

Malware wbjrwesa.txt



#1 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 04:46 PM

At the request of AndyManchesta, I'm beginning a new log for trying to remove the malware wbjrwesa.txt. I've included the link to the earlier discussions below:

http://forum.pirifor...?showtopic=9460


First off, response from Gromozon removal tool...

Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\C:\WINDOWS\system32\aux.frh
\\?\C:\WINDOWS\system32\aux.frh
Resetting file permissions...
Clearing attributes...
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\hlnul1.dll
Removed!


Trojan.Gromozon Removed!



Tried running CCleaner after this ran, but no success; it still won't run with wbjrwesa.txt in the System32 folder....

Will now go try other utilities requested...

#2 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 05:12 PM

win32delfkil.exe results...

well, it didn't actually run the way you said it would...

I ran it from the desktop and it opened a DOS window which asked me to press any key... I did, and it said "file not found" 4 times, then appeared to stop. The desktop was trashed again, so the malware may be affecting it...

I rebooted. There is no sign of a folder or a fix.bat, but I have found a partial log on C:\ which I paste hereafter...

WIN32DELFKIL LOGFILE - by Marckie


version 3.125
23/03/2007 17:00:07.73
running from: "C:\Documents and Settings\family\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---
winstyle32.dll

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


Any suggestions?


Next!

#3 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 05:19 PM

ok, next on the list is Blacklight beta... (I must be getting old - these utility names are as unfamiliar to me as the obscure bands my son listens to... :) )

Not a very meaningful log to the uninitiated...


03/23/07 17:14:36 [Info]: BlackLight Engine 1.0.55 initialized
03/23/07 17:14:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/23/07 17:14:37 [Note]: 7019 4
03/23/07 17:14:37 [Note]: 7005 0
03/23/07 17:14:40 [Note]: 7006 0
03/23/07 17:14:40 [Note]: 7011 1704
03/23/07 17:14:41 [Note]: 7026 0
03/23/07 17:14:41 [Note]: 7026 0
03/23/07 17:14:52 [Note]: FSRAW library version 1.7.1021


now for Kaspersky...

#4 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 05:32 PM

Kaspersky didn't want to play... the ActiveX control wouldn't download... tried the individual File Scanner while I was there and that didn't work either...

Hey-ho... will go and see what's next on the list...

#5 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 05:37 PM

There's a reference to a BartPE boot disk on the other forum listing - that sounds like an interesting option, but kind of scary, so I'll not try that before someone else agrees that it's a good idea...

Besides still having 'fun' with AndyManchesta's cunning stuff :blink:

#6 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 05:56 PM

Aaaargh!!!

Urgent help required... Done something silly...


Moved my malware wbjrwesa.txt to the desktop and tried deleting it from there - it worked. Checked the registry was clear - it was. Deleted the copy from Prefetch, started running HijackThis and lost my desktop again... Now I need to get the wbjrwesa.txt file back from the Recycle Bin and I can't see the damn Recycle Bin... Does anyone know the name of the program that runs the Recycle Bin so I can restore this file????

Help!!!!

#7 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 06:08 PM

scotiabahn, on Mar 23 2007, 05:56 PM, said:

Aaaargh!!!

Urgent help required... Done something silly...
Moved my malware wbjrwesa.txt to the desktop and tried deleting it from there - it worked. Checked the registry was clear - it was. Deleted the copy from Prefetch, started running HijackThis and lost my desktop again... Now I need to get the wbjrwesa.txt file back from the Recycle Bin and I can't see the damn Recycle Bin... Does anyone know the name of the program that runs the Recycle Bin so I can restore this file????

Help!!!!


p.s. just tried Recuva, but this hasn't been deleted that far, still skulking in the recycle bin...

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 23 March 2007 - 07:57 PM

Hi Steve,

Thanks for the logs

You do have a Gromozon infection, which is bad news as they are very malicious and they know how to make it very difficult to clean the machine by constantly changing the files and the method of infection. They also target a lot of the tools we use, such as rootkit scanners, and can close them instantly if you attempt to run them. This txt file that's hooking to explorer.exe may be a different infection, but it's difficult to know with the file being randomly named until we can get some scan results.

For win32delfkil, it's fine if it shows "file not found" 4 times, as that is just trojan files it's checking for. It stops explorer.exe, which is why you lose the desktop icons, but if left it should then restart the PC and finish after reboot. Can you try the tool again but rename it first? Set Windows to show file extensions:

EDIT: Skip this part until you get explorer running :)

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Uncheck the "Hide extensions for known file types" option.

Click Yes to confirm then OK

You can set this back later by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Then delete these files from the C:\ drive if they exist:

_files.txt
win32delfkil.exe
windelf.txt

and the _backupD folder if it's there. Then right click the win32delfkil.exe file on your desktop and rename it to test.exe, then run it again. If it doesn't reboot or finish the clean up, then just post the log which it created and we can manually remove anything that was found.

The Blacklight log is fine and it's nice to see no hidden items were found; we will be running more rootkit scans though to be sure of that. BartPE methods are fine when you know what you're going after, but in this case we don't. The only file that we know about is wbjrwesa.txt and that will not be by itself, so removing it may cause problems until we find out what put it there and for what reason.

scotiabahn, on Mar 23 2007, 05:56 PM, said:

Aaaargh!!!

Urgent help required... Done something silly...
Moved my malware wbjrwesa.txt to the desktop and tried deleting it from there - it worked. Checked the registry was clear - it was. Deleted the copy from Prefetch, started running HijackThis and lost my desktop again... Now I need to get the wbjrwesa.txt file back from the Recycle Bin and I can't see the damn Recycle Bin... Does anyone know the name of the program that runs the Recycle Bin so I can restore this file????

Help!!!!

Painful :blink: , I'm really not sure how to get round this; until we know what changes it's made it's going to be difficult to repair. Please start Task Manager > New Task > type regedit and press OK.

When regedit opens, check for the explorer.exe value in Image File Execution Options again and remove it if found, then try to start explorer. If that doesn't work, go back to regedit: on the left pane click My Computer, then click Edit and Find, in the Find What: area type wbjrwesa.txt, then click Find Next. Make a note of any areas where wbjrwesa.txt is found (press F3 to continue the search after each one is found until it shows 'finished searching through registry') and let us know where it's located.

For the Recycle Bin problem try this: bring up Task Manager > New Task > click Browse, then go to the Windows folder and double click explorer.exe to load the path into the New Task window, then press OK. If it shows that explorer.exe cannot be found, then try this: browse back into the Windows folder and right click explorer.exe, then choose Copy; right click an empty space in the Windows folder and choose Paste and it will add a file named Copy of explorer.exe. Now double click that so it loads the path into the New Task window and click OK. If explorer.exe doesn't start, then it should open My Documents, and in the menu on the left it shows the Recycle Bin; left click that and locate the file, then right click it and choose Copy, navigate back to system32, right click an empty space and choose Paste to add it back in there.

Let me know how it goes then we can continue with the scans

Andy

#9 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 23 March 2007 - 08:17 PM

Don't worry about making a note of all the locations in the registry that wbjrwesa.txt is found in; if you can get explorer running again, then we can download a reg search tool to do that for us.

Andy

#10 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 08:19 PM

AndyManchesta, on Mar 23 2007, 07:57 PM, said:

Hi Steve,

Thanks for the logs

You do have a Gromozon infection, which is bad news as they are very malicious and they know how to make it very difficult to clean the machine by constantly changing the files and the method of infection. They also target a lot of the tools we use, such as rootkit scanners, and can close them instantly if you attempt to run them. This txt file that's hooking to explorer.exe may be a different infection, but it's difficult to know with the file being randomly named until we can get some scan results.

For win32delfkil, it's fine if it shows "file not found" 4 times, as that is just trojan files it's checking for. It stops explorer.exe, which is why you lose the desktop icons, but if left it should then restart the PC and finish after reboot. Can you try the tool again but rename it first? Set Windows to show file extensions:

EDIT: Skip this part until you get explorer running :)

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Uncheck the "Hide extensions for known file types" option.

Click Yes to confirm then OK

You can set this back later by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Then delete these files from the C:\ drive if they exist:

_files.txt
win32delfkil.exe
windelf.txt

and the _backupD folder if it's there. Then right click the win32delfkil.exe file on your desktop and rename it to test.exe, then run it again. If it doesn't reboot or finish the clean up, then just post the log which it created and we can manually remove anything that was found.

The Blacklight log is fine and it's nice to see no hidden items were found; we will be running more rootkit scans though to be sure of that. BartPE methods are fine when you know what you're going after, but in this case we don't. The only file that we know about is wbjrwesa.txt and that will not be by itself, so removing it may cause problems until we find out what put it there and for what reason.

Painful :blink: , I'm really not sure how to get round this; until we know what changes it's made it's going to be difficult to repair. Please start Task Manager > New Task > type regedit and press OK.

When regedit opens, check for the explorer.exe value in Image File Execution Options again and remove it if found, then try to start explorer. If that doesn't work, go back to regedit: on the left pane click My Computer, then click Edit and Find, in the Find What: area type wbjrwesa.txt, then click Find Next. Make a note of any areas where wbjrwesa.txt is found (press F3 to continue the search after each one is found until it shows 'finished searching through registry') and let us know where it's located.

For the Recycle Bin problem try this: bring up Task Manager > New Task > click Browse, then go to the Windows folder and double click explorer.exe to load the path into the New Task window, then press OK. If it shows that explorer.exe cannot be found, then try this: browse back into the Windows folder and right click explorer.exe, then choose Copy; right click an empty space in the Windows folder and choose Paste and it will add a file named Copy of explorer.exe. Now double click that so it loads the path into the New Task window and click OK. If explorer.exe doesn't start, then it should open My Documents, and in the menu on the left it shows the Recycle Bin; left click that and locate the file, then right click it and choose Copy, navigate back to system32, right click an empty space and choose Paste to add it back in there.

Let me know how it goes then we can continue with the scans

Andy


All hail Andy!

The copy of explorer worked - I got wbjrwesa.txt back into system32 and the desktop is restored, so I can get on with the real stuff...

Like the next run of HJT, with the full scan and selected rows. I actually ran this earlier while the desktop was inactive from the txt file removal...

Here we are:-


Logfile of HijackThis v1.99.1
Scan saved at 17:46:42, on 23/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe


It's shorter at least this time...


Just reading your latest response above about win32delfkil, looks like I acted a bit hastily on that so will go give that another try and give it time to run this time (frightened the bejeebers out of me when it killed explorer - assumed it was my manky malware at work...)

Once more unto the breach!

#11 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 08:19 PM

AndyManchesta, on Mar 23 2007, 08:17 PM, said:

Don't worry about making a note of all the locations in the registry that wbjrwesa.txt is found in; if you can get explorer running again, then we can download a reg search tool to do that for us.

Andy


only just seen this - will check out what's about and let you know...

#12 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 08:34 PM

AndyManchesta, on Mar 23 2007, 08:17 PM, said:

Don't worry about making a note of all the locations in the registry that wbjrwesa.txt is found in; if you can get explorer running again, then we can download a reg search tool to do that for us.

Andy


There are registry entries for wbjrwesa.txt...

#13 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 08:41 PM

re Win32delfkil...

Just tried a simple rerun... after 10-15 mins I manually rebooted and let it continue. I have a log, but I'm not sure whether that's acceptable or you would prefer me to go through the more detailed process above...


WIN32DELFKIL LOGFILE - by Marckie


version 3.125
23/03/2007 20:24:10.09
running from: "C:\Documents and Settings\family\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---
winstyle32.dll

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!


I'll go see if I can get the registry keys, I think there are only a couple

#14 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 23 March 2007 - 08:42 PM

The logs are looking a lot better. Please repeat the Gromozon remover step again and post back the log. Can you also run this remover from Symantec:

http://www.symantec.com/content/en/us/glob.../FixLinkopt.exe

That removal tool should be run in Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
After you run the tool it will show a message indicating whether it's found any infection; let me know if it does remove anything.

For the registry search, download Regsearch from Bobbi Flekman:

http://www.xs4all.nl...gsearch-us.html

It's simple to use: just run the program and enter wbjrwesa.txt, click OK and it will search the registry and save the details to a text file named RegSearch.txt, which you can then post back.

EDIT:
(Use the Add Reply button at the bottom of the page when you post, as that doesn't quote mine)

Andy

#15 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 08:58 PM

ok, I'm on this last lot now... and using Add Reply...

#16 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 09:12 PM

Gromozon log...




Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files


Trojan.Gromozon does not exist - your system is clean.

#17 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 23 March 2007 - 09:18 PM

That's a good start :)

#18 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 09:33 PM

FixLinkOpt didn't give a message it just finished, but it did create a log file, which had the name of the program and was otherwise empty...

Is that ok?

#19 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 23 March 2007 - 09:43 PM

Yes, that's fine. Just the reg search results now to see and then we can move on.

Cheers

#20 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 23 March 2007 - 09:46 PM

Regsearch log


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 23/03/2007 21:37:18 for strings:
; 'wbjrwesa.txt'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"b"="C:\\WINDOWS\\system32\\wbjrwesa.txt"

; End Of The Log...


I think that's the end of the list....

I'll keep an eye on this a bit longer this evening, but having been online since just after 7 this morning, I'm not as alert as I was... I'm grateful for all the time you're putting in on this as well. If there's nowt more in a wee while, I'll check again tomorrow...

Many, many thanks...
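As an added example (not code from the thread, nor from RegSearch or HijackThis), the script below parses a Registry Editor export such as the Regsearch log above and reports every Image File Execution Options "Debugger" value, which is the mechanism the log shows redirecting explorer.exe to wbjrwesa.txt; it handles .reg string escaping and flags any debugger that is not an executable. The explorer.exe key in the sample is the one from the log; the notepad.exe key is a constructed contrast case.

```python
"""Report IFEO 'Debugger' redirections found in a Windows Registry Editor export.

Added example, not code from the thread or from RegSearch/HijackThis. The thread's
Regsearch log showed explorer.exe redirected to a .txt file through the IFEO
Debugger value; this finds every such value and flags non-executable debuggers.
"""
import ntpath
import re

# Parent key (hive stripped, lower-cased) under which per-image IFEO keys live.
IFEO_PARENT = r"software\microsoft\windows nt\currentversion\image file execution options"

# Sample export. The explorer.exe key reproduces the entry from the thread's
# Regsearch log; the notepad.exe key is CONSTRUCTED as a benign-looking contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"b"="C:\\WINDOWS\\system32\\wbjrwesa.txt"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str):
    """Yield (key, value_name, raw_data) for every named value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, unescape(m.group(1)), m.group(2)

def debugger_image(cmd: str) -> str:
    """First token of a Debugger command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def find_ifeo_debuggers(text: str):
    """One finding per IFEO Debugger value: target image, debugger path, verdict."""
    findings = []
    for key, name, raw in parse_reg(text):
        parts = key.split("\\")
        parent = "\\".join(parts[1:-1]).lower()  # drop hive and target image name
        if parent != IFEO_PARENT or name.lower() != "debugger":
            continue
        if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            continue  # not a REG_SZ literal; Debugger is always a string
        image = debugger_image(unescape(raw[1:-1]))
        ext = ntpath.splitext(image)[1].lower()
        findings.append({
            "target": parts[-1],
            "debugger": image,
            "suspicious": ext != ".exe",
            "reason": "" if ext == ".exe" else f"debugger has extension {ext!r}, not .exe",
        })
    return findings

if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        print("SUSPICIOUS" if f["suspicious"] else "review    ", f["target"], "->", f["debugger"], f["reason"])
```

Any Debugger value on a system binary deserves a look even when it points at a real .exe, which is why benign-looking hits are still listed as "review".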