66 replies to this topic

[LMac]

I did not get an "ACCEPT" box when I ran Roguekiller

 

RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.adlice.c...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Joe Blow [Admin rights]
Mode : Scan -- Date : 09/05/2014  13:21:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswMBR -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswVmm -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Internet Explorer\Main | Search Page : http://rd.yahoo.com/...//www.yahoo.com  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 44 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[12] : Unknown @ 0x87057f38
[SSDT:Addr(Hook.SSDT)] NtAlertThread[13] : Unknown @ 0x87057fd0
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : Unknown @ 0x86d5e3c0
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : Unknown @ 0x86f43458
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : Unknown @ 0x8714e1f8
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[43] : Unknown @ 0x870bd4a8
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[52] : Unknown @ 0x86f43308
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : Unknown @ 0x86e98da8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[57] : Unknown @ 0x87073448
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : Unknown @ 0x870955b8
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[83] : Unknown @ 0x870cbbe0
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[89] : Unknown @ 0x87057e08
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[91] : Unknown @ 0x87057ea0
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : Unknown @ 0x8716adf0
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[108] : Unknown @ 0x870cbb28
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[114] : Unknown @ 0x870bd410
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : Unknown @ 0x86f3cbb0
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[123] : Unknown @ 0x87095520
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : Unknown @ 0x87073598
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : Unknown @ 0x86f3cb28
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : Unknown @ 0x86f433b0
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : Unknown @ 0x8704d890
[SSDT:Addr(Hook.SSDT)] NtResumeThread[206] : Unknown @ 0x86eb6e80
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : Unknown @ 0x87084460
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[228] : Unknown @ 0x870844f8
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : Unknown @ 0x870734e0
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : Unknown @ 0x870bd378
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : Unknown @ 0x86eb6f18
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : Unknown @ 0x870bf310
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : Unknown @ 0x86eb6f90
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[267] : Unknown @ 0x870845a0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : Unknown @ 0x86d5e318
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : Unknown @ 0x870c1ac0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : Unknown @ 0x870c7ae0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : Unknown @ 0x86d697b0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : Unknown @ 0x870c7b58
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[428] : Unknown @ 0x870c1a38
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : Unknown @ 0x86eff288
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : Unknown @ 0x86d69728
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : Unknown @ 0x86eff310
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : Unknown @ 0x86f37290
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : Unknown @ 0x86d6b8a0
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom1 : \Driver\redbook @ Unknown (\SystemRoot\System32\DRIVERS\redbook.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\System32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG SV1204H +++++
--- User ---
[MBR] f805a109462a5da52bf7725f32d6a765
[BSP] 44e76c70a7a409e06dba851ad28fef86 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114485 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_09052014_073613.log - RKreport_SCN_09052014_091353.log

[LMac]

ix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-09-2014
Ran by Joe Blow at 2014-09-05 13:48:47 Run:2
Running from C:\Documents and Settings\Joe Blow\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
SearchScopes: HKCU - DefaultScope {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.se...ct=sb&qsrc=2869
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
C:\Documents and Settings\Administrator\Desktop\Hot Deals from Compaq.exe
Folder: C:\Documents and Settings\Administrator\WINDOWS
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
EmptyTemp:
end
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{46A120EA-A6CA-427F-88AA-618F1920B282}" => Key deleted successfully.
"HKCR\CLSID\{46A120EA-A6CA-427F-88AA-618F1920B282}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => Key deleted successfully.
"HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
"HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\UploadMgr" => Key deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Hot Deals from Compaq.exe => Moved successfully.

========================= Folder: C:\Documents and Settings\Administrator\WINDOWS ========================

2014-09-04 13:50 - 2002-08-02 02:15 - 0000000 ____D () C:\Documents and Settings\Administrator\WINDOWS\system

====== End of Folder: ======

=========  ipconfig /flushdns =========

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

========= End of CMD: =========

[LMac]

Logs provided.

 

programs seemed to uninstall OK

 

Can I delete the programs and log files now?

[LiquidTension]

We still have a little more work to do. Malware removal is not a simple process and requires numerous steps.

Please hang fire for the next set of instructions.

[LMac]

Will do thanks

[LiquidTension]

Hello Larry, 

 

Please confirm that you checked the two items requested in RogueKiller, and clicked Delete. 
 
