
Network security: Seven tips for desktop malware first responders

Mark Underwood offers seven tips for network administrators who are the first responders in desktop malware attacks.

A few months ago I was attending a conference in Orlando. It was cold by Orlando standards, and the locals, mindful of their dependence on tourism during a recession, were apologetic - that is, especially hospitable. It was a productive meeting and I had a bounty of business cards and URLs to check out. An hour before leaving the hotel for the meeting's second day, I connected to the hotel network and browsed a few sites.  One of the sites, an engaging blog, featured a lively set of comments with a blog post, so I absentmindedly clicked through the comments. I paused to answer a knock at the door, and returned to find that a bit of malware had begun to take over my Windows notebook.

This preamble explains the Windows-centric character of this blog post. The principles would be similar for non-Windows platforms, but the particulars would vary.

After the panic

Instinctively, I jerked the patch cable out (a minor plus for wired connections).  Then, as the malware's symptoms began to appear, I soon wished for access to the search engine I had just made inaccessible. Why? Because planning the mitigation tactic for the specific piece of malware, indeed properly identifying the specific attack, had probably already been done and posted in courteous detail -- somewhere.

The moments when malware is rifling through your process table are not conducive to lucid contemplation, but that's the precise moment you must don your First Responder hat. Taking the right steps early on in the infection can save hours of later remediation. These steps may be routine for full time malware warriors, but network security is only one duty among many for the typical SMB network administrator.

Rescuer advice

What advice is offered by security software providers? The security software vendors call a certain category of software "endpoint protection." Some even recognize the business opportunity:  for instance, Foundstone's contact page is appropriately titled "911 Emergency." They also offer a complement of free tools. A Windows anti-malware toolkit might also include utilities such as Sysinternals' PsTools Suite, freely available from Microsoft Technet (though as author Mark Russinovich notes, these may trigger antivirus warnings because they are tools also employed by some viruses). Sysinternals Handle and Process Explorer can also be helpful.

Counterattack

It was several long minutes before I remembered that I could use my HTC Touch 2 browser to look up the infection and plan a counterattack. I found the specific malware and, after wasting more time on several unhelpful Web pages, found a well-documented and recognizable set of tactics involving the venerable duo of SuperAntiSpyware and MalwareBytes, along with a fresh installation of the corporate antivirus package.

On the way to the day's conference session after having successfully removed the malware, I reminded myself that it wouldn't have been as easy with a zero-day attack. If several workstations or a server or two had been attacked at work, a more systematic approach would be needed. A trained First Responder team, fully briefed on how to remove the infection, would be needed, along with a more complex risk analysis. I realized that the wireless phone network, separate from our enterprise, was an important asset. The key instructions and perhaps even key binaries could be broadcast, e.g., by SMS or mobile Skype.

A FEMA-style First Responder tabletop exercise may be in order once the conference is over.

Seven tips for desktop malware first responders

#1 Understand the risks

Obey the First Responder's Hippocratic Oath: Do no harm. In other words, don't make things worse. Assess whether the malware needs to be removed immediately, or whether the better approach is to shut down the machine and pursue remediation in a controlled environment. Weigh what data is at risk of being compromised against the current need for the device.

#2 Carry a Web-enabled smart phone

Pay for that data plan. Get reasonably proficient with a favorite mobile browser. Store bookmarks. Most phones support flash cards where additional remediation software can be stored.

#3 Carry a big (16GB USB) stick

At a minimum, consider carrying a hefty USB drive containing favorite anti-malware utilities, if not a fully bootable OS with security tools on it, such as Slax.
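
An added example (not part of the original article): one way to confirm that the toolkit on the stick from tip #3 is unchanged after it has been plugged into a suspect machine. It records SHA-256 hashes on a clean machine, keeps the manifest off the stick, and reports added, removed and modified files; the file names, the manifest location and the `looks_like_dropper` heuristic are assumptions for illustration, and the demo data is constructed.

```python
import hashlib
import json
import os
import tempfile

# Extensions treated as executable content for the heuristic (an assumption).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path with forward slashes: SHA-256} for every file under root."""
    hashes = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def write_manifest(root, manifest_path):
    """Record the known-good state; run this on a clean machine."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        json.dump(snapshot(root), out, indent=2, sort_keys=True)


def looks_like_dropper(rel_path):
    """Heuristic: a root autorun.inf, anything inside a RECYCLER folder, or a new executable."""
    lowered = rel_path.lower()
    parts = lowered.split("/")
    return (
        lowered == "autorun.inf"
        or "recycler" in parts[:-1]
        or lowered.endswith(EXECUTABLE_EXTS)
    )


def verify(root, manifest_path):
    """Compare the stick's current contents with the stored manifest."""
    with open(manifest_path, encoding="utf-8") as src:
        expected = json.load(src)
    actual = snapshot(root)
    added = sorted(set(actual) - set(expected))
    return {
        "added": added,
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "suspicious": [p for p in added if looks_like_dropper(p)],
    }


def _put(root, rel_path, data):
    """Write constructed sample bytes to root/rel_path, creating folders as needed."""
    full = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as out:
        out.write(data)


def demo():
    """Baseline a constructed toolkit, simulate tampering, and return the report."""
    with tempfile.TemporaryDirectory() as stick, tempfile.TemporaryDirectory() as safe:
        manifest = os.path.join(safe, "toolkit-manifest.json")  # kept off the stick
        _put(stick, "tools/scanner-setup.exe", b"constructed clean installer")
        _put(stick, "tools/procview.exe", b"constructed clean utility")
        _put(stick, "notes/remediation.txt", b"constructed notes")
        write_manifest(stick, manifest)

        # Constructed changes of the kind to look for after visiting a suspect machine.
        _put(stick, "autorun.inf", b"constructed placeholder")
        _put(stick, "RECYCLER/S-1-5-21-0/update.exe", b"constructed placeholder")
        _put(stick, "tools/procview.exe", b"constructed clean utility plus extra bytes")
        os.remove(os.path.join(stick, "notes", "remediation.txt"))
        return verify(stick, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere the suspect machine never touches, such as the phone from tip #2, and rewrite it after deliberately updating the tools.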

#4 Check for broader attack

Determine whether the attack is an ordinary bit of malware visiting your unlucky laptop, or a feint: a sequence of attacks designed to exploit the usual remediation steps rather than succeed with the initial infection.

#5 Disaster recovery walkthrough

Even if you're fortunate enough to avoid a data loss on this occasion, it's still worth exploring the disaster recovery options that might have been taken. They may need updating.

#6 Update bookmarks

The sobering experience may turn up some useful online security Web content. Update your phone's bookmarks.

#7 AAR and documentation

In the military, it's called "After Action Review," or AAR. After the malware has been removed and damage corrected, assess which tools were needed and make them more convenient to access. Document what happened. Ensure that your CEO doesn't encounter the same nuisance just before she heads out to testify before a Congressional subcommittee.

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

113 comments
centralservices

Ludicrous that in 2010 a mainstream operating system allows an unprivileged user session to write to system files. Endpoint protection / AVS is never more than a bandaid anyway and an expensive resource-hogging kludge that wastes everybody's time and shouldn't be necessary at all.

Zenith545

Could be totally possible that whatever "infected" the writer's system had nothing at all to do with the internet site he was visiting. Could have been from the hotel or another person at the hotel. Recently at work, our PCs and laptops were hit with a trojan program. Due to network security, or lack of the site still being up the Trojan was trying to contact, not much happened, even though the trojan tried to infect removable media and network shares. Here's the kicker - the Enterprise AV solution from McAfee did not recognize the threat of the initial package. BUT - Malware's Anti-Malware did in fact ID it as a backdoor trojan. Even after numerous updates from McAfee, we are still cleaning up the registry autorun settings and fake Recycler folders. McAfee, to its credit, does now ID and delete the file, but does nothing about the registry settings or fake Recycler folders. Point is, funny how a free solution can ID the trojan, but one our corporation pays money for cannot.

Bob N.

I recently adopted Rollback RX as a first line of defense for malware attacks. When I first became acquainted with the product I thought it was just too good to be true, but once I started testing it I became convinced of its value for me and my clients. Rollback RX takes snapshots of a computer each day at boot up by default and on demand. If a computer gets an infection, recovery is easily achieved by rebooting and recovering to the previous snapshot. The program sits ahead of the normal Windows boot process, and when a recovery is initiated, it takes an emergency snapshot of the corrupted system. Once the recovery has been completed, you or your client can mount the emergency snapshot in a virtual drive and recover any documents, PST files or other items of value that were added or changed after the recovery point was created. Yesterday I had occasion to walk a client through this process. I had recently scoured the computer to clear out multiple malware agents and I insisted that we put Rollback RX on the system. It paid huge dividends yesterday when the client was attacked yet again. The one flaw that I discovered was that this particular client rarely turns his computer off. The last snapshot I had was from May 2, but I had no concerns. I restored from that snapshot, mounted the emergency snapshot in the virtual drive, located and copied the up-to-date PST file, several documents and a folder of photos and brought them into the recovered system. I also taught my client how to manually take a snapshot and I set Rollback to take a snapshot at 6 AM each morning since the client hates to turn his computer off at night. I also asked the client where he goes on the Internet to see if we could pinpoint what behavior was leading to these attacks. It turns out that he is in a fantasy baseball league. The organizer recently had his email address book hijacked which led to a virus-laden message sent to every contact, including my client.
Better yet, the fantasy baseball league's website is the likely vector for these attacks because it is managed by the same dope who had his email address book hijacked. Perhaps the most amazing thing to me about Rollback RX is the speed with which it all takes place. Snapshots usually take less than 30 seconds, restores usually take me only a minute or two and locating files from the virtual hard drive snapshot depends mostly on the organization and discipline of the client's work habits. When I saw the video about this product I thought it was too good to be true, but it has turned out to be exactly as advertised and my clients can now fix their own problems very quickly and easily if they prefer to save a tech support call to me and the invoice that follows. The product also manages fragmentation of the snapshots on its own, has a very small disk storage requirement and can handle up to 60,000 snapshots before it has to start off-loading the oldest ones to make more room. I also use Rebit (recently renamed SaveMe) on some client systems for continuous data backups and bare metal restore capabilities. I had this on my wife's computer when her one-year old hard drive died with no possibility of recovery other than a very expensive trip to Seagate or other such recovery firm. With Rebit and the USB hard drive to which it saves its snapshots, I simply replaced the hard drive, booted from the recovery CD, told Rebit what I wanted it to do with the new drive (in this case, restore the C and D partitions) and twenty minutes later on a 500 GB drive I was ready to reboot as if nothing had happened. The only thing my wife lost was two email messages. I now often use these two products in tandem - Rollback RX for instant recovery and Rebit (SaveMe) for bare metal restore and exact point in time recovery if I don't want to have to figure out what files a client needs to recover from a Rollback RX emergency snapshot.
They have saved me huge amounts of time when dealing with malware attacks and my clients have appreciated the reduced cost for recovery in the few instances where a recovery was the better solution.

desirawson

Did anyone notice that "SLAX" is mainly tools that deal with non-Microsoft products?

Tink!

is the 7 tips. They all have validity and should be duly noted. As for the blog post and the story itself, we could spend all day nitpicking the details, but in the end, where does it get us? The 7 tips are still the same no matter if we prove the story bogus or not.

mattpam99

I just had a horrifying experience! Have a 5-computer wireless network & use AVG protection. I was playing online poker on a Win.7 unit and received a fake Microsoft screen advising of a virus infection and offering to remove it by purchasing AV software called "Antivirus Soft" for $45. I attempted to remove it using 'ControlPanel' with no success; rebooted and ran AVG, which showed no virus infection! However, I now could not access Explorer. I switched to a XP/sp3 computer and reached MS. 7/24 support. I explained the problem to a very patient technician who took over my Win.7 computer and removed the fake AV program. He recommended removing AVG and downloading Win. Security Essentials. Which I did. Over the past 25 years I have few kind things to say about Microsoft - but this time they came through for me. Now my Win 7 computer is clean and back on line!

Nkohen

Malwarebytes will remove the worst of the worst and our Support Desk continues to rely on it when standard (and robust mind you) AV apps like Symantec or VIPRE fail to prevent/recover from an attack. Even in cases where the malware blocks access to the internet except for its own ransomware site, the mbam software can be introduced via USB stick or remote control (LogMeIn, anyone?). Even in the cases where it isn't possible to run any .exe files (like the mbam installer), running the machine in safe mode and then installing and running mbam works every time and hopefully will continue to do so (fingers crossed).

XnavyDK

I thought some of his tips were on the money and yes, some malware like xp anti-virus does do a takeover of sorts. And since I'm a "first Responder" (only responder) I deal with this on a regular basis. My "corporate av" which will remain nameless from an end point of view... hint hint, does what it's supposed to do (sort of, not really). Are there tools that work better? Sure there are. Are there people with different opinions about which is better? Sure there are. I see no reason to blast the writer, someone can see this as good information and it appears as though from a user point of view some worthwhile information. Like point 1, yes, try to do no more damage than you have to. 2. or use another pc if available, but makes sense. 3. yup keep one on me at all times, synced to a file on my pc which I update frequently. 4. mostly don't get this one, but web malware for the most point is central to the user's pc that is infected, as in the fake AV crap, they don't infect others on a network they are just annoying and trying to make money off unsuspecting "users". 5. Sure, check your vulnerabilities and the rest make sense I guess, but why be rude?

T Mike

yea, sounds a bit like a fairy tale to start- well, at least it reopens the conversation as to what to do -again-eh

Timbo Zimbabwe

As others have already asked, I wonder how you identified that malware was "taking over your Windows notebook". Seriously, bud, I don't think that *any* of us buy this story...

SlvrBulet

In dealing with small business users with various degrees of operating systems, they demand that they be the local administrator on their machine. The owners usually don't care what their employees install on their computer and don't want to pay me to come out every time an employee wants to make a change or install some software. They understand the risks and even the costs of me coming out to repair an infected machine, but they don't want to hear their users complaining about it. Microsoft - being driven by (average) users (not IT), has continually attempted to appease the end user's experience while at the same time attempting to protect the operating system from the user's "ignorance". I remember a time when, in order to install a program, one had to log out completely and log in as the administrator. That restriction is still possible, it is simply not the default and requires intentional configuration for it.

AnsuGisalas

A lot of people seem to think McAfee is a joke.

Zenith545

Since Rollback RX itself acts like a rootkit, loading before the OS does, it may be unusable in situations or even ID'd as a root kit by some AV or anti-malware programs. For example, where I work, the laptops have encryption software on them that runs before the OS loads. Adding another such "rootkit" program will not be good and probably break the encryption software, rendering the computer hard drive useless to the immediate user. To its credit, GMER did in fact ID the encryption software as a possible rootkit threat.

alexisgarcia72

I don't know the product but seems to be a good one. Start making the system secure by limiting user permissions. This is the first line of defense, not having a good disaster recovery routine.

knowlengr

Thanks for the extensive post. I don't know enough about this solution to address its suitability for my (ahem, nonfictional) use case, but you make a case for a deeper dive.

knowlengr

It's nothing fancier than a non-Win place to host files that *may* be less vulnerable when attaching to an infected machine. It was intended as an example of that approach.

dayen

being paranoid ex cop firefighter medic front line tech I carry A laptop with a 300 GB drive setup with VMWARE DVD burner for virus scanning I have USB drives 3 32GB with antivirus and malware tools I carry drive bays USB for IDE and SATA so I can scan and back up infected drives. I have blank DVD burn for ubcdwin4 2 bootable USB DVD DRIVES just in case one extra computer in case theirs does not have enough MEM. my first priority is to see if any info left the system backdoor, keylogger password thief or data miner. if so letter will be mailed out to all who may have been compromised. all info is backed up (remember I don't lose data) then I use drive wipe from a cold boot and it reinstall time. for computer with software we don't have no wipe take more hours to check and test if everything is working. like Michael Kassner said a list of what to is hard I will try but it a big maybe. would probably be better as a group effort

XnavyDK

MS Security Essentials is a great tool. I even recommend it to people I do side work for, and everyone else I come into contact with. But as always, don't rely on any one tool. SuperAntispyware, Malwarebytes free, AVG portable (yes they have some new tools check em out) and Spybot S&D are my tools for first response.

mcswan454

I will repeat myself... I apologize. The tips are very worthwhile. I said so, and will defend that statement. I was wrong to go on the attack, as many of you chastised me for. I take full responsibility for leading the topic away from a tech discussion, into a d**k-swinging contest. We're better than that, and we've all read too many posts in that direction. Now, what do we do collectively, with our collective experience, to hammer out some really good methods of handling this issue? Isn't THAT after all, why we're here? And I DO sincerely apologize (checks self, danglies still intact, feels good to admit he's wrong sometimes...) M.

jdclyde

No one tool can do it all. I have found other infections with S&D and a few other apps AFTER clearing out the worst of it with Malwarebytes. I run at least three different utilities, all in safe mode, one after another until after a reboot I can run all three without any of them finding anything.

zenodaddy

We have found that most anti-viruses either detect infected files and refuse to remove them or ignore them altogether. We use a corporate mainstream anti-virus that most companies use (unfortunately) and have never never seen it remove or detect a single malware infection (or trojan for that matter). Malwarebytes has been my number one tool to remove malware infections over the past few years. On average we tend to find at least 4 infected files on every single scan.

knowlengr

As a regular First Responder, you're probably in a better position to rank the seven most important tips.

mcswan454

Guess I did come off rather wrong there. We're IT Professionals. I anticipate the articles written to be delivered in a certain fashion. Remember your audience. I'm disappointed only as I'd rather the author simply outlined his points, than provide what just whiffs as a beginning. I actually had to make myself read the remainder of the article because I couldn't rationalize the silliness of the situation. When I send you out with a company laptop, I expect the worst. Thus, your AV solution is going to be updated, you WILL be instructed on what to and what not to do with it (without making you feel like a child). Why? You get your work done, and I get to sleep, or play with my wife (leave that alone) as your trip will be a success, and I don't have to take a phone call at 3:00 am after something just ate the presentation you need to give tomorrow at 9:00 am. If you're going to use a case study, state so. I doubt very highly many end users are here at TechRepublic looking for tips. But us Techs are! Remember your audience. Again, I apologize. M.

SlvrBulet

After working on a variety of different businesses' PCs and removing numerous trojans, viruses, etc. I found myself searching for these causes to mimic the end-user. Most of the time, my end-users encountered the attack by browsing forums or social networking sites. So I started randomly searching forums and browsing social networking sites and lo and behold after clicking on a link to a new page or to view a picture, the webpage would be redirected to another site displaying an animated GIF of a Windows Explorer window and the appearance of a scan taking place with multiple threats being detected. At the same time a pop-up window appears advising that malware was found on the computer and to "click here" to "clean your PC". On these particular attacks described above, I have found that by clicking the "X" button, using Alt-F4, and in all of my encounters, even clicking the cancel button, closes this dialogue box. Then on the browser, I clicked the back button and was taken to the previous page. In the beginning, I would close the browser, clean my cache, delete the contents of my temp folder and run a virus scan just in case, but I don't even do that any more until my weekly maintenance. So far, I have never (knock on wood) been infected by doing this. This was tested on two computers. A Windows XP SP3 PC running AVG Antivirus (paid) and a Windows 7 PC running Microsoft's Security Essentials. By all means, this is not an endorsement for the antivirus software because neither alerted me to malicious content (AVG's webshield did alert me a few times, but not every time, that the web page was being redirected). My point is that by not panicking, AND READING THE DIALOGUE BOXES and even examining the other visual elements of trickery used, you can avoid the annoying and tedious task of troubleshooting and data recovery and/or rebuilding the PC config.

alexisgarcia72

I agree with you. A brand new computer new user has local admin privileges. This is a real bad practice. Rule Nr1 is to setup the regular user as standard or limited user. This is 50% of security, the rest is firewall, updates, Antivirus, Antispyware, etc. I have windows 2000 workstations controlling manufacturing process since 2001 without a single issue... The user who works with the workstation is a standard user, they cannot change or install anything.

dayen

No user is allowed Administrative rights on our networks Only IT is allowed to install software. no personal software other than Palm or Blackberry etc. and must be work related, no games and no personal e-mail accounts our company understands security. Thank GOD I am not in your boat been there and don't want to go back to it again. I remember a company who lost their access data base because an employee installed their home data base program. did they have backup no could I get them to put one in NO! did they get virus yes everything that came along. yea they're not in business today.

zenodaddy

The last time McAfee had found an infection, warned the user and then refused to remove the said infection was about 2 years ago in the companies I have worked for. I find the enterprise edition to be a complete waste of money for a company. There has to be a better solution.

dayen

McAfee, will not put it on a computer 12 years ago maybe more they joined Network associates and went downhill fast. very sad how the mighty have fallen

mlafflin

A cop fireman superhero you may be, but sensible English sure seems to give you a challenge it seems. Good luck with that.

Ron K.

McAfee Site Advisor for both Firefox and Internet Explorer are valuable tools to me. For instance, we, at TR, had some nimrod post a link to an innocuous sounding website the other day. Feeling adventurous I clicked on it and McAfee immediately strobed red, couldn't miss it. I had my mouse on my home icon, (which is a blank page) and I got out of there before anything could really happen, a couple of seconds at the most. I warned other TR members but who listens to me. :^0 Anyway, I didn't get infected with anything or even see what the web page was all about. I marked it as spam and let it go at that. McAfee is free, JD. It doesn't take much in the way of resources and simply resides next to other crap you have running in your toolbars, like No Script and whatever. I highly recommend that you give it a shot and if you have I'd like to know why you don't use it. I intend to buy 3 copies of Malwarebytes realtime protection. Santee's experience with it made me decide to do that. It's on my list of shlt to do.

XnavyDK

You did have a good point tho.

knowlengr

I hear you, but on this occasion I did not respond to any of those windows. (Been tricked before, but not this time). This one went beyond "clicking X" and visual trickery.

XnavyDK

Some of my guys call me and are merely looking at a web page acting like a virus that is not on the PC yet until they click on it. So when they call me, I tell them to hold the power key down for 10 seconds. Better that than click on something or try to explain how to force the browser to close. Sure there are drawbacks to a hard reboot, but have you tried to explain to your grandmother the difference between malware and vmware?

alexisgarcia72

This is the good real best practice. Best practices even indicate admin staff must have two accounts: the regular one for daily work and the a-administrator account for admin tasks. Admin accounts must be used ONLY when you need to perform administrative tasks.

AnsuGisalas

Perhaps people who're experienced in dealing with the flaws of windows computers? Not docking the MSSE, but I'll wait and see. My current solution won't allow MSSE to install, so that's another reason why I wait.

jfuller05

I'm running it on a test network. What company would know a windows computer better than Microsoft?

dayen

Ok I will take an English class can't hurt before I write list. thank you

santeewelding

Rather than click on it, I skated around it by entering its bare essentials into the McAfee "Secure Search" bar in order to watch the light show.

TBBrick

In my experience, most users want it KISS when their computers freak out. This is what I tell my users to do when they get the weird stuff: #1. Do *NOT* click anything/anywhere on the pop-up. #2. Immediately call the Help Desk line. #3. Do not type, click, wiggle, or breathe anywhere on/near the computer until someone in IS gives the Ok.

TBBrick

But I do appreciate turning us onto ERUNT.

knowlengr

These other TR posts will be helpful to some readers.

1101doc

"BEFORE they call IT" Run this morning's ERUNT backup, reboot and start a Malwarebytes scan. They can continue to work until you get the time to check their system to assure that it is clean.

dan

Very good info, I had not heard of the Ultimate Boot CD for Windows project. Thanks for taking the time.

ultimitloozer

Ultimate Boot CD for Windows. It's a free tool which allows you to take WinXP installation files & create a disk of common anti-virus/anti-malware tools to use to disinfect systems. It also contains backup, partitioning, formatting & many other tools you can use as a general repair disk. I use it to create weekly images (on my hard disk) that I can quickly burn to a CD when someone calls with malware issues.

DoubleBarrel

1. If you have them on the phone, have them shut down the computer. Many computers will do a decent shutdown if the power button is pressed momentarily. If not, hard shut down.
2. I like to keep a USB drive with the latest Malwarebytes, SuperAntiSpyware, AVG (free), SpyBot S&D, and Threatfire from PCTools.
3. When I arrive, I boot in safe mode if possible and do a system restore to a few days prior. 75% of the time, this will get the machine running. I then install Malwarebytes, AVG free (if they have no A/V), and Threatfire free and run them to check for hidden problems.
4. I use UBCD4Win and update it at the worst monthly. If the rollback didn't work, boot from this CD. I use the Avira, Malwarebytes, SuperAntiSpyware, Spybot S&D, and it lets you boot the computer with a clean operating system to physically remove programs when possible. (If you want to use a USB stick, plug it in before booting).
5. Clean all temporary internet files, cookies, and Temp files manually. Don't trust the browser to do this properly. If they don't need IE proper I install FireFox for a browser as it is not part of the operating system and I have had better results security wise.
6. Worst case, you have to format and reinstall the OS, use the UBCD4Win CD to boot the computer with a USB drive plugged in and backup any needed data (they probably haven't done this) and then remove the partition, re-partition and format the drive and reinstall the operating system and drivers. Then the fun starts getting all programs reinstalled and system setup the way they had it.
Hope this helps and others will have their preferences to add I am sure.

AnsuGisalas

A lot of users might not recognize a fake AV attack... what with the big box on the table being "the computer" and the big box under the table being "the harddisk" (with its nifty albeit weirdly sized pop-out "beverage holder"). I'd like to see a list like that too... but I'll start with those, thanks Michael.

dan

As a matter of fact I have read and filed all three of those posts and found them very helpful. I look forward to seeing what you come up with. I think it's a common enough occurrence and if someone can boil the options down to a best practices under most circumstances - it could help a lot of users and IT staff. Kinda like field triage before the surgeons with the nice lights get in and fix things.

dan

With all due respect, after all the rancor I still didn't get an overall consensus from the pros for an action plan for users who have stumbled or fallen into a virus alert status. I like the hard reboot for quick response and I realize there are different strategies for different situations but it would be nice if you pros who deal with this stuff all the time could offer a quick action plan list for us with less experience. Is there a general list of steps you would recommend for users who have good reason to suspect they were just infected by a drive by or some other infection? Assuming their computer is suddenly chewing peanuts for no reason, responding very slow, or in general acting poorly. And by list I mean, shut the system off, run XYZ AV followed by XYZ. The things you want them to do BEFORE they call IT. It would be nice to send a list of action steps to users so just in case they have a clue. Thanks, I know this may seem obvious but the power of forums like this is the combined experience of the pros.
