not only ended up out $ but found this through microsoft security essentials scan, Rouge:win32/fakerean! Nice