PhilliePhan 171 Central Scrutinizer Team Colleague


So I am a little worried eset found so many corrupt files after performing the aforementioned tasks. Should I run a random virus/malware detection program from time to time?

Absolutely!
You should update and run MBAM every couple of weeks - more often if you engage in unsafe internet practices.

Keep a good AV/Firewall combo updated and running at all times. There are many good and free options available.
Online scans such as ESET are a good "backup" to your resident AV program if you feel you need a "second opinion."

The stuff ESET found is not worrisome.
You are going to get adware (or worse) in a lot of codec packs. I would recommend downloading them from a site such as Majorgeeks.com. The site owners are very good about keeping their downloads free of malware and crapware.

The Kryptik trojan was removed by combofix. What ESET detected was the combofix quarantine - no worries there.
To avoid these types of malware, always keep your Java updated and always remove older versions. If you automatically update it, this should be done for you.
Also, running ATF-Cleaner will flush the Java cache (if you set it to do so as directed in the Read Me First post).

The other detections are in System Restore. The combofix uninstall routine should have flushed System Restore points, or, at least it used to.
You can do this manually by turning System Restore …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there...

Hi mak6152,

HijackThis really doesn't tell us much these days. We would prefer you try the steps in the linky below and post the logs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

--- ALSO, post the scanlogs from the tools you have already run on your own.

One thing HJT does tell us is that the hosts file has been altered so google and bing redirect to a server in Romania...

Anyhoo, please post the requested logs. I or another volunteer will check back as time permits. Most likely it will be Judy or crunchie as I am backlogged with a lot of work this time of year.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm running the MBA-M right now. I have a few questions though. How do I re-enable System Restore? I don't think I ever turned it off.

Malware could have turned it off. Or that service listed as not running may well be run on demand.... It can be hard to keep up with these things.

At any rate, we can verify it is running by doing this:
RightClick My Computer and select Properties >> System Protection and under Protection Settings make sure protection is on for the system drive.

Also, I plan to get rid of Norton and replace it with a combo of Comodo and Avira, but I know that Norton can be a pain to get rid of sometimes. Can you walk me through it? Lastly, on my desktop, I am using Comodo and Avast; should I switch my antivirus to Avira too?

The Symantec site has tools you can run to make the divorce from Norton a bit more amicable.
It may uninstall fairly cleanly these days - I guess you'll have to try that and see. Just make sure it is completely shut down before uninstalling it.

I like Avira. I have used it on one of my compys for many years and have been quite satisfied. It always ranks highly among the free options. My opinion is that it is the best of the free bunch.
Likewise, I'm sure there are people who prefer Avast! - I'm not one of …

PhilliePhan 171 Central Scrutinizer Team Colleague

That looks good - How are things running now?

-- Please update your Java here --> http://www.java.com/en/download/index.jsp
Then, look in Add/Remove programs and remove any old versions.

Or, you can open Javacpl and hit update and do this automatically.

-- Please run ATF-Cleaner as per the Read Me First sticky post and make sure Clear Java Cache is selected.


Then, please uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Let me know if you run into any problems with the above.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi natakudragoon,

Sorry for the late reply - awfully busy these days.

-- How are things running on the ill machine?
There were some discrepancies in the logs, but on closer look they seem OK.
The locked reg keys look benign and the suspect drivers are gone.

-- Please update MBAM and run a fresh scan and see if it reads clean.

I don't think the Olmarik trojan got a foothold on the machine.
You should, though, re-enable System Restore and definitely update Norton and make sure it is running properly.
Or, if it has expired and you don't want to renew, replace it with a good free option such as Comodo Firewall paired with Avira Free Antivirus.

Make sure both AV and Firewall are up and running as Olmarik is known to interfere with those.

Let me know how things shake out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I have no idea what aryplp.sys is for. What should I do about it?

I went ahead and removed it - if it is legitimate and needed then a replacement should be easy enough to obtain.

-- Do you know what this is --> GarenaPEngine Do you use it for gaming?

-- Though it does look as if combofix may have removed some legitimate HP files. We will dequarantine those. If you like, we can dequarantine aryplp.sys as well and you can upload it for analysis at Jotti or Virustotal.

-- As for AVG still showing up, we can address that after we finish with the cleanup. AVG ought to have an uninstall cleanup tool on their site. Or, we can do it manually.

What is a good combination of firewall/anti-virus I should use?

If you want a great security suite and don't mind paying for it, I think Kaspersky ONE OR Kaspersky Internet Security is far and away the best of the bunch.
If you want to go the free route, get the Comodo Firewall - but don't install the antivirus, just the firewall.
I prefer to pair the Comodo Firewall with Avira Free Antivirus.

Those would be my recommendations.


Anyhoo, please do the following:

-- Re-run GMER and post those logs.

-- Please download and run Farbar Service Scanner
-- Check Include All Files and hit …

PhilliePhan 171 Central Scrutinizer Team Colleague

I re-downloaded GMER, but when I save the scanlogs, it's an empty text file. It's 0 bytes and there's nothing in it. Should I still post it?

No - that's my fault. Sorry.

I'm working on some similar threads and, to save time, copied and pasted the next steps. GMER doesn't support 64-bit Windows.
No worries, though.
Try the others and post those logs.

I'll check back as time permits - there are still some issues in the combofix log, but I'm swamped at the moment.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Great - that looks good. How are things running?

Before we give the "all clear," let's check a few other things:

-- Re-run GMER and post the logs.

-- Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me.

-- Please run an ESET Online Scan and post the results.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply. I'm just appreciative of the help and support that you guys provide.
It skipped asking me to install the recovery console, so I'm assuming I already have it installed beforehand?

Happy to help :)

-- I don't see the recovery console, but no worries.

Let's try this:
-- Re-run GMER and post those logs.

-- I'd like to doublecheck something. Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please run an ESET Online Scan and post the results.

There are a few other issues in the combofix log that we'll need to look at - I'll try to put something together as soon as I get a chance.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi opr8tions,

Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the recovery console.

-- I or another volunteer will check back as time permits. I am not going to be around much through the New Year, so it may be slow going.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi natakudragoon,

Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the recovery console.

-- I am not going to be online much through the New Year, but I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Will anybody please help me ?

No.

.... Well, only if you promise to use your viruses for good deeds.

Errr..... No.

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - Since I'll be offline for a bit, let's go ahead and do this:

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You sir, are the man! Thank you PP and Happy New Year to you as well.
THANK YOU!

You're welcome - Though the thanks should go to sUBs for writing and maintaining combofix. It doesn't leave much for us volunteers to do.

I'd even go as far as to say it makes malware killing boring for those of us who remember the early days of HijackThis!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Last, but not least.

ESET_scan result
C:\Documents and Settings\chris\My Documents\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined

Great - looks as though you are good to go!

Happy New Year :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

So far Ping.exe hasn't shown up in the task manager. Will run one more scan with MBAM and then check back here tomorrow. Thanks so far!

Happy to help :)

-- There are still a few things we need to do yet. I'll post the steps this evening when I get home.

In the meantime, it might help if you could navigate to c:\windows\system32\drivers\aryplp.sys and rightclick it and see if there is any property information for it.... Or, do you know what it belongs to?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again for taking the time.

Merry Christmas!!

Merry Christmas to you as well!
Happy to help.... 'Tis the season, after all :)


At quick glance, that looks better. How are things running?

** Please follow up with an ESET Online Scan and post the results.

-- Also, since nothing particularly evil jumped out at me from the combofix log, you can probably go ahead and uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

I'll check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Todd,

Normally we prefer all tools to be run in Normal Windows boot.
No worries, though.

Since the next few days are going to be a bit hectic, we can save some time by going ahead with the following:

-- Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please run it exactly as directed and be sure to install the recovery console.

-- I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi dapesche,

Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the recovery console.

-- I or another volunteer will check back as time permits. The holidays are a bit hectic, so it may be slow going....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi ddevineuk,

A couple things before we take a whack at this:

-- This may be a lengthy process. The holiday season is brutal for getting timely volunteer help in forums for obvious reasons.
Plus, it appears you are across the pond from me, so we'll be working on different schedules. That tends to slow things down.

-- I am assuming you have a means to transfer logs and tools to and from the ill compy since you have posted the DDS.

What I need to know is ALL of the steps you have taken so far to try to clean the machine. Your log shows traces of combofix having been run. Did you run this powerful tool?
Let me know.

-- Also, let's have a look to see if you have been a victim of a popular malware making the rounds:

Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me.

Obviously, you will need to use a flash drive to transfer FSS and the resulting logs.

I will try to check back as time permits.

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I agree, but perhaps the user is not as skillful as you & your peers. I still stand by my original recommendation (easiest because it is the easiest to understand and do).

Actually, if the FSS.txt can pinpoint the issue, the OP may be able to download a file to flash drive, transfer it to ill computer and double-click it and reboot and presto - back online.

Simple and non-destructive.

PhilliePhan 171 Central Scrutinizer Team Colleague

There is absolutely no need to reformat the computer to fix this problem. We just need to find what service was infected and what registry keys were compromised.

-- One could argue, though, that after any sort of rootkit infection a reformat is the best course of action. But, that applies to the malware involved and not the connectivity issue.

The FSS.txt ought to show us where the problem lies.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for us.

You will need to use a flash drive to transfer FSS and the resulting logs.
Once we see which service was infected, we should be able to get you back online to continue the cleaning process...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Many thanks for replies. How do I upload mavinst.exe (found in C:\Program Files\mavinst.exe) to virusscan.jotti.org to be scanned?

Just go to Jotti or virustotal and click the browse button to navigate to the file and then click submit.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Or, you could follow the steps in the linky below and post the requested scanlogs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

With any luck, we can get you cleaned up a bit more easily.
I or another volunteer will check back as time permits, though the holidays can be a bit hectic.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You know what, I somehow had my Avast updates turned off, strange! Once I updated it, the program started screaming that there is a virus in the active memory or something, so I did a boot scan and it removed 8 files.

Glad to hear it!

You might want to post the Avast! log from that removal to make sure you got it all (or at least all that was shown in the earlier scanlogs).

Or, you could also follow the steps in the linky below to run combofix and post that log:

How To Use Combofix

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

IT WORKS!!!!! I can not thank you enough! It's finally back online! I appreciate your help and guidance thru all of this.

Glad to hear it! We kinda took a roundabout way to getting there, though - At least I learned enough to cut to the chase on the next one, LOL!

-- What you need to do now on the ill compy is to DELETE your existing copy of combofix.

Then download a fresh copy of combofix and run it. Be sure to install the Recovery Console this time now that the connection is back.

Please post that scanlog and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Another post on this forum suggested to run aswMBR, so I did that too and it found a bunch of infections, but it says not to fix anything before posting on the forums, so do you want me to post it here? It mentioned Win32:Alureon-AOV, seems like a nasty thing. Sooo, what's up with me lappy?

Sorry for the late reply - the holiday season is rough when there are not many active volunteers.

-- Yeah you've got a nasty one.
Please go ahead and post the aswMBR log.

I will try to check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ok, I tried to save the file a few more times using the same steps you gave me before, and it finally took. I merged it into my current settings and am rebooting now.

Great - Hopefully that will do the trick. If not, run Farbar Service Scanner again and let's see what it says.

I should be home around 9PM EST and I'll check back then.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It's still opening as a notepad file.

That is odd - a .reg extension should not do that.

-- Rightclick it and see if you have the option to Run or to Merge.

Let me prepare it and attach it and see if that works.

PP:)

--- OK - I changed the extension and when I rightclick it I get the option to Merge. Hopefully that will work. Extract it from the Zip and give it a go. DoubleClick ought to work too.
Remember to reboot after.

I thought I was doing it the easy way before because we cannot attach files with a .reg extension.... LOL!

PhilliePhan 171 Central Scrutinizer Team Colleague

RightClick mavinst.exe and check the properties for ID info.


Due to the location of the file/folder, this is likely a component of a rogue anti-spy app.

You ought to upload mavinst.exe to http://virusscan.jotti.org/en for analysis and post back with the results.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok - let's try to repair the registry damage done by the malware. I thought winsock fix might do it for us, but I guess not.

Anyhoo - first I suggest backing up the registry with a tool such as ERUNT
It is simple and quick and good to have as a "fallback" in the event we need it.

Then, please download the attached FixNetBT.txt
You need to actually download the text file to the desktop.
-- RENAME it to FixNetBT.reg

On the ill machine, DoubleClick FixNetBT.reg and allow it to merge into the registry.
REBOOT and see if that fixes the connection.

--- If not, run Farbar Service Scanner again and post those results.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey CCG,

Too cold for the T-tops. Was going to try a little silicone sealant, but will probably have to wait until spring. No worries, I suppose - after all, it is a 17-year-old car.

-- As for the ill computer, let's try an oldie but goodie from Option^Explicit ---> Winsock XP Fix

Run that and hit fix - that ought to automatically repair the registry damage so we don't have to do it manually. If we have to do it manually then it becomes dicey.

Let me know how that shakes out.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have done 2 Microsoft fixes (20199 and 20203). I have run different versions of winsockfix. Now I am reinstalling XP-SP3 over the existing SP3. I know that is a dated solution, but I am hoping it simply places the right fixes in the right places, given that it is such a major update.

Sounds like you got hit with one of the ZeroAccess rootkit variants. I've been helping another poster with a similar issue.

Reinstalling SP3 is not a good idea on an (especially rootkit - assuming that is what you have) infected computer. You may get connection back, but you'll still need to deal with the remaining malware before it puts you back into the same boat again.

If you find you need some assistance, please post a thread in the Spyware Forum.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I think it's gone. Thanks so much. I have no clue why safe mode wouldn't start and why i had to run rkill like 5 times to get it to work or why malwarebytes took like 3 tries before it even ran.

Could be a combination of factors, not the least being the malware involved did not want you to be able to run the tools. Sometimes rkill needs to be run multiple times.
Back 6-7 years ago when we didn't have all these nifty tools to work with, we'd have users killing running processes manually and then racing to get the malware removed before the processes could start again... Fun times :)

-- You should remove that last detection by MBAM or just flush your temp files. (use ATF-Cleaner from the Read Me First Sticky) Flush your system restore points while you are at it.

I strongly suggest you run an online scan:

http://www.eset.com/us/online-scanner/

Make sure that comes back clean as well.

Let us know if you have any further issues.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague


I uninstalled and reinstalled the wireless program. It is still doing the same thing, saying I'm connected and have a full strength connection, however it never gives me an address.

All right - let's throw the kitchen sink at it and see what happens:

Open a command prompt again and enter each of the following commands one by one:
sc start dhcp
sc start netbt
sc start ipsec
sc start tcpip
sc start afd
netsh int ip reset C:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
ipconfig /all

REBOOT for good measure and see if that helps.

If not, please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me. That should show us what we are missing.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am wondering if re-installing the wireless software would resolve this?

Yeah - give that a try. Uninstall it and then reinstall it. Also check to make sure the DHCP Client is started - we may have to revisit that.

Resetting TCP/IP should correct the damage you noted from the malware.

-- Avira logs should be available to print or copy and paste.
I imagine you've got a number of infected restore points and, as Judy mentioned, we'll need to flush those after we complete the cleaning procedures.

I'll be around over the weekend - hopefully weather will be good and I can have another crack at those Camaro T-Tops....:)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, I walked thru the steps PP gave me, still no change.

So, you were able to copy and paste the driver with no problem?

-- OK, let's try this. You'll need to open a command prompt:
START > RUN > Type cmd ENTER

Then, type or copy & paste the following and hit Enter:
netsh int ip reset c:\resetlog.txt

Note:
It is netsh<space>int<space> ip<space> reset<space> c:\resetlog.txt
Make sure to type it accurately or you'll get an error.

REBOOT the ill computer and see if that does the trick.

I will try to check back tomorrow PM EST.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ComboFix is running right now. It said it found a RootKit Virus, and sat there for a bit, then asked me to restart the computer. It is now restarted and ComboFix is running again. I took a quick screen shot of the actual message to get the name of the virus. (If it helps?)

--- Yeah screenshot would be cool - what rootkit did it identify?

-- I imagine you are still offline? Let's try this:
Click START > CONTROL PANEL > PERFORMANCE & MAINTENANCE > ADMINISTRATIVE TOOLS > SERVICES
- RightClick DHCP Client and select STOP
- Navigate to C:\Windows\System32\Drivers and DELETE NetBT.sys (if it remains).
- Then go to C:\Windows\servicepackfiles\i386 and locate NetBT.sys.
Copy and Paste NetBT.sys from servicepackfiles\i386 into the C:\Windows\System32\Drivers Folder.
- Then, go back to Services and RightClick DHCP Client and select START

Reboot the computer for good measure and see if the connection is restored. If so, Update MBAM and run a full scan.

Let us know how you fare and we'll work from there.

Cheers :)
PP
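The two connectivity-repair posts on this page (the NetBT.sys restore from servicepackfiles\i386 above, and the "kitchen sink" sc / netsh / ipconfig sequence in the post further up) written out as one batch file. This is an added example of mine, not a script from PP or from the thread. It assumes an Administrator command prompt on Windows XP with the %windir%\servicepackfiles\i386 folder present; the netrepair.log path, the fc /b comparison, the .bak rename instead of a delete, and the dependency-ordered service list are my choices rather than anything in the posts.

```batch
@echo off
setlocal
rem netrepair.cmd - added example, not a script from the thread.
rem Scripted form of the XP connectivity repair: restore netbt.sys from
rem the service pack cache, start the core network services, reset TCP/IP
rem and Winsock, then check whether an address was actually obtained.
rem Assumes an Administrator prompt on Windows XP with the
rem %windir%\servicepackfiles\i386 folder present. Log path is my choice.

set "drv=%windir%\system32\drivers"
set "spf=%windir%\servicepackfiles\i386"
set "log=%systemdrive%\netrepair.log"
echo ==== Network repair %date% %time% ==== > "%log%"

rem 1. NetBT driver file. The post deletes it; here a differing copy is
rem    renamed to .bak instead so it can still be submitted for analysis.
sc stop dhcp >> "%log%" 2>&1
if not exist "%spf%\netbt.sys" (
    echo No clean netbt.sys in "%spf%" - driver restore skipped.>> "%log%"
) else if not exist "%drv%\netbt.sys" (
    echo netbt.sys is missing from drivers - restoring.>> "%log%"
    copy /y "%spf%\netbt.sys" "%drv%\netbt.sys" >> "%log%"
) else (
    fc /b "%spf%\netbt.sys" "%drv%\netbt.sys" > nul
    if errorlevel 1 (
        echo Installed netbt.sys differs from the service pack copy.>> "%log%"
        if exist "%drv%\netbt.sys.bak" del "%drv%\netbt.sys.bak"
        ren "%drv%\netbt.sys" netbt.sys.bak >> "%log%" 2>&1
        copy /y "%spf%\netbt.sys" "%drv%\netbt.sys" >> "%log%"
    ) else (
        echo Installed netbt.sys matches the service pack copy.>> "%log%"
    )
)

rem 2. Start the stack in dependency order (DHCP Client needs Tcpip, Afd
rem    and NetBT) and record each service's state. "Already running"
rem    errors from sc start are harmless.
for %%S in (tcpip afd netbt ipsec dhcp) do (
    sc start %%S >> "%log%" 2>&1
    sc query %%S | find "STATE" >> "%log%"
)

rem 3. Reset TCP/IP and the Winsock catalog, flush DNS, dump the adapters.
netsh int ip reset "%systemdrive%\resetlog.txt" >> "%log%" 2>&1
netsh winsock reset >> "%log%" 2>&1
ipconfig /flushdns >> "%log%" 2>&1
ipconfig /all >> "%log%"

rem 4. Did an adapter get a real IPv4 address? Matches "IP Address" (XP)
rem    or "IPv4 Address" (Vista/7) followed by a dotted number whose first
rem    digit is not 0, and ignores 169.254.x.x autoconfiguration addresses.
ipconfig | findstr /r /c:"IP.*Address.*: *[1-9][0-9]*\.[0-9]" | findstr /v "169.254" > nul
if errorlevel 1 (
    echo No IP address assigned. Reboot, then run Farbar Service Scanner.
) else (
    echo An IP address is assigned. Reboot anyway for good measure.
)
echo Details are in "%log%".
endlocal
```

Everything the script does is recorded in netrepair.log, so the log can be pasted into a reply the same way the FSS.txt is; the original netbt.sys, if it was replaced, survives as netbt.sys.bak for upload to Jotti or VirusTotal.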

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh, and one more thing: I already know that MBAM is being blocked. And how would I get rkill on the computer... I would have to transfer it via a USB drive, huh?

Flashdrive is best for the logs - you could burn any tools onto a CD, if necessary.
But for now, a flashdrive will suffice for RKILL and the process list.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you. Vista 64.

I will try this when I get home. The infected computer is the only one I have so I can only read/reply here when I am using someone else's computer. Because of this please feel free to post further steps in case I can or can't because I have to go to someone else's house to read/reply to the forum.

Ideally, we'd like to get MBAM to run and see where that leaves us. Even if you cannot update it, run it anyway. If it won't run, we can try to remove the processes that are blocking it.

You should also try running rkill to see if that will then allow MBAM to run.

Let us know where you stand. I'll try to check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


Please help me with this problem. Thank you very much.

What is your OS?

-- Can you open a command prompt and do this:
Type or copy and paste tasklist >> %systemdrive%\peek.txt ENTER

Please post the peek.txt - it should be C:\peek.txt.

We'll see if there are other running processes we need to shut down.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I just turned my computer on to run these scans and the Avira antivirus popped up saying it found the TR/Rootkit.gen2 and blocked it. I don't know how it keeps spreading, but it is. This is the same thing that it supposedly blocked before, when all these problems started......

I thought I could find the logs folder from the Avira antivirus and so far can't find it. I can view them thru the interface but I'm not sure how to put them into a notepad document or anything.

Hey CCG,

Did Avira remove or quarantine anything? You ought to be able to find that in the History via the gui.
Chances are that the last thing it removed was an infected driver that was needed to connect to the internet. If that is the case, we ought to be able to replace it and re-establish a connection.

-- Were you able to download Combofix and TDSSKiller?
Let us know. We are going to need them.

It's midnight EST and I've got to run - will look at the logs as soon as I can and get back to you. Judy may beat me to it.

Cheers :)
PP

EDIT:
Never mind that last bit about Avira - I just saw it in the logs:

Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey CCG,

These tools can be burned to a CD if that is easier for you. That way you can use the flash drive only to help post scanlogs.

I completely spaced on the connectivity issue, so it may save some time to download these tools in addition to the ones I mentioned before and put them on the disk as well:

combofix

tdsskiller

-- See if you are able to run the two scans from my previous post and we'll go from there. Judy may add some steps as I imagine she is more up to date on these baddies than I am these days.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi CCG,

In addition to what Judy has posted above, there are a couple tools we need to run after the fresh MBAM scan.

If you have any trouble with the steps, just let us know and we'll talk you through it - no worries :)

When you run these tools, be sure ALL other windows are closed and you are not running any other tools or programs.

--- Please download aswMBR and run it as per the directions in the linky.
- Please save the scanlog as directed in the linky and just Copy & Paste it into your next reply. Do Not fix anything just yet.
- If it asks to download Avast!'s Anti-virus database, please go ahead and do that.


--- Then, please download OTL.exe to the Desktop.

Run OTL.

- Where it says Output, change it to Minimal Output.
- Change the Standard Registry Box to All.
- Check the boxes for the LOP Check and the Purity Check.

Then, hit the Run Scan button.

--- TWO scanlogs should open (and also be saved on the Desktop with OTL.exe) --- > OTL.Txt and Extras.Txt.

Please Copy & Paste these into your reply for us and we will go from there.
There are likely two more tools we'll need to run, but let's just start with the above for now.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

This doesn't necessarily help, but I have the exact same issue on my wife's laptop....

You guys should try the tool here --> http://public.avast.com/~gmerek/aswMBR.htm

Follow the listed steps and post the log. Perhaps it will detect the baddie.
Even if not, you could go ahead and rewrite the Master Boot Record and see if that helps....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Watch out for added search engine/toolbars and other crap that's in the download. I never agreed to any of it, unchecked it all when installing it, but it deleted all my home pages and changed it to Babylon.

Interesting - I may play with that in the sandbox for a bit.

But, yeah, it is always caveat emptor with downloads these days. You should always scan them and pay attention to what rides along with them whether it be a benign toolbar, adware or malware.

About the only site I really trust to have clean downloads is Majorgeeks. The guys that run the site make that a top priority.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PDF2CHM

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Naveed,

A few years ago I made a little batch tool to remove a particular malware and I wanted to first back up the registry before the tool deleted keys.

I exported the reg backup into a folder with the date and time of the backup. It wasn't particularly sophisticated, but it went something like this:

@echo off
rem Grab the date and time from date/t and time/t. This assumes the US
rem format "Tue 12/06/2011" and "11:35 PM" - other locales will need
rem different tokens/delims.
for /f "tokens=2-4 delims=/- " %%A in ('date/t') do set varA=%%A-%%B-%%C
for /f "tokens=1* delims=:-" %%A in ('time/t') do set varB=%%A%%B

rem Create a dated backup folder and export the whole registry into it.
mkdir "%systemdrive%\PhilliePhan Registry Backup %varA% %varB%\"
cd /d "%systemdrive%\PhilliePhan Registry Backup %varA% %varB%\"
regedit /e Backup.reg

You ought to be able to mkdir with whatever variable you want as the name.

I think the final result was a bit more simplified, but I can't recall it - this is how I plotted it out in my head when I conceived it.

Hope it helps.

PP :)
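The same idea written out in full, as an added example of mine rather than PP's original tool. It replaces the locale-dependent date/t and time/t parsing with WMI's LocalDateTime (so it assumes wmic.exe is present, which is the case on XP Pro, Vista and 7, and an elevated prompt on Vista/7), checks that the folder and the export file were really created, and optionally exports a single key with reg export instead of the whole registry. The regbackup.cmd name and the folder name are mine.

```batch
@echo off
setlocal
rem regbackup.cmd - added example, not PhilliePhan's original tool.
rem Back up the registry to a timestamped folder before a cleanup tool
rem deletes keys.
rem   regbackup.cmd                                              whole registry
rem   regbackup.cmd "HKLM\SYSTEM\CurrentControlSet\Services\NetBT"   one key
rem Assumes wmic.exe (XP Pro / Vista / 7) and, on Vista/7, an elevated prompt.

rem Timestamp from WMI: LocalDateTime looks like 20111207041225.000000-300.
rem Taking substrings also drops the stray carriage return wmic appends.
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /value') do set "ldt=%%I"
if not defined ldt (
    echo Could not read the local date/time from WMI.
    exit /b 1
)
set "stamp=%ldt:~0,8%-%ldt:~8,4%"
set "dest=%systemdrive%\PhilliePhan Registry Backup %stamp%"

mkdir "%dest%" 2>nul
if not exist "%dest%\" (
    echo Could not create "%dest%".
    exit /b 1
)

if "%~1"=="" (
    rem regedit is a GUI program; start /wait makes the batch file wait for
    rem the export to finish before the result is checked below.
    set "out=%dest%\Backup.reg"
    start "" /wait regedit /e "%dest%\Backup.reg"
) else (
    rem A single key via reg.exe, which reports failure through its exit code.
    set "out=%dest%\Key.reg"
    reg export "%~1" "%dest%\Key.reg"
    if errorlevel 1 (
        echo reg export failed for %~1
        exit /b 1
    )
)

if not exist "%out%" (
    echo Export failed - "%out%" was not written.
    exit /b 1
)
rem A .reg file holding nothing but the header is about 80 bytes, so
rem anything under 128 bytes means nothing was actually exported.
for %%F in ("%out%") do if %%~zF LSS 128 (
    echo Export file "%out%" is only %%~zF bytes - check permissions.
    exit /b 1
)
echo Registry backup written to "%out%".
endlocal
```

Run it with no argument right before a cleanup script that deletes keys; if something goes wrong, the .reg file in the timestamped folder can be merged back (or restored with ERUNT-style tooling) the same way the FixNetBT.reg file earlier in the thread is merged.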

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh my bad, sorry about that. I work in the security sector and use HJT all the time and admit it has some downfalls lol. I'll go over those rules and regs though to be sure in the future I abide by them. Thanks for the link.

No worries! :)

HJT was great about 5-7 years ago. But these days it just doesn't show the detail needed for today's malware.
I'm sure you'll find that DDS or OTL are far better tools. Both will give you all the info HJT does and then some.... We use DDS in our "Read Me First" sticky, but OTL may actually be the better tool - It is more versatile, but using it is more complex.


-- Anyhoo, welcome to Daniweb - we are always happy to have knowledgeable volunteers who want to give a little of their free time to help others.

Best :)
PP