Were these really Trojans?

Discussion in 'Trojan Defence Suite' started by dee, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Yes, Jooske, I did unzip the d/loaded file that was the backdoor trojsn & ran the executable after scanning it with NOD32 & being told it was OK. Then the fun started as in my 1st post in this thread. I didn't get ipsconfigS2.exe & I've done a search. but I got coupla ZoneLockdowns. one was running on my machine, there was a restart command - WinPatrol saved my bacon, it's all in the 1st post. Trojan also gave me a file called warpigs.exe, it was running too & I never knew until it performed an illegal op & was shut down.

    All those files are deleted now, even the ones in TDS3' unpk folder, & I've deleted the original file after NOD replied to say they already had this file.

    TDS3 has the same radius update you mention, & my folder options are set to show hidden files & every other option. My temp files are nuked, everything's clean. Except for that oh-so-sudden appearance of Adware Cydoor in TDS3 - yet rundll32.exe's last modify is April 1999. When I r/click it in TDS3, it showa no file info, name or version at all, yet the file's properties in Explorer show Microsoft, a version number & a date. TDS's scandump says "Scan Control Dumped @ 22:49:59 23-07-04
    Positive identification: Adware.Cydoor
    File: c:\windows\rundll32.exe"

    I'll zip & submit the file to Diamondcs, they'll be sick of hearing from me.

    I'll do the regedit of registry keys in the morning, I'm tired & fed up with things now. And far from being proud for submitting that nasty, I hang my head in shame at getting my 1st ever malware - perhaps this Adware Cydoor will prove to be the 2nd one. Not a good day today!
    :cool:
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I may have been part of the same package, happens a lot nowadays unfortunately.
    BTW getting your first malware is an enlightening experience that's for sure. My first and only Trojan was QAZ back in 1999 which started research into Internet security as a whole which led me to DiamondCS in very short order.
    The ones that gain from such an experience are those that learn .. :D

    Have a pleasant weekend - Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmwah... i got my first real infection (spy/adware) i remember from an online scan site so ..... things could be worse.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.warpigs.b.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.warpigs.c.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.warpigs.html
    Did you have recently a HJT log posted and cleansed or not yet?
    If not, it might be urgent to look at it now! If you can get the HiJackThis file via the [thread]15913[/thread], check all scan options and post it here?
    I'm no expert, so i will not be able to look into everything, others here will be able to help better, but i do see in the warpigs.exe description several very noticable things which need proper cleansing.
    If you prefer an AutoStartViewer log (DiamondCS site) in stead or extra, please post.
     
    Last edited: Jul 23, 2004
  4. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    It is possible that the Cydoor detection is a false positive.

    I installed the trial version of TDS-3 today, not in response to a possible infection but simply for a trial. TDS-3 identified C:\Windows\rundll32.exe as Adware.Cydoor; I'm running Windows 98. I renamed the file and restored a new version, which was again identified as Adware.Cydoor. Both files have the same properties.

    I do not have any other Cydoor files/registry items on my disk. Spybot S&D scan is clean. I have not used Internet Explorer for anything but Windows Update since my most recent clean reinstall; Firefox is my default browser. Nevertheless, my IE settings are locked down. SpywareBlaster, which, I believe, blocks Cydoor, is installed. AV scan with NOD32 is clean. No suspicious activity in firewall log (Kerio 2.1.5). No unknown activity reported by netstat. Nothing I don't recognize in my HijackThis log. So, I really don't think I have Cydoor installed.

    The only other detections in my inagural scan were of the suspicious "two many periods in the filename" variety, e.g., firefoxsetup-0.9.2.exe.

    Please let me know if you would like me to submit the old & new copies of rundll32.exe and if there are any particular guidelines for submissions.

    Hopefully, this will help make it so that you have one less thing to worry about, dee.

    pollux
     
  5. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all,
    I too had a "positive Ident" for the `adware.cydoor" after the auto update. I ran A2 scanner, and Norton, nothing found!! I am assuming this is anothre False Positive.
     
  6. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Yes, I neglected to mention that I updated after installing TDS-3. Those of us with the possible false positive seem to be using the same database.

    pollux
     
  7. FanJ

    FanJ Guest

    Yep, kudos to Dee and Pollux:

    It is a false positive !

    I'll start a new thread to make people aware of it.


    Dee:
    You can be proud of yourself !!!!! :D
    You found a new version of a nasty for DCS, you made us to have a closer look at that Cydoor alert.

    Cheers, Jan.
     
