electricink
Windows 2003 Server Hacked - Suspect it is being used for spamming - Hijackthis log file included
Hello,
Our Windows 2003 server has been hacked. I have done 2 virus scans and cleaned what it could find (used AVG and Microsoft Malicious Software Removal).
However, we are still being flagged as "Spammers" so something is still not right.
Here is our HijackThis Log File...
Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 7/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImage Enterprise\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
C:\downloaded files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electricink.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImage Enterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147544667130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158013453546
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4948/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer = 64.34.24.23,64.34.24.24
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) - - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
Thank you
Kirk
ASKER
I only have access through remotedesktop (our server is 3 hours away) .... would this be me?
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
ASKER
Each time I reboot (while cleaning up files) I am receiving the message "TaskDaemon.exe encountered a problem and needed to close".
Is this a meaningful message?
".... would this be me?" (C:\WINDOWS\system32\logon.exe)
No, this is not even a file normally present in the system32 folder (logoff.exe is normally present). If you want to be sure, right-click on the file and select Properties -> Version. It will not be a Microsoft file.
"I am receiving the message 'TaskDaemon.exe encountered a problem...'"
That must be another component of the malware. It did not show up in the original HJT log, but possibly one of the pieces you tried to delete has morphed into that name. I would suggest posting the log produced by Autoruns (see above).
BTW, the dates/times on logon.exe and TaskDaemon.exe can give you valuable clues. You can use that information to search for other files left behind by the infection. My suggestion would be to not delete those files but move them either to another folder, or maybe better, to another computer for further study.
ASKER
I tried to run the RootKitRevealer but was unable. It gives a message that it needs to be run within the Console.
Here is the Autoruns listing...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Acronis Scheduler2 Service Acronis Scheduler Helper Acronis c:\program files\common files\acronis\schedule2\schedhlp.exe
+ AVG7_CC AVG Control Center GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgcc.exe
+ TrueImageMonitor.exe TrueImage Acronis c:\program files\swsoft\plesk\acronis\trueimage enterprise\trueimagemonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ 3DM.lnk 3DM Disk Management Utility 3ware, Inc. c:\program files\3ware\3dm\3dm.exe
+ Plesk Services Monitor.lnk Plesk Services Tray Monitor c:\program files\swsoft\plesk\admin\bin\traymonitor.exe
+ WinAVAlarm Startup Item.lnk WinAVAlarm MFC Application c:\program files\amcc\3dm2\winavalarm.exe
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AVG7 Find Extension AVG Shell Extension GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgse.dll
+ AVG7 Shell Extension AVG Shell Extension GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgse.dll
+ HyperTerminal Icon Ext File not found: hticons.dll
+ Shell Extension for DrWeb Dr.Web ® Shell Extension Doctor Web, Ltd. c:\program files\swsoft\plesk\drweb\drwsxtn.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKLM\System\CurrentControlSet\Services
+ 3DM c:\program files\3ware\3dm\3dmd.exe
+ 3DM2 c:\program files\amcc\3dm2/3dm2.exe
+ AcronisAgent Allows Acronis products to remotely manage this computer Acronis c:\program files\common files\acronis\agent\agent.exe
+ AcrSch2Svc Acronis Scheduler 2 Acronis c:\program files\common files\acronis\schedule2\schedul2.exe
+ Avg7Alrt AVG Alert Manager GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgamsvr.exe
+ Avg7UpdSvc AVG Update Service GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgupsvc.exe
+ AvgCoreSvc AVG Resident Shield Service GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgrssvc.exe
+ AVGEMS AVG E-Mail Scanner GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgemc.exe
+ ClipSrv Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start. File not found: C:\WINDOWS\System32\clipsvr.exe
+ DirIndex Directory indexing service for file integrity management. c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ GxCVD(ControlSet001) This service is installed as part of CommVault Installer Galaxy Product. Provides access to fetch or save metadata on CommServe while data protection or data recovery activity is in progress. This also services remote client/MediaAgent installation to a CommServe. This service is essential for Galaxy functionality. CommVault Systems c:\program files\commvault systems\galaxy\base\cvd.exe
+ GxEvMgrC(ControlSet001) This service is installed as part of CommVault Installer Galaxy Product. Forwards events generated on the local machine to CommServe, in addition it helps CommServe to browse the application data on local machine. This service is essential for Galaxy functionality. CommVault Systems c:\program files\commvault systems\galaxy\base\evmgrc.exe
+ iisadm Allows administration of Web and FTP services through the IIS services snap-in. File not found: C:\WINDOWS\system32\inetinfo.exe
+ MELCS MailEnable List Connector MailEnable Pty Ltd c:\program files\swsoft\plesk\mail servers\mail enable\bin\melsc.exe
+ MEMTAS MailEnable Mail Transfer Agent MailEnable Pty Ltd c:\program files\swsoft\plesk\mail servers\mail enable\bin\memta.exe
+ MEPOCS MailEnable Postoffice Connector Service MailEnable Pty Ltd c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepoc.exe
+ MEPOPS MailEnable POP Service MailEnable Pty Ltd c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepops.exe
+ MESMTPCS MailEnable SMTP Connector Service MailEnable Pty Ltd c:\program files\swsoft\plesk\mail servers\mail enable\bin\mesmtpc.exe
+ MySQL c:\program files\swsoft\plesk\databases\mysql\bin\mysqld-nt.exe
+ named c:\program files\swsoft\plesk\dns\bin\named.exe
+ NetSecManager Network Security Protocol (NetSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows operating system. File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe
+ PleskControlPanel PleskControlPanel Apache Software Foundation c:\program files\swsoft\plesk\admin\bin\apache.exe
+ pleskmiscsrv Plesk ip, 'run as' and some other management functionality service c:\program files\swsoft\plesk\admin\bin\psa-serv.exe
+ PleskSQLServer Plesk SQL (MySql) server installed with PLESK c:\program files\swsoft\plesk\mysql\bin\mysqld-nt.exe
+ plesksrv Plesk Management Service c:\program files\swsoft\plesk\admin\bin\plesksrv.exe
+ PopPassD Plesk PopPass Service c:\program files\swsoft\plesk\admin\bin\poppassd.exe
+ prilogon Enables starting processes under current credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. File not found: C:\WINDOWS\system32\logon.exe
+ ProfileMgr Assembles information about your system for various system utilities such as Control Pannel and My Computer. c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ r_server File not found: C:\WINDOWS\system32\drivers\isplog.exe
+ SiteBuilder Provides easy way to create and manage professionally looking web sites c:\program files\swsoft\plesk\winsitebuilder\docroot\sitebuilder.exe
+ SpamAssassinService Plesk service to control Spamassassin filter state c:\program files\swsoft\plesk\admin\bin\spamassassinservice.exe
+ Tomcat5 Apache Tomcat 5.5.4 Server - http://jakarta.apache.org/tomcat/ Apache Software Foundation c:\program files\swsoft\plesk\additional\tomcat\bin\tomcat5.exe
HKLM\System\CurrentControlSet\Services
+ 3wDrv100 c:\windows\system32\drivers\3wdrv100.sys
+ 3wFlt100 c:\windows\system32\drivers\3wflt100.sys
+ ati2mpad ATI2MPAD Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mpad.sys
+ AvgClean AVG7 Clean Driver GRISOFT, s.r.o. c:\windows\system32\drivers\avgclean.sys
+ AvgMfx86 AVG MiniFilter Resident Anti-Virus Shield GRISOFT, s.r.o. c:\windows\system32\drivers\avgmfx86.sys
+ AvgTdi AVG Network connection watcher GRISOFT, s.r.o. c:\windows\system32\drivers\avgtdi.sys
+ E1000 Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver Intel Corporation c:\windows\system32\drivers\e1000325.sys
+ E100B Intel(R) PRO/100 Adapter NDIS 5.1 driver Intel Corporation c:\windows\system32\drivers\e100b325.sys
+ IpInIp IP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sys
+ NetSecDriver File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\netsec.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
+ snapman Acronis Snapshot API Acronis c:\windows\system32\drivers\snapman.sys
+ TDXRV File not found: C:\WINDOWS\system32\drivers\ntdos510.sys
+ tifsfilter TrueImage File System Filter Acronis c:\windows\system32\drivers\tifsfilt.sys
+ timounter True Image Backup Archive Explorer( Server Edition ) Acronis c:\windows\system32\drivers\timntr.sys
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ wow64 File not found: C:\WINDOWS\system32\wow64.dll
+ wow64cpu File not found: C:\WINDOWS\system32\wow64cpu.dll
+ wow64win File not found: C:\WINDOWS\system32\wow64win.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ avgwlntf AVG Winlogon Notify Library GRISOFT, s.r.o. c:\windows\system32\avgwlntf.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ BJ Language Monitor File not found: bjlmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ relog_ap Acronis Relogon Authentication Package Acronis c:\windows\system32\relog_ap.dll
+ named c:\program files\swsoft\plesk\dns\bin
+ NetSecManager Network Security Protocol (NetSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows operating system. File not found: C:\WINDOWS\$NtUninstallKB9
+ PleskControlPanel PleskControlPanel Apache Software Foundation c:\program files\swsoft\plesk\admin\b
+ pleskmiscsrv Plesk ip, 'run as' and some other management functionality service c:\program files\swsoft\plesk\admin\b
+ PleskSQLServer Plesk SQL (MySql) server installed with PLESK c:\program files\swsoft\plesk\mysql\b
+ plesksrv Plesk Management Service c:\program files\swsoft\plesk\admin\b
+ PopPassD Plesk PopPass Service c:\program files\swsoft\plesk\admin\b
+ prilogon Enables starting processes under current credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. File not found: C:\WINDOWS\system32\logon.
+ ProfileMgr Assembles information about your system for various system utilities such as Control Pannel and My Computer. c:\windows\$ntuninstallkb9
+ r_server File not found: C:\WINDOWS\system32\driver
+ SiteBuilder Provides easy way to create and manage professionally looking web sites c:\program files\swsoft\plesk\winsite
+ SpamAssassinService Plesk service to control Spamassassin filter state c:\program files\swsoft\plesk\admin\b
+ Tomcat5 Apache Tomcat 5.5.4 Server - http://jakarta.apache.org/tomcat/ Apache Software Foundation c:\program files\swsoft\plesk\additio
HKLM\System\CurrentControl
+ 3wDrv100 c:\windows\system32\driver
+ 3wFlt100 c:\windows\system32\driver
+ ati2mpad ATI2MPAD Miniport Driver ATI Technologies Inc. c:\windows\system32\driver
+ AvgClean AVG7 Clean Driver GRISOFT, s.r.o. c:\windows\system32\driver
+ AvgMfx86 AVG MiniFilter Resident Anti-Virus Shield GRISOFT, s.r.o. c:\windows\system32\driver
+ AvgTdi AVG Network connection watcher GRISOFT, s.r.o. c:\windows\system32\driver
+ E1000 Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver Intel Corporation c:\windows\system32\driver
+ E100B Intel(R) PRO/100 Adapter NDIS 5.1 driver Intel Corporation c:\windows\system32\driver
+ IpInIp IP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sy
+ NetSecDriver File not found: C:\WINDOWS\$NtUninstallKB9
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\driver
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\driver
+ snapman Acronis Snapshot API Acronis c:\windows\system32\driver
+ TDXRV File not found: C:\WINDOWS\system32\driver
+ tifsfilter TrueImage File System Filter Acronis c:\windows\system32\driver
+ timounter True Image Backup Archive Explorer( Server Edition ) Acronis c:\windows\system32\driver
HKLM\System\CurrentControl
+ wow64 File not found: C:\WINDOWS\system32\wow64.
+ wow64cpu File not found: C:\WINDOWS\system32\wow64c
+ wow64win File not found: C:\WINDOWS\system32\wow64w
HKLM\SOFTWARE\Microsoft\Wi
+ avgwlntf AVG Winlogon Notify Library GRISOFT, s.r.o. c:\windows\system32\avgwln
HKLM\SYSTEM\CurrentControl
+ BJ Language Monitor File not found: bjlmon.dll
HKLM\SYSTEM\CurrentControl
+ relog_ap Acronis Relogon Authentication Package Acronis c:\windows\system32\relog_
ASKER
I moved LOGON.EXE and a file called LOGON.SCR off of the server (out of the C:\WINDOWS\system32\ folder)
Both of these files had no name attributed to them (i.e. Microsoft) and had strange dates: modified in 2006 but created Feb 17, 2007 at 3:21 AM. There are hundreds of files in the same folder created on that same day within minutes of each other.
After copying them to my local computer, it would not let me delete the LOGON.EXE until after a reboot.
I am still getting the TaskDaemon error each time I reboot.
Can I use the Autoruns program to edit out things that should no longer be there?
logon.scr is a valid Windows file, please don't move that.
I think in general the files modified on Feb. 17 are part of an update from MS and should not be moved.
Yes, if you like you can "un-check" specific items in Autoruns you are suspicious of, then reboot. You should be able to re-enable the ones that you later discover as harmless. But don't disable items that are from Microsoft.
I have to run now but will check back later. Thanks.
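One way to put the "un-check the suspicious ones, leave Microsoft alone" advice on a firmer footing is to triage the Autoruns export mechanically before touching anything. The export above has several entries that stand out for structural reasons rather than because of their names: services whose image path sits under a C:\WINDOWS\$NtUninstallKB...$ directory (a hotfix uninstall folder only holds backup copies of replaced files; nothing legitimate is started from one), entries marked "File not found" (dangling autostarts, harmless to disable, but each one is a file that was once there and is now gone), and files under the Windows directory with no publisher recorded (the OS's own binaries report Microsoft Corporation, and the AV/backup drivers report their vendors). The script below is an added example written for this thread, not output or code from Autoruns or from the poster; the sample export it parses is constructed, patterned on the entries shown above, with hypothetical paths and a placeholder KB number, and it assumes the tab-separated name/description/publisher/image-path column layout of an Autoruns text export.

```python
import re
from typing import Dict, List

# Constructed sample, patterned on the entries visible in the thread's Autoruns
# output. Column layout (name, description, publisher, image path, tab-separated)
# is assumed to match an Autoruns text export; paths and the KB placeholder are
# hypothetical, not taken from the server in the thread.
SAMPLE_EXPORT = "\n".join([
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "+ logon\t\t\tc:\\windows\\system32\\logon.exe",
    "HKLM\\System\\CurrentControlSet\\Services",
    "+ AcrSch2Svc\tAcronis Scheduler 2\tAcronis\tc:\\program files\\common files\\acronis\\schedule2\\schedul2.exe",
    "+ DirIndex\tDirectory indexing service for file integrity management.\t\tc:\\windows\\$ntuninstallkbXXXXXX$\\dirindex.exe",
    "+ prilogon\tEnables starting processes under current credentials.\t\tFile not found: C:\\WINDOWS\\system32\\logon.exe",
    "+ ProfileMgr\tAssembles information about your system.\t\tc:\\windows\\$ntuninstallkbXXXXXX$\\profilemgr.exe",
    "+ r_server\t\t\tFile not found: C:\\WINDOWS\\system32\\drivers\\r_server.exe",
    "+ Spooler\tPrint Spooler\tMicrosoft Corporation\tc:\\windows\\system32\\spoolsv.exe",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
    "+ relog_ap\tAcronis Relogon Authentication Package\tAcronis\tc:\\windows\\system32\\relog_ap.dll",
])

# Hotfix uninstall folders ($NtUninstallKB......$) hold backup copies of
# replaced files; nothing should be *started* from one.
UNINSTALL_DIR = re.compile(r"\\\$ntuninstall[^\\]*\$\\", re.IGNORECASE)
# Files under the Windows directory normally carry a publisher (Microsoft
# Corporation for OS files, the vendor for AV or backup drivers).
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def parse_autoruns_export(text: str) -> List[Dict[str, object]]:
    """Parse an Autoruns-style text export into one dict per autostart entry."""
    entries: List[Dict[str, object]] = []
    location = ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if not line.startswith("+ "):
            # A line without the '+ ' prefix names the registry key or folder
            # that the following entries belong to.
            location = line.strip()
            continue
        cols = line[2:].split("\t")
        cols += [""] * (4 - len(cols))          # tolerate missing columns
        name, desc, publisher, image = (c.strip() for c in cols[:4])
        missing = image.lower().startswith("file not found:")
        if missing:
            image = image.split(":", 1)[1].strip()   # keep the path Autoruns reported
        entries.append({
            "location": location, "name": name, "description": desc,
            "publisher": publisher, "image": image, "missing": missing,
        })
    return entries


def triage(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for e in entries:
        image = str(e["image"])
        reasons: List[str] = []
        if e["missing"]:
            reasons.append("autostart points at a file that no longer exists")
        if UNINSTALL_DIR.search(image):
            reasons.append("image lives in a hotfix uninstall directory")
        if not e["publisher"] and WINDOWS_DIR.match(image):
            reasons.append("no publisher recorded for a file under the Windows directory")
        if reasons:
            findings.append({"name": e["name"], "location": e["location"],
                             "image": image, "reasons": reasons})
    return findings


def flagged_names(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted entry names from triage(), handy for a quick review list."""
    return sorted(str(f["name"]) for f in findings)


if __name__ == "__main__":
    for f in triage(parse_autoruns_export(SAMPLE_EXPORT)):
        print(f"{f['name']:<12} {f['image']}")
        for r in f["reasons"]:
            print(f"{'':<12}  - {r}")
```

The flags are an ordering for manual review, not a verdict: the Acronis, AVG, 3ware and CommVault entries in the export above are all legitimate and pass these checks, while a missing publisher on a file under C:\WINDOWS is exactly what made logon.exe stand out in the first place. Before unchecking anything, turn on Autoruns' option to verify code signatures so the publisher column reflects a checked signature rather than whatever version string the file carries, and keep the unchecked entries (rather than deleting them) until the server has been clean for a while.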
Thanks. Hope you got it cleared up.
ASKER
Yes, things have been "quiet" ever since we implemented the many things you suggested. Not sure which was the exact solution, which is why I marked several of your comments. One or all seem to have worked :)
thanks for your help!!
ASKER
We are going through your suggestions (had to be away for the weekend --- horrible time to have to leave) :S