Author Topic: Huge Malware/Spyware problem, cannot run anything except web browser.  (Read 15600 times)


TrentWalker

    Topic Starter


    Rookie

    I did the pre-requisite readings before posting this, but I can't seem to figure anything out.

    I'm getting the "Application cannot be executed...file is infected" popup what seems like every 30 seconds randomly and every time I try to run Notepad or any program. I only seem to be able to open Firefox. At first it was the XP Internet Security 2010, then Antivirus Soft, and various other "security" popups.

    I tried to run rkill to generate a log, but I'm not sure it works. I get a quick MS-DOS screen, but almost instantly it gets shut down by the "Application cannot be executed" popup. Where is the log supposed to be generated?

    Thanks in advance for any help. I'm getting pretty frustrated here.   

    TrentWalker
      « Reply #1 on: February 25, 2010, 10:40:13 PM »
      Sorry, forgot to add that I am running Windows XP (I think SP3, cannot open my system information in control panel so cannot be 100% sure). 

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      « Reply #2 on: February 26, 2010, 12:03:01 PM »
      Try not to restart the computer until one of the tools we use does it for you or tells you to.

      If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

      1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

      There are 4 different versions. If one of them won't run then download and try to run the next one.

      Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

      * Rkill.com
      * Rkill.scr
      * Rkill.pif
      * Rkill.exe

      * Double-click on the Rkill desktop icon to run the tool.
      If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * When finished it will create a log.
      * Please post the rkill.log in the next reply.

      * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.


      Once you've gotten one of them to run then try to immediately run the following.


      2) Download and run exeHelper

      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Add the log.txt file to your next message.

      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


      3) If you already have Malwarebytes be sure to update it before running the scan!

      Download Malwarebytes' Anti-Malware (MBAM)

      * Double-click mbam-setup.exe and follow the prompts to install the program.
      * At the end, be sure a checkmark is placed next to the following:

      * Update Malwarebytes' Anti-Malware
      * Launch Malwarebytes' Anti-Malware

      * Then click Finish
      * If an update is found, it will download and install the latest version.
      * Once the program has loaded, select Perform quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
      * Be sure that everything is checked, and click Remove Selected.
      * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
      * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      * Copy and Paste the entire report in your next reply.

      Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


      Logs needed:

      • Rkill
      • exeHelper
      • Malwarebytes

      TrentWalker
        « Reply #3 on: February 26, 2010, 07:38:43 PM »
        Thanks for responding.

        I was able to get both Rkill and exeHelper to generate logs just before I got hit with the "application is infected..." popup, but the logs were basically blank. It appears the malware stopped them in their tracks.

        This is what Rkill said:

        Quote from: Rkill
        This log file is located at C:\rkill.log.
        Please post this only if requested to by the person helping you.
        Otherwise you can close this log when you wish.
        Ran as ZACK MORRIS on 02/25/2010 at 22:07:45.


        Processes terminated by Rkill or while it was running:


        And exeHelper:

        Quote from: exeHelper
        exeHelper by Raktor

        That's it.

        And I have tried to install Malwarebytes several times with no success. Sometimes it won't complete the install, other times it does complete the install, but when I try to launch the program, it says something like "Cannot locate mbam.exe...". I installed Malwarebytes once in safe mode and it looked like things were going well, but the program shut down by itself in the middle of the full scan.

        I read on another help forum about how malware/spyware can be used for identity theft/credit card fraud so now I'm afraid to even have the infected computer logged on to the internet (I'm on a different PC right now). Is this true? and how can I make sure I am not putting myself at risk when I try to fix that computer?   
         

        evilfantasy
        « Reply #4 on: February 27, 2010, 10:46:23 AM »
        I will be sending you a Private Message with some instructions to follow. We are doing this privately to keep the info out of the hands of the malware creators. Please do not mention the name of the utility we will be giving you or where you are getting it from. Just try to do what we ask you to do and then post back here with any problems you had. Again, in mentioning your problems, please don't refer to the program by name. Just call it "the utility" or "the program". For example, your response could be:

        The program ran OK. Or the program would not run, I received the following error message...(put your error message here).



          TrentWalker
          « Reply #5 on: February 27, 2010, 08:11:13 PM »
          I was able to get "the program" to run in Safe Mode and it detected like 93 objects, but after I quarantined them it prompted me to restart (which I immediately did) and I was not able to make a log because it restarted into normal mode and it was like "the program" was never installed on my computer.

          The good news is after the restart, things started returning back to normal. I was able to double click on install files so I proceeded to install "the program" in normal boot mode. I ran it again and it detected 23 objects this time. Here is the log from that run (2nd run):

          Quote
          Memory items scanned      : 385
          Memory threats detected   : 0
          Registry items scanned    : 5279
          Registry threats detected : 1
          File items scanned        : 30144
          File threats detected     : 23

          Adware.Tracking Cookie
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@lucidmedia[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@zedo[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@atdmt[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@imrworldwide[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@revsci[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@2o7[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@apmebf[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@invitemedia[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@mediaplex[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@media6degrees[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@doubleclick[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@fastclick[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][3].txt

          Rogue.AntivirusSoft
             HKU\S-1-5-21-2996800989-1999048823-2621022130-1006\Software\avsoft

          Trojan.Agent/Gen-Faker
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193300.EXE

          Adware.Vundo/Variant-[Fixed]
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193302.DLL

          I then installed Malwarebytes and ran that:

          Quote
          Malwarebytes' Anti-Malware 1.43
          Database version: 3740
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          2/27/2010 3:42:41 PM
          mbam-log-2010-02-27 (15-42-41).txt

          Scan type: Full Scan (C:\|)
          Objects scanned: 229289
          Time elapsed: 1 hour(s), 7 minute(s), 32 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 6
          Registry Values Infected: 2
          Registry Data Items Infected: 6
          Folders Infected: 0
          Files Infected: 9

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabasifil (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosalajono (Trojan.Vundo) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nlauipn.dll  -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{570ac077-8bd7-4f49-8f6c-b5871d60abaa}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          C:\WINDOWS\nlauipn.dll (Trojan.Vundo.H) -> Delete on reboot.
          C:\WINDOWS\Temp\11.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\14.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\1B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\Bvij.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\F.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\mcmbyn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\spool\prtprocs\w32x86\00007fc3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

          I then ran a quick scan using "the program" one more time just to see if it would catch anything else:

          Quote
          Memory items scanned      : 370
          Memory threats detected   : 0
          Registry items scanned    : 5278
          Registry threats detected : 0
          File items scanned        : 88942
          File threats detected     : 3

          Adware.Tracking Cookie
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@zedo[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@2o7[1].txt

          And finally a quick scan using Malwarebytes:

          Quote
          Malwarebytes' Anti-Malware 1.43
          Database version: 3740
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          2/27/2010 5:32:44 PM
          mbam-log-2010-02-27 (17-32-44).txt

          Scan type: Quick Scan
          Objects scanned: 136946
          Time elapsed: 11 minute(s), 40 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          I then decided to run a virus scan with my Avira Antivir. It detected 15 objects, but I'm not sure if I should go ahead and quarantine/delete them. I believe some of them are false positives so I am cautious to proceed. This is not a log, but a copy of what it says after the scan, but before I take any action:

          Quote
          Object         Detection   

          rkill.pif                 HIDDENEXT/Crypted
          D4EF690Ad01         TR/Dropper.Gen
          jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
          rigslhn.exe         TR/Crypt.XPACK.Gen
          rsxeamwonc.tmp        TR/Dldr.Mufanom.muo   
          all.pdf            EXP/Pdfka.bpf
          newplayer.pdf         EXP/Pdfka.bmg
          rkill.pif                 HIDDENEXT.Crypted
          jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
          rigslhn.exe          TR/Crypt.XPACK.Gen
          rsxeamwonc.tmp         TR/Dldr.Mufanom.muo
          all.pdf            EXP/Pdfka.bpf
          newplayer.pdf         EXP/Pdfka.bmg
          A0190740.exe        TR/Crypt.XPACK.Gen

          Should I click on "Repair All" or no?

          Also, it appears there are a few cookies in my internet explorer that I am now unable to delete using the internet options in the control panel. Are these the quarantined cookies?

          I'd appreciate any more help to make sure everything is okay.

          But your help so far is greatly appreciated. I thought for sure I was going to have to reformat. 
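
The two Malwarebytes results in the post above name the mechanisms this infection used to stay resident and to block its own removal: Image File Execution Options keys for msascui.exe, MsMpEng.exe, MpCmdRun.exe and msseces.exe (Windows Defender and Microsoft Security Essentials binaries; on Windows a Debugger value under such a key redirects every launch of the named executable), two Run-key autostarts, a DLL registered under LSA Notification Packages (loaded into lsass.exe), Security Center notification flags forced to 1, replaced DNS resolvers, a scheduled-task .job file, and two items MBAM could only mark "Delete on reboot". What follows is an added example, not code from the thread or from Malwarebytes, that parses log lines in that format and sorts each entry by mechanism. The log lines in SAMPLE_LOG are copied from the post; the category names, the matching rules and the function names are this example's own.

```python
"""Sort a Malwarebytes removal log by persistence / hijack mechanism.

Added example for this thread; not Malwarebytes' code. SAMPLE_LOG is
copied from the log posted above, trimmed to the entries that matter
for triage; the categories and rules are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the MBAM log in the thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabasifil (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosalajono (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nlauipn.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\nlauipn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\Bvij.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One MBAM result line: <path> (<family>) -> [Data: x ->] <action>
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Substring of the lower-cased path -> mechanism (first match wins).
RULES = [
    ("\\image file execution options\\", "ifeo_hijack"),   # launches of the named .exe redirected
    ("\\currentversion\\run\\", "run_key"),                # autostart at logon
    ("\\lsa\\notification packages", "lsa_notification_package"),  # DLL loaded into lsass.exe
    ("\\security center\\", "security_center_tamper"),     # "AV/firewall off" alerts suppressed
    ("\\tcpip\\parameters", "dns_hijack"),                 # resolvers replaced
    ("\\tasks\\", "scheduled_task"),                       # .job re-launches the payload
    ("\\temp\\", "dropper_staging"),                       # staged payloads
]


def classify(path):
    p = path.lower()
    for needle, category in RULES:
        if needle in p:
            return category
    if re.match(r"^[a-z]:\\", p):
        return "file_on_disk"
    return "other"


def parse_log(text):
    """Return one dict per result line; section headers are skipped."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        data = re.search(r"Data: (.*?)\s*->", rest)
        findings.append({
            "path": m.group("path"),
            "family": m.group("family"),
            "category": classify(m.group("path")),
            "data": data.group(1).strip() if data else None,
            "action": rest.rsplit("->", 1)[-1].strip(),
        })
    return findings


def summarize(findings):
    """Mechanism -> the tokens worth hunting for on other machines
    (targeted exe, resolver IPs, value name, DLL)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["category"]].append(f["data"] or f["path"].rsplit("\\", 1)[-1])
    return dict(groups)


def pending_after_reboot(findings):
    """Entries MBAM could not remove while running; re-check these after
    the restart it asks for."""
    return [f["path"] for f in findings if "reboot" in f["action"].lower()]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for category, tokens in summarize(found).items():
        print(f"{category:26s} {', '.join(tokens)}")
    print("pending until reboot:", pending_after_reboot(found))
```

The "Delete on reboot" entries are the ones to verify after the restart: the LSA Notification Packages value and the DLL it names were still in place when the log was written, and a DLL in that list runs inside lsass.exe with SYSTEM rights and is notified of password changes, which is why a resolver change plus that entry is worth treating as a credential exposure rather than only an adware cleanup.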

           

          evilfantasy
          « Reply #6 on: February 27, 2010, 08:15:25 PM »
          Generally cookies are not a problem. All websites use them, even this one.

          If you already have ComboFix be sure to delete it and download a new copy.

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          Note: It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

            TrentWalker
            « Reply #7 on: February 27, 2010, 09:10:05 PM »
            Here is the log

            [Saving space, attachment deleted by admin]

            evilfantasy
            « Reply #8 on: February 27, 2010, 09:25:06 PM »




            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            DDS::
            uInternet Settings,ProxyServer = http=127.0.0.1:5555
            FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

            Folder::
            c:\documents and settings\NetworkService\Local Settings\Application Data\miqmxq

            File::
            c:\windows\Tqezewapa.bin
            c:\windows\Wmaciseciyo.dat


            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

            ----------

            Download GMER Rootkit Detector and save it your desktop.
             
            * Extract it to your desktop and double-click GMER.exe
            * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
            * Click the Rootkit tab and then Scan.
            * Don't check the Show All box while scanning in progress!
            * When scanning is finished click Copy.
            * This copies the log to clipboard
            * Post the log in your reply.

              TrentWalker
              « Reply #9 on: February 27, 2010, 11:34:12 PM »
              Attached is the CFScripted ComboFix log.

              Unfortunately, I tried running the GMER program twice and both times it froze up my computer (my computer is pretty old) shortly after beginning the scan.

              Any ideas?

              Thanks again for everything.   

              [Saving space, attachment deleted by admin]

              evilfantasy
              « Reply #10 on: February 28, 2010, 11:18:32 AM »
              Try this one.

              RootRepeal - Rootkit Detector

              * Download the following tool: RootRepeal - Rootkit Detector
              * Direct download link is here: RootRepeal.zip

              * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
              * Click this link to see a list of such programs and how to disable them.

              * Extract the program file to a new folder such as C:\RootRepeal
              * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
              * Select ALL of the checkboxes and then click OK and it will start scanning your system.
              * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
              * When done, click on Save Report
               * Save it to the same location where you ran it from, such as C:\RootRepeal
              * Save it as rootrepeal.txt
              * Then open that log and select all and copy/paste it back on your next reply please.
              * Close RootRepeal.

                TrentWalker
                « Reply #11 on: February 28, 2010, 07:05:07 PM »
                ROOTREPEAL (c) AD, 2007-2009
                ==================================================
                Scan Start Time:      2010/02/28 17:52
                Program Version:      Version 1.3.5.0
                Windows Version:      Windows XP SP3
                ==================================================

                Drivers
                -------------------
                Name: rootrepeal.sys
                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                Address: 0xA5229000   Size: 49152   File Visible: No   Signed: -
                Status: -

                Hidden/Locked Files
                -------------------
                Path: Volume C:\
                Status: MBR Rootkit Detected!

                Path: C:\hiberfil.sys
                Status: Locked to the Windows API!

                Path: C:\DVDVideoSoft\FEIST-~4.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-113\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-115\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-141\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-143\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-146\1:5-9
                Status: Visible to the Windows API, but not on disk.

                SSDT
                -------------------
                #: 041   Function Name: NtCreateKey
                Status: Hooked by "<unknown>" at address 0xa6e61166

                #: 053   Function Name: NtCreateThread
                Status: Hooked by "<unknown>" at address 0xa6e6115c

                #: 063   Function Name: NtDeleteKey
                Status: Hooked by "<unknown>" at address 0xa6e6116b

                #: 065   Function Name: NtDeleteValueKey
                Status: Hooked by "<unknown>" at address 0xa6e61175

                #: 098   Function Name: NtLoadKey
                Status: Hooked by "<unknown>" at address 0xa6e6117a

                #: 122   Function Name: NtOpenProcess
                Status: Hooked by "<unknown>" at address 0xa6e61148

                #: 128   Function Name: NtOpenThread
                Status: Hooked by "<unknown>" at address 0xa6e6114d

                #: 193   Function Name: NtReplaceKey
                Status: Hooked by "<unknown>" at address 0xa6e61184

                #: 204   Function Name: NtRestoreKey
                Status: Hooked by "<unknown>" at address 0xa6e6117f

                #: 247   Function Name: NtSetValueKey
                Status: Hooked by "<unknown>" at address 0xa6e61170

                #: 257   Function Name: NtTerminateProcess
                Status: Hooked by "<unknown>" at address 0xa6e61157

                ==EOF==
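
The SSDT section of the report above lists eleven hooked system services, every one attributed to "<unknown>" (RootRepeal could not map the handler address to a loaded module) and all at addresses between 0xa6e61148 and 0xa6e61184. What follows is an added example, not part of the thread and not RootRepeal's code: it parses that section, groups the hooks by how close their handler addresses are, and labels the hooked services by what they gate (registry writes versus process and thread access). One tight cluster is what a single driver with a table of stub handlers produces; several hooking drivers produce several clusters. The grouping window, the REGISTRY and PROCESS_THREAD sets and the SAMPLE_REPORT constant (the posted SSDT entries, with the blank lines between them removed) are this example's own.

```python
"""Cluster the SSDT hooks from a RootRepeal report by handler address.

Added example for this thread; not RootRepeal's code. SAMPLE_REPORT is
the SSDT section posted above; window size and service groupings are
this example's own.
"""
import re
from collections import Counter

# Constructed sample: the SSDT section of the report posted in the thread.
SAMPLE_REPORT = """
SSDT
-------------------
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa6e61166
#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa6e6115c
#: 063   Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa6e6116b
#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa6e61175
#: 098   Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa6e6117a
#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa6e61148
#: 128   Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa6e6114d
#: 193   Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa6e61184
#: 204   Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa6e6117f
#: 247   Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa6e61170
#: 257   Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa6e61157
==EOF==
"""

HOOK_LINE = re.compile(r"^#: (?P<index>\d+)\s+Function Name: (?P<name>\w+)$")
STATUS_LINE = re.compile(
    r'^Status: Hooked by "(?P<owner>[^"]*)" at address 0x(?P<addr>[0-9a-fA-F]+)$')

# What each hooked service gates. Hooking the first set lets the driver
# veto registry changes (removal of its own autostart included); hooking
# the second lets it veto opening, injecting into or killing its processes.
REGISTRY = {"NtCreateKey", "NtDeleteKey", "NtDeleteValueKey", "NtSetValueKey",
            "NtLoadKey", "NtReplaceKey", "NtRestoreKey"}
PROCESS_THREAD = {"NtOpenProcess", "NtOpenThread", "NtCreateThread",
                  "NtTerminateProcess"}


def parse_ssdt(text):
    """Pair each '#: NNN Function Name:' line with the Status line that
    follows it; entries whose Status is not 'Hooked by' are ignored."""
    hooks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_LINE.match(line)
        if m:
            pending = (int(m.group("index")), m.group("name"))
            continue
        m = STATUS_LINE.match(line)
        if m and pending:
            index, name = pending
            hooks.append({"index": index, "name": name, "owner": m.group("owner"),
                          "addr": int(m.group("addr"), 16)})
        pending = None
    return hooks


def cluster_by_address(hooks, window=0x1000):
    """Group hooks whose handler addresses lie within `window` bytes of the
    previous one in sorted order."""
    clusters = []
    for h in sorted(hooks, key=lambda h: h["addr"]):
        if clusters and h["addr"] - clusters[-1][-1]["addr"] <= window:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def describe(cluster):
    lo, hi = cluster[0]["addr"], cluster[-1]["addr"]
    kinds = Counter(
        "registry" if h["name"] in REGISTRY
        else "process_thread" if h["name"] in PROCESS_THREAD
        else "other"
        for h in cluster)
    return {"low": lo, "high": hi, "span": hi - lo, "count": len(cluster),
            "owners": sorted({h["owner"] for h in cluster}), "kinds": dict(kinds)}


if __name__ == "__main__":
    for c in cluster_by_address(parse_ssdt(SAMPLE_REPORT)):
        d = describe(c)
        print(f"{d['count']} hooks in 0x{d['low']:08x}-0x{d['high']:08x} "
              f"(span {d['span']} bytes) owners={d['owners']} kinds={d['kinds']}")
```

On the posted report this yields one cluster: eleven handlers spread over 60 bytes, seven gating registry changes and four gating process and thread access. That pattern says one driver installed all of them; it does not say which. The report's Drivers section lists only rootrepeal.sys, and an installed antivirus's self-protection driver hooks much the same set of services as a self-defending rootkit would, so the next step is to resolve the 0xa6e61xxx range against the complete loaded-driver list rather than to treat the hooks as malicious on their own.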

                evilfantasy
                « Reply #12 on: February 28, 2010, 07:20:46 PM »
                Download the MBR Rootkit Detector to your desktop.

                Go to Start > Run then copy and paste the following text into the Open field then click OK:

                "%userprofile%\desktop\mbr.exe" -f

                Next, double click on the mbr.exe file and post the contents of the new mbr.log


                Also let me know how the computer is running now.

                  TrentWalker
                  « Reply #13 on: February 28, 2010, 07:32:58 PM »
                  I hope I did this right.

                  Quote
                  Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                  device: opened successfully
                  user: MBR read successfully
                  kernel: MBR read successfully
                  user & kernel MBR OK


                  The computer is running a bit slower than normal, although it is pretty slow normally. However, I feel that my hard drive is working a bit harder than before as it is noticeably noisier. But that may also just be the age of my computer.

                  I'm probably going to have to purchase a new notebook anyway, but there are a few important files on this computer so I really appreciate your help in getting it back to normal again. 

                  evilfantasy
                  « Reply #14 on: February 28, 2010, 07:41:38 PM »
                  Yes that looks good.

                  I would like to run one more scan to make sure we didn't miss anything.

                  First a little cleanup.

                  * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                  * Now type Combofix /Uninstall in the runbox
                  * Make sure there's a space between Combofix and /Uninstall
                  * Then hit Enter

                   * The above procedure will:
                     * Delete ComboFix and its associated files and folders.
                     * Reset the clock settings.
                     * Hide file extensions, if required.
                     * Hide System/Hidden files, if required.
                     * Set a new, clean Restore Point.

                  ----------

                  Clean out your temporary internet files and temp files.

                  Download TFC by OldTimer to your desktop.

                  Double-click TFC.exe to run it.

                  Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                  * Click the Start button to begin the cleaning process.
                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
                  * Please let TFC run uninterrupted until it is finished.

                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                  ----------

                  ESET Online Scan

                  Scan your computer with the ESET FREE Online Virus Scan

                  * Click the ESET Online Scanner button.

                  * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                  * Place a check mark next to YES, I accept the Terms of Use.

                  * Click the Start button.
                  * Accept any security warnings from your browser.
                  * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                  * Click the Start button.
                  * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                  * When the scan completes, click List of found threats.
                  * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                  * Click the <<Back button then click Finish.

                  In your next reply please include the ESET Online Scan Log