  8. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Regarding "warpigs" [wotta disgusting name!], Jooske, I visited those links at Symantec, seems only one of which affects Win98, & for that one Symantec says

    "Creates the file, %System%\pgonwe.exe, which is a copy of the SysInternals psexec utility. The worm uses this file to attempt to copy and run itself on computers that have weak administrator passwords."

    well I don't have that file so hopefully I'm OK. The rotten thing arrived with that zipfile I d/loaded, & NOD deleted all of it. I'm not confident of all this regedit stuff, so maybe it would be better if I restored an earlier registry, I have 10 registry backups, this is done for me by a small utility that runs a batch script.

    I'll be rapt if Adware Cydoor is a false positive! I renamed the file from rundll32.exe to rundll32.bak, didn't seem to break anything. TDS3 today said straightaway that file rundll32.exe didn't exist, then it gave a warning dialogue about File trace trojan filename, Worm, & said to submit it to Diamondcs, so I did that just then.

    Dunno about kudos - but it's better than feeling shattered re having more malware after that backdoor harmany thingo - I used to feel proud of my squeaky clean record up till now!

    Edit - If you think it's necessary for me to do a HTL or Autolog thingo, Jooske, I will. Don't have a clue about these, so which is small & easy, cos I don't like to install stuff unless it's absolutely necessary - being a lamer, I try to keep Windows lean & mean! And this seems to pay off, cos my last clean install was nearly 2 years ago & I haven't had a BSOD & my registry is still small.
     
    Last edited: Jul 23, 2004
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I added all three warpigs sites as i don't know which version you have. I'm trying to find out by filenames you do have; where on the site is said system32 it can be system as well, so if you don't have those you might have another warpigs version so maybe a newer combination. So it could be there could be different osamadeath combinations around or it might be updating itself via the created backdoors and thus be different on various infected systems.
    The described version consists of the two files i mentioned earlier; hope you can still remember the exact URL where you got yours and email or PM via the forum that one to Gavin, as the one most people get have no warpigs and have the zonelockdown and ipconfigS files with in total 3 key changes.

    If you remember when was the last clean registry go back to that date by all means. But you might like to wait till we know for sure about your files.
    It might help indeed if you get the HiJackThis exe from the thread i mentioned have all scanoptions checked and post it's log (just a few seconds work) so we might locate what we're looking for. Don't fix nothing, as most it displays is ok, let's call it just a kind of snapshot.
    BTW: both are nothing to install, just running the file as it is after unzipping.
     
    Last edited: Jul 24, 2004
  10. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    I did submit the original zipped file to Gavin, who said he added the variant to the TDS3 database, also to NOD, who said they already had it. I, along with many others, informed Opera newsgroups about the "poison link" that had appeared, and they removed it from all but one - it still appears in the Opera mail+news newsgroup. I already advised them of this, but got a rather irritated reply from an overworked staff member, so now I will have to inform Opera directly.

    So I, like many others, got this file off Usenet. I'm not gonna post a poison link here, so I have put two spaces between each part of the URL, it's quite obvious what I've done - but if even this is a no-no, mods feel free to remove it.

    http://24. 13. 130. 125: 89/OsamaFoundDead.zip

    I trust that no-one will be silly enough to "join the dots" unless they have very good reason. I do not even know if the file is still there at that URL, it's a small [24KB I think] zipped file, & it was safe like that, the trrouble began after I unzipped it & clicked on the small executable inside - even though NOD scanned it & said it was OK.
     
  11. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Jooske, I see on the Wilders Security forums in a few places, where it says or gives the impression that posting logs from HijackThisLog is not allowed. I don't want to do the wrong thing here, so what's the way to do this?

    And I noticed where you said that you got your 1st malware from an online scan site, I'd have been murderous if that happened to me!
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  13. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hello there, dee.

    As I just posted in the false positive thread, it seems to me that the Hackarmy trojan detection and the adware.Cydoor detection are quite possibly 2 different issues.

    Regarding the Hackarmy trojan, I think Jooske's suggestion to use HijackThis is a very good idea at this point. Here's how I would approach the matter if it were me:

    First I would scan the system again with TDS-3. As has already been suggested, I'd disable both AMON and IMON before the TDS-3 scan and then turn them back on after the scan. I would let TDS-3 make any repairs it suggests (remember that I only installed TDS-3 yesterday...I don't know how it fixes things yet). I wouldn't worry about anything related to rundll32.exe at this point, however.

    Then I would scan the system with NOD32, especially since, according to your thread in the NOD32 forum, it seems that the trojan you've had the misfortune to encounter is detected in the latest NOD32 definitions. (It's hard to tell for sure, since people started talking about the relative merits of the beta version of NOD32 in that thread....). I'd let NOD32 fix anything it finds.

