As I said in that initial post, the main problem I've experienced was unsuccessful startup, with multiple reboots, etc., and the computer freezing while still in startup. The computer is a used ThinkPad, which seemed OK at first, but problems seemed to accumulate. I installed Norton SystemWorks to try to clean it up, but that terribly slowed down performance, so I uninstalled it and went with Trend Micro PC-cillin (which is currently out of date; I want to make sure it's the best before I pay to update - SUGGESTIONS?). I had already been running Spybot S&D, and I downloaded Ad-Aware SE Plus on advice from the Google Help Center.
There were some viruses/spyware/etc. captured/quarantined/cleaned by those programs, but performance was still poor. I started researching and found a PCWorld article on "Common PC Problems Solved". First, I downloaded & ran Hederer's ERUNT (which I have not re-run since doing all of the scans suggested in the TomCoyote Self Help post. QUESTION: when I get clean, do I need to delete that file to avoid re-infection from that registry?)
Step 2 was an even more thorough malware check, and when Ad-Aware froze during the scan, I went to another PCWorld article titled "How Can I Tell if my PC Has a Virus?", which led me to check the msconfig utility's Startup tab. I was already planning on tweaking my autoloaders, hoping that would help the slow startup process, so that was when I unchecked the suspicious files (dmwnd.exe, dmcef.exe, etc., 26 like that in all), as well as those which Sysinfo.org recommended disabling (not needed or wanted).
That step helped, but because of the suspicious autoloaders and Ad-Aware's behavior, I also ran BitDefender's online virus scan, which detected (and hopefully cleaned) A BUNCH of Trojan activity. I'm not sure a logfile was created; I'm unable to locate one at this time. After running BitDefender, I ran ERUNT's NTREGOPT utility to clean up the Registry a bit further. Disk Defrag was not necessary. Not feeling very secure after the results from BitDefender, I decided to run HijackThis and participate in the forum.
After registering with TomCoyote and making my initial post, I discovered the "Before Posting" instructions! OOOPS!!! Then ...
I updated Spybot & re-ran it. Found & fixed Pipas-A. Launched Ad-Aware, updated, re-ran. It froze at the same place (I could tell it was frozen because the clock froze too, and Task Mgr. showed the app as "not running"). I downloaded & ran AVG Anti-Spyware, made the recommended changes to settings, rebooted in Safe Mode, and ran the scan. 2 items were quarantined: Downloader.Agent.uj (high) and SpyMarshall (med). I DISCOVERED AN ERROR IN YOUR INSTRUCTIONS: when I went to the "Reports" icon (step #6 in the AVG scan instructions), it showed "No Reports Available". Being a novice, I went to the next step and closed AVG to reboot in Normal Mode, losing that report. Also, the instructions say to post that AVG report with a NEW HijackThis log - the instructions never said to run/post a "baseline" or "old" one!
Restart was REALLY slow (even though many autoloaders were still unchecked). All of the desktop icons did not load. The Trend Micro autoload icon was not in the toolbar. The only items present were the clock, volume, yellow update shield, and the "out of date" message balloon from the red security shield icon.
I gave it 1/2 hour, then used Task Mgr. to restart (again; redundant?). The "End Program" box came up for explorer.exe - not responding. It went through the startup cycle up to the point where the box warning that Trend Micro's Evaluation Version had expired came up, where everything froze again. I decided to reboot in Safe Mode, again using Task Mgr. I had to "End Program" for both _CLS_PCCGUIDE and explorer.exe. It booted fine in Safe Mode; I again checked the Startup tab in msconfig, which had the same settings as when it worked fine previously, so I tried rebooting normally. Again, it was very slow for the toolbar & desktop icons to appear, but eventually everything seemed to come up OK, so I went to bed.
This morning, the computer was functioning normally, so I ran AVG again, with a similar result to the previous scan, and this is when I discovered the error in the instructions. Step #6 should read: CLICK "SAVE REPORT" ON THE SCAN PAGE, NOTE WHERE SAVED. Here is that report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:00:33 pm 02/27/2007
+ Scan result:
[2000] VM_00B30000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[292] VM_003E0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[3808] VM_008E0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[4008] VM_009F0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[672] VM_003C0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[700] VM_00D60000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[724] VM_00C70000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
::Report end
I then ran HijackThis for the first time. Here is that log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:47:24 am, on 02/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
I then ran ATF Cleaner. Then I went back into msconfig and chose "Normal Startup" on the General tab (to recheck all of the autoloaders), including the suspicious entries. Restarted (OK boot, not great, but not terribly slow). Ran Ad-Aware and successfully completed a full system scan with 0 critical objects. YAY!!! Ran HijackThis again, and here is that log file (this time including the suspicious & unnecessary autoloaders):
Logfile of HijackThis v1.99.1
Scan saved at 01:51:19 pm, on 02/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
And that is where I'm at. Whew! Please tell me I'm close!!!
Thanks so much for your help ...
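An added worked example, not part of the original post or of the TomCoyote instructions it refers to: a small Python triage script run over abbreviated excerpts of the two HijackThis logs quoted above. It parses the O4 (autostart) and O17 (NameServer) lines, diffs the two logs to show what came back once the autoloaders were re-enabled, and flags two patterns that are visible in the second log: a Run value whose name is the target filename spelled backwards ([exe.dnwmd] for dmwnd.exe, a shape all 26 of the dm*.exe entries share), and NameServer entries pointing at public rather than private addresses. The regular expressions, the Entry class and the flag wording are this example's own; it does not decide whether a flagged item is malicious, only that a helper should check it.

```python
"""HijackThis log triage helper (added example; not the original poster's
work and not a TomCoyote tool).

Parses O4 (autostart) and O17 (per-adapter DNS) lines, diffs two logs, and
flags: (a) an O4 Run value whose name is the target filename reversed,
e.g. [exe.dnwmd] -> dmwnd.exe; (b) O17 NameServer values outside
private/loopback/link-local space. A flag means "verify", not "malicious".
"""
import ipaddress
import re
from dataclasses import dataclass, field

O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O17_RE = re.compile(
    r'^O17 - .*\\(?P<adapter>\{[^}]+\}): NameServer = (?P<servers>[\d.,]+)$')

# Abbreviated excerpts of the two logs in the post (before/after the
# autoloaders were re-enabled); enough lines to exercise every code path.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
"""


@dataclass
class Entry:
    kind: str                 # "O4" or "O17"
    name: str                 # Run value name, or adapter GUID
    target: str               # command line, or DNS server list
    flags: list = field(default_factory=list)

    def key(self):
        return (self.kind, self.name, self.target)


def exe_basename(cmd: str) -> str:
    """Lower-case filename of the executable in an O4 command string; copes
    with quoted paths, unquoted paths containing spaces, and arguments."""
    m = re.match(r'"?(?P<path>.*?\.exe)', cmd, re.IGNORECASE)
    path = m.group('path') if m else cmd
    return path.rsplit('\\', 1)[-1].lower()


def parse_log(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry('O4', m['name'], m['cmd']))
        elif m := O17_RE.match(line):
            entries.append(Entry('O17', m['adapter'], m['servers']))
    return entries


def triage(entries: list) -> list:
    """Attach review flags in place and return the same list."""
    for e in entries:
        if e.kind == 'O4' and e.name.lower()[::-1] == exe_basename(e.target):
            e.flags.append('Run value name is the reversed filename')
        elif e.kind == 'O17':
            for s in e.target.split(','):
                ip = ipaddress.ip_address(s)
                if not (ip.is_private or ip.is_loopback or ip.is_link_local):
                    e.flags.append(f"public DNS server {s}; confirm it is the ISP's")
    return entries


def diff_entries(before: list, after: list):
    """(added, removed) between two logs, keyed on kind, name and target."""
    b = {e.key(): e for e in before}
    a = {e.key(): e for e in after}
    return [a[k] for k in a.keys() - b.keys()], [b[k] for k in b.keys() - a.keys()]


def summarize(before_text: str, after_text: str) -> dict:
    before, after = parse_log(before_text), triage(parse_log(after_text))
    added, removed = diff_entries(before, after)
    return {
        'added': sorted(e.name for e in added),
        'removed': sorted(e.name for e in removed),
        'flagged': [(e.kind, e.name, e.flags) for e in after if e.flags],
    }


if __name__ == '__main__':
    for section, items in summarize(LOG_BEFORE, LOG_AFTER).items():
        print(section)
        for item in items:
            print('  ', item)
```

Run as-is it prints the entries that appeared and disappeared between the two excerpts and the flags for the second one. Pasting the full logs into LOG_BEFORE and LOG_AFTER lists all 26 reversed-name entries under HKLM\..\Run, plus the MSConfig run entry that is in the first log and gone from the second after "Normal Startup" was chosen. The reversed-name check is deliberately narrow: it catches the naming pattern these entries share and nothing else, so legitimate autoloaders such as ltmsg.exe or tp4mon.exe are never flagged by it.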