Trojan Horse Online Games



#1
Chirag64

Hello, I'm using Windows XP on my PC and lately I have been affected by this trojan/spy or whatever it is... I can't seem to find out much about it, nor am I able to get rid of it.

Symptoms: My PC has become very slow and I have to log in from safe mode for it to work at normal speed :) . cmd.exe windows keep opening and making my monitor go blank. My Kaspersky Internet Security anti-virus goes nuts when this virus starts an attack; though it has detected a couple of files as OnLine Games.Win32 virus, it just deletes 2 of its files, which come back after every reboot :)

Here is my HijackThis log, which I could take in safe mode... I can get one in normal mode also if required.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:58 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Opera 9.27\Opera.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\system32\swsxachu.dll
O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll
O2 - BHO: nhmxbjkl.dll - {27AC9076-C898-B098-D098-A18319080972} - C:\WINDOWS\system32\nhmxbjkl.dll (file missing)
O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\system32\lassaplo.dll
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll
O2 - BHO: lijzclit.dll - {3C954872-1230-6541-9548-6541025884C3} - C:\WINDOWS\system32\lijzclit.dll
O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\system32\apsgdjba.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: pjjxedwd.dll - {54FAE856-AD58-20CB-A025-CD4895FA6E45} - C:\WINDOWS\system32\pjjxedwd.dll
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll
O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll
O2 - BHO: zywmfime.dll - {6319A1F1-9410-9654-3201-345FFA349136} - C:\WINDOWS\system32\zywmfime.dll
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll
O2 - BHO: ypdjfbmp.dll - {81954FAC-1023-154F-895A-1458258AD818} - C:\WINDOWS\system32\ypdjfbmp.dll
O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\system32\yxfhcjpg.dll
O2 - BHO: zxptejpg.dll - {91698482-6555-3666-1222-954784129019} - C:\WINDOWS\system32\zxptejpg.dll
O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\system32\yzztimsn.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-790525478-329068152-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-329068152-682003330-500\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-329068152-682003330-500\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E1B217-78B9-4E64-A857-CD47632DCE96}: NameServer = 202.144.115.4,202.144.66.6
O20 - AppInit_DLLs: hjk.dll,gjbhr.dll,ilkyu.dll,yukevg.dll,sergy.dll,ergfwe.dll,hffgth.dll,tyjert.dl
l,rthkyuk.dll,jkjkll.dll,ghjyer.dll,kergt.dll,fgthde.dll,losdf.dll,gfcfg.dll,rege
r.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,x
fgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,ths
ddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,nj
ritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dl
l,wergjuk.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb
.dll,fjnbv.dll,grgrjj.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dl
l,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.
dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.
dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfthe
r.dll,
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

--
End of file - 5251 bytes


I also tried using UnhackMe to search for hidden trojans or processes but none found :)

I know that some of the files that are related to this trojan are

C:\WINDOWS\system32\ukrth.dll
C:\WINDOWS\system32\hjmh.dll
C:\WINDOWS\system32\unxxx.bat



unxxx.bat is what makes the cmd.exe windows open and creates some temporary files in the 'C:\WINDOWS\temp\' folder (I think)

I used procexp.exe (a task manager from www.sysinternals.com) to see the dlls that each process loads and was shocked to see that the above dll files are being used by many processes, so all my windows processes are affected too.

Also, my problem is connected to this problem, so maybe you people can configure something from our common problems
http://www.geekstogo...es-t200647.html

OK... so this is all I know... PLEASE HELP ME WITH THIS :)
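
Added example, not part of the original posts: a small triage parser for a HijackThis log like the one above. It re-joins the hard-wrapped `O20 - AppInit_DLLs` entry (DLLs named in that registry value are loaded into every process that loads user32.dll, which fits what Process Explorer showed) and flags O2 BHO entries whose display name is just their own file name in system32 or whose file is missing. The function names, the heuristic and the sample log are assumptions made for this illustration; a flag is a prompt for review, not a verdict.

```python
import ntpath
import re

# Constructed sample in the HijackThis v2.0.2 layout. File names and CLSIDs are
# invented; the O20 entry is hard-wrapped the way the log in the post is.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: aaexampl.dll - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\aaexampl.dll
O2 - BHO: bbexampl.dll - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\bbexampl.dll (file missing)
O2 - BHO: Vendor Helper - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Vendor\helper.dll
O4 - HKCU\..\Run: [Example] C:\Program Files\Example\example.exe
O20 - AppInit_DLLs: one.dll,two.dll,thr
ee.dll,four.d
ll,
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe

--
End of file - 0 bytes
"""

ENTRY = re.compile(r"^O(\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)( \(file missing\))?$")


def unwrap_entries(log_text):
    """Return [(section, text)] with wrapped continuation lines glued back on."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:                          # a new "O<n> - ..." entry starts here
            current = [int(m.group(1)), m.group(2)]
            entries.append(current)
        elif not line:                 # a blank line ends the entry list
            current = None
        elif current is not None:      # wrapped tail of the previous entry
            current[1] += line
    return [(section, text) for section, text in entries]


def appinit_dlls(entries):
    """DLL names listed in the O20 AppInit_DLLs entry, in order."""
    dlls = []
    for section, text in entries:
        if section == 20 and text.startswith("AppInit_DLLs:"):
            value = text.split(":", 1)[1]
            dlls += [d.strip() for d in value.split(",") if d.strip()]
    return dlls


def bhos(entries):
    """Parsed O2 Browser Helper Object entries."""
    found = []
    for section, text in entries:
        m = BHO.match(text) if section == 2 else None
        if m:
            found.append({"name": m.group(1), "clsid": m.group(2),
                          "path": m.group(3), "missing": m.group(4) is not None})
    return found


def triage(log_text):
    """Summarise the AppInit_DLLs list and BHO entries worth a closer look."""
    entries = unwrap_entries(log_text)
    flags = {}
    for bho in bhos(entries):
        folder, fname = ntpath.split(bho["path"])
        reasons = []
        # Heuristic (assumption): legitimate BHOs usually carry a product name,
        # not just the name of their own DLL sitting directly in system32.
        if (bho["name"].lower() == fname.lower()
                and folder.lower().endswith("\\system32")):
            reasons.append("self-named DLL in system32")
        if bho["missing"]:
            reasons.append("file missing")
        if reasons:
            flags[bho["path"]] = reasons
    return {"appinit_dlls": appinit_dlls(entries), "bho_flags": flags}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(len(report["appinit_dlls"]), "AppInit_DLLs:", report["appinit_dlls"])
    for path, reasons in report["bho_flags"].items():
        print(path, "->", ", ".join(reasons))
```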


#2
OldTimer

Hello Chirag64 and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

#3
Chirag64

Thanks for noticing my problem, OldTimer, sorry to reply so late... I've attached the file that you had asked for... the only problem is that ATF Cleaner did not detect Opera on my PC (which I use the most among all browsers)... I hope you understand the problem soon and help me get rid of this trojan :)


#4
OldTimer

Hi Chirag64. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
eth8023
mbr
Files to delete:
%allusersprofile%\documents\sys24035.bin
%allusersprofile%\documents\sys30824.bin
%systemdrive%\docume~1\chirag\locals~1\temp\mbr.sys
%systemdrive%\migregdb.ex_
%systemroot%\system32\1f9o.dat
%systemroot%\system32\amcompat.tlb
%systemroot%\system32\ciwdaapi.sys
%systemroot%\system32\crugd.cfg
%systemroot%\system32\crugd.dll
%systemroot%\system32\dehkj.dll
%systemroot%\system32\dhugtj.cfg
%systemroot%\system32\drivers\cdralw.sys.del
%systemroot%\system32\drivers\eth8023.sys
%systemroot%\system32\drivers\eth8023.sys.del
%systemroot%\system32\dscef.cfg
%systemroot%\system32\dscef.dll
%systemroot%\system32\dtrgjy.dll
%systemroot%\system32\fsrgeb.dll
%systemroot%\system32\fydgky.dll
%systemroot%\system32\fyhje.dll
%systemroot%\system32\gmnait.dll
%systemroot%\system32\hfrdzx.dll
%systemroot%\system32\hfrdzx.dll.del
%systemroot%\system32\hgfhk.cfg
%systemroot%\system32\hgfhk.dll
%systemroot%\system32\hgnmjsdg.dll
%systemroot%\system32\hhrdxd.dll
%systemroot%\system32\hhrdxd.dll.del
%systemroot%\system32\ijsgajba.sys
%systemroot%\system32\jggtsr.dll
%systemroot%\system32\jhrcar.dll
%systemroot%\system32\jhrcar.dll.del
%systemroot%\system32\jkhjsd.dll
%systemroot%\system32\jyjlt.cfg
%systemroot%\system32\jyjlt.dll
%systemroot%\system32\kduy.cfg
%systemroot%\system32\lariytrz.cfg
%systemroot%\system32\lariytrz.dll
%systemroot%\system32\lesxachu.sys
%systemroot%\system32\ngjxakin.sys
%systemroot%\system32\njritc.cfg
%systemroot%\system32\njritc.dll
%systemroot%\system32\nscompat.tlb
%systemroot%\system32\oqrthc.cfg
%systemroot%\system32\pzwmaime.sys
%systemroot%\system32\rgghjj.cfg
%systemroot%\system32\rgghjj.dll
%systemroot%\system32\rhs.cfg
%systemroot%\system32\rhs.dll
%systemroot%\system32\sthth.cfg
%systemroot%\system32\sthth.dll
%systemroot%\system32\thef.dll
%systemroot%\system32\tiwxattb.sys
%systemroot%\system32\toqnabib.sys
%systemroot%\system32\tyjert.cfg
%systemroot%\system32\unxxx.bat.del
%systemroot%\system32\vusetup.dll
%systemroot%\system32\winsys.reg
%systemroot%\system32\wymxajkl.sys
%systemroot%\system32\wyrsdj.dll
%systemroot%\system32\wyrsdj.dll.del
%systemroot%\system32\xdhdg.dll
%systemroot%\system32\xfgnfx.cfg
%systemroot%\system32\xfgnfx.dll
%systemroot%\system32\xfgnxfn.cfg
%systemroot%\system32\ydgn.cfg
%systemroot%\system32\ydgn.dll
%systemroot%\system32\zdesfx.dll
%systemroot%\system32\zdesfx.dll.del
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%systemdrive%\found.010
%systemdrive%\found.011
%systemdrive%\found.012
%systemdrive%\found.013
%systemdrive%\found.014
%systemdrive%\found.015
%systemdrive%\found.016
%systemdrive%\found.017
%systemdrive%\found.018
%systemdrive%\found.019
%systemdrive%\found.020
%systemdrive%\found.021

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
NY -> (eth8023) eth8023 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\eth8023.sys
NY -> (mbr) mbr [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Chirag\LOCALS~1\Temp\mbr.sys
[Registry - Non-Microsoft Only]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> fyhje.dll -> %SystemRoot%\system32\fyhje.dll
YY -> hgnmjsdg.dll -> %SystemRoot%\system32\hgnmjsdg.dll
YY -> dehkj.dll -> %SystemRoot%\system32\dehkj.dll
YY -> dtrgjy.dll -> %SystemRoot%\system32\dtrgjy.dll
YN -> fgffthui.dll -> 
YN -> thyut.dll -> 
YY -> jkhjsd.dll -> %SystemRoot%\system32\jkhjsd.dll
YN -> trhth.dll -> 
YN -> rthrk.dll -> 
YY -> fydgky.dll -> %SystemRoot%\system32\fydgky.dll
YN -> yjfef.dll -> 
YY -> thef.dll -> %SystemRoot%\system32\thef.dll
YN -> gfcfg.dll -> 
YN -> frntrn.dll -> 
YN -> qrhhb.dll -> 
YN -> drghszd.dll -> 
YN -> fngn.dll -> 
YN -> gnfctt.dll -> 
YN -> xgnfn.dll -> 
YN -> xfgnhcgfm.dll -> 
YN -> serger.dll -> 
YN -> bnxnb.dll -> 
YN -> fxgnfx.dll -> 
YN -> jzijj.dll -> 
YY -> xfgnfx.dll -> %SystemRoot%\system32\xfgnfx.dll
YN -> serghjm.dll -> 
YN -> thsddh.dll -> 
YN -> xbcvxb.dll -> 
YN -> zfdzb.dll -> 
YN -> xdndn.dll -> 
YN -> xdfntt.dll -> 
YY -> hgfhk.dll -> %SystemRoot%\system32\hgfhk.dll
YN -> dnteh.dll -> 
YN -> xfng.dll -> 
YY -> njritc.dll -> %SystemRoot%\system32\njritc.dll
YN -> chmfcmh.dll -> 
YN -> jwlah.dll -> 
YY -> gmnait.dll -> %SystemRoot%\system32\gmnait.dll
YN -> hfjg.dll -> 
YN -> thurh.dll -> 
YN -> mgmgmm.dll -> 
YN -> oqrthc.dll -> 
YN -> hyjmt.dll -> 
YY -> jyjlt.dll -> %SystemRoot%\system32\jyjlt.dll
YN -> ijatnaw.dll -> 
YN -> sehhter.dll -> 
YN -> fhjfg.dll -> 
YN -> zdbdb.dll -> 
YY -> ydgn.dll -> %SystemRoot%\system32\ydgn.dll
YN -> dbfb.dll -> 
YN -> fjnbv.dll -> 
YN -> hjtdrh.dll -> 
YN -> setrhes.dll -> 
YN -> cdxbfxdb.dll -> 
YN -> xfgnxfn.dll -> 
YN -> gjkhj.dll -> 
YY -> xdhdg.dll -> %SystemRoot%\system32\xdhdg.dll
YY -> rhs.dll -> %SystemRoot%\system32\rhs.dll
YN -> mrjhtjd.dll -> 
YN -> zdbfbd.dll -> 
YN -> fjyjy.dll -> 
YN -> fxnfnh.dll -> 
YN -> bjrvm.dll -> 
YN -> ektvm.dll -> 
YN -> rdthr.dll -> 
YN -> yjrfe.dll -> 
YY -> dscef.dll -> %SystemRoot%\system32\dscef.dll
YY -> crugd.dll -> %SystemRoot%\system32\crugd.dll
YY -> lariytrz.dll -> %SystemRoot%\system32\lariytrz.dll
YN -> hjaiq.dll -> 
YN -> kduy.dll -> 
YN -> hkfgh.dll -> 
YN -> awef.dll -> 
YN -> dfhsh.dll -> 
YN -> ethsh.dll -> 
YN -> stehs.dll -> 
YY -> sthth.dll -> %SystemRoot%\system32\sthth.dll
YN -> wfhyt.dll -> 
YY -> rgghjj.dll -> %SystemRoot%\system32\rgghjj.dll
YN -> ghjkdr.dll -> 
YN -> hfther.dll -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispCPL -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispAppearancePage -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [&Google]
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [&Google]
YN -> WebBrowser\\{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{12F02779-6D88-4958-8AD3-83C12D86ADC7} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{E908B145-C847-4e85-B315-07E2E70DECF8} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\vturq -> 
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\tally63.exe -> F:\tally63.exe [F:\tally63.exe:*:Disabled:tally63]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\New CD\Klingon Academy Demo\kademo.exe -> D:\New CD\Klingon Academy Demo\kademo.exe [D:\New CD\Klingon Academy Demo\kademo.exe:*:Disabled:kademo]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Tally\tally63.exe -> %SystemDrive%\Tally\tally63.exe [C:\Tally\tally63.exe:*:Disabled:tally63]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Age of Empires\Age of kings\Age2_X1\age2_x1.Exe -> E:\Age of Empires\Age of kings\Age2_X1\age2_x1.Exe [E:\Age of Empires\Age of kings\Age2_X1\age2_x1.Exe:*:Disabled:Age of Empires II Expansion]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Microsoft Games\Age of Mythology\aom patch.exe -> D:\Program Files\Microsoft Games\Age of Mythology\aom patch.exe [D:\Program Files\Microsoft Games\Age of Mythology\aom patch.exe:*:Disabled:Age of Mythology]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\EA Games\Command & Conquer Generals Zero Hour\game.dat -> %SystemDrive%\EA Games\Command & Conquer Generals Zero Hour\game.dat [C:\EA Games\Command & Conquer Generals Zero Hour\game.dat:*:Disabled:game]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Valve\hl.exe -> D:\Program Files\Valve\hl.exe [D:\Program Files\Valve\hl.exe:*:Disabled:Half-Life Launcher]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Half-Life 2\Half-Life 2\root\hl2.exe -> D:\Program Files\Half-Life 2\Half-Life 2\root\hl2.exe [D:\Program Files\Half-Life 2\Half-Life 2\root\hl2.exe:*:Disabled:hl2]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\EA Games\NFS III\nfs3.exe -> %SystemDrive%\EA Games\NFS III\nfs3.exe [C:\EA Games\NFS III\nfs3.exe:*:Disabled:Need For Speed III for Win32]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Q2Demo\quake2.exe -> D:\Q2Demo\quake2.exe [D:\Q2Demo\quake2.exe:*:Disabled:quake2]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\TM2\TM2.EXE -> D:\TM2\TM2.EXE [D:\TM2\TM2.EXE:*:Disabled:Twisted Metal 2]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe -> %ProgramFiles%\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\EA SPORTS\FIFA 2005\fifa2005nocd.exe -> D:\Program Files\EA SPORTS\FIFA 2005\fifa2005nocd.exe [D:\Program Files\EA SPORTS\FIFA 2005\fifa2005nocd.exe:*:Enabled:fifa2005nocd]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe -> D:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe [D:\Program Files\Eidos\Pyro Studios\Commandos 3 - Destination Berlin\commandos3.exe:*:Enabled:commandos3]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Football Manager\Football Manager 2007\Football Manager 2007\fm.exe -> %SystemDrive%\Football Manager\Football Manager 2007\Football Manager 2007\fm.exe [C:\Football Manager\Football Manager 2007\Football Manager 2007\fm.exe:*:Enabled:Football Manager 2007]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\EA SPORTS\NBA LIVE 2005\nba2005 nocdpatch.exe -> D:\Program Files\EA SPORTS\NBA LIVE 2005\nba2005 nocdpatch.exe [D:\Program Files\EA SPORTS\NBA LIVE 2005\nba2005 nocdpatch.exe:*:Enabled:NBA LIVE 2005]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Warcraft III\Warcraft III.exe -> D:\Program Files\Warcraft III\Warcraft III.exe [D:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Warcraft III\War3.exe -> D:\Program Files\Warcraft III\War3.exe [D:\Program Files\Warcraft III\War3.exe:*:Enabled:Warcraft III]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Midtown Madness 2\Midtown2.exe -> D:\Program Files\Midtown Madness 2\Midtown2.exe [D:\Program Files\Midtown Madness 2\Midtown2.exe:*:Enabled:Midtown Madness 2 Executable]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Microsoft Games\Age of Mythology\aomx.exe -> D:\Program Files\Microsoft Games\Age of Mythology\aomx.exe [D:\Program Files\Microsoft Games\Age of Mythology\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MP3 Downloader\mp3downloader.exe -> %ProgramFiles%\MP3 Downloader\mp3downloader.exe [C:\Program Files\MP3 Downloader\mp3downloader.exe:*:Enabled:mp3downloader]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BearShare Applications\BearShare\BearShare.exe -> %ProgramFiles%\BearShare Applications\BearShare\BearShare.exe [C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\gykscmgk.exe -> C:\WINDOWS\system32\gyk
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe -> %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe:*:Disabled:Kaspersky Anti-Virus]
[Files/Folders - Created Within 30 days]
NY -> MIGREGDB.EX_ -> %SystemDrive%\MIGREGDB.EX_
NY -> FOUND.020 -> %SystemDrive%\FOUND.020
NY -> FOUND.021 -> %SystemDrive%\FOUND.021
NY -> FOUND.010 -> %SystemDrive%\FOUND.010
NY -> FOUND.011 -> %SystemDrive%\FOUND.011
NY -> FOUND.012 -> %SystemDrive%\FOUND.012
NY -> FOUND.013 -> %SystemDrive%\FOUND.013
NY -> FOUND.014 -> %SystemDrive%\FOUND.014
NY -> FOUND.015 -> %SystemDrive%\FOUND.015
NY -> FOUND.016 -> %SystemDrive%\FOUND.016
NY -> FOUND.017 -> %SystemDrive%\FOUND.017
NY -> FOUND.018 -> %SystemDrive%\FOUND.018
NY -> FOUND.019 -> %SystemDrive%\FOUND.019
NY -> eth8023.sys.del -> %SystemRoot%\System32\drivers\eth8023.sys.del
NY -> hhrdxd.dll -> %SystemRoot%\System32\hhrdxd.dll
NY -> hfrdzx.dll -> %SystemRoot%\System32\hfrdzx.dll
NY -> 1f9O.dat -> %SystemRoot%\System32\1f9O.dat
NY -> ngjxakin.sys -> %SystemRoot%\System32\ngjxakin.sys
NY -> zdesfx.dll -> %SystemRoot%\System32\zdesfx.dll
NY -> wyrsdj.dll -> %SystemRoot%\System32\wyrsdj.dll
NY -> jggtsr.dll -> %SystemRoot%\System32\jggtsr.dll
NY -> njritc.cfg -> %SystemRoot%\System32\njritc.cfg
NY -> ciwdaapi.sys -> %SystemRoot%\System32\ciwdaapi.sys
NY -> tyjert.cfg -> %SystemRoot%\System32\tyjert.cfg
NY -> rgghjj.cfg -> %SystemRoot%\System32\rgghjj.cfg
NY -> fsrgeb.dll -> %SystemRoot%\System32\fsrgeb.dll
NY -> vusetup.dll -> %SystemRoot%\System32\vusetup.dll
NY -> rhs.cfg -> %SystemRoot%\System32\rhs.cfg
NY -> dhugtj.cfg -> %SystemRoot%\System32\dhugtj.cfg
NY -> lesxachu.sys -> %SystemRoot%\System32\lesxachu.sys
NY -> dscef.cfg -> %SystemRoot%\System32\dscef.cfg
NY -> unxxx.bat.del -> %SystemRoot%\System32\unxxx.bat.del
NY -> pzwmaime.sys -> %SystemRoot%\System32\pzwmaime.sys
NY -> wymxajkl.sys -> %SystemRoot%\System32\wymxajkl.sys
NY -> HFRDZX.DLL.del -> %SystemRoot%\System32\HFRDZX.DLL.del
NY -> ZDESFX.DLL.del -> %SystemRoot%\System32\ZDESFX.DLL.del
NY -> WYRSDJ.DLL.del -> %SystemRoot%\System32\WYRSDJ.DLL.del
NY -> jhrcar.dll -> %SystemRoot%\System32\jhrcar.dll
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> sys30824.bin -> %AllUsersProfile%\Documents\sys30824.bin
NY -> sys24035.bin -> %AllUsersProfile%\Documents\sys24035.bin
[Files/Folders - Modified Within 30 days]
NY -> FOUND.020 -> %SystemDrive%\FOUND.020
NY -> FOUND.021 -> %SystemDrive%\FOUND.021
NY -> FOUND.010 -> %SystemDrive%\FOUND.010
NY -> FOUND.011 -> %SystemDrive%\FOUND.011
NY -> FOUND.012 -> %SystemDrive%\FOUND.012
NY -> FOUND.013 -> %SystemDrive%\FOUND.013
NY -> FOUND.014 -> %SystemDrive%\FOUND.014
NY -> FOUND.015 -> %SystemDrive%\FOUND.015
NY -> FOUND.016 -> %SystemDrive%\FOUND.016
NY -> FOUND.017 -> %SystemDrive%\FOUND.017
NY -> FOUND.018 -> %SystemDrive%\FOUND.018
NY -> FOUND.019 -> %SystemDrive%\FOUND.019
NY -> cdralw.sys.del -> %SystemRoot%\System32\drivers\cdralw.sys.del
NY -> eth8023.sys.del -> %SystemRoot%\System32\drivers\eth8023.sys.del
NY -> hhrdxd.dll -> %SystemRoot%\System32\hhrdxd.dll
NY -> hfrdzx.dll -> %SystemRoot%\System32\hfrdzx.dll
NY -> winsYs.reg -> %SystemRoot%\System32\winsYs.reg
NY -> 1f9O.dat -> %SystemRoot%\System32\1f9O.dat
NY -> ngjxakin.sys -> %SystemRoot%\System32\ngjxakin.sys
NY -> nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb
NY -> amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb
NY -> zdesfx.dll -> %SystemRoot%\System32\zdesfx.dll
NY -> wyrsdj.dll -> %SystemRoot%\System32\wyrsdj.dll
NY -> jggtsr.dll -> %SystemRoot%\System32\jggtsr.dll
NY -> njritc.cfg -> %SystemRoot%\System32\njritc.cfg
NY -> hgfhk.cfg -> %SystemRoot%\System32\hgfhk.cfg
NY -> ciwdaapi.sys -> %SystemRoot%\System32\ciwdaapi.sys
NY -> tyjert.cfg -> %SystemRoot%\System32\tyjert.cfg
NY -> rgghjj.cfg -> %SystemRoot%\System32\rgghjj.cfg
NY -> fsrgeb.dll -> %SystemRoot%\System32\fsrgeb.dll
NY -> oqrthc.cfg -> %SystemRoot%\System32\oqrthc.cfg
NY -> rhs.cfg -> %SystemRoot%\System32\rhs.cfg
NY -> lariytrz.cfg -> %SystemRoot%\System32\lariytrz.cfg
NY -> dhugtj.cfg -> %SystemRoot%\System32\dhugtj.cfg
NY -> jyjlt.cfg -> %SystemRoot%\System32\jyjlt.cfg
NY -> xfgnxfn.cfg -> %SystemRoot%\System32\xfgnxfn.cfg
NY -> ydgn.cfg -> %SystemRoot%\System32\ydgn.cfg
NY -> sthth.cfg -> %SystemRoot%\System32\sthth.cfg
NY -> lesxachu.sys -> %SystemRoot%\System32\lesxachu.sys
NY -> dscef.cfg -> %SystemRoot%\System32\dscef.cfg
NY -> crugd.cfg -> %SystemRoot%\System32\crugd.cfg
NY -> unxxx.bat.del -> %SystemRoot%\System32\unxxx.bat.del
NY -> pzwmaime.sys -> %SystemRoot%\System32\pzwmaime.sys
NY -> toqnabib.sys -> %SystemRoot%\System32\toqnabib.sys
NY -> kduy.cfg -> %SystemRoot%\System32\kduy.cfg
NY -> ijsgajba.sys -> %SystemRoot%\System32\ijsgajba.sys
NY -> xfgnfx.cfg -> %SystemRoot%\System32\xfgnfx.cfg
NY -> wymxajkl.sys -> %SystemRoot%\System32\wymxajkl.sys
NY -> tiwxattb.sys -> %SystemRoot%\System32\tiwxattb.sys
NY -> JHRCAR.DLL.del -> %SystemRoot%\System32\JHRCAR.DLL.del
NY -> HHRDXD.DLL.del -> %SystemRoot%\System32\HHRDXD.DLL.del
NY -> HFRDZX.DLL.del -> %SystemRoot%\System32\HFRDZX.DLL.del
NY -> ZDESFX.DLL.del -> %SystemRoot%\System32\ZDESFX.DLL.del
NY -> WYRSDJ.DLL.del -> %SystemRoot%\System32\WYRSDJ.DLL.del
NY -> jhrcar.dll -> %SystemRoot%\System32\jhrcar.dll
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> sys30824.bin -> %AllUsersProfile%\Documents\sys30824.bin
NY -> sys24035.bin -> %AllUsersProfile%\Documents\sys24035.bin
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.

Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The online virus scan report (whichever one you ran)

Attach the following back here in your next reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
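Step #5 above asks for the latest fix log, named in the form mmddyyyy_hhmmss.log. Because the month comes first in that form, sorting the names alphabetically does not give the newest file; the following added example (not part of the original post and not OTScanIt's own code) parses the timestamp out of each name instead. The folder path passed in and the sample file names are assumptions constructed for illustration.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# mmddyyyy_hhmmss.log, the naming form described in the post
LOG_NAME = re.compile(r"^(\d{8}_\d{6})\.log$", re.IGNORECASE)


def parse_log_time(name):
    """Return the datetime encoded in a fix-log name, or None if it is not one."""
    match = LOG_NAME.match(name)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%m%d%Y_%H%M%S")
    except ValueError:  # right shape but impossible date, e.g. month 13
        return None


def latest_fix_log(folder):
    """Return the Path of the newest fix log in folder, or None if none exist."""
    candidates = []
    for entry in Path(folder).iterdir():
        stamp = parse_log_time(entry.name)
        if stamp is not None and entry.is_file():
            candidates.append((stamp, entry))
    if not candidates:
        return None
    return max(candidates, key=lambda pair: pair[0])[1]


if __name__ == "__main__":
    # Constructed sample names standing in for a MovedFiles folder.
    samples = ["12312007_235959.log", "06062008_224458.log",
               "06072008_091500.log", "13012008_000000.log", "notes.txt"]
    with tempfile.TemporaryDirectory() as folder:
        for name in samples:
            (Path(folder) / name).write_text("constructed sample\n")
        print("alphabetically last:", max(samples))
        print("newest by timestamp:", latest_fix_log(folder).name)
```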