I think I caught a new virus. Exploit Rogue 1006

[Pleanie]

Hello, I'm back again with another extremely difficult problem

I caught this new virus from browsing the web. Whenever I try and google something and click a link, it'll take me to these random places like Yellowbook and other weird search engines.

When I tried to identify it with AVG, it says that it's called Exploit Rogue 1006.

I tried scanning my computer with both AVG and MALWAREBYTES (My brother installed those for me. He told me this is the best free anit-virus things I could get), but I got nothing.

At first, it was just redirecting me to different websites and I was too lazy to do anything about it. But now I'm getting this "DCOM Server Processor Launcher Terminated" thing which shuts down my computer in a minute at random times. So I thought I should stop being lazy and seek expert advice. Computer Hope hasn't failed me yet so I thought I would come back.

I tried looking up how to fix it online but there weren't any good results and it looks recent because the post dates were just about a week ago or a few days.

I'm not really computer smart (Or smart in general ^^;) so if you need me to give you some type of information on my computer, than just let me know.

Thank you for your help.

[harry 48]

http://www.computerhope.com/forum/index.php/topic,46313.0.html

go to above and complete and post the 3 logs , an expert will see them

[Pleanie]

http://www.computerhope.com/forum/index.php/topic,46313.0.html

go to above and complete and post the 3 logs , an expert will see them

Okay... I ran into a problem at Step 5 but I did everything before it.

Akamai Netsession Interface - I don't recognize it or even remember installing it
VIA Platform Device Manager -
----------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2010 at 01:13 AM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type       : Complete Scan
Total Scan Time : 00:21:30

Memory items scanned      : 422
Memory threats detected   : 0
Registry items scanned    : 3478
Registry threats detected : 0
File items scanned        : 22692
File threats detected     : 13

Adware.Tracking Cookie
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][3].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@collective-media[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[3].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt

Trojan.Dropper/Gen-PHP
   C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\89ABCDEF\LOAD[1].PHP
-------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/26/2010 1:47:19 AM
mbam-log-2010-01-26 (01-47-19).txt

Scan type: Quick Scan
Objects scanned: 96957
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------
-I'm stuck here at Step 5: Update your java.

I checked and it said I should update my java but when I downloaded it, it would freeze when it starts downloading. The only way I could exit was to use CTRL+ALT+DELETE. Could this malware be related to Java? Anyways, I won't progress further until a professional tells me what to do. Thank you for your help.

[harry 48]

please go to step 6   and complete this is the important one

if need be re-name hjt to snipper.exe and run

[Pleanie]

please go to step 6   and complete this is the important one

if need be re-name hjt to snipper.exe and run

Okay.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:25 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs:  c:\windows\system32\suwunahe.dll,sesotoja.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: jilonatiz - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)
O22 - SharedTaskScheduler: gahurihor - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4733 bytes

----------------------------------------------------------------------------

So I had to skip Step 5: Updating your Java.

Please tell me if I need to do anything else

[harry 48]

there is very little in your hjt log but please wait for a malware expert to help you get cleared , harry

[evilfantasy]

Hello Pleanie.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

• O20 - AppInit_DLLs: c:\windows\system32\suwunahe.dll,sesotoja.dll
  
• O21 - SSODL: jilonatiz - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)
  
• O22 - SharedTaskScheduler: gahurihor - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[Pleanie]

Hello Pleanie.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

• O20 - AppInit_DLLs: c:\windows\system32\suwunahe.dll,sesotoja.dll
  
• O21 - SSODL: jilonatiz - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)
  
• O22 - SharedTaskScheduler: gahurihor - {48e5a3c4-6b75-406c-82fb-3b31df9bd9c9} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Here you go

ComboFix 10-01-26.02 - Owner 01/26/2010  19:11:11.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.766.481 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-12-27 to 2010-01-27  )))))))))))))))))))))))))))))))
.

