Geeks to Go Forums: Deckard's System Scanner (formerly Comboscan) - Geeks to Go Forums

This tool is compatible with Windows 2000 and up (that includes Vista).

Download a single executable and run it. ComboScan gives your standard warnings, then does the following (in order):

• Logs if the computer is in Normal Mode, Safe Mode, or Safe Mode with Networking. No more guessing!
  
• Creates a restore point (Normal Mode XP and Vista only). Will try to re-enable System Restore if it was disabled.
  
• Cleans Temporary Files, Downloaded Program Files, Internet Cache Files, and empties the Recycle Bin on all drives.
  
• Searches for HijackThis on the system. If it cannot find it, it will ask the user permission to download a copy from greyknight17.com. The user also has the option of telling ComboScan where their copy of HijackThis is if they have already downloaded it.
  
• Renames HijackThis based on the login name and gets a log using the /autolog parameter, closing both HijackThis and the Notepad without requiring interaction from the user.
  
• Lists out HJT entries that the user has hidden.
  
• Lists out HJT backups.
  
• Dumps file associations (similar to SREng) and will highlight in red if something doesn't match up.
  
• Dumps drivers (whitelisted) and tests for pe386/Rustock.
  
• Dumps services (again, whitelisted).
  
• Dumps the Scheduled Tasks folder.
  
• Prints files created in the past 30 days and files modified in the past 90 days, similar to ComboFix.
  
• Dumps various registry load points with whitelist (very similar to ComboFix).
  
• Gets basic system information, such as number of CPUs, memory usage, drive information (filesystem type, space).
  
• Dumps Security Center information (if appropriate).
  
• Dumps DOS environment variables.
  
• Lists all user profiles on the system (and says which are administrative accounts).
  
• Dumps Add/Remove programs, looking in both HKLM and HKCU. Common Microsoft entries are whitelisted.
  
• Turns off word wrap in Notepad.
  
• Unhides files and shows extensions.
  
• Opens the logs in Notepad for the user to post.

In all, it takes anywhere from 1-5 minutes to do all the above, depending on the system.

ComboScan produces two logs. The primary log contains everything up to and including the registry dump, and the supplementary log contains everything else. You can find both logs in C:\ComboScan.

Some additional notes:

If ComboScan downloads and installs HijackThis, installs it as %PROGRAMFILES%\HijackThis\HijackThis.exe and creates a shortcut on the Desktop.

If ComboScan cannot download HijackThis and there is no local copy of HijackThis for ComboScan to use, ComboScan will produce a HijackThis-esque log. You will still need to install HijackThis or you will need to manually fix the system as ComboScan does not provide this ability.

There is a command switch, /config, that will allow you to pick and choose which modules you want ComboScan to use.

When ComboScan is run for the first time, it will produce a full set of logs. Each subsequent run will only produce a HijackThis log along with a file and registry dump (no restore point or cleanup is performed). If you want something else -- like the driver dump -- you will need to run ComboScan with /config. If you download and run a newer copy of ComboScan, it will produce a full set of logs again the first time the new copy is run.