trojan hunter installed?
tcf is a custom extension of trojan hunter, it uses that extension when it renames detected trojans
Kryspy
February 28th, 2005, 08:13 AM
ServU-Daemon is a file that belongs to the FTP server program Serv-U and is in no way a virus.
Kryspy
dvk01
February 28th, 2005, 08:22 AM
{QUOTE-> ServU-Daemon is a file that belongs to the FTP server program Serv-U and is in no way a virus.
Kryspy <-QUOTE}
when it's in the location it is on that computer it is being used as a hacktool and is 99% sure to have other hacktools with it, and it will almost certainly have stolen all sorts of information from the computer and sent it back to the hacker
illukka
February 28th, 2005, 08:46 AM
{QUOTE-> when it's in the location it is on that computer it is being used as a hacktool and is 99% sure to have other hacktools with it <-QUOTE}
so true. serv-U is a common part of rootkits. usually it, and its process are hidden using a special program ( hacktool.hide windows or similar)
usually these rootkits consist of serv-U, backdoor.iroffer and a bot( backdoor.sdbot most often)
i'd be surprised if serv-U was the only malicious file there...
that's why I suggest downloading and installing (updating too) tds-3
do it like this:
download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
install it, but do not launch it yet
update it: right click the link below, select "save as"
http://www.diamondcs.com.au/tds/radius.td3
save it to the directory where you installed tds-3, overwriting the previous radius.td3.
then launch tds-3. in the top bar of tds window click system testing> full system scan.
detections will appear in the lower pane of tds window. after the scan is finished ( it'll take a while ) right click the list> select save as txt. save it and post the contents of the scandump.txt here
After posting the scanlog go ahead and right click the list again, this time select delete! Delete everything labelled positive identification
there possibly is something that gets detected as suspicious, or as positive identification (ADV) --> do not delete those
a combination of trojan hunter/tds-3 should nail it :D
alglove
February 28th, 2005, 07:20 PM
Well, Serv-U is a legitimate FTP server (see http://www.serv-u.com ), but it has been pirated and used as a hacker tool so much that it can be thought of as "guilt by association". If you know that it is supposed to be there, then fine, you can set an exception for it if you have to. However, if you are surprised to find it on your computer, then you have been hacked.
I remember working on a computer one time that had this FTP server on it, illegitimately. It turns out that the FTP server was used to manage a ripped DVD collection hidden in "C:\System Volume Information", where it was practically undetectable. That explained why about 50 GB were apparently missing from the hard drive. In this case, none of the antivirus/trojan programs would detect the payload, since ripped DVDs are neither viruses nor trojans. I had to figure out how to find and read the Serv-U config file to figure out where the data was being stored.
By the way, the owner of this computer had no idea about any of this. I tend to believe him, since he is originally from Mexico, and these were German DVDs.
Spong
March 1st, 2005, 04:06 AM
Hi all,
Thanks for the helpful replies.... :)
@ Blackspear: yes I have used those settings for NOD32. The options I get for the virus are quarantine or delete.
@dvk01: I have zipped the folder and posted on your website. Also, here is my HJT log
-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:53:11 PM, on 1/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Java\j2re1.4.2_05\bin\jusched.exe
C:\NOD32\nod32kui.exe
C:\Quicktime\iTunesHelper.exe
C:\Rage3DTweak\RegTwk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Acrobat 6.0\Distillr\acrotray.exe
C:\Diskeeper\DkService.exe
C:\VCOM\Fix-It\mxtask.exe
C:\NOD32\nod32krn.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\WINDOWS\$NtServicePackUninstall$\services.exe
C:\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\alg.exe
C:\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] C:\Quicktime\iTunesHelper.exe
O4 - HKLM\..\Run: [RegTweak] C:\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Acrobat Assistant.lnk = C:\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096970806515
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Diskeeper\DkService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\VCOM\Fix-It\mxtask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\NOD32\nod32krn.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\OUTPOS~1\outpost.exe
------------------------------------------------------------------------
@illukka: yes I use TrojanHunter ;) downloaded the TDS3 demo and did a full scan.
Here is the scandump.txt
------------------------------------------------------------------------
Scan Control Dumped @ 19:51:49 01-03-05
Positive identification: Riskware.Tool.ServiceRunner.d
File: c:\windows\system32\dllcache\win32\winlogon.exe
Positive identification: Riskware.Tool.ServiceRunner.d
File: c:\windows\system32\dllcache\win32\winlogon.exe
Positive identification: Riskware.Tool.ServiceRunner.d
File: c:\windows\system32\dllcache\win32\winlogon.exe
Positive identification: Riskware.FTP.Serv-U.4100a
File: c:\windows\system32\dllcache\win32\csrss.exe.tcf
Positive identification: Riskware.Tool.ServiceRunner.d
File: c:\windows\system32\dllcache\win32\winlogon.exe
-----------------------------------------------------------------------
Again, thanks for the help... ;D
Spong
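The rule dvk01 gives above (dllcache should have no subfolders and nothing should run from $NtServicePackUninstall$) can be applied mechanically to a HijackThis log like the one posted here. This is an added example, not code from the thread, from HijackThis or from any tool mentioned in it; the sample log is a constructed subset of the log above, and the extra check on core system binary names living outside system32 is an added heuristic that the thread does not state.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule kind path")

# Core Windows binaries that should only ever run from \system32
# (added heuristic, not a rule from the thread).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}

# Thread rule 1: dllcache must have no subfolders, so any path of the form
# ...\system32\dllcache\<something>\<file> is suspect.
DLLCACHE_SUBDIR_RE = re.compile(r"\\system32\\dllcache\\[^\\]+\\")
# Thread rule 2: nothing should run from the SP2 uninstall backup folder.
SP_UNINSTALL_DIR = "\\$ntservicepackuninstall$\\"

PATH_RE = re.compile(r"^[a-z]:\\", re.I)           # a "Running processes" line
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\WINDOWS\$NtServicePackUninstall$\services.exe
C:\NOD32\nod32krn.exe
O4 - HKLM\..\Run: [nod32kui] "C:\NOD32\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\NOD32\nod32krn.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
"""


def check_path(path):
    """Return the names of every rule a launch path breaks (empty if none)."""
    p = path.strip().strip('"').lower()
    hits = []
    if DLLCACHE_SUBDIR_RE.search(p):
        hits.append("dllcache-subfolder")
    if SP_UNINSTALL_DIR in p:
        hits.append("sp-uninstall-folder")
    parent, _, base = p.rpartition("\\")
    if base in SYSTEM_NAMES and not parent.endswith("\\system32"):
        hits.append("system-name-outside-system32")
    return hits


def triage(log_text):
    """Walk a HijackThis log; flag running processes and O23 services."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            kind, path = "O23 " + m.group("name"), m.group("path")
        elif PATH_RE.match(line):
            kind, path = "process", line
        else:
            continue
        for rule in check_path(path):
            findings.append(Finding(rule, kind, path))
    return findings


def suspicious_paths(log_text):
    """Unique flagged paths, i.e. the files/folders worth zipping and submitting."""
    return sorted({f.path.lower() for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.kind:15} {f.path}")
    print("submit:", suspicious_paths(SAMPLE_LOG))
```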
illukka
March 1st, 2005, 04:30 AM
removed!
he's yours Derek ;)
dvk01
March 1st, 2005, 04:31 AM
first please upload this folder as it will be full of trojans c:\WINDOWS\$NtServicePackUninstall$\
be careful as there will be genuine folders with a lot of letters and numbers after the $NtServicePackUninstall$ only send the plain $NtServicePackUninstall$ folder
Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily
Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
now run killbox and paste The FIRST ONE of these lines into the box, select standard file delete then press the red X button,say yes to the prompt
then continue to paste the lines in turn and follow the above procedure every time. If it says file is missing, don't worry; if it says unable to delete then make a note of the file name and let us know when you reply
c:\WINDOWS\$NtServicePackUninstall$\services.exe
c:\windows\system32\winmgnt.dll
c:\windows\system32\spoolvc.dll
c:\windows\system32\schost.dll
Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything
then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
delete this folder that is marked in bold
c:\windows\system32\dllcache\win32\
then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp
1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
then
reboot
Edit to add additional files to delete
Spong
March 1st, 2005, 05:54 AM
Derek,
The C:\WINDOWS\$NtServicePackUninstall$ folder is 340mb. It has 2,521 files. Do you still want me to upload the folder to your website?
Spong
dvk01
March 1st, 2005, 06:08 AM
That is a bit too big
even an sp2 folder isn't that big
have you got any other $NtServicePackUninstall$ folders on the computer, they should have numbers and letters after them
It is possible I suppose that it's the genuine XPSP2 uninstall folder, but it shouldn't have anything running from it
Right click the folder and check it's creation date and compare that to any SP2 files inside system32 and see if they match up
Spong
March 1st, 2005, 06:18 AM
I checked the different $NtServicePackUninstall$ folders and most of them are only a few mb at most (largest being roughly 11mb).
Most of the folders are modified on 5th Oct 04. A few are 28th Jan 05. The original C:\WINDOWS\$NtServicePackUninstall$ folder was modified on 2nd Nov 04.
Spong
dvk01
March 1st, 2005, 06:18 AM
Doing some more research it could be the genuine XP SP2 uninstall folder but there are a few new worms/trojans/viruses that are known to overwrite legitimate files in that folder and that looks like what has happened here
I think the next step is to do a series of online scans to determine if there are any more infected files in there. I would suggest at least the top 3 on this list
I know it will take some time, but it is likely to be important
The good thing is that if you are happy with SP2 then that folder isn't needed as it is only the uninstall instructions for SP2 and the backup of the old files that were backed up in case you want to uninstall SP2 which hopefully you don't
Do the scans first and see what is found, but if there was 1 file running from there, then I strongly suspect that there will be some more infected files
Run an online antivirus check from at least one and preferably 2 of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp
dvk01
March 1st, 2005, 06:23 AM
to see which worm/virus it is killbox should have made backups in C:\!submit
please zip any files inside there and upload to spykiller
If c:\WINDOWS\$NtServicePackUninstall$\services.exe was infected (and I don't know of any legitimate reason for any file to ever run from the uninstall folder) then we can soon find out what it is & hopefully determine what other ones are infected along with it
Spong
March 3rd, 2005, 05:17 PM
Sorry for the late reply :-[
Here is my progress... I used all the online scanners that dvk01 posted and the results were all nil, no viruses found.
@dvk01: I have done all that you advised and there is no sign of the virus according to the online scanners. I have posted the zipped C:\!submit file on spykiller.
Thanks for all your help everyone. :-*
Spong
windstrings
March 3rd, 2005, 06:26 PM
{QUOTE-> The C:\WINDOWS\$NtServicePackUninstall$ folder is 340mb. It has 2,521 files. Do you still want me to upload the folder to your website? <-QUOTE}
Humm... for what it's worth.. my directory is 450 mb.... but all is well and working good. But I must have 100mb more crap than you do... :o
dvk01
March 4th, 2005, 03:32 AM
Well the services.exe file is scanning clean, but I have absolutely no idea why it was running or attempting to run from the service pack files when NOTHING should run from there
All the other files you sent are known to be part of the SERVU FTP server that was being used as a backdoor
It looks like you are clean now and as I said before if you DO not intend to uninstall SP2 then it is perfectly safe to delete the entire $NtServicePackUninstall$ folder
I have on mine and many other people have as soon as they were sure that SP2 didn't cause any problems on their system
windstrings
March 4th, 2005, 01:00 PM
{QUOTE-> It looks like you are clean now and as I said before if you DO not intend to uninstall SP2 then it is perfectly safe to delete the entire $NtServicePackUninstall$ folder <-QUOTE}
That sounds like a good idea....
no problem with SP2 updates after deleting those either?
Since it's an uninstall dir.. I don't suppose it will affect future service pack installs either?
windstrings
March 4th, 2005, 01:18 PM
Well I deleted mine... but there are two files that want to stay because they say they are being used?....
1. hidserv.dll
2. hid.dll
I looked them up on Google and it appears they are part of hid audio?
LINK (http://www.e-systems.ro/download-dll/hidserv.dll/)
I also have that file in windows\system32 and windows\system32\dllcache
as well as my service pack file in windows\servicepackfiles\i386
It appears to be related to the screensaver also?
link (http://support.microsoft.com/default.aspx?scid=kb;en-us;326719#kb2)
I agree... nothing should be running from that folder.... I'll try some other things..
dvk01
March 4th, 2005, 01:29 PM
hidserv.dll
and hid.dll can also be malware files that are part of a hidden server and that is what I suspect has happened
if they are running from the $NtServicePackUninstall$ folder then it is highly likely that they are malicious or being used by a malicious application even if they are innocent files
They should be able to be deleted from that folder in safe mode
do not delete the copies in the other folders which are the latest versions and will be needed
windstrings
March 4th, 2005, 03:29 PM
{QUOTE-> if you DO not intend to uninstall SP2 then it is perfectly safe to delete the entire $NtServicePackUninstall$ folder <-QUOTE}
Thanks Derek.... I was able to delete them in safe mode.... however then my HID service would not start......
All that seemed to be dependent upon that file running is the "remote procedure call"
Here's the tricky part! After a reboot it wouldn't start either! but I have a program you're prob familiar with called "Reghealer".
I am curious to know if this other fellow that had a program running from the update files has used this program??????
anyway.... I ran regclean and after a reboot... then it was up and running just fine!!!! It is apparently using one of my other "hid.dll" files I mentioned.
The reason I mention "regclean".. is that that program will see entries in the registry and often "fix" and reroute pathways that it thinks are in error.
1. That could have been how mine and the other fella's started running out of such a peculiar place in the first place?
2. That also could have been what corrected mine, once it saw that those files were deleted, it "had" to find an alternate pathway for it to run???
Of course the other alternative is that I really had something funky running from there..... I don't think so.... I scan my system reasonably thoroughly with the latest of pestpatrol, spybot, rootkitrevealer, VX2 finder, adaware, spyware blaster, and registry protection.
But I'm not ruling that out!!! But all seems to work well.
In case I haven't made myself clear... all I am saying is that it's possible that "reghealer" is what got that file running from the wrong place, and if so... it's prob the best way to fix it "once it's deleted in safe mode"
thanks for your help on this matter!!!
dvk01
March 4th, 2005, 03:49 PM
I suppose it's possible for the SP2 installation to go wrong and for some reason the HID files were in use and stayed in use despite the reboot & windows just followed them to where they moved to instead of being updated to the newer versions in the SP2 update
The only way I can see that happening is if you were using some device that depended on it like a strange mouse or keyboard
H I D = human interface device
EDIT:
or as you say you and he both used a registry cleaner originally that misread the info & pointed to the wrong place
Reg cleaners can be good or can be dangerous
Glad it all worked out for you in the end
windstrings
March 4th, 2005, 03:54 PM
Humm.. I don't know... I have 4 computers in my house.. I updated them all with a downloaded sp2 file... we all use laser mice..... I do have a steering wheel that could have been plugged in????
But usually its unplugged....
I don't know?
But thanks for the brainstorm!!
Copyright ©2002 - 2009, Wilders Security Forums