Windows Explorer trying to connect various IPs

Discussion in 'other firewalls' started by stalker, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hello again ...



    I have one more question related to ZA Pro. To be more exact, Program permissions - Expert rules ...


    It is about Windows Explorer. I know it is not an "internet related" program, but just yesterday, when I set it to "Block" (red cross mark) and looked a bit in Log Viewer, I noticed that it is trying to connect to many IPs, on many different occasions.


    Is this traffic legitimate, or potentially dangerous?

    Are there some "generic" (universal) rules about Windows Explorer, like for example: which sites (if any) it must have permission to visit for some other program (or update procedure, etc.) to work properly, or something like this?


    EDITED: I recognize some of the IPs and ports. For example I am certain that all blocked entries with port 2334 are somehow related to my p2p sharing program, and all blocked traffic on port 53 (DNS) is an outgoing attempt to my current ISP ...

    But what kind of traffic is this, if all my files download/upload quite normally?



    P.S., Anyway, I leave it as "Block" (red cross mark), and for a better feeling I also made an Expert Rule to "Block All" (Any) for now, but now I experience an error in IE, that "Search Engine could not be started" when going to unresolved IPs, or typing some word or domain which does not exist, and so on (meaning resolved in my hosts file), or if I go to a resolved domain I get the common error message "Cannot find server or DNS Error". And IE behaves strangely in general ...

    Only IE windows started after making these rules ...


    ... not sure if it is related to changing these rules, but it sure started right after




    thanks, you are all very friendly here on Wilders ...
     


  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I think that the traffic you are seeing is potentially dangerous. The port being directed to on most of these entries is used by SoulSeek P2P Filesharing or possibly by Age of Empires

    http://isc.incidents.org/port_details.html?port=2234

    but I would expect either of those to use their respective applications. I think you should download and run the trial of TDS3 from

    http://tds.diamondcs.com.au/index.php?page=download

    Once you have it installed, and before you launch it, download the latest Radius database from the same page and overwrite the file in your TDS folder. Then launch TDS, set your sensitivity settings to maximum and scan your entire drive.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,279
    Location:
    New England
    Are you a gamer? 2234 is often related to Internet based games.

    It would also be interesting to know everything else running (active) on your system while this is happening, as well as seeing the time stamps (how fast are these occurring?).

    Edit: Ah, I see Dan is on this... A thorough scan with a few tools may very well be in order! Still, I'd like to know what else is running on the system.
     
  4. stalker

    stalker Registered Member


    Yeah, sorry, I edited my post right after you replied to it.

    I am well aware that ports 2334-2340 are used by Soulseek. But I am certain only the slsk.exe process should use these ports/TCP endpoints to slsknet.org and a few other hosts (I see that clearly in the TCPView application I got from www.sysinternals.com)...

    So is it some kind of strange traffic?

    Do you suggest setting Windows Explorer to "Block All", as I did?




    What is this program, if you could be more specific? I don't like to install programs over and over. I had that habit, but I managed to "deal" with it and made myself a selection of really good, stable, actually needed and not too resource-consuming programs.


    I could post a list of running processes here, if you had that in mind. But I think nothing so "special" is running right now ...
    Just common programs, and a few "monitoring applications" I constantly use.

    The log entries follow each other within a matter of seconds, not over the long term!!


    P.S., No, I am not a gamer ...



    Thanks
     
  5. LowWaterMark

    LowWaterMark Administrator

    Well, my general idea on looking at what is running is this...

    Sometimes, Windows Explorer does things on behalf of other programs and not necessarily on its own. So, if there were file sharing (or network related games) or other very "network talkative" programs running at the same time as these alerts, then that might be a clue. Likewise, if you stop all such programs (in this case, shut down the p2p completely) and the alerts also stop for Windows Explorer, that is another clue.

    Now Dan's point is a very good one... He's pointing to the idea that maybe some malware (a Trojan, or perhaps other) has attached itself to Windows Explorer and you may need to do some in-depth Trojan and/or Virus scanning. TDS-3 is a commercial Anti-Trojan product. It does have a 30-day free evaluation which you could use to scan your system for Trojans and some other malware. TDS has a forum right here at Wilders and this is their website:

    http://tds.diamondcs.com.au/
     
  6. stalker

    stalker Registered Member


    Sorry, I also forgot to mention.

    I am well aware of worm activity, how the files look, how they are spread.

    I use CA EZ eTrust Antivirus 6.1.7.0, which scans with real-time protection (opening, closing, even only browsing through a directory which contains a worm), and also includes normal scanning (of drives, like Ad-aware or Spybot S&D, not the real-time kind). Its definitions are updated every 1-2 days ...

    I actually keep a collection of worms in an encrypted volume/file, so when scanning I must choose not to "clean" but only to "report", so that I can move them normally.


    So I am certain I haven't got any worm on my HD, except those I want to have ...


    P.S., I don't use web-voice or any program of that kind. Only ulook, IE, ZA Pro, eTrust, and various other non-essential programs (which are not necessarily running all the time, or when connected to the internet)



    Thanks
     
  7. stalker

    stalker Registered Member

    Hmmm, very strange ...


    I just realized that all the tracks that should have started downloading after making that rule (to prevent all Windows Explorer traffic) didn't start ...


    Something was apparently wrong ...


    But then, after I set Windows Explorer to "Ask" and deleted the one expert rule "Block-All/Any", I got an alert: "Do you want Windows Explorer to use Soulseek to connect internet" (see attachment) ...


    So I went and made expert rules for incoming/outgoing connections to the Internet Zone (Soulseek users), on ports 2234-2240, TCP protocol.

    And right after clicking the "Apply" button, downloads started.


    So it looks like Windows Explorer connects to exactly the same IPs as slsk:

    TCP; users on ports 2234-2249 - incoming/outgoing
    TCP; server on port 2240 - incoming/outgoing
    UDP; my ISP on port 53 (DNS) - only outgoing

    ... and it SHOULD have permission to connect in this case, or Soulseek wouldn't start downloading!!!




    Thanks
     


  8. LowWaterMark

    LowWaterMark Administrator

    Ah, that alert is a little different then. Windows Explorer itself is NOT accessing the Internet. That specific alert says "Do you want Windows Explorer to use Soulseek to connect internet..." and is an example of ZAP's advanced program control capability. It sees Windows Explorer calling to Soulseek, which in turn is going to access the Internet.

    It is a subtle difference, but it is a difference. Many programs call others to access a network resource now. Also, some of those same programs will themselves directly access the Internet on their own for certain other functions.

    In any case, it looks like you got it working now.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Well, with all due respect, trojans present enough of a difference to make their detection very problematic for most anti-viruses. And, AdAware and Spybot in particular would be very poor at detecting them even though they are great for adware and spyware.

    It is possible you have a dll-injecting trojan active within your explorer process.

    [Late Edit - Yup I see you isolated it. No dll-injected trojan then :D ]
     
  10. stalker

    stalker Registered Member


    Yeah, but CA EZ eTrust Armor is actually also a "worm-execution preventer", please believe me. Its alerts are actually annoying, there are so many of them. It detected ALL the "mydoom" worms I got in my mail as attachments lately. And I mean all - all extensions .scr, .zip, .exe, .bat, etc., all the "tricky" names the programmer used to give these files, etc.

    Though I know there are other "forms" of worms out there ...


    Could you be more specific, in which manner does Windows Explorer "use" Soulseek?


    I edited my previous post and added that it obviously connects to exactly the same IPs as slsk:

    TCP; slsk users; on ports 2234-2249 - incoming/outgoing
    TCP; slsk server; on port 2240 - incoming/outgoing
    UDP; my ISP; on port 53 (DNS) - only outgoing

    Why?

    Why also to the ISP?



    P.S., I am also posting here the screenshot of that IE error message I am still getting ...

    Do you think I need to give Windows Explorer some more permissions/rights?

    Which ones then (if any)?
     


  11. LowWaterMark

    LowWaterMark Administrator

    Just to explain what I was talking about... In the specific alert you detailed above, it asked you if you wanted to allow "Windows Explorer to use Soulseek to connect internet..." That is not the same thing as Explorer itself directly accessing the Internet.

    What this one means is it was Windows Explorer that initially ran (started) the Soulseek program. That makes it the "parent" of Soulseek. Programs are often started by other programs - it's how programs are run. Since Explorer is the interface between you and your PC, many programs you run will have Explorer as their parent (or calling program).

    Zone Labs recommends, and I agree, that you give Windows Explorer the permission to run other programs, otherwise you will see an awful lot of unnecessary alerts and you will block things that will break other programs from working correctly. (Now, the only programs that it can run without producing yet another "alert" in ZAP are those programs that you've already given permission to access out. So it's not a big problem security-wise to do this.)

    This is the setting in ZAP for my Windows Explorer. (ZAP > Program Control panel > Programs tab > select "Windows Explorer" > hit "Options" button...) See image below.

    So yes, I think you should set the option "This program may use other programs to access the Internet." for Windows Explorer. But know this! On my system I have that set, but I have Windows Explorer set to all "?" in its main Program list entry. That way I can still approve it whenever IT wants to access the Internet directly.
     


  12. Dan Perez

    Dan Perez Retired Moderator

    This is for name resolution. IP packets are directed to numeric IP addresses. If there is something that needs to be sent to a readable hostname (such as www.wilderssecurity.com) it needs to first be translated into the appropriate IP address. This translation is done either through the local hosts file (which is usually very small or non-existent) or through the designated DNS servers, which are usually hosted by your ISP. The DNS queries and responses run over UDP port 53.
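
The resolution order Dan describes (hosts file first, then a query to the ISP's resolver on UDP port 53) is shown below as an added example; it is not code from the thread or from any product mentioned in it. The query is built and the reply parsed by hand so the bytes behind those "UDP 53 outgoing to my ISP" log entries are visible. The hostnames, the 10.0.0.5 and 192.0.2.10 addresses and the sample reply are constructed for illustration; `udp_exchange` is the only function that touches the network, and the demo swaps it for the canned reply so everything runs offline.

```python
import socket
import struct


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def build_query(name, txid):
    """Standard recursive A query: 12-byte header, QNAME labels, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid):
    """Return the A-record addresses; reject a txid mismatch (spoofed/stray reply) or an error RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def udp_exchange(server_ip, packet, timeout=3.0):
    """Send one datagram to server_ip:53 and return the reply (this one talks to the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 53))
        return s.recv(512)


def resolve(name, hosts_text="", server_ip=None, exchange=udp_exchange, txid=0x1234):
    """Hosts file first; only on a miss does a UDP/53 query leave the machine."""
    hit = parse_hosts(hosts_text).get(name.lower())
    if hit:
        return [hit]
    return parse_response(exchange(server_ip, build_query(name, txid)), txid)


# Constructed reply for www.example.test -> 192.0.2.10 (TEST-NET-1; no real host involved).
SAMPLE_QUERY = build_query("www.example.test", 0x1234)
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, RCODE 0
                + SAMPLE_QUERY[12:]                                   # question echoed back
                + b"\xC0\x0C"                                         # name = pointer to offset 12
                + struct.pack("!HHIH", 1, 1, 300, 4)                  # A, IN, TTL 300, 4 bytes
                + socket.inet_aton("192.0.2.10"))


def demo():
    """Offline run: one hosts-file hit, one DNS answer served from the constructed reply."""
    hosts = "127.0.0.1 localhost\n10.0.0.5 printer.lan  # constructed entry\n"
    return (resolve("printer.lan", hosts),
            resolve("www.example.test", hosts, exchange=lambda _ip, _pkt: SAMPLE_REPLY))


if __name__ == "__main__":
    print(demo())
```

The transaction-id check is the one detail worth keeping even in a toy resolver: a reply arriving on the open UDP port with the wrong id is exactly what a spoofed or stray answer looks like, and a firewall log line for "incoming UDP 53" that has no matching outgoing query is the same symptom seen from the other side.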
     
  13. stalker

    stalker Registered Member



    Ah, I see now. That was the part I missed (when I tried to explain it to myself). Because I always start slsk.exe (Soulseek main executable) from inside Total Commander, it seemed strange to me why Soulseek's parent is always Windows Explorer and not Total Commander ...


    Well, the answer is - because Total Commander is also started by Windows Explorer (and Windows Explorer by the System process --> NT-based OSs), as are all other programs at boot-up (I put Total Commander in the registry HKLM....Run, to run at startup) - the so-called process tree ...

    So this explains why one day Zone Alarm reported the same alert: "Do you want to allow "Total Commander" to use Soulseek to connect internet..." , after I (forgot why) closed Total Commander, started it from the desktop link, and right after that started the slsk.exe executable.

    When I closed Total Commander it "lost" its "parent", so at that time Total Commander was truly the parent of the Soulseek process ...



    So anyway, you suggest giving these rights (to use some other program, etc.) to these kinds of processes (like Explorer.exe and Totalcmd.exe), but making some reasonable expert rules to tighten their permissions ...

    The question here is how Zone Alarm distinguishes when Windows Explorer connects "directly" and when it is using another application (like Soulseek). Which rules are then applied to this particular traffic?

    Soulseek Program General/Expert Rules, or Windows Explorer Program General/Expert Rules?




    Thank you both for your friendly answers
     
  14. stalker

    stalker Registered Member

    Sorry, again I was wrong here. I tried the same thing today, and even when starting Total Commander from the desktop, Windows Explorer was again its parent process (in the process tree). But anyway, I discovered how I got that similar message, but with Total Commander instead of Windows Explorer ...

    I must have "terminated" Windows Explorer (maybe for "fun", or just to test what happens, etc.). Of course in this case the desktop and system tray also disappear, and one would think: "Oh no, I screwed it up, I need to restart the computer to get my tray back", but there are several ways to save yourself ...
    1.) Sometimes Windows itself restarts the Explorer.exe process right after terminating it ...
    2.) One option is to switch with Alt+Tab to some other process (like Total Commander, if one uses it) and simply start Explorer.exe ...
    3.) Open Task Manager (Alt+Ctrl+Del) and run it from there ...

    So, in any of these cases, all processes that are running (and were started by Explorer.exe on startup) lose their parent. Actually in the second case Total Commander would now be the parent of Windows Explorer ...



    So, to explain in more detail what I mean here: what if I don't want Total Commander to connect to the internet in any way (so I make that kind of rule), but it is needed by Soulseek, as mentioned ...

    How does Zone Alarm "deal" with this, which rules are applied to Total Commander (if not connecting directly, but "through" Soulseek), and are these communications really not potentially dangerous, in case I didn't "tighten" its permissions (like I did) and allowed it all communications?

    And maybe the most important question - why does only Soulseek (and maybe a few others, though I don't remember any other) "require" its parent to connect?
    Why don't all the other "internet related" programs, which all have Windows Explorer as their parent like Soulseek, require Windows Explorer to connect to the internet?

    P.S., I just discovered that Outlook Express also doesn't get my mail if there are no Expert Rules for Windows Explorer as well, which would allow communications on the SMTP, POP3 and HTTP ports. So the strangest thing is - I set Windows Explorer to "ASK" right after installing Zone Alarm Pro, and have had it as "ASK" all the time, but never got any alerts. So these communications were obviously permitted (without me knowing)

    But now, after setting it to block, I continuously get a mass of alerts ...



    Many thanks for your responses
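
LowWaterMark's explanation of the "Windows Explorer is using Soulseek" alert (Explorer is the parent that started Soulseek) and stalker's observation above that killing explorer.exe leaves its children without a parent are two sides of the same mechanism: a process records only the PID of whatever started it. The snapshot analysis below is an added example, not code from the thread or from ZoneAlarm, and it makes no claim about how ZoneAlarm itself tracks parents. The process table is constructed to mirror the tree described in the posts (System -> explorer.exe -> totalcmd.exe -> slsk.exe); the PIDs, the launch-order stamps and notepad.exe are invented for illustration. On a live Windows machine the same four fields can be read from Win32_Process (ProcessId, ParentProcessId, Name, CreationDate).

```python
from collections import namedtuple

# One row of a process snapshot.  `start` is a launch-order stamp (on Windows this
# would be the CreationDate of Win32_Process); it lets us tell a genuine parent from
# a process that merely inherited a recycled PID.
Proc = namedtuple("Proc", "pid ppid name start")


def parent_chain(snapshot, pid):
    """Names from `pid` up to the root, as a tool keyed on parent PIDs would see them.

    The walk stops early and records why when the recorded parent no longer exists
    ('<orphan:PPID>') or was started after the child, which means the PPID was
    reused by an unrelated program ('<stale:NAME>').
    """
    table = {p.pid: p for p in snapshot}
    chain, seen = [], set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)                      # guards against cycles in corrupt data
        chain.append(cur.name)
        if cur.ppid in (0, cur.pid):           # root of the tree
            break
        parent = table.get(cur.ppid)
        if parent is None:
            chain.append("<orphan:%d>" % cur.ppid)
            break
        if parent.start > cur.start:
            chain.append("<stale:%s>" % parent.name)
            break
        cur = parent
    return chain


def broken_links(snapshot):
    """PIDs whose recorded parent is gone or is younger than they are."""
    table = {p.pid: p for p in snapshot}
    bad = []
    for p in snapshot:
        if p.ppid == 0:
            continue
        parent = table.get(p.ppid)
        if parent is None or parent.start > p.start:
            bad.append(p.pid)
    return bad


# Constructed snapshot mirroring the thread: Explorer (started by System) runs
# Total Commander from the HKLM Run key, and Soulseek is launched from Total Commander.
BEFORE = [
    Proc(4, 0, "System", 0),
    Proc(800, 4, "explorer.exe", 10),
    Proc(1200, 800, "totalcmd.exe", 20),
    Proc(1500, 1200, "slsk.exe", 30),
]

# Same machine after explorer.exe (PID 800) was terminated and a new one started
# from Total Commander, and PID 800 has since been handed to an unrelated program.
AFTER = [
    Proc(4, 0, "System", 0),
    Proc(1200, 800, "totalcmd.exe", 20),      # still points at the dead Explorer's PID
    Proc(1500, 1200, "slsk.exe", 30),
    Proc(2100, 1200, "explorer.exe", 40),     # Total Commander is now Explorer's parent
    Proc(800, 2100, "notepad.exe", 50),       # recycled PID 800 (invented for the example)
]


if __name__ == "__main__":
    print(parent_chain(BEFORE, 1500))   # ['slsk.exe', 'totalcmd.exe', 'explorer.exe', 'System']
    print(parent_chain(AFTER, 1500))    # ['slsk.exe', 'totalcmd.exe', '<stale:notepad.exe>']
    print(broken_links(AFTER))          # [1200]
```

The practical point for anyone writing rules that depend on "which program launched which": the parent PID is a number captured at creation time, not a live link, so after a restart of explorer.exe the recorded chain can end in nothing or, once the PID is reused, in a process that had nothing to do with the launch. The creation-time comparison is the usual way to catch that in forensics tooling.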
     
  15. stalker

    stalker Registered Member

    Yeah, I will also post one screenshot here, which "proves" that Windows Explorer connects to exactly the same destinations as Soulseek.

    Not to mention that now I discovered more problems (because I really want to tighten the permissions as far as possible) ...

    Now svchost.exe also needs permissions, for example to my ISP, etc., and if I don't give it those permissions (same as in the Windows Explorer case), I can't browse the net (strangely, sometimes only some pages, but that probably varies because of some other rules I created, where I gave permission to visit/have established communication with certain hosts) ...
     


  16. stalker

    stalker Registered Member


    Yeah, sorry for so many posts, but here is really the strangest one ...

    After giving svchost.exe permission to connect and receive connections to/from my ISP, UDP, 53 (DNS), I get these entries in Log Viewer.

    -- SEE SCREENSHOT --

    There sure is one entry which shows that traffic was permitted, but right after, for the same IP, same communication (outgoing), same protocol and port - it is blocked ...

    EDITED: I discovered where the difference between those two lines is. The one that is BLOCKED is HIGH rated, and the one that is ALLOWED is MEDIUM rated ...


    I am really becoming more and more confused. Because, as mentioned, I have always had svchost.exe and Windows Explorer set to "ASK", but I didn't get any alerts (so, logically, I assumed there wasn't any traffic), but as I said, right after setting it to "BLOCK", alerts suddenly started appearing, and there are SO MANY of them, so there must be some REAL traffic going on. But as I mentioned in my previous post, if I DON'T give that permission (either to Windows Explorer or to svchost.exe), I CAN'T browse the internet, Outlook doesn't receive e-mails, I can't update some programs, etc ...

    So, please, any suggestions on how to finally make all the Expert Rules.



    P.S., I copied the Expert Rules from Soulseek and Outlook to the Windows Explorer and svchost.exe Expert Rules, but in some cases it just DOESN'T help. For example I still can't browse my hotmail account on the web, nor receive mails in Outlook ...


    As far as things look now - EVERYTHING depends on Windows Explorer (looks like even Internet Explorer sometimes ...) and svchost.exe ...
     


  17. stalker

    stalker Registered Member

    I am also posting the ZA alert I get for svchost.exe, and it is a new one for me - because it contains the word ... Temporarily!!


    Is the problem here maybe that some rules (because I know some are applied right away, like program permissions, etc.) are applied only "inside" the current session (Windows log-on, boot-up, or maybe internet connection session), so if I chose "BLOCK" the first time I was asked, this is applied till the end of the current session?

    Do you have any idea what is going on?

    Why suddenly can't I browse (some pages), why is Outlook behaving as it is?


    If all I changed was that I made Expert Rules (for both Windows Explorer and svchost.exe), but LEFT both on "ASK" (so, as far as I know, I should always be asked about these two, and not automatically Blocked ...
     


  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think that your problem is related to how ZA works and how it sees things.
    Why I think that: it's because explorer.exe has no need at all to access the internet nor to launch applications to access the internet on my computer, and it is totally blocked without any side effects or blocked applications (Windows XP).

    Explorer is the parent of any executable you double-click on, at the application layer, yes, but then, if the application accesses the internet, to my eyes the application itself accesses the internet (just think that in fact YOU have launched the app). It's different from an application which has a web link in it, and when you click on it the app launches IE to access the internet; this time both exes are linked.

    Unfortunately I can't help you much, I just find it strange that explorer was linked to an internet access, but as I said, maybe it's just the way that ZA works and has its own way to manage internet access.
     
  19. stalker

    stalker Registered Member



    Thank you for your answer/tip.


    Yeah, I tried it now (I don't know how I didn't remember to do this earlier ...), and RESTORED all rules to the state of two days ago, so before I changed them (for Windows Explorer and Generic Host Process for Win32 Services), and as I wrote in previous posts, Windows Explorer was set to "ASK" for all (server and access, Trusted and Internet Zone permissions), but there were also NO Expert Rules made for it.

    But I was wrong about Generic Host Process for Win32 Services. It was set to "ALLOW" for all (server and access, Trusted and Internet Zone permissions), also with NO Expert Rules made ...


    But anyway this doesn't explain why (with the configuration I have restored) there are NO more alerts now when it is connecting to the internet using some other program (Soulseek, etc.), like there were previously (see - screenshot - in one of my previous posts)!!

    Also, I see clearly that now (with the restored configuration) there are also no more entries in Log Viewer like there were before I restored the configuration. NONE. Like previously (see - screenshot - in one of my previous posts), Soulseek's "ALLOW" entries are here, but NONE for Windows Explorer.

    Does that mean that all traffic was allowed (and IS allowed now, with the restored configuration) for Windows Explorer, even if it was/is set to "ASK"?

    The logical explanation/answer is that Zone Alarm gives a certain program FULL permissions, even if it is set to "ASK" (but with NO Expert rules). Is it so, then?




    Thank you all
     
  20. LowWaterMark

    LowWaterMark Administrator

    No, that's not true. Zone Alarm does not give access rights to programs that are different than the settings in the Program tab - with or without expert rules in place.

    The questions you are asking are too complex for an easy answer, and the configuration you have, especially given this restore you just did, is also too complex to be sure what's going on without seeing all the details of every program, setting and rule.

    Most people say that they must grant svchost.exe allow access out to the network in order for their systems to work normally. On my XP system, I have to do so as well. But, I do not give it server rights. It isn't needed.

    Also on my system, Windows Explorer is set to "ask" for all settings, and it rarely if ever asks for access, but, Zone Labs default configuration does have Windows Explorer set (as shown way above in my last screen image) to allow it to call other programs to access the Internet. Again for the reasons I described above.

    The big change that happened somewhere along the way was you changed your configuration and defined "expert rules" for these programs. It was these rules you said just above here that were gone when you went back to your previous configuration. The issue then becomes - "What exactly were these expert rules you defined?" and "Why did you define them?"

    You need to understand precisely what you are trying to accomplish and then use great care when defining firewall rules or you can either: 1. make things not work (which is what happened) or, 2. actually weaken your security by defining bad rules.

    When you restored your configuration, your system started working as it should, so the logical assumption is that the rules you defined were not correct. You need to "step back" and figure out exactly what you are trying to accomplish, then you need to carefully craft rules to do that. Copying rules from a normal application program over to either Windows Explorer or svchost.exe is not the way to do it. These two Windows programs are special and unique, and are not like other applications on your system. If you are going to add rules to them, they need to be specially crafted rules.

    However, in my opinion, special rules are not needed for these two programs, and I don't define rules for them on my system.
     
  21. stalker

    stalker Registered Member

    O.K., that is probably true, though I really don't remember getting alerts when it was set to "ASK", with NO Expert Rules.
    But ...
    If it is set to "ASK" and there are NO Expert Rules, as I mentioned, and I get an alert prompt and choose "YES" (to allow access or server rights), then without additional rules does it get "FULL" access/permissions?
    And conversely, if it is set to "ALLOW" and there are NO Expert Rules, then without additional rules does it get "FULL" access/permissions?
    And one more possibility: if it is set to "ASK" and there ARE Expert Rules, and I get an alert prompt and choose "YES" (to allow access or server rights), then I suppose the Expert Rules are applied in this way?




    Hello. All I did was copy all the rules (almost all, some were not needed) from the program-specific Expert Rules to the Windows Explorer and Generic Host Process for Win32 Services Expert Rules ...

    - Also I must mention that Soulseek, for example, "requires" only Windows Explorer (or I would need to say Windows Explorer "requires" Soulseek) and not Generic Host Process ...

    - On the other hand, a few of my programs that use on-line update (virus definitions, etc.) "require" only Generic Host Process, and not Windows Explorer. All this I see from the ZA Pro alerts when rules are very/too "tight" ...


    As you said very well - the problems were only caused by adding Expert Rules. But the thing is, I really want to be well protected. Maybe I should mention here that I actually don't use the "Trusted" Zone at all!!!

    I discovered all the IPs that are needed for a certain program from ZA Alerts, Log Viewer and my program TCPView from http://www.sysinternals.com, so I add only them, and not the whole Trusted Zone, in one specific rule. Of course for Internet Explorer I add only the Internet Zone for the HTTP port



    - Maybe the biggest confusion here is that I don't completely understand how these two programs (Windows Explorer, Generic Host Process) "use" some other program. What this actually means. Are they connected as well? Which rules are applied then? And if there are some that are restricted in the Windows Explorer rules but permitted in the Soulseek rules, and Windows Explorer "uses" Soulseek to connect, would Soulseek function normally?!?

    Because in my screenshot you could see there were pairs, same IP, same port, for Soulseek and Windows Explorer, and I was able to download/upload only if BOTH were allowed. If the Soulseek entry was allowed but Windows Explorer's wasn't, the connection FAILED!!!

    Could any malicious code be allowed to have access to my PC, not through Soulseek but from Windows Explorer, when it "uses" Soulseek to connect?!?


    P.S., This is also very strange. If I set the "NOT Allow Open Process" method, I am continuously getting alerts (see screenshot):
    "Generic Host Process not allowed to call Open Process on Internet Explorer", and the same for Outlook Express, and even for Soulseek.
    Is this legitimate/normal, should I give it that permission too?


    Why not?
    If I discovered that it requires exactly the same IPs, ports and protocols as the programs (Outlook, update features of various programs). Could it be dangerous?
    Even I don't see why, because copying all the rules from the programs and then putting "BLOCK-ALL-ANY" rules at the end (like in all the programs Windows Explorer and Generic Host Process are "using" to connect) "tightens" permissions much more than if it were set to "ASK" (and then I would always choose "YES", granting access for the programs they "use" to work properly), or "ALLOW", but with NO Expert Rules ...


    And as the most important part of this post - a few questions about ports, IPs and protocols which I discovered were also blocked during that time (when I had the "problematic" configuration), and maybe are also with the "right", restored settings ...

    1. What are these two kinds of traffic:
    Comment - Protocol - Remote Port - Direction
    NetBIOS Name - UDP - 137 (NetBIOS) - Outgoing (from My Computer to my ISP)
    TCPFlags ISP - TCP - 135 - Incoming (from my ISP to My Computer)

    2. What is this traffic: Incoming instead of Outgoing, as usual ...
    Comment - Protocol - Remote Port - Direction
    DNS Servers - UDP - 53 (DNS) - Incoming (from my ISP's DNS Servers to My Computer)

    3. What is this traffic: TCP instead of UDP, as usual ...
    Comment - Protocol - Remote Port - Direction
    localhost - UDP - / - Outgoing (from My Computer to 127.0.0.1)
     


  22. stalker

    stalker Registered Member

    Cause it is not possible to send two screenshots in one post, I am just posting second important screenshot here. It is about Hotmail account, which "require" too much permittions in my opinion ...

    So, here (see attachment) is example of alert I get, cause my rules block sending "NetBIOS Name" to a.sc.msn.com. And therefor because all of this trafic, it is not allowed, my hotmail account doesn't work. Should I give it tall that permittions - NetBIOS Name, TCP Flags (see my previous post) ??


    Yes, but here is the sange thing, as I mention, when I have set both on "ASK", with no Expert Rules ...
    1. I wasn't warned (or at least not so many times, maybe once, or twice per session) for this two program connection attempts
    2. There was NO adittional alerts (if traffic was blocked, ar allowed), nor entries in Log Viewer neither (to see actually activity). Suppose cause they WEREN'T blocked, and "reporting-level" was the same - set to HIGH ...

    P.S., Actually everything is working now with "problematic rules configuration" - Soulseek, Internet Explorer, also in Outlook Express all smtp/pop3 based e-mail accounts are working, exept Hotmail account. Whatever I tryed, allowing rules, step-by-step, etc. (exept restoring to previous configurations) it just didn't work. I get an Outlook error: "A time-out occured while communicating with server", and strange, I can't connect Hotmail account also in Internet Explorer (though, I can to mymsn.com, and read my mail there).

    A few times, I was redirected to this page (the end seems significant - reason=nocookies):
    http://www.hotmail.msn.com/cgi-bin/sbox?did=1&t=55f5mmTNUDWtLFLAO2kkEhLLlHsdZFWWCenZ79Su1LTKsyXkKtnT4bJn7dlaFVO8sygSTtOkhiEGr6i3MXyMwBqg$$&p=5!cAJvFCpF0hU3uv0vHXZYdfvqoZ7gNDFkAxj7EGrrlWX5lSvukEmeJvTUSjMElASLT6AJX0HbuNF1g2i08YOQhO!sAMpXMnko*evqPu7Em7sKP*3zZdHxbfjPv7KAT*8DNsOln8MzVVfFXeT6Gm2qS3C3NMNlC14fY43CvI!TI0xSARJSOTgRbg$$&rru=%2fcgi-bin%2fhmhome&reason=nocookies


    So, from my point of view, the Hotmail account requires too many permissions for my taste. I think that it is not working because of TCP Flags and NetBIOS Name being blocked - see below (there are no other blocks except them, when watching Log Viewer while Outlook is connected to the e-mail servers)

  23. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,279
    Location:
    New England
    Well that's just it. It must be the contents of the Expert Rules that is causing the alerts in the first place. So far, the alert you posted for Windows Explorer on the first page was not an alert for it to access the web directly, but rather it was blocked from calling another program (soulseek) and having it access the Internet.

    That is true. Any program you set to Allow, or that is set to Ask and then you say Yes to an access alert - that program will get full access, not limited access as you might put in place with Expert rules.

    However, you need to fully understand what type of access these programs need before you try to define expert rules for them. Windows Explorer and svchost.exe are not normal user programs like soulseek, your email client or browser. They have special purpose and functions on Windows systems.

    That is the problem. Why would you copy the specific rules from a normal program like soulseek over to either/or both Windows Explorer or Generic Host Process... ? They are very different programs. The rules soulseek needs are going to be very different from these two Microsoft service programs.

    It "required Windows Explorer" - but how so? Was it an actual access from Windows Explorer to the Internet or was it again "Windows Explorer using soulseek" to access the Internet. These are very different, as I've said above. You must look in detail at the blocked alerts to be sure these are "calling program" alerts, not direct access alerts.

    As I mentioned, it is very normal for svchost (Generic Host Process) on XP to need "access outbound to the network", especially for DNS and other network specific routines. My recommendation is to allow svchost access out, but set server rights to Ask and see if/what might trigger server access. (I never get alerts for svchost trying to act as server on my system, but it is set to Ask for the Server column. And I do set it to Allow for the Access out column.)

    That's fine, many people don't.

    If it's set up correctly, that should work, too.

    Well, it's all about what program is the parent of another when that other program accesses the Internet. As we discussed above, Windows Explorer can very often be the parent of many a program. By default, ZAP will set Windows Explorer to be allowed to call other programs to access the Internet. Zone Labs recommends this as I mentioned, and I have mine set this way, too.

    Well, as I said - the problem is that the relationship between Windows Explorer and other programs on the system is a complex one. I don't know what rules you'd need to put on Windows Explorer to ensure that everything on XP, including other network accessing programs, would work properly - mainly because it is not recommended to define expert rules for Windows Explorer.

    I'm afraid I can't figure any other way to say this than I already have. You'll need to do a real lot of trial and error if you define expert rules on Windows Explorer and/or Generic Host Process... And in the end, you'll need to be sure you haven't accidentally allowed more access rather than less by using this approach rather than the default.

    No, not without getting an alert for the malicious program itself... You see, even if you allow Windows Explorer to call other programs, and you allow a program it can call (like soulseek) to access the Internet... When malicious program XYZ attempts to call either Windows Explorer or soulseek, you'll still get an alert from ZAP asking if you want to allow XYZ to call whichever program. That's the good thing about how ZAP monitors programs calling other programs - it monitors and alerts on all of them.

    Yes. Generic Host Process does many service functions when it comes to the network and it communicates to normal client programs (like IE) with the network information it is servicing. (DNS is the most common, but there are other functions in svchost.)

    This is answered above the best that I can explain it. This is just not the right way to approach defining rules for these Windows programs.

    Well, the first one looks like you have NetBIOS enabled on your system. Do you have a LAN and other computers right inside your house, and if so are you using "file and printer sharing" between these systems? If not, you should disable NetBIOS.

    As to TCP Port 135, what do you mean the incoming is "from your ISP"? For what host or server at your ISP? Are you sure these aren't just normal worm probes like we all are seeing? (Many infected systems on the Internet are scanning 135/tcp looking for systems to infect.)

    It depends upon when you are seeing these. If you always get these - every time you access any webpage, or any host on the Internet for any function (email, News), then you have your rules too tight and you are blocking DNS resolution traffic coming back from your ISP's DNS servers.

    If you only get these occasionally, then it is another normal condition that many of us see. If DNS responses take too long to return from your ISP's DNS servers, a firewall can "time out" on that connection and instead of seeing these packets as replies to previous requests that you did make, they look like new unsolicited packets and are blocked. This can happen if there is any network delay or slow down at your ISP's DNS servers.

    TCP instead of UDP? But you are showing the comment: UDP outgoing to 127.0.0.1. Which is it you are asking about TCP or UDP?

    For UDP it's most likely loopback. A good example of when you should be allowing that is for IE. IE talks to itself via UDP loopback...
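    An added illustration (not code from the thread, and not how ZoneAlarm is implemented) of the state tracking LowWaterMark describes above: a tiny Python model of a firewall connection table with a UDP timeout, showing why a slow DNS reply gets logged as an unsolicited incoming packet while a prompt one is accepted, and why the data of a download still belongs to an "outgoing" flow because the PC initiated it. The addresses, timestamps and the 30-second timeout are constructed assumptions.

```python
# Added example: a minimal stateful tracker that mimics how a personal
# firewall decides whether an inbound packet is a reply to traffic the PC
# sent earlier or an unsolicited inbound packet. Addresses, timestamps and
# the 30 s timeout are constructed for illustration, not ZoneAlarm's values.
from dataclasses import dataclass

FLOW_TIMEOUT = 30.0  # seconds a flow stays in the table after the last packet (assumed)


@dataclass
class Packet:
    ts: float        # seconds since the log started
    proto: str       # "udp" or "tcp"
    direction: str   # "out" = this PC -> remote, "in" = remote -> this PC
    local: tuple     # (ip, port) on this PC
    remote: tuple    # (ip, port) on the other side


class StateTable:
    def __init__(self, timeout=FLOW_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (proto, local, remote) -> timestamp of last packet seen

    def classify(self, pkt):
        key = (pkt.proto, pkt.local, pkt.remote)
        if pkt.direction == "out":
            self.flows[key] = pkt.ts          # PC initiated or continued the flow
            return "outgoing"
        last = self.flows.get(key)
        if last is not None and pkt.ts - last <= self.timeout:
            self.flows[key] = pkt.ts          # inbound data on a flow the PC started
            return "reply-to-outgoing"
        return "unsolicited-incoming"         # no live flow: treated as a new inbound packet


DNS = ("198.51.100.53", 53)   # constructed ISP resolver (RFC 5737 documentation range)
PC = ("192.0.2.10", 3001)     # constructed local address and ephemeral port

# Constructed log: a prompt DNS reply, a late reply from a slow resolver, and a
# p2p transfer on port 2334 where the file data arrives "in" on an outgoing flow.
PACKETS = [
    Packet(0.0, "udp", "out", PC, DNS),
    Packet(0.2, "udp", "in", PC, DNS),
    Packet(60.0, "udp", "out", PC, DNS),
    Packet(95.0, "udp", "in", PC, DNS),                                   # 35 s later: timed out
    Packet(100.0, "tcp", "out", ("192.0.2.10", 3002), ("203.0.113.7", 2334)),
    Packet(101.0, "tcp", "in", ("192.0.2.10", 3002), ("203.0.113.7", 2334)),
]


def run(packets=PACKETS, timeout=FLOW_TIMEOUT):
    table = StateTable(timeout)
    return [table.classify(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(PACKETS, run()):
        print(f"{p.ts:6.1f}s {p.proto} {p.direction:3} {p.remote} -> {verdict}")
```

Raising the timeout (the `timeout` argument of `run`) turns the late DNS reply back into an accepted reply, which is the trade-off behind the "occasional" blocked DNS packets described above.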
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,279
    Location:
    New England
    The first thing you need to determine here is whether you actually need NetBIOS running on your system at all. If not, disable it and then try to track just what alerts remain when that is taken out of the picture.

    It could very well be "Privacy" tab related (something being blocked there), or there could be other sites involved in accessing Hotmail that you have not given permissions for, or it may require fewer restrictions on Generic Host Process or Windows Explorer... When exactly did Hotmail work before? (When you had no expert rules, or were other settings involved / changed?)

    Hotmail is a little different than many other emails and therefore it may be harder to determine the exact rules you'll need. You'll just have to try different rules to see what works, and perhaps ask questions of other hotmail users.
  25. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    First of all - thank you VERY, VERY much for all the explanations. And especially for the patience with me and my many questions. Well, at least "we" maybe help someone else with our "debate" to determine how to set his Expert Rules ...
    Well, hopefully (for you, LowWaterMark, to have some rest ... lol ...) this is my last question in this topic (and not on Wilders in general ...), because I think I have all the knowledge I need to set the right Expert Rules ...



    Yes, I believe you convinced me about this. And if it's recommended like that by Zonelabs ...
    And also, it is just too complicated to set everything. Though I succeeded in a way (everything working, except the Hotmail account), I might need some day some other IPs or ports (needed for some new program, or something) that are not in my current Expert Rules for these two processes (Explorer.exe and svchost.exe), and then I would need to do all this (testing, browsing Log Viewer, etc.) once more ...
    But anyway, I will mention here that on my XP system svchost.exe asks for server rights ALL THE TIME, so this is probably caused by differences in our system/internet/software configuration ...



    As I mentioned (see one of the "big" screenshots in one of the previous posts) - because, for example in the case of Windows Explorer, it seems it connects to exactly the same IPs, ports and with the same protocol as Soulseek - the line in a previous post where I mention that they are in pairs (entries in Log Viewer for both programs, Soulseek and Windows Explorer), so it seems clever to give them the same rights. In that way, I know it will connect only with the same permissions as are applied for the programs which it uses (Soulseek in this case) and is required for, and nothing more.



    Sorry, I can't answer to that one. See the "big" screenshot with "pairs" ...



    Sorry, you see, I meant more like "malicious traffic/communications/access", not an actual program/process ...



    NO, I am certainly not using a LAN, just a normal 56K dial-up modem. I also don't have any other computers inside my house, except the one I am using right now, and I am not using any "file and printer sharing" features.

    I actually don't have any printer at all (nor internet-voice devices), and I only share my files with p2p sharing program Soulseek, but you probably didn't mean that.

    Where can I see whether NetBIOS is enabled/disabled? Though I am almost sure I haven't enabled it, and that it wasn't by default either. I remember there was something about protocols, and there was an option to allow or disallow NetBIOS, maybe somewhere under Control Panel - Modem and Telephone Options, but I can't find it anymore (though, I haven't searched for a long time ...)

    P.S. Under Control Panel - Internet Connections/Properties - Connections - Settings - Networking tab, I see two features, "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" ( - see screenshot - ). Could I also disable these two ??

    Actually I already tried, and disabled both, and everything seems to work normally. I am just curious if this is truly the right thing to do in my case (dial-up, with no printer, no "requests" to Microsoft, like update, on-line help, etc.) ??

    Could I also "uninstall" them, besides disabling them (if I am certain I will not use them) ??



    So, I need to "ALLOW" both Incoming and Outgoing traffic for DNS Servers ??
    I thought all the time that only Outgoing is required, because that is seen very often, but Incoming only once or twice per session ...


    TCPFlags ISP - TCP - 135 - Incoming (from my ISP to My Computer)
    TCPFlags - TCP - 135 - Incoming (from my ISP to My Computer)

    Maybe the word ISP just by TCPFlags confuses you. Again, my mistake. So, the right form is the second line above ...

    I simply meant it as it is written - Incoming TCP protocol traffic from one of my DNS servers on (Remote) port 135, to My Computer, probably on (Local) ports 3000-5000 ...



    The one that is used for DNS queries most of the time, and I see it very, very often, used by almost all "Internet related" programs ...

    P.S., my ISP uses 2 servers for DNS queries and other DNS traffic, as I discovered so far, and to also mention this: I sometimes put, for some programs, a whole IP range instead of one IP. Hope this is not dangerous in the case of IPs which are in my ISP's range ...



    Sorry again, I wrote it wrong (damn "cut and paste"), you're right - I meant TCP (as it is written in the line above the wrong one); usually my computer connects to localhost with the UDP protocol.

    By the way - what actually is localhost? I read somewhere that it is my computer, but my computer has actually two different "names": in "un-resolved" form they are 127.0.0.1 and 0.0.0.0, and in "resolved" form it is mz-9s680eu689tz. What communication is this actually, and how is it possible that My Computer "Establishes" (or only "Listens" for) a connection to My Computer ??


    P.S., The last two additional questions here are - what Expert Rules (if any) do you suggest to set for alg.exe - Application Layer Gateway Service ??

    And again - a question about Incoming vs. Outgoing traffic. It confuses me a little - why are all Soulseek communications "Outgoing", even though it is clear that, for example, traffic - files that I am currently downloading from some Soulseek user - (so called uploading) should be "marked" as "Incoming", as far as I understand your explanation in one of the previous posts. Or maybe there are just no entries for this in ZA Pro - Log Viewer ??
    Is uploading one of the "forms" of Incoming traffic, do I get this right ??




    Thanks again for all your help