electricink (Canada) asked:

Windows 2003 Server Hacked - Suspect it is being used for spamming - Hijackthis log file included

Hello,

Our Windows 2003 server has been hacked. I have done 2 virus scans and cleaned what they could find (used AVG and Microsoft Malicious Software Removal).

However, we are still being flagged as "Spammers" so something is still not right.

Here is our HijackThis Log File...

Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 7/21/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\3ware\3DM\3dmd.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe
C:\Program Files\SWsoft\Plesk\dns\bin\named.exe
C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3ware\3DM\3dm.exe
C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe
C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\PROGRA~1\SWsoft\Plesk\ADDITI~1\Perl\bin\perl.exe
C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
C:\downloaded files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electricink.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\SWsoft\Plesk\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - Global Startup: 3DM.lnk = ?
O4 - Global Startup: Plesk Services Monitor.lnk = C:\Program Files\SWsoft\Plesk\admin\bin\traymonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm Startup Item.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147544667130
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158013453546
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4948/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D729357B-F14A-4E47-8F33-0315B253E217}: NameServer = 64.34.24.23,64.34.24.24
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: 3DM - Unknown owner - C:\Program Files\3ware\3DM\3dmd.exe
O23 - Service: AMCC 3DM2 (3DM2) - Unknown owner - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\system32\drivers\alerter.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\System32\clipsvr.exe (file missing)
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe" -vm ControlSet001 (file missing)
O23 - Service: IIS Administrator (iisadm) - Unknown owner - C:\WINDOWS\system32\inetinfo.exe (file missing)
O23 - Service: KasperskyTM Anti-Virus (kavsvc) - Unknown owner - C:\Program Files\SWsoft\Plesk\kav\kavsvc.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\SWsoft\Plesk\Mail Servers\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL Server (MySQL) - Unknown owner - C:\Program Files\SWsoft\Plesk\Databases\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\Databases\MySQL\Data\my.ini" MySQL (file missing)
O23 - Service: Plesk Name Server (named) - Unknown owner - C:\Program Files\SWsoft\Plesk\dns\bin\named.exe" -n1 (file missing)
O23 - Service: PleskControlPanel - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Plesk Miscellaneous Service (pleskmiscsrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\psa-serv.exe
O23 - Service: Plesk SQL Server (PleskSQLServer) - Unknown owner - C:\Program Files\SWsoft\Plesk\MySQL\bin\mysqld-nt.exe" --defaults-file="C:\Program Files\SWsoft\Plesk\MySQL\Data\my.ini" PleskSQLServer (file missing)
O23 - Service: Plesk Management Service (plesksrv) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\plesksrv.exe" -run (file missing)
O23 - Service: Plesk PopPass Service (PopPassD) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\PopPassD.exe" -run (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: SWsoft SiteBuilder (SiteBuilder) - Unknown owner - C:\Program Files\SWsoft\Plesk\WinSiteBuilder\docroot\sitebuilder.exe" -x (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
O23 - Service: Plesk SSL Wrapper Service (stunnel) - Unknown owner - C:\Program Files\SWsoft\Plesk\admin\bin\stunnel.exe" -service (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\SWsoft\Plesk\Additional\Tomcat\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thank you

Kirk

ASKER CERTIFIED SOLUTION by r-k (only available to Experts Exchange members)
SOLUTION (only available to Experts Exchange members)
SOLUTION (only available to Experts Exchange members)
SOLUTION (only available to Experts Exchange members)

electricink (asker):

Thank you for your replies and suggestions!

We are going through your suggestions (had to be away for the weekend --- horrible time to have to leave) :S

I only have access through Remote Desktop (our server is 3 hours away) .... would this be me?

O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe

Each time I reboot (while cleaning up files) I am receiving the message "TaskDaemon.exe encountered a problem and needed to close".

Is this a meaningful message?

r-k:

".... would this be me?" (C:\WINDOWS\system32\logon.exe)

No, this is not even a file normally present in the system32 folder (logoff.exe is normally present). If you want to be sure, right-click on the file and select Properties -> Version. It will not be a Microsoft file.

"I am receiving the message " TaskDaemon.exe encountered a problem..."

That must be another component of the malware. It did not show up in the original HJT log, but possibly one of the pieces you tried to delete has morphed into that name. I would suggest posting the log produced by Autoruns (see above)

BTW, the dates/times on logon.exe and TaskDaemon.exe can give you valuable clues. You can use that information to search for other files left behind by the infection. My suggestion would be to not delete those files but move them either to another folder, or maybe better, to another computer for further study.

electricink (asker):

I tried to run RootkitRevealer but was unable to. It gives a message that it needs to be run within the Console.

Here is the Autoruns listing...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  
+ Acronis Scheduler2 Service      Acronis Scheduler Helper      Acronis      c:\program files\common files\acronis\schedule2\schedhlp.exe
+ AVG7_CC      AVG Control Center      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgcc.exe
+ TrueImageMonitor.exe      TrueImage      Acronis      c:\program files\swsoft\plesk\acronis\trueimageenterprise\trueimagemonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  
+ 3DM.lnk      3DM Disk Management Utility      3ware, Inc.      c:\program files\3ware\3dm\3dm.exe
+ Plesk Services Monitor.lnk      Plesk Services Tray Monitor            c:\program files\swsoft\plesk\admin\bin\traymonitor.exe
+ WinAVAlarm Startup Item.lnk      WinAVAlarm MFC Application            c:\program files\amcc\3dm2\winavalarm.exe
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components                  
+ 0                  File not found: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  
+ AVG7 Find Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
+ AVG7 Shell Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgse.dll
+ HyperTerminal Icon Ext                  File not found: hticons.dll
+ Shell Extension for DrWeb      Dr.Web ® Shell Extension      Doctor Web, Ltd.      c:\program files\swsoft\plesk\drweb\drwsxtn.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll
HKLM\System\CurrentControlSet\Services                  
+ 3DM                  c:\program files\3ware\3dm\3dmd.exe
+ 3DM2                  c:\program files\amcc\3dm2/3dm2.exe
+ AcronisAgent      Allows Acronis products to remotely manage this computer      Acronis      c:\program files\common files\acronis\agent\agent.exe
+ AcrSch2Svc      Acronis Scheduler 2      Acronis      c:\program files\common files\acronis\schedule2\schedul2.exe
+ Avg7Alrt      AVG Alert Manager      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgamsvr.exe
+ Avg7UpdSvc      AVG Update Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgupsvc.exe
+ AvgCoreSvc      AVG Resident Shield Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgrssvc.exe
+ AVGEMS      AVG E-Mail Scanner      GRISOFT, s.r.o.      c:\program files\grisoft\avg7\avgemc.exe
+ ClipSrv      Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\System32\clipsvr.exe
+ DirIndex      Directory indexing service for file integrity management.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ GxCVD(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Provides access to fetch or save metadata on CommServe while data protection or data recovery activity is in progress. This also services remote client/MediaAgent installation to a CommServe. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\cvd.exe
+ GxEvMgrC(ControlSet001)      This service is installed as part of CommVault Installer Galaxy Product. Forwards events generated on the local machine to CommServe, in addition it helps CommServe to browse the application data on local machine. This service is essential for Galaxy functionality.      CommVault Systems      c:\program files\commvault systems\galaxy\base\evmgrc.exe
+ iisadm      Allows administration of Web and FTP services through the IIS services snap-in.            File not found: C:\WINDOWS\system32\inetinfo.exe
+ MELCS      MailEnable List Connector      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\melsc.exe
+ MEMTAS      MailEnable Mail Transfer Agent      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\memta.exe
+ MEPOCS      MailEnable Postoffice Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepoc.exe
+ MEPOPS      MailEnable POP Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mepops.exe
+ MESMTPCS      MailEnable SMTP Connector Service      MailEnable Pty Ltd      c:\program files\swsoft\plesk\mail servers\mail enable\bin\mesmtpc.exe
+ MySQL                  c:\program files\swsoft\plesk\databases\mysql\bin\mysqld-nt.exe
+ named                  c:\program files\swsoft\plesk\dns\bin\named.exe
+ NetSecManager      Network Security Protocol (NetSec) provides application-transparent encryption services for IP network traffic as well as other network access protections for the Windows operating system.            File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\NetSec.exe
+ PleskControlPanel      PleskControlPanel      Apache Software Foundation      c:\program files\swsoft\plesk\admin\bin\apache.exe
+ pleskmiscsrv      Plesk ip, 'run as' and some other management functionality service            c:\program files\swsoft\plesk\admin\bin\psa-serv.exe
+ PleskSQLServer      Plesk SQL (MySql) server installed with PLESK            c:\program files\swsoft\plesk\mysql\bin\mysqld-nt.exe
+ plesksrv      Plesk Management Service            c:\program files\swsoft\plesk\admin\bin\plesksrv.exe
+ PopPassD      Plesk PopPass Service            c:\program files\swsoft\plesk\admin\bin\poppassd.exe
+ prilogon      Enables starting processes under current credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.            File not found: C:\WINDOWS\system32\logon.exe
+ ProfileMgr      Assembles information about your system for various system utilities such as Control Pannel and My Computer.            c:\windows\$ntuninstallkb913029$\spuninst\_restore{diwjds7s-c329-3242-91ec-d2sd72c70d82}\com1\rp00\taskdaemon.exe
+ r_server                  File not found: C:\WINDOWS\system32\drivers\isplog.exe
+ SiteBuilder      Provides easy way to create and manage professionally looking web sites            c:\program files\swsoft\plesk\winsitebuilder\docroot\sitebuilder.exe
+ SpamAssassinService      Plesk service to control Spamassassin filter state             c:\program files\swsoft\plesk\admin\bin\spamassassinservice.exe
+ Tomcat5      Apache Tomcat 5.5.4 Server - http://jakarta.apache.org/tomcat/      Apache Software Foundation      c:\program files\swsoft\plesk\additional\tomcat\bin\tomcat5.exe
HKLM\System\CurrentControlSet\Services                  
+ 3wDrv100                  c:\windows\system32\drivers\3wdrv100.sys
+ 3wFlt100                  c:\windows\system32\drivers\3wflt100.sys
+ ati2mpad      ATI2MPAD Miniport Driver      ATI Technologies Inc.      c:\windows\system32\drivers\ati2mpad.sys
+ AvgClean      AVG7 Clean Driver      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgclean.sys
+ AvgMfx86      AVG MiniFilter Resident Anti-Virus Shield      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgmfx86.sys
+ AvgTdi      AVG Network connection watcher      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgtdi.sys
+ E1000      Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver      Intel Corporation      c:\windows\system32\drivers\e1000325.sys
+ E100B      Intel(R) PRO/100 Adapter NDIS 5.1 driver      Intel Corporation      c:\windows\system32\drivers\e100b325.sys
+ IpInIp      IP in IP Tunnel Driver            File not found: system32\DRIVERS\ipinip.sys
+ NetSecDriver                  File not found: C:\WINDOWS\$NtUninstallKB913029$\spuninst\_restore{DIWJDS7S-C329-3242-91EC-D2SD72C70D82}\com1\rp00\netsec.sys
+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys
+ Secdrv      SafeDisc driver      Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.      c:\windows\system32\drivers\secdrv.sys
+ snapman      Acronis Snapshot API      Acronis      c:\windows\system32\drivers\snapman.sys
+ TDXRV                  File not found: C:\WINDOWS\system32\drivers\ntdos510.sys
+ tifsfilter      TrueImage File System Filter      Acronis      c:\windows\system32\drivers\tifsfilt.sys
+ timounter      True Image Backup Archive Explorer( Server Edition )      Acronis      c:\windows\system32\drivers\timntr.sys
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                  
+ wow64                  File not found: C:\WINDOWS\system32\wow64.dll
+ wow64cpu                  File not found: C:\WINDOWS\system32\wow64cpu.dll
+ wow64win                  File not found: C:\WINDOWS\system32\wow64win.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  
+ avgwlntf      AVG Winlogon Notify Library      GRISOFT, s.r.o.      c:\windows\system32\avgwlntf.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors                  
+ BJ Language Monitor                  File not found: bjlmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages                  
+ relog_ap      Acronis Relogon Authentication Package      Acronis      c:\windows\system32\relog_ap.dll

I moved LOGON.EXE and a file called LOGON.SCR off of the server (out of the C:\WINDOWS\system32\ folder)
Both of these files had no name attributed to them (i.e. Microsoft) and had strange dates... modified in 2006 but created Feb 17 2007 at 3:21 AM... there are hundreds of files in the same folder created on that same day within minutes of each other.

After copying them to my local computer, it would not let me delete the LOGON.EXE until after a reboot.

I am still getting the TaskDaemon error each time I reboot.

Can I use the Autoruns program to edit out things that should no longer be there?
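As an added example (not code from this thread, nor from the HijackThis or Autoruns tools), here is a Python parser for the O23 service lines in the log above, with r-k's Properties -> Version reasoning applied as a rule (no vendor in the version info, yet located under the Windows directory) plus a path check for the hotfix-uninstall / `com1` location the Autoruns listing shows for taskdaemon.exe. The function names are my own; the sample lines are copied from this thread's log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O23 lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_O23 = r"""
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - Unknown owner - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe" -vm ControlSet001 (file missing)
O23 - Service: Primary Logon (prilogon) - Unknown owner - C:\WINDOWS\system32\logon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\isplog.exe" /service (file missing)
O23 - Service: Plesk SpamAssassin Service (SpamAssassinService) -   - C:\Program Files\SWsoft\Plesk\admin\bin\SpamAssassinService.exe
"""

# "O23 - Service: <display name> (<service name>) - <vendor> - <command> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>\S+)\) - (?P<vendor>.*?) - "
    r"(?P<command>.*?)(?P<missing> \(file missing\))?$"
)
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|sys|dll|bat|cmd))", re.IGNORECASE)
# Win32 device names; a directory called e.g. "com1" is hard to open or delete with normal tools.
RESERVED_NAMES = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}


@dataclass
class ServiceEntry:
    display: str
    short: str
    vendor: str          # "" when HJT printed no vendor at all
    path: str            # image path with the service's command-line arguments stripped
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HJT O23 line; returns None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    pm = PATH_RE.match(m["command"])
    path = pm["path"] if pm else m["command"].split('"')[0].strip()
    return ServiceEntry(m["display"], m["short"], m["vendor"].strip(), path, m["missing"] is not None)


def path_oddities(path: str) -> List[str]:
    """Location-based red flags; works on HJT O23 paths and on Autoruns image paths alike."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    flags = []
    if any(p in RESERVED_NAMES for p in parts[:-1]):
        flags.append("directory named after a reserved DOS device")
    if any(p.startswith("$ntuninstall") or p.startswith("_restore{") for p in parts):
        flags.append("executable parked in a hotfix-uninstall / restore-point folder")
    return flags


def triage(entry: ServiceEntry, system_root: str = r"C:\WINDOWS") -> ServiceEntry:
    entry.flags = path_oddities(entry.path)
    no_vendor = entry.vendor == "" or entry.vendor.lower() == "unknown owner"
    in_system_dir = entry.path.lower().startswith(system_root.lower() + "\\")
    # r-k's Properties -> Version check as a rule: a genuine OS binary names Microsoft as its company,
    # so "Unknown owner" under %SystemRoot% stands out; under Program Files it is normal for 3rd parties.
    if no_vendor and in_system_dir:
        entry.flags.append("no vendor in version info but lives under the Windows directory")
    return entry


def suspicious_services(log_text: str) -> List[ServiceEntry]:
    hits = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and triage(entry).flags:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_O23):
        print(f"{e.short:10} {e.path}  (file missing: {e.file_missing})")
        for f in e.flags:
            print("    -", f)
```

Run against the sample it reports prilogon and r_server only; the "Unknown owner" Plesk and CommVault services under Program Files are left alone, as the thread's outcome suggests they should be.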

r-k:

logon.scr is a valid Windows file, please don't move that.

I think in general the files modified on Feb. 17 are part of an update from MS and should not be moved.

Yes, if you like you can "un-check" specific items in Autoruns you are suspicious of, then reboot. You should be able to re-enable the ones that you later discover as harmless. But don't disable items that are from Microsoft.

I have to run now but will check back later. Thanks.

r-k:

Thanks. Hope you got it cleared up.

electricink (asker):

Yes, things have been "quiet" ever since we implemented the many things you suggested... not sure which was the exact solution... which is why I marked several of your comments... one or all seem to have worked :)

thanks for your help!!