This is some very stubborn malware >:(

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
c:\users\HEELO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\okyy.vbs
c:\users\HEELO\AppData\Roaming\okyy.vbs

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|okyy
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|okyy


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Then…

Re-run FRST and attach fresh report…