STEP 1
 AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Double-click AdwCleaner.exe to run the programme.
• Follow the prompts. 
• Click Scan. 
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean. 
• Follow the prompts and allow your computer to reboot. 
• After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
 Junkware Removal Tool (JRT)

• Please download Junkware Removal Tool and save the file to your Desktop.
• Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click JRT.exe to run the programme.
• Follow the prompts and allow the scan to run uninterrupted. 
• Upon completion, a log (JRT.txt) will open on your desktop.
• Re-enable your anti-virus software.
• Copy the contents of JRT.txt and paste in your next reply.
   

STEP 3
 Batch File

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  @echo off
  dir C:\Documents and Settings\Administrator\WINDOWS\system /s >C:\Documents and Settings\Joe Blow\Desktop\look.txt
  del %0

• Click Format. Ensure Wordwrap is unchecked. 
• Click File, Save As and name the file batchfile.bat. 
• Select All Files as the Save as type.
• Save the file to your Desktop. 
• Locate batchfile.bat  (XP) on your Desktop. Double-Click the icon.
• A log (look.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
   

======================================================

STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Did you delete the two items in RogueKiller?
• AdwCleaner[S0].txt
• JRT.txt
• look.txt

[LMac]

Adam these are the 2 files you asked me to check and delete.

 

I did check and delete 2 files.  The whole description in roguekiller was not displayed only about half.  The half I could read matched and they were the only 2 files that did match.  They were the last two files in the list on roguekiller.

 

I will do the next steps now and post the results in a few minutes

 

 

 

Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND

 

• [PUM.SearchPage] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND

[LMac]

# AdwCleaner v3.309 - Report created 06/09/2014 at 08:35:56
# Updated 02/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Joe Blow - OLD_DESK_TOP
# Running from : C:\Documents and Settings\Joe Blow\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F06672-0E95-41A9-80CB-DEE386AF99AD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F06672-0E95-41A9-80CB-DEE386AF99AD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\WEDLMNGR

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [2163 octets] - [06/09/2014 08:32:32]
AdwCleaner[S0].txt - [2116 octets] - [06/09/2014 08:35:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2176 octets] ##########

[LMac]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by Joe Blow on Sat 09/06/2014 at  8:44:53.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/06/2014 at  8:52:19.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[LMac]

Step 3 Batchfile

I followed the direction-  and ensured wrap was off.

 

I ran the batch -  it did not produce a txt file and it deleted itself when finished.

[LiquidTension]

Hello, 
 
Lets try it a different way. 

 SystemLook

• Please download SystemLook (x32) and save the file to your Desktop.
• Double-click SystemLook.exe to run the programme.
• Copy the entire contents of the codebox below and paste into the textfield.
  

  :dir
  C:\Documents and Settings\Administrator\WINDOWS\system /s

• Click the  button to start the scan.
• Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
• Note: If the log is very long, please attach the file instead of copy/pasting the contents. 
• Click the  button. 

[LMac]

Nortgon classified it as a threat and deleted it.

 

Do you want me to turn off Norton?

[LiquidTension]

Yes, please disable Norton temporarily.

[LMac]

• SystemLook 30.07.11 by jpshortstuff
  Log created at 09:26 on 06/09/2014 by Joe Blow
  Administrator - Elevation successful

  ========== dir ==========

  C:\Documents and Settings\Administrator\WINDOWS\system - Parameters: "/s"

  ---Files---
  None found.

  No folders found.

  -= EOF =-

[LiquidTension]

Hi Larry, 

 

Looks like the folder is empty. Nothing of concern there. 

 

STEP 1
 Batch File

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  @echo off
  rd /s /q "C:\Documents and Settings\Administrator\WINDOWS"
  del %0

• Click Format. Ensure Wordwrap is unchecked. 
• Click File, Save As and name the file batchfile.bat. 
• Select All Files as the Save as type.
• Save the file to your Desktop. 
• Locate batchfile.bat  (XP) on your Desktop. Double-click the icon.
   

STEP 2
 Malwarebytes Anti-Malware (MBAM)

• Please download Malwarebytes Anti-Malware Free to your Desktop.
• Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
• Launch the programme and select Update.
• Once updated, click the Settings tab and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 3
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something unique such as MyEsetScan.
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Did the batch file run OK?
• MBAM Scan log
• ESET Online Scan log