Slow performance with XP PC

#31 benny_b (Member, Topic Starter, 103 posts)
That didn't seem to go anywhere. I booted with the CD; there was no ComboFix program included. I booted george.exe with the command prompt. It did not find a Recovery Console, and there was another window about boot partitions which it didn't like. The scanning window came up, but then nothing was going on with the hard drive. It didn't even start scanning like the other times. Someone else on this site suggested changing the ComboFix file name before downloading. I don't know if this would make any difference, but as long as this program won't run I'm a bit skeptical that the computer is safe.

#32 RKinner (Malware Expert, MVP, 24,625 posts)
When you first boot Hiren's, before you go into the Mini XP, there is an option for an antivirus program. I forget which one, Avira maybe, that should run on its own. You might try it.

#33 benny_b (Member, Topic Starter, 103 posts)
Actually, there aren't any AV software options that I recognized as such in the boot menu. I did find the software in the Mini XP installation. There's a "Tools" icon on the desktop and right toolbar. I right-clicked the toolbar icon and got a whole bunch of software options including ComboFix, Malwarebytes and Avira. I tried ComboFix and Malwarebytes and got the message, "This program does not run on Mini XP, please use your installed operating system." I did run Avira and the scan was clean. Log to follow.

I'd be happier if I could actually get ComboFix to run, but maybe it's not necessary. Looks like a good tool though (when it runs).

Avira / Windows Version 1.9.150.0
Copyright © 2010 by Avira GmbH
All rights reserved.

engine set: 8.2.6.128
VDF Version: 7.11.19.7

key file: B:\Temp\HBCD\Avira\hbedv.key
registered user: Avira AntiVir Personal - Free Antivirus
serial number: 0000149996
key expires: Nov 30 2012

Scan start time: 2012-02-03 08:53:04
Command line: scancl.exe --logformat=singleline --quarantine=C:\Quarantine --logappend --log=scan.log --colors --heurlevel=2 --defaultaction=clean --suspiciousaction=clean C:

configuration file: B:\Temp\HBCD\Avira\scancl.conf


Statistics :
Directories............... : 8270
Files..................... : 59062
Infected.............. : 0
Warnings.............. : 0
Suspicious............ : 0
Infections................ : 0
Time...................... : 00:31:19

#34 RKinner (Malware Expert, MVP, 24,625 posts)
I'll ask in our internal forum if anyone has a clue why CF won't run for us.

#35 RKinner (Malware Expert, MVP, 24,625 posts)
Got a new way of running Combofix from one of the CF gurus.

Pause your antivirus,
close all programs including your browser and copy the next line:


"C:\Documents and Settings\Mike\Desktop\george.exe" /nombr

Start, All Programs, Accessories, click on Command Prompt. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

#36 benny_b (Member, Topic Starter, 103 posts)
Please thank your guru for me. I had a look at the log but couldn't make much sense of it. I wasn't sure; it looked like it was deleting itself... Anyway, here it is finally.

