Sounds like you need to read the cert.org article on how to respond to system intrusions. See http://www.cert.org/security-improvement/modules/m06.html.

Good luck,
Scott Edwards
http://www.daxal.com