2010-01-26 06:41 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 06:41 . 2010-01-26 06:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-26 06:41 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-26 05:48 . 2010-01-26 05:48   52224   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-26 05:47 . 2010-01-26 05:47   117760   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-26 05:47 . 2010-01-26 05:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-26 05:47 . 2010-01-26 05:47   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-01-26 05:47 . 2010-01-26 05:47   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-26 05:46 . 2010-01-26 05:46   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-01-25 16:22 . 2010-01-26 05:31   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-01-25 16:22 . 2010-01-26 05:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 19:16 . 2010-01-22 19:16   --------   d-----w-   c:\program files\Trend Micro
2010-01-21 16:36 . 2010-01-21 16:36   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-01-21 16:36 . 2010-01-21 16:36   --------   d-----w-   c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 16:36 . 2010-01-26 22:02   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-21 05:10 . 2010-01-27 00:16   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\PMB Files
2010-01-21 05:10 . 2010-01-26 21:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\PMB Files
2010-01-21 05:10 . 2010-01-21 05:10   --------   d-----w-   c:\program files\Pando Networks
2010-01-19 21:30 . 2009-11-25 18:01   1230080   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-01-19 15:07 . 2010-01-19 15:07   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-01-18 00:50 . 2010-01-18 00:50   --------   d-----w-   c:\program files\Redbana
2010-01-16 06:11 . 2010-01-17 21:39   96   ---ha-w-   c:\windows\system32\HsInfo.dat
2010-01-16 06:02 . 2010-01-16 06:02   --------   d-----w-   C:\alaplaya
2010-01-16 00:33 . 2010-01-27 00:16   --------   d-----w-   c:\program files\Common Files\Akamai
2010-01-10 03:33 . 2008-10-10 09:52   4379984   ----a-w-   c:\windows\system32\D3DX9_40.dll
2010-01-10 03:32 . 2005-05-26 20:34   2297552   ----a-w-   c:\windows\system32\d3dx9_26.dll
2010-01-10 03:31 . 2010-01-10 03:32   --------   d--h--w-   c:\windows\msdownld.tmp
2010-01-10 03:31 . 2010-01-10 03:33   --------   d-----w-   c:\windows\Logs
2010-01-04 16:54 . 2010-01-20 02:03   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-01-04 16:54 . 2010-01-04 16:54   --------   d-----w-   c:\program files\Common Files\Adobe
2010-01-04 16:35 . 2010-01-04 16:35   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-12-31 20:19 . 2010-01-26 20:37   0   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2009-12-31 20:17 . 2009-12-31 20:17   --------   d-----w-   c:\windows\Sun
2009-12-31 20:16 . 2009-12-31 20:16   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-31 20:16 . 2009-12-31 20:16   --------   d-----w-   c:\program files\Java
2009-12-31 20:16 . 2009-12-31 20:16   152576   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-31 20:16 . 2009-12-31 20:16   79488   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-30 02:25 . 2009-12-30 02:30   --------   d-----w-   c:\documents and settings\Owner\Application Data\NeopleLauncherDFO
2009-12-30 02:17 . 2009-12-30 02:17   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\AVG Security Toolbar
2009-12-30 02:16 . 2009-12-30 02:16   --------   d-----w-   C:\$AVG
2009-12-30 02:16 . 2009-12-30 02:16   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-12-30 02:16 . 2009-12-30 02:16   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-12-30 02:16 . 2009-12-30 02:16   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-12-30 02:16 . 2009-12-30 02:16   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-12-30 02:16 . 2010-01-26 22:36   --------   d-----w-   c:\windows\system32\drivers\Avg
2009-12-30 02:16 . 2010-01-19 21:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-30 02:16 . 2009-12-30 02:16   --------   d-----w-   c:\program files\AVG
2009-12-30 02:16 . 2009-12-30 02:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2009-12-30 02:13 . 2009-12-30 02:13   --------   d-----w-   c:\program files\CCleaner
2009-12-30 02:09 . 2010-01-26 06:41   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-30 02:09 . 2010-01-26 06:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-30 01:53 . 2010-01-26 21:38   --------   d-----w-   C:\Nexon
2009-12-30 01:53 . 2010-01-26 21:38   393216   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-12-30 01:53 . 2010-01-26 21:38   258352   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-12-30 01:53 . 2010-01-26 21:38   118784   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-12-30 01:53 . 2009-12-30 01:53   90112   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-12-30 01:53 . 2010-01-26 21:38   561152   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-12-30 01:53 . 2010-01-26 21:38   167936   ----a-w-   c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-12-30 01:53 . 2009-12-30 01:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\NexonUS
2009-12-30 01:40 . 2009-12-30 01:40   0   ----a-w-   c:\windows\nsreg.dat
2009-12-30 01:40 . 2009-12-30 01:40   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-12-29 20:34 . 2008-04-13 18:39   5376   -c--a-w-   c:\windows\system32\dllcache\mspclock.sys
2009-12-29 20:29 . 2010-01-18 00:50   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-12-29 20:29 . 2009-12-29 20:29   --------   d-----w-   c:\program files\VIA
2009-12-29 20:29 . 2009-12-29 20:34   --------   d-----w-   c:\program files\Common Files\InstallShield
2009-12-29 20:28 . 2004-07-07 03:45   60672   ----a-w-   c:\windows\system32\drivers\viamraid.sys
2009-12-28 23:49 . 2010-01-26 06:16   20456   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 19:52 . 2006-02-28 12:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2009-12-29 20:34 . 2009-12-29 20:34   --------   d-----w-   c:\program files\Realtek Sound Manager
2009-12-29 20:34 . 2009-12-29 20:34   --------   d-----w-   c:\program files\AvRack
2009-12-29 20:34 . 2009-12-29 20:34   --------   d-----w-   c:\program files\Realtek AC97
2009-12-28 22:51 . 2009-12-28 22:51   --------   d-----w-   c:\program files\microsoft frontpage
2009-12-28 22:48 . 2009-12-28 22:48   21640   ----a-w-   c:\windows\system32\emptyregdb.dat
2009-12-28 21:27 . 2009-12-28 22:50   76487   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-21 19:14 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2006-02-28 12:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01   1230080   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-26 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-31 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-30 02:16   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Nexon\\PopTag\\CA.exe"=
"c:\\Nexon\\PopTag\\NMCOSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56891:TCP"= 56891:TCP:Pando Media Booster
"56891:UDP"= 56891:UDP:Pando Media Booster
"57814:TCP"= 57814:TCP:Pando Media Booster
"57814:UDP"= 57814:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/29/2009 9:16 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/29/2009 9:16 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/29/2009 9:16 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/29/2009 9:16 PM 285392]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 XDva310;XDva310;\??\c:\windows\system32\XDva310.sys --> c:\windows\system32\XDva310.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{317D9D5A-8E20-40D2-B5D1-C7E2828238C6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ujuc4ame.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SOUNDMAN.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-26  19:18:57 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-27 00:18