    I'd also try running an online scanner like TrendMicro HouseCall, again allowing any problems that are found to be fixed. I also wouldn't worry about getting infected from HouseCall. While it is true that many things can happen, it is also true that certain things are not probable: HouseCall is a reputable site.

    The idea behind doing all of these scans (again) is just to make absolutely sure that everything that can be cleaned up automatically has been, before HijackThis. Maybe other people will advise you to just skip to posting a HijackThis log...

    Well, I just got notified of Pilli's post...

    Anyway, and here was the point I wanted to make initially, a HijackThis log will enable people to see if the Hackarmy trojan has changed any of your system settings, and if so, correct them.

    Sorry if I went on and on about scanning unnecessarily. Good luck, dee!

    pollux
     
    Last edited: Jul 24, 2004
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That was on the panda free online scanner site:
    the download console has an advertisement banner running, which you can't block or you don't get the database to be able to do your scan;
    i was not aware the normal popup asking confirmation for the necessary download included the Gator/GAIN infection. If not granted, no download of the databases.
    So i thought Pandasoftware is a respectable site with security etc so it can't be they infected my system but it did via those obliged advertisements.
    I was absolutely sure as i did a search/find in windows, caches, temp files recent files, created files, modified files and the time was really the same everywhere, i looked in the Port Explorer logfile and also there the same time, SpybotS&D found it, so there i went searching.
    The unfortunate thing was due to o_O i had not got my online scan at all, not sure if the databases were properly updated or the site was too busy, anyway, ........
    The Panda site owners never reacted on my questions about the gator/GAIN thing, they might not have been aware of it as part of the advertisement stream, or maybe they are and see it as some payment for their free services, i don't know, but i was really shocked this could happen on a security site which is there to protect people.
    I went back there after some time and did not get infected but again i had deep trouble getting the databases so i am hardly going there.

    The Housecall site is very ok; only they changed something in their pages settings and since i can't in no way get an online scan anymore and since they can't figure out and are not changing those page settings, no online scan for me.
    But they have a free downloadable tool, which you install, get back for the latest definitions and the dcs tool (forgot the long name for that dcs, has nothing to do with DiamondCS) and scan it all. Takes lots of time, but it is a nice second opinion.


    I know about the forum policy about posting logs not asked for, but i asked for it in this thread :)
    It might show us finally which warpigs version is there, what to look for and where and what to advice more, which HKEYs to look for etc.


    One very important thing:
    your computer is a tool, not a goal on it's own. It is nice to work with it in a secure way, but security must never become a frustration at all, everybody can get infected unexpectedly like Pilli and i have shown you, but we also have the tools to get rid of it the quickest and safest way and we have a feeling when something is wrong to look immediately.
    At times i am very happy with infected emails and being able to be among the first to submit nasties to Gavin for the database. I just zip the things and keep them in a special place, -- i would be very surprised if there shows up anything else but a "double extension" warning outside that place.
    Anyway TDS is there to help you to make security FUN again, to enjoy using your system and playing around with it beside the other functions you might have your system for. This is one of the reasons why i created several fun scripts to play on our systems with msagents via TDS, which you might have tried yourself in the meantime. Especially recommended to make sure all msagent stuff is enabled and installed from the www.microsoft.com/msagent site including the various msagent characters there, and in from the TDS site get the scripts zip to be unzipped in the TDS-3 directory, in TDS go to SS3 > Load Script > Usersubmitted > Jooske > InnerPeace.ss3 doubleclick the thing to play it and if you're all msagent ready enjoy the little fun.
    TDS is there to make you all happy, and should never be a frustration!

    In the Network options you have that UDP Broadcast thingy: if you see a portscanner too often knocking your ports, why not paste his IP in that UDP broadcast and put in the same port he is using for instance or a few others and just type "Boo!!" or something more friendly like "would you like fries with that ma'am while hacking my system?" which might show up on their system.
    If you have speech enabled for TDS, in the bottom type something like
    speak "boo!" and hear the difference with speak "BOOO!!"
    It's my best pronounciation tool, always at hand.

    Anyway, hope you got your logs by now, looking forward to them.
     
