Windows 2003 Server Hacked - Suspect it is being used for spamming - Hijackthis log file included


Our Windows 2003 server has been hacked. I have done 2 virus scans and cleaned what it could find (used AVG and Microsoft Malicious Software Removal).

However, we are still being flagged as "Spammers" so something is still not right.

Here is our HijackThis Log File...

Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 7/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,2,0,4948/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer =,
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thank you


r-k Commented:
The main problem seems to be this entry:

 O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe

This is installed as a Service. Unless you know what this is, open the Services control panel, stop this service, and set the startup type to "disabled". Then reboot and see if the spamming stops.

There are additional steps you should take afterwards as well to prevent reinfection, which I will post soon.
r-k Commented:
Also, these entries need further checking:

O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)

These files are listed as "missing"; probably these were removed by earlier attempts at cleanup. If you can't explain these, please see if these files exist on disk with Windows Explorer. In any case set the startup type of these services to "disabled" as well.
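To apply the criteria from the replies above across the whole O23 section at once rather than by eye, here is an added Python example; it is not from this thread or from HijackThis. It scores each service on the signals the replies point at: no vendor, a binary that is genuinely missing, an .exe sitting in the drivers folder (which normally holds only .sys files), a well-known Windows binary outside its usual directory (the KNOWN_LOCATIONS table is an assumption of this example; inetinfo.exe normally lives under system32\inetsrv), and a vendor-less binary directly in system32. It also treats a stray `"` in the path as the sign of a quoted ImagePath with arguments, which HijackThis 1.99.1 reports as "(file missing)" even when the binary exists (the Plesk entries in the log are of that kind), so that flag is discounted there. SAMPLE_LOG and the weights are constructed for the example.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not from the thread or from HijackThis. KNOWN_LOCATIONS,
the scoring weights and SAMPLE_LOG are constructed for this example.
"""
import re

# Constructed sample in the layout of the log above (a subset of its entries).
SAMPLE_LOG = r"""
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.*?) - (?P<rest>.+)$"
)

# Where the real copy of a well-known binary lives (lower-case). This table is
# an assumption of the example; extend it with other binaries you care about.
KNOWN_LOCATIONS = {"inetinfo.exe": r"c:\windows\system32\inetsrv"}
UNKNOWN_OWNERS = {"", "unknown owner"}


def parse_o23(line):
    """Parse one O23 line into a dict, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("(file missing)")
    if missing:
        rest = rest[: -len("(file missing)")].strip()
    # A stray '"' means the ImagePath was quoted and followed by arguments;
    # HijackThis 1.99.1 reports such services as missing even when the binary
    # exists, so the flag is only trusted for unquoted paths.
    quoted = '"' in rest
    path = rest.split('"', 1)[0].strip() if quoted else rest
    return {
        "display": m.group("display"),
        "name": m.group("name") or m.group("display"),
        "owner": m.group("owner").strip(),
        "path": path,
        "missing": missing,
        "missing_reliable": missing and not quoted,
    }


def score_service(svc):
    """Return (score, reasons) for a parsed service entry."""
    reasons = []
    path = svc["path"].lower().replace("/", "\\")
    parent, _, base = path.rpartition("\\")
    no_vendor = svc["owner"].lower() in UNKNOWN_OWNERS
    if no_vendor:
        reasons.append((1, "no vendor information"))
    if svc["missing_reliable"]:
        reasons.append((1, "binary missing from disk"))
    if "\\drivers\\" in path and base.endswith(".exe"):
        reasons.append((2, ".exe placed in the drivers folder"))
    expected = KNOWN_LOCATIONS.get(base)
    if expected and parent != expected:
        reasons.append((2, f"{base} expected under {expected}"))
    if parent == r"c:\windows\system32" and no_vendor:
        reasons.append((1, "vendor-less binary directly in system32"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def triage(log_text, threshold=2):
    """Return [(service name, score, reasons)] for services scoring at or
    above threshold, highest score first."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        score, reasons = score_service(svc)
        if score >= threshold:
            flagged.append((svc["name"], score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_LOG):
        print(f"{score} {name}: {'; '.join(reasons)}")
```

Run it against the full log pasted into SAMPLE_LOG and it ranks iisadm, Alerter, r_server and prilogon while leaving the Plesk services, whose "(file missing)" comes from the quoting artifact, below the threshold.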
r-k Commented:
This service:

 O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)

is also suspicious, even though the file is missing. I assume malware, since the normal inetinfo.exe resides in a different place.

After you've cleaned up these items, please run "netstat -ab" from a command prompt, save the output to a text file, and copy-and-paste here, or at least examine for any open connections that appear abnormal and post those. If you like you can edit the entry to replace your own IP address with xx.xx
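The reply above asks for "netstat -ab" output with abnormal connections picked out and the server's own address masked. The following is an added Python example, not part of the thread, that does both over a constructed sample in the Windows 2003 layout (a connection line followed by the owning executable in brackets): it attributes each connection to its process, lists every process making outbound TCP/25 connections other than the allow-listed mail transfer agent (assumed here to be MailEnable's MESMTPC.EXE, which the log shows as the SMTP connector), and replaces the local address with xx.xx.xx.xx. The addresses in SAMPLE_NETSTAT are documentation ranges and the process names are borrowed from the log above; none of it is real output from the poster's server.

```python
"""Pick abnormal connections out of "netstat -ab" output and mask the server's
own address before posting it.

Added example, not from the thread. SAMPLE_NETSTAT is constructed; the
allow-list of legitimate SMTP senders is an assumption of this example.
"""
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  [MESMTPC.EXE]
  TCP    192.0.2.10:1034        198.51.100.7:25        ESTABLISHED     1480
  [MESMTPC.EXE]
  TCP    192.0.2.10:1051        203.0.113.5:25         ESTABLISHED     2212
  [logon.exe]
  TCP    192.0.2.10:1052        203.0.113.6:25         SYN_SENT        2212
  [logon.exe]
  TCP    192.0.2.10:1053        203.0.113.7:25         ESTABLISHED     2212
  [logon.exe]
  TCP    192.0.2.10:3389        198.51.100.20:51234    ESTABLISHED     804
  [svchost.exe]
  UDP    0.0.0.0:53             *:*                                    1636
  [named.exe]
"""

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}
PLACEHOLDER_HOSTS = {"0.0.0.0", "127.0.0.1", "*"}


def split_addr(addr):
    """'host:port' -> (host, port); also covers the '*:*' form used for UDP."""
    host, _sep, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection. The bracketed line that follows a
    connection names its process; headers and anything else are ignored."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP") and len(parts) >= 3:
            state = ""
            if parts[0] == "TCP" and len(parts) > 3 and not parts[3].isdigit():
                state = parts[3]
            pid = parts[-1] if parts[-1].isdigit() else None
            conns.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                          "state": state, "pid": pid, "process": None})
        elif line.startswith("[") and line.endswith("]") and conns:
            conns[-1]["process"] = line[1:-1]
    return conns


def smtp_senders(conns, allowed=("MESMTPC.EXE",)):
    """Map each process with outbound TCP/25 connections, other than the
    allowed MTA, to the distinct hosts it is talking to. One non-mail process
    fanning out to many SMTP peers is the classic spam-bot shape."""
    allowed = {a.upper() for a in allowed}
    peers = defaultdict(set)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] not in OUTBOUND_STATES:
            continue
        host, port = split_addr(c["remote"])
        if port != "25":
            continue
        proc = c["process"] or f"pid {c['pid']}"
        if proc.upper() not in allowed:
            peers[proc].add(host)
    return {proc: sorted(hosts) for proc, hosts in peers.items()}


def redact_local(text):
    """Replace the server's own addresses with xx.xx.xx.xx before pasting the
    output anywhere public, as the reply above suggests."""
    hosts = {split_addr(c["local"])[0] for c in parse_netstat(text)} - PLACEHOLDER_HOSTS
    for host in sorted(hosts, key=len, reverse=True):
        text = text.replace(host, "xx.xx.xx.xx")
    return text


if __name__ == "__main__":
    found = smtp_senders(parse_netstat(SAMPLE_NETSTAT))
    for proc, hosts in found.items():
        print(f"{proc}: {len(hosts)} distinct SMTP peers -> {', '.join(hosts)}")
    print(redact_local(SAMPLE_NETSTAT))
```

Save the real output to a text file on the server and feed that file's contents to parse_netstat instead of SAMPLE_NETSTAT; a legitimate MTA also fans out to many peers, which is why the allow-list carries the mail server's own process and the report is about everything else.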
r-k Commented:
Here are some additional things to do:

(1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoiding common names and words.

(2) Download RootkitRevealer ( and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.

(3) Download Autoruns from:
(a) Run the program. It lists a bunch of things that start when Windows starts.
(b) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.
(c) This will give you a shorter, more meaningful list.
(d) Post the log here if anything interesting.

(4) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.

(5) After things have been cleaned up, download and run MBSA from: and do a scan and follow as many steps as reasonable.
electricink (Author) Commented:
Thank you for your replies and suggestions!

We are going through your suggestions (had to be away for the weekend --- horrible time to have to leave) :S

electricink (Author) Commented:
I only have access through Remote Desktop (our server is 3 hours away) .... would this be me?

O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe

electricink (Author) Commented:
Each time I reboot (while cleaning up files) I am receiving the message "TaskDaemon.exe encountered a problem and needed to close"

Is this a meaningful message?

".... would this be me?" (C:\WINDOWS\system32\logon.exe)

No, this is not even a file normally present in the system32 folder (logoff.exe is normally present). If you want to be sure, right-click on the file and select Properties -> Version. It will not be a Microsoft file.

"I am receiving the message " TaskDaemon.exe encountered a problem..."

That must be another component of the malware. It did not show up in the original HJT log, but possibly one of the pieces you tried to delete has morphed into that name. I would suggest posting the log produced by Autoruns (see above)

BTW, the dates/times on logon.exe and TaskDaemon.exe can give you valuable clues. You can use that information to search for other files left behind by the infection. My suggestion would be to not delete those files but move them either to another folder, or maybe better, to another computer for further study.
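Step (4) of the earlier list and the paragraph above describe the same technique: take the timestamps of a file the attacker left behind, look for everything else on the disk dropped around the same time, and move suspect files aside rather than deleting them. Here is an added Python example of both, not from the thread. It walks a tree for files whose creation or modification time falls within a window of a reference time, uses a suspect file's own creation time as that reference (the clue above: on Windows st_ctime is the creation time, so a file "modified in 2006 but created Feb 17 2007" was copied onto the disk in 2007; on POSIX systems st_ctime is the inode change time, which is close but not the same thing), and quarantines a file while writing down where it came from and its original timestamps, since a plain move does not preserve creation time. build_sample_tree() constructs a throwaway directory for the demonstration; on the real server the root would be C:\ and the suspect the logon.exe discussed above.

```python
"""Find files dropped around the same time as a known-bad file, and set suspect
files aside instead of deleting them.

Added example, not from the thread. build_sample_tree() constructs the
sample input; nothing here touches a real server.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime


def file_times(path):
    """(creation-or-change time, modification time) as epoch seconds.
    On Windows st_ctime is the creation time, which is the clue the thread
    uses; on POSIX it is the inode change time."""
    st = os.stat(path)
    return st.st_ctime, st.st_mtime


def files_near(root, reference_ts, window_seconds=1800):
    """Return sorted [(path relative to root, ctime, mtime)] for every file
    under root whose creation or modification time lies within
    +/- window_seconds of reference_ts."""
    lo, hi = reference_ts - window_seconds, reference_ts + window_seconds
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                ctime, mtime = file_times(p)
            except OSError:
                continue  # unreadable, or gone between listing and stat
            if lo <= ctime <= hi or lo <= mtime <= hi:
                hits.append((os.path.relpath(p, root), ctime, mtime))
    return sorted(hits)


def files_near_file(root, suspect_path, window_seconds=1800):
    """Use the suspect file's own creation (ctime) as the reference point,
    since its modification time may have been carried over from elsewhere."""
    ctime, _mtime = file_times(suspect_path)
    return files_near(root, ctime, window_seconds)


def quarantine(path, quarantine_dir):
    """Move a suspect file aside for later study and keep a note of its
    original location and timestamps, which the move itself would not keep.
    Returns (destination path, note text)."""
    os.makedirs(quarantine_dir, exist_ok=True)
    ctime, mtime = file_times(path)
    note = (f"original: {path}\n"
            f"created:  {datetime.fromtimestamp(ctime)}\n"
            f"modified: {datetime.fromtimestamp(mtime)}\n")
    dest = os.path.join(quarantine_dir, os.path.basename(path))
    with open(dest + ".origin.txt", "w") as f:
        f.write(note)
    shutil.move(path, dest)
    return dest, note


def build_sample_tree():
    """Constructed sample: one file stamped at the reference time and one ten
    days earlier. Their creation times are 'now', so only the modification
    time of the first one falls inside the default window."""
    root = tempfile.mkdtemp(prefix="scan_")
    quarantine_dir = tempfile.mkdtemp(prefix="quarantine_")
    reference = time.time() - 100_000            # roughly 28 hours ago
    suspect = os.path.join(root, "logon.exe")     # name borrowed from the thread
    old = os.path.join(root, "sub", "readme.txt")
    os.makedirs(os.path.dirname(old))
    for p, ts in ((suspect, reference), (old, reference - 10 * 86400)):
        with open(p, "w") as f:
            f.write("constructed sample\n")
        os.utime(p, (ts, ts))
    return {"root": root, "quarantine_dir": quarantine_dir,
            "reference": reference, "suspect": suspect}


if __name__ == "__main__":
    s = build_sample_tree()
    for rel, c, m in files_near(s["root"], s["reference"]):
        print(rel, datetime.fromtimestamp(c), datetime.fromtimestamp(m))
    print(quarantine(s["suspect"], s["quarantine_dir"])[0])
```

The quarantine directory should be on another disk or machine, as the replies recommend; the .origin.txt note is what lets you reconstruct the timeline later once the file's own creation time has been reset by the move.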
electricink (Author) Commented:
I tried to run the RootKitRevealer but was unable. It gives a message that it needs to be run within the Console.

Here is the AutoRUns listing...

+ Acronis Scheduler2 Service      Acronis Scheduler Helper      Acronis      c:\program files\common files\acronis\schedule2\schedhlp.exe
+ AVG7_CC      AVG Control Center      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgcc.exe
+ TrueImageMonitor.exe      TrueImage      Acronis      c:\program files\swsoft\plesk\acronis\trueimageenterprise\trueimagemonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  
+ 3DM.lnk      3DM Disk Management Utility      3ware, Inc.      c:\program files\3ware\3dm\3dm.exe
+ Plesk Services Monitor.lnk      Plesk Services Tray Monitor            c:\program files\swsoft\plesk\admin\bin\traymonitor.exe
+ WinAVAlarm Startup Item.lnk      WinAVAlarm MFC Application            c:\program files\amcc\3dm2\winavalarm.exe
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components                  
+ 0                  File not found: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  
+ AVG7 Find Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
+ AVG7 Shell Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
+ HyperTerminal Icon Ext                  File not found: hticons.dll
+ Shell Extension for DrWeb      Dr.Web ® Shell Extension      Doctor Web, Ltd.      c:\program files\swsoft\plesk\drweb\drwsxtn.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ 3DM                  c:\program files\3ware\3dm\3dmd.exe
+ 3DM2                  c:\program files\amcc\3dm2/3dm2.exe
+ AcronisAgent      Allows Acronis products to remotely manage this computer      Acronis      c:\program files\common files\acronis\agent\agent.exe
+ AcrSch2Svc      Acronis Scheduler 2      Acronis      c:\program files\common files\acronis\schedule2\schedul2.exe
+ Avg7Alrt      AVG Alert Manager      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgamsvr.exe
+ Avg7UpdSvc      AVG Update Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgupsvc.exe
+ AvgCoreSvc      AVG Resident Shield Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgrssvc.exe
+ AVGEMS      AVG E-Mail Scanner      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgemc.exe
+ ClipSrv      Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\System32\clipsvr.exe
+ DirIndex      Directory indexing service for file integrity management.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ GxCVD(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Provides access to fetch or save metadata on CommServe while data protection or data recovery activity is in progress. This also services remote client/MediaAgent installation to a CommServe. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\cvd.exe
+ GxEvMgrC(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Forwards events generated on the local machine to CommServe, in addition it helps CommServe to browse the application data on local machine. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\evmgrc.exe
+ iisadm      Allows administration of Web and FTP services through the IIS services snap-in.            File not found: C:\WINDOWS\system32\inetinfo.exe
+ MELCS      MailEnable List Connector      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\melsc.exe
+ MEMTAS      MailEnable Mail Transfer Agent      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\memta.exe
+ MEPOCS      MailEnable Postoffice Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepoc.exe
+ MEPOPS      MailEnable POP Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepops.exe
+ MESMTPCS      MailEnable SMTP Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mesmtpc.exe
+ MySQL                  c:\program files\swsoft\plesk\databases\mysql\bin\mysqld-nt.exe
+ named                  c:\program files\swsoft\plesk\dns\bin\named.exe
+ NetSecManager      Network Security Protocol (NetSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows operating system.            File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe
+ PleskControlPanel      PleskControlPanel      Apache Software Foundation      c:\program files\swsoft\plesk\admin\bin\apache.exe
+ pleskmiscsrv      Plesk ip, 'run as' and some other management functionality service            c:\program files\swsoft\plesk\admin\bin\psa-serv.exe
+ PleskSQLServer      Plesk SQL (MySql) server installed with PLESK            c:\program files\swsoft\plesk\mysql\bin\mysqld-nt.exe
+ plesksrv      Plesk Management Service            c:\program files\swsoft\plesk\admin\bin\plesksrv.exe
+ PopPassD      Plesk PopPass Service            c:\program files\swsoft\plesk\admin\bin\poppassd.exe
+ prilogon      Enables starting processes under current credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\system32\logon.exe
+ ProfileMgr      Assembles information about your system for various system utilities such as Control Pannel and My Computer.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ r_server                  File not found: C:\WINDOWS\system32\drivers\isplog.exe
+ SiteBuilder      Provides easy way to create and manage professionally looking web sites            c:\program files\swsoft\plesk\winsitebuilder\docroot\sitebuilder.exe
+ SpamAssassinService      Plesk service to control Spamassassin filter state             c:\program files\swsoft\plesk\admin\bin\spamassassinservice.exe
+ Tomcat5      Apache Tomcat 5.5.4 Server -      Apache Software Foundation      c:\program files\swsoft\plesk\additional\tomcat\bin\tomcat5.exe
+ 3wDrv100                  c:\windows\system32\drivers\3wdrv100.sys
+ 3wFlt100                  c:\windows\system32\drivers\3wflt100.sys
+ ati2mpad      ATI2MPAD Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\ati2mpad.sys
+ AvgClean      AVG7 Clean Driver      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgclean.sys
+ AvgMfx86      AVG MiniFilter Resident Anti-Virus Shield      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgmfx86.sys
+ AvgTdi      AVG Network connection watcher      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgtdi.sys
+ E1000      Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver      Intel Corporation      c:\windows\system32\drivers\e1000325.sys
+ E100B      Intel(R) PRO/100 Adapter NDIS 5.1 driver      Intel Corporation      c:\windows\system32\drivers\e100b325.sys
+ IpInIp      IP in IP Tunnel Driver            File not found: system32\DRIVERS\ipinip.sys
+ NetSecDriver                  File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\netsec.sys
+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys
+ Secdrv      SafeDisc driver      Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.      c:\windows\system32\drivers\secdrv.sys
+ snapman      Acronis Snapshot API      Acronis      c:\windows\system32\drivers\snapman.sys
+ TDXRV                  File not found: C:\WINDOWS\system32\drivers\ntdos510.sys
+ tifsfilter      TrueImage File System Filter      Acronis      c:\windows\system32\drivers\tifsfilt.sys
+ timounter      True Image Backup Archive Explorer( Server Edition )      Acronis      c:\windows\system32\drivers\timntr.sys
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                  
+ wow64                  File not found: C:\WINDOWS\system32\wow64.dll
+ wow64cpu                  File not found: C:\WINDOWS\system32\wow64cpu.dll
+ wow64win                  File not found: C:\WINDOWS\system32\wow64win.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  
+ avgwlntf      AVG Winlogon Notify Library      GRISOFT, s.r.o.      c:\windows\system32\avgwlntf.dll
+ BJ Language Monitor                  File not found: bjlmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages                  
+ relog_ap      Acronis Relogon Authentication Package      Acronis      c:\windows\system32\relog_ap.dll

electricink (Author) Commented:
I moved LOGON.EXE and a file called LOGON.SCR off of the server (out of the C:\WINDOWS\system32\ folder)
Both of these files had no name attributed to them (i.e. Microsoft) and had strange dates... Modified in 2006 but created Feb 17 2007 at 3:21 AM... there are hundreds of files in the same folder created on that same day within minutes of each other.

After copying them to my local computer, it would not let me delete the LOGON.EXE until after a reboot.

I am still getting the TaskDaemon error each time I reboot.

Can I use the Autoruns program to edit out things that should no longer be there?

logon.scr is a valid Windows file, please don't move that.

I think in general the files modified on Feb. 17 are part of an update from MS and should not be moved.

Yes, if you like you can "un-check" specific items in Autoruns you are suspicious of, then reboot. You should be able to re-enable the ones that you later discover as harmless. But don't disable items that are from Microsoft.

I have to run now but will check back later. Thanks.
Thanks. Hope you got it cleared up.
electricink (Author) Commented:
Yes, things have been "quiet" ever since we implemented the many things you suggested.. not sure which was the exact solution... which is why I marked several of your comments... one or all seem to have worked :)

thanks for your help!!