Pre-Run: 235,131,940,864 bytes free
Post-Run: 235,103,506,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8E7246D4DF152B798A36CF6A5B18472A

[evilfantasy]

Please go to VirusTotal.com
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy the file path in the below Code box:

Code: [Select]

c:\windows\system32\XDva310.sys
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply


Also let me know how the computer is running now.

.

[Pleanie]

Please go to VirusTotal.com
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy the file path in the below Code box:

Code: [Select]

c:\windows\system32\XDva310.sys
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply


Also let me know how the computer is running now.

.

I tried but it wouldn't work. When I pasted it, it said, "--- File not found, please verify the correct file name given"

But I tested the malware by going into random trusted websites from google and I haven't been sent to a different website once.

[evilfantasy]

Please download SystemLook from one of the below links and save it to your desktop.

Link #1
Link #2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

* Double-click SystemLook.exe to run it.
* Copy the contents of the following codebox into the main textfield.

Code: [Select]

:filefind
XDva310.sys

* Click the Look button to start the scan.
* Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
* When finished, a notepad window will open with the results of the scan. Please post the log.

The log can also be found on your desktop entitled SystemLook.txt

[Pleanie]

Please download SystemLook from one of the below links and save it to your desktop.

Link #1
Link #2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

* Double-click SystemLook.exe to run it.
* Copy the contents of the following codebox into the main textfield.

Code: [Select]

:filefind
XDva310.sys

* Click the Look button to start the scan.
* Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
* When finished, a notepad window will open with the results of the scan. Please post the log.

The log can also be found on your desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:01 on 27/01/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "XDva310.sys"
No files found.

-=End Of File=-

[evilfantasy]

Thank you.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

[Pleanie]

Thank you.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

I did all that and the scan but there was no "List of found threats" button.

This is what came up after it was finished scanning.

[evilfantasy]

Looks good.

time to finish up.

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.