Windows 2003 Server Hacked - Suspect it is being used for spamming - Hijackthis log file included

Posted on 2007-07-21
Last Modified: 2013-12-04

Our Windows 2003 server has been hacked. I have done 2 virus scans and cleaned what they could find (used AVG and the Microsoft Malicious Software Removal Tool).

However, we are still being flagged as "Spammers" so something is still not right.

Here is our HijackThis Log File...

Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 7/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,2,0,4948/
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer =,
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thank you


Question by:electricink

    Accepted Solution

    The main problem seems to be this entry:

     O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe

    This is installed as a Service. Unless you know what this is, open the Services control panel, stop this service, and set the startup type to "disabled". Then reboot and see if the spamming stops.

    There are additional steps you should take afterwards as well to prevent reinfection, which I will post soon.

    Assisted Solution

    Also, these entries need further checking:

    O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
    O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)

    These files are listed as "missing", probably because they were removed by earlier attempts at cleanup. If you can't explain these, please see if these files exist on disk with Windows Explorer. In any case set the startup type of these services to "disabled" as well.
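The replies above triage the O23 (service) entries by eye. As an added example, not part of this thread and not a HijackThis feature, here is a small Python script that applies the same criteria to the posted log: no vendor in the version info, a "(file missing)" binary, an .exe in system32\drivers (a directory that holds .sys drivers, not service executables), a well-known binary in the wrong directory (IIS's inetinfo.exe belongs under system32\inetsrv), and a vendor-less .exe sitting directly in system32. It cross-checks "(file missing)" against the Running processes section, because HijackThis 1.99.1 also prints that marker for command lines that carry arguments (the MySQL, Apache and named entries in the log above are marked missing while their binaries are visibly running), so that flag alone proves nothing. The sample lines are a subset copied from the question's log; the expected-location table, the score weights and the threshold are assumptions of this example.

```python
"""Triage HijackThis O23 (service) entries, cross-checked against the
"Running processes" section of the same log."""
import re
from dataclasses import dataclass, field

# A subset of lines copied from the HijackThis log posted in the question.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe

O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
"""

# Where a well-known Windows service binary is supposed to live. Starting list,
# an assumption of this example; IIS's inetinfo.exe belongs under inetsrv.
EXPECTED_DIR = {"inetinfo.exe": "\\system32\\inetsrv\\"}
UNKNOWN = ("", "Unknown owner")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)
# Last parenthesised token of the display name, e.g. "(prilogon)"; tolerates
# one level of nested parentheses such as "(GxCVD(ControlSet001))".
SHORT_RE = re.compile(r"\(([^()]*(?:\([^()]*\)[^()]*)*)\)\s*$")


@dataclass
class Service:
    name: str
    owner: str
    exe: str
    missing: bool
    reasons: list = field(default_factory=list)

    @property
    def short(self):
        m = SHORT_RE.search(self.name)
        return m.group(1) if m else self.name


def parse_log(text):
    """Return (set of lowercased running exe paths, list of Service)."""
    running, services = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].split(" - ", 2)
            if len(parts) < 3:
                continue
            name, owner, rest = parts
            m = EXE_RE.match(rest)
            services.append(Service(name.strip(), owner.strip(),
                                    m.group(1) if m else rest,
                                    rest.endswith("(file missing)")))
        elif re.match(r"^[A-Za-z]:\\", line):
            running.add(line.lower())
    return running, services


def triage(text, threshold=2):
    """Score each service; return {short name: [reasons]} for those at or above threshold."""
    running, services = parse_log(text)
    flagged = {}
    for s in services:
        exe = s.exe.lower()
        base = exe.rsplit("\\", 1)[-1]
        score = 0
        if s.owner in UNKNOWN:
            s.reasons.append("no vendor in version info"); score += 1
        # HijackThis 1.99.1 also prints "(file missing)" for command lines that
        # carry arguments, so only count it when the binary is not visibly running.
        if s.missing and exe not in running:
            s.reasons.append("file missing and not in running processes"); score += 2
        if "\\system32\\drivers\\" in exe:
            s.reasons.append(".exe in the drivers directory (holds .sys files)"); score += 3
        expected = EXPECTED_DIR.get(base)
        if expected and expected not in exe:
            s.reasons.append(f"{base} expected under ...{expected}"); score += 3
        # O23 normally omits Microsoft-owned services, so a vendor-less .exe
        # sitting directly in system32 is not an OS component.
        if s.owner in UNKNOWN and re.search(r"\\system32\\[^\\]+\.exe$", exe):
            s.reasons.append("vendor-less binary directly in system32"); score += 2
        if score >= threshold:
            flagged[s.short] = s.reasons
    return flagged


if __name__ == "__main__":
    for short, reasons in triage(SAMPLE_LOG).items():
        print(f"{short}: {'; '.join(reasons)}")
```

Run against the subset above it reports Alerter, ClipSrv, iisadm, prilogon and r_server and stays quiet about MySQL and the Plesk SpamAssassin service, whose only mark against them is the missing vendor string. The weights are deliberately crude; the point is that the path-based checks carry the weight and "Unknown owner" alone does not.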

    Assisted Solution

    This service:

     O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)

    is also suspicious, even though the file is missing. I assume malware, since the normal inetinfo.exe resides in a different place.

    After you've cleaned up these items, please run "netstat -ab" from a command prompt, save the output to a text file, and copy-and-paste here, or at least examine for any open connections that appear abnormal and post those. If you like you can edit the entry to replace your own IP address with xx.xx
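As an added example, not from this thread, here is the check a practitioner would run over the `netstat -ab` output asked for above: Python that parses the rows, attributes each socket to the bracketed program name that follows it, and flags outbound SMTP (remote port 25) from anything other than the mail server, plus listeners nobody has accounted for. A spam bot shows up as one process fanning out to many remote port-25 peers. The netstat text is constructed in the shape of Windows 2003 output and is not the poster's real output; the MTA set and listener allowlist are assumptions for a Plesk/MailEnable host.

```python
"""Triage `netstat -ab` output for spam-bot behaviour: outbound SMTP from
processes that are not the mail server, and listeners nobody can explain."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of Windows 2003 `netstat -ab` output (not the
# poster's real output): each socket row is followed by the owning program in brackets.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1832
  [MESMTPC.EXE]
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1840
  [MEPOPS.EXE]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  [svchost.exe]
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2204
  [logon.exe]
  TCP    10.0.0.5:1043          203.0.113.25:25        ESTABLISHED     2204
  [logon.exe]
  TCP    10.0.0.5:1044          198.51.100.7:25        ESTABLISHED     2204
  [logon.exe]
  TCP    10.0.0.5:1046          192.0.2.99:25          SYN_SENT        2204
  [logon.exe]
  TCP    10.0.0.5:1050          198.51.100.20:25       ESTABLISHED     1836
  [MEMTA.EXE]
  UDP    0.0.0.0:53             *:*                                    1300
  [named.exe]
"""

# Assumptions for this host: MailEnable's MTA is the only program that should
# open outbound SMTP, and these are the listeners the operator can account for.
MTA_PROCESSES = {"memta.exe", "mesmtpc.exe"}
KNOWN_LISTENERS = {"mesmtpc.exe": {25}, "mepops.exe": {110},
                   "svchost.exe": {3389}, "named.exe": {53}}

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    process: str = "?"


def port_of(addr):
    """Port number from 'host:port'; None for '*:*' style wildcards."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    sockets, pending = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, _pid = m.groups()
            pending.append(Socket(proto, local, foreign, state or ""))
            continue
        m = PROC_RE.match(line)
        if m:
            # Component DLL lines may sit between a row and its [program]; the
            # bracketed name closes every row still pending.
            for s in pending:
                s.process = m.group(1).lower()
            sockets.extend(pending)
            pending = []
    sockets.extend(pending)
    return sockets


def triage(text):
    """Return {process: [findings]} for sockets that look like spam-bot activity."""
    findings = defaultdict(list)
    smtp_peers = defaultdict(set)
    for s in parse_netstat(text):
        if s.proto == "TCP" and port_of(s.foreign) == 25 and s.state in ("ESTABLISHED", "SYN_SENT"):
            smtp_peers[s.process].add(s.foreign.rsplit(":", 1)[0])
        listening = s.state == "LISTENING" or s.proto == "UDP"
        if listening and port_of(s.local) not in KNOWN_LISTENERS.get(s.process, set()):
            findings[s.process].append(f"unexplained listener on {s.local}")
    for proc, peers in smtp_peers.items():
        if proc not in MTA_PROCESSES:
            findings[proc].append(f"outbound SMTP to {len(peers)} hosts from a non-MTA process")
    return dict(findings)


if __name__ == "__main__":
    for proc, notes in triage(SAMPLE_NETSTAT).items():
        print(proc, "->", "; ".join(notes))
```

On the constructed sample only logon.exe is reported, for its three outbound SMTP peers and for a listener on 1080 that nothing on the host explains; MEMTA.EXE's single port-25 connection is the mail server doing its job. The parser only handles IPv4 `host:port` columns, which is all Windows 2003's netstat prints here.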

    Assisted Solution

    Here are some additional things to do:

    (1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoiding common names and words.

    (2) Download RootkitRevealer ( and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.

    (3) Download Autoruns from:
    (a) Run the program. It lists a bunch of things that start when Windows starts.
    (b) From the menu bar, select Options, then uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
        Important -> Then click the Refresh button in the toolbar.
    (c) This will give you a shorter, more meaningful list.
    (d) Post the log here if anything interesting.

    (4) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.

    (5) After things have been cleaned up, download and run MBSA from: and do a scan and follow as many steps as reasonable.

    Author Comment

    Thank you for your replies and suggestions!

    We are going through your suggestions (had to be away for the weekend --- horrible time to have to leave) :S


    Author Comment

    I only have access through Remote Desktop (our server is 3 hours away) .... would this be me?

    O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe


    Author Comment

    Each time I reboot (while cleaning up files) I am receiving the message "TaskDaemon.exe encountered a problem and needed to close".

    Is this a meaningful message?


    Expert Comment

    ".... would this be me?" (C:\WINDOWS\system32\logon.exe)

    No, this is not even a file normally present in the system32 folder (logoff.exe is normally present). If you want to be sure, right-click on the file and select Properties -> Version. It will not be a Microsoft file.

    "I am receiving the message " TaskDaemon.exe encountered a problem..."

    That must be another component of the malware. It did not show up in the original HJT log, but possibly one of the pieces you tried to delete has morphed into that name. I would suggest posting the log produced by Autoruns (see above)

    BTW, the dates/times on logon.exe and TaskDaemon.exe can give you valuable clues. You can use that information to search for other files left behind by the infection. My suggestion would be to not delete those files but move them either to another folder, or maybe better, to another computer for further study.
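The timestamp pivot suggested above is easy to get wrong by hand, because a Windows patch drops hundreds of files in the same few minutes and the attacker's files can land inside that noise. As an added example, not from the thread, here is a Python script that walks a tree, groups files into bursts of activity (consecutive creation times no more than two minutes apart) and returns the burst that contains a known-bad file, so it can be reviewed as a unit. A burst of hundreds of consistently named OS files is a patch footprint; a burst of two or three oddly named executables is the one to preserve and study. The records in the sample are constructed to mimic a patch burst with a dropped binary inside it plus a separate small burst; the paths, times and the two-minute gap are assumptions of this example. Note that a copied file keeps its modified time but gets a fresh creation time on NTFS, which is why creation time is the better pivot for dropped files, and that an attacker who can set timestamps defeats this check.

```python
"""Pivot on file timestamps: group files into bursts of activity so the burst
that contains a known-bad file can be reviewed as a unit."""
import os
from datetime import datetime, timedelta


def scan_tree(root):
    """Yield (path, creation-or-change time) for every file under root.
    On Windows os.stat().st_ctime is the NTFS creation time; elsewhere it is
    the inode change time, so st_birthtime is preferred when the platform has it."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            ts = getattr(st, "st_birthtime", st.st_ctime)
            yield path, datetime.fromtimestamp(ts)


def bursts(records, gap=timedelta(minutes=2)):
    """Split (path, time) records into bursts: consecutive files whose
    timestamps are no more than `gap` apart belong to the same burst."""
    ordered = sorted(records, key=lambda r: r[1])
    groups = []
    for rec in ordered:
        if groups and rec[1] - groups[-1][-1][1] <= gap:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return groups


def burst_containing(groups, path):
    """The burst holding `path` (case-insensitive on Windows), or None."""
    target = os.path.normcase(path)
    for g in groups:
        if any(os.path.normcase(p) == target for p, _ in g):
            return g
    return None


# Constructed sample (not real data): 300 files created one second apart
# starting 17 Feb 2007 03:19, the shape a patch install leaves in system32,
# with a dropped logon.exe inside that window, plus a separate two-file burst
# months later. Paths and times are assumptions of this example.
_T = datetime(2007, 2, 17, 3, 19)
SAMPLE_RECORDS = [(rf"C:\WINDOWS\system32\patched{i:03}.dll", _T + timedelta(seconds=i))
                  for i in range(300)]
SAMPLE_RECORDS.append((r"C:\WINDOWS\system32\logon.exe", datetime(2007, 2, 17, 3, 21)))
SAMPLE_RECORDS += [(r"C:\WINDOWS\system32\drivers\isplog.exe", datetime(2007, 7, 15, 2, 2)),
                   (r"C:\WINDOWS\TaskDaemon.exe", datetime(2007, 7, 15, 2, 3, 30))]


if __name__ == "__main__":
    groups = bursts(SAMPLE_RECORDS)
    for g in groups:
        print(f"{g[0][1]:%Y-%m-%d %H:%M:%S}  {len(g):4d} files  first: {g[0][0]}")
    hit = burst_containing(groups, r"C:\WINDOWS\system32\logon.exe")
    print("logon.exe sits in a burst of", len(hit), "files")
```

On the sample, logon.exe lands in a 301-file burst, so its creation time alone does not separate it from a patch, while isplog.exe and TaskDaemon.exe form a two-file burst that is worth pulling off the box intact. To run it on a real tree, feed `list(scan_tree(r"C:\WINDOWS\system32"))` to `bursts()`.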

    Author Comment

    I tried to run RootkitRevealer but was unable to. It gives a message that it needs to be run within the console.

    Here is the Autoruns listing...

    + Acronis Scheduler2 Service      Acronis Scheduler Helper      Acronis      c:\program files\common files\acronis\schedule2\schedhlp.exe
    + AVG7_CC      AVG Control Center      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgcc.exe
    + TrueImageMonitor.exe      TrueImage      Acronis      c:\program files\swsoft\plesk\acronis\trueimageenterprise\trueimagemonitor.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  
    + 3DM.lnk      3DM Disk Management Utility      3ware, Inc.      c:\program files\3ware\3dm\3dm.exe
    + Plesk Services Monitor.lnk      Plesk Services Tray Monitor            c:\program files\swsoft\plesk\admin\bin\traymonitor.exe
    + WinAVAlarm Startup Item.lnk      WinAVAlarm MFC Application            c:\program files\amcc\3dm2\winavalarm.exe
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components                  
    + 0                  File not found: About:Home
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  
    + AVG7 Find Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
    + AVG7 Shell Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
    + HyperTerminal Icon Ext                  File not found: hticons.dll
    + Shell Extension for DrWeb      Dr.Web ® Shell Extension      Doctor Web, Ltd.      c:\program files\swsoft\plesk\drweb\drwsxtn.dll
    + WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
    + WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
    + WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
    + WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
    + 3DM                  c:\program files\3ware\3dm\3dmd.exe
    + 3DM2                  c:\program files\amcc\3dm2/3dm2.exe
    + AcronisAgent      Allows Acronis products to remotely manage this computer      Acronis      c:\program files\common files\acronis\agent\agent.exe
    + AcrSch2Svc      Acronis Scheduler 2      Acronis      c:\program files\common files\acronis\schedule2\schedul2.exe
    + Avg7Alrt      AVG Alert Manager      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgamsvr.exe
    + Avg7UpdSvc      AVG Update Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgupsvc.exe
    + AvgCoreSvc      AVG Resident Shield Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgrssvc.exe
    + AVGEMS      AVG E-Mail Scanner      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgemc.exe
    + ClipSrv      Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\System32\clipsvr.exe
    + DirIndex      Directory indexing service for file integrity management.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
    + GxCVD(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Provides access to fetch or save metadata on CommServe while data protection or data recovery activity is in progress. This also services remote client/MediaAgent installation to a CommServe. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\cvd.exe
    + GxEvMgrC(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Forwards events generated on the local machine to CommServe, in addition it helps CommServe to browse the application data on local machine. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\evmgrc.exe
    + iisadm      Allows administration of Web and FTP services through the IIS services snap-in.            File not found: C:\WINDOWS\system32\inetinfo.exe
    + MELCS      MailEnable List Connector      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\melsc.exe
    + MEMTAS      MailEnable Mail Transfer Agent      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\memta.exe
    + MEPOCS      MailEnable Postoffice Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepoc.exe
    + MEPOPS      MailEnable POP Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepops.exe
    + MESMTPCS      MailEnable SMTP Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mesmtpc.exe
    + MySQL                  c:\program files\swsoft\plesk\databases\mysql\bin\mysqld-nt.exe
    + named                  c:\program files\swsoft\plesk\dns\bin\named.exe
    + NetSecManager      Network Security Protocol (NetSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows operating system.            File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe
    + PleskControlPanel      PleskControlPanel      Apache Software Foundation      c:\program files\swsoft\plesk\admin\bin\apache.exe
    + pleskmiscsrv      Plesk ip, 'run as' and some other management functionality service            c:\program files\swsoft\plesk\admin\bin\psa-serv.exe
    + PleskSQLServer      Plesk SQL (MySql) server installed with PLESK            c:\program files\swsoft\plesk\mysql\bin\mysqld-nt.exe
    + plesksrv      Plesk Management Service            c:\program files\swsoft\plesk\admin\bin\plesksrv.exe
    + PopPassD      Plesk PopPass Service            c:\program files\swsoft\plesk\admin\bin\poppassd.exe
    + prilogon      Enables starting processes under current credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\system32\logon.exe
    + ProfileMgr      Assembles information about your system for various system utilities such as Control Pannel and My Computer.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
    + r_server                  File not found: C:\WINDOWS\system32\drivers\isplog.exe
    + SiteBuilder      Provides easy way to create and manage professionally looking web sites            c:\program files\swsoft\plesk\winsitebuilder\docroot\sitebuilder.exe
    + SpamAssassinService      Plesk service to control Spamassassin filter state             c:\program files\swsoft\plesk\admin\bin\spamassassinservice.exe
    + Tomcat5      Apache Tomcat 5.5.4 Server -      Apache Software Foundation      c:\program files\swsoft\plesk\additional\tomcat\bin\tomcat5.exe
    + 3wDrv100                  c:\windows\system32\drivers\3wdrv100.sys
    + 3wFlt100                  c:\windows\system32\drivers\3wflt100.sys
    + ati2mpad      ATI2MPAD Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\ati2mpad.sys
    + AvgClean      AVG7 Clean Driver      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgclean.sys
    + AvgMfx86      AVG MiniFilter Resident Anti-Virus Shield      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgmfx86.sys
    + AvgTdi      AVG Network connection watcher      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgtdi.sys
    + E1000      Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver      Intel Corporation      c:\windows\system32\drivers\e1000325.sys
    + E100B      Intel(R) PRO/100 Adapter NDIS 5.1 driver      Intel Corporation      c:\windows\system32\drivers\e100b325.sys
    + IpInIp      IP in IP Tunnel Driver            File not found: system32\DRIVERS\ipinip.sys
    + NetSecDriver                  File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\netsec.sys
    + Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys
    + Secdrv      SafeDisc driver      Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.      c:\windows\system32\drivers\secdrv.sys
    + snapman      Acronis Snapshot API      Acronis      c:\windows\system32\drivers\snapman.sys
    + TDXRV                  File not found: C:\WINDOWS\system32\drivers\ntdos510.sys
    + tifsfilter      TrueImage File System Filter      Acronis      c:\windows\system32\drivers\tifsfilt.sys
    + timounter      True Image Backup Archive Explorer( Server Edition )      Acronis      c:\windows\system32\drivers\timntr.sys
    HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                  
    + wow64                  File not found: C:\WINDOWS\system32\wow64.dll
    + wow64cpu                  File not found: C:\WINDOWS\system32\wow64cpu.dll
    + wow64win                  File not found: C:\WINDOWS\system32\wow64win.dll
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  
    + avgwlntf      AVG Winlogon Notify Library      GRISOFT, s.r.o.      c:\windows\system32\avgwlntf.dll
    + BJ Language Monitor                  File not found: bjlmon.dll
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages                  
    + relog_ap      Acronis Relogon Authentication Package      Acronis      c:\windows\system32\relog_ap.dll


    Author Comment

    I moved LOGON.EXE and a file called LOGON.SCR off of the server (out of the C:\WINDOWS\system32\ folder).
    Both of these files had no name attributed to them (i.e. Microsoft) and had strange dates... Modified in 2006 but created Feb 17 2007 at 3:21 AM... there are hundreds of files in the same folder created on that same day within minutes of each other.

    After copying them to my local computer, it would not let me delete the LOGON.EXE until after a reboot.

    I am still getting the TaskDaemon error each time I reboot.

    Can I use the Autoruns program to edit out things that should no longer be there?


    Expert Comment

    logon.scr is a valid Windows file, please don't move that.

    I think in general the files modified on Feb. 17 are part of an update from MS and should not be moved.

    Yes, if you like you can "un-check" specific items in Autoruns you are suspicious of, then reboot. You should be able to re-enable the ones that you later discover as harmless. But don't disable items that are from Microsoft.

    I have to run now but will check back later. Thanks.

    Expert Comment

    Thanks. Hope you got it cleared up.

    Author Comment

    Yes, things have been "quiet" ever since we implemented the many things you suggested... not sure which was the exact solution... which is why I marked several of your comments... one or all seem to have worked :)

    thanks for your help!!