  15. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    OK, here's my HJT log, Jooske - I followed the instructions exactly, including updating AdAware [which I already had]. Aso I always get the same result from AAW about 2 possible browser hijacks, then when I let AAW remove the keys, I find my IE start page has been changed to MSN, so I change it back to about blank, & AAW always objects. Maybe I should change IE's start page to google?
    And after Windows boots, I manually start TDS3 & NOD32[Nod32kui.exe]

    Logfile of HijackThis v1.97.7
    Scan saved at 8:50:01 PM, on 24/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\LS3\LS3.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\DU METER\DUMETER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\SEARCH.HTM
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\SEARCH.HTM
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = file://c:\search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\SEARCH.HTM
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = file://C:\SEARCH.HTM
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.EXE
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [LanSafe III] C:\LS3\LS3.EXE /NoPop
    O4 - HKLM\..\RunServices: [IECleanAux] IEBOOT6.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\ESET\NOD32KRN.EXE
    O4 - Startup: BACKUP.PIF = C:\WRPALL3\BACKUP.BAT
    O4 - Global Startup: Power Monitor.lnk = C:\LS3\LS3.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .xmpskin: C:\Program Files\Opera\PLUGINS\npfd.dll
    O12 - Plugin for .exe: C:\Program Files\Opera\PLUGINS\npfd.dll
    O15 - Trusted Zone: www.garageband.com
    O15 - Trusted Zone: http://www.urbandoggrooming.com.au
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  17. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hello, all.

    I ran dee's HJT log through the automated HJT log analyzer at this site.

    Here are the results.

    Maybe this will be useful for you, although the automated analysis is still a new tool so there can be false positives and other errors. I'm just thinking it might save some time and effort.

    pollux
     
    Last edited: Jul 24, 2004
  18. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Hmm, I just tried to double-check the link to the results in my previous post, and I got an empty page. It worked fine when I previewed the post. Will see if I can correct that.

    pollux
     
  19. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Ok, let's try this link for the results of the automated analysis.

    If there is still trouble, note that C:\LS3\LS3.EXE was identified as nasty (down in the 04/Global Startup entries section).

    pollux

    (link seems to be working now - I hope it is useful)
     
    Last edited: Jul 24, 2004
  20. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Dammit, seems I need the current version of HJT, so maybe I should get that & re-do the scan. For example, the LS3 entry is something to do with my monitor. Aa-argh, back to the drawing-board, will get the new HJT, told you I'm a lamer!
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's a nice analyser thing!
    It confirms my feeling about questioning the being there of all those R1 and R0 search.htm lines.

    It has problems with the LS3 process. I suppose you did install that yourself?
    Or was that part of the nasty?

    The O10 LSP about NOD is a known issue, you can ignore.
    The O1 HOSTS file entry is OK, that is TDS's known entry, but the IP address should be changed for 64.91.255.87
    (easiest way open TDS > System Analysis > View File > Network Hosts, change that entry and save)

    That O2 thing Pilli mentioned, is that the FreshDevices download thing or one of their other programs? There is a real drama posted soemwhere in a very long thread with myself as a main player and the real forum and internet expert to get my system working again which was almost completely ruined thanks to that software. I run with a large bow around anything from them!

    Here's another horror thread featuring freshdevices stuff
    https://www.wilderssecurity.com/archive/index.php/t-11956.html
    http://216.239.59.104/search?q=cach...p/t-229.html jooske wilders fresh right&hl=nl
    https://www.wilderssecurity.com/showthread.php?t=23858&highlight=freshdevices <<=== * * * * * rating for among others Mosaic1's help, a real horror story about FreshDevices on my system!
    I don't even want to see their annoying advertisement in my mailbox which even doesn't stop after a polite unsubscribe request.
     
    Last edited: Jul 24, 2004
  22. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    The LS3 bit was installed when I got my new monitor - it's part of its power management, I never use it, I just switch off the monitor when I'm not at the computer.

    I did install Fresh Downloader [download utility] 18 months ago. I installed it by using Total Uninstall, a free utility that monitors my installs & can be used to uninstall those same installs. So shall I uninstall Fresh Download?

    What if I change IE's start page to www.google.com.au - I actually never use IE except for Win updates.

    And is there anything else in that logfile that needs to be nuked?
     
  23. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    The automated analyzer is pretty nifty, isn't it! No substitute for the specialized skills needed to really anaylze a HJT log, though. I don't have these skills, so I generally bow out once a log is on the page.

    The divergence of opinion concerning the LS3 process and startup entries seems important. Is it software for a monitor or something else?

    As far as having the newest version of the HJT program, well, it does seem a good idea but I don't think it will change the results from the automated analyzer - I'm sure there's only one database. (And dee, don't be so hard on yourself! You're doing great, especially considering you were using the layered security of AV + AT when all of this happened! I mean, it just goes to show that this kind of thing can happen to any of us, especially when using IE.)

    At this point, I will defer to the experts. Hang in there, dee!

    pollux
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    How about setting it to blank? Tools - Options - Blank :)
     
  25. pollux

    pollux Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    84
    Location:
    Grenoble, France
    Pardon me, dee, what I said was not only presumptuous, it was also untrue.

    pollux
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.