ComboFix 12-02-03.02 - Mike 02/03/2012 23:38:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.641 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\george.exe
Command switches used :: /nombr
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
c:\documents and settings\Mike\Application Data\Desktopicon
C:\george.exe
c:\george.exe\023.dat
c:\george.exe\023v.dat
c:\george.exe\023w7.dat
c:\george.exe\AppData.folder.dat
c:\george.exe\appinit.bad
c:\george.exe\asp.str
c:\george.exe\Assoc.cmd
c:\george.exe\attr.dat
c:\george.exe\ATTRIB.3XE
c:\george.exe\autorun_inf.dat
c:\george.exe\autorun_infB.dat
c:\george.exe\av.cmd
c:\george.exe\av.vbs
c:\george.exe\AWF.cmd
c:\george.exe\badclsid
c:\george.exe\BFE.dat
c:\george.exe\Boot-Rk.cmd
c:\george.exe\Boot.bat
c:\george.exe\BootDrv.vbs
c:\george.exe\borlander_file.dat
c:\george.exe\borlander_folder.dat
c:\george.exe\c.bat
c:\george.exe\c.mrk
c:\george.exe\Cache.folder.dat
c:\george.exe\Catch-sub.cmd
c:\george.exe\catchme.3XE
c:\george.exe\Catchme.tmp
c:\george.exe\CCS.bat
c:\george.exe\CF-Script.cmd
c:\george.exe\CF10235.3XE
c:\george.exe\cfdummy
c:\george.exe\Cfiles.dat
c:\george.exe\Cfolders.dat
c:\george.exe\CfReboot.dat
c:\george.exe\CHCP.bat
c:\george.exe\ClistB.dat
c:\george.exe\clsid.c
c:\george.exe\clsid.dat
c:\george.exe\clsid.hiv
c:\george.exe\cmd.3XE
c:\george.exe\Combobatch.bat
c:\george.exe\ComboFix-Download.3XE
c:\george.exe\ConEnv.sed
c:\george.exe\Cookies.folder.dat
c:\george.exe\Create.cmd
c:\george.exe\Creg.dat
c:\george.exe\CregC.cmd
c:\george.exe\CregC.dat
c:\george.exe\CregC_.dat
c:\george.exe\CSCRIPT.3XE
c:\george.exe\d-del_A.dat
c:\george.exe\d-delA.dat
c:\george.exe\dd.3XE
c:\george.exe\ddsDo.sed
c:\george.exe\DelClsid.bat
c:\george.exe\Desktop.folder.dat
c:\george.exe\desktop.ini
c:\george.exe\DisclaimED.dat
c:\george.exe\dll_whitelist.dat
c:\george.exe\dnd.dat
c:\george.exe\DPF.str
c:\george.exe\Drive.folder.dat
c:\george.exe\DriveFile.dat
c:\george.exe\Drives.dat
c:\george.exe\DrvRun.vbs
c:\george.exe\dumphive.3XE
c:\george.exe\embedded.sed
c:\george.exe\Env.sed
c:\george.exe\ERDNT.e_e
c:\george.exe\ERDNTDOS.LOC
c:\george.exe\ERDNTWIN.LOC
c:\george.exe\ERUNT.3XE
c:\george.exe\erunt.dat
c:\george.exe\ERUNT.LOC
c:\george.exe\Exe.reg
c:\george.exe\extract.3XE
c:\george.exe\f_system
c:\george.exe\Favorites.folder.dat
c:\george.exe\FD-SV.cmd
c:\george.exe\FdsvOK
c:\george.exe\ffdefstr.dll
c:\george.exe\FileKill.3XE
c:\george.exe\files.pif
c:\george.exe\Fin.dat
c:\george.exe\FIND3M.bat
c:\george.exe\FIXLSP.bat
c:\george.exe\FKMGen.cmd
c:\george.exe\ForeignWht
c:\george.exe\Gateway
c:\george.exe\GetHive.cmd
c:\george.exe\GOLDUN.DAT
c:\george.exe\grep.3XE
c:\george.exe\gsar.3XE
c:\george.exe\handle.3XE
c:\george.exe\hidec.3XE
c:\george.exe\history.bat
c:\george.exe\History.folder.dat
c:\george.exe\iexplore.exe
c:\george.exe\image001.gif
c:\george.exe\Imefile.dat
c:\george.exe\katch.cmd
c:\george.exe\katchNT-OS
c:\george.exe\KiLLNot
c:\george.exe\kmd.dat
c:\george.exe\Lang.bat
c:\george.exe\LatestVer
c:\george.exe\List-B.bat
c:\george.exe\List-C.bat
c:\george.exe\lnkread.vbs
c:\george.exe\LocalAppData.folder.dat
c:\george.exe\LocalService.dat
c:\george.exe\LocalServiceNetworkRestricted.dat
c:\george.exe\LocalSettings.folder.dat
c:\george.exe\LocalSystemNetworkRestricted.dat
c:\george.exe\max_.dat
c:\george.exe\mbr.3XE
c:\george.exe\mbr.chk
c:\george.exe\mbr.log
c:\george.exe\md5sum.pif
c:\george.exe\Mike.user.cf
c:\george.exe\Mirrors
c:\george.exe\MoveIt.bat
c:\george.exe\mtee.3XE
c:\george.exe\Music.folder.dat
c:\george.exe\MWindows.dat
c:\george.exe\mynul.dat
c:\george.exe\N_\10145
c:\george.exe\N_\12185
c:\george.exe\N_\12198
c:\george.exe\N_\15967
c:\george.exe\N_\17223
c:\george.exe\N_\17671
c:\george.exe\N_\19079
c:\george.exe\N_\19213
c:\george.exe\N_\19594
c:\george.exe\N_\20145
c:\george.exe\N_\21080
c:\george.exe\N_\23127
c:\george.exe\N_\23439
c:\george.exe\N_\24122
c:\george.exe\N_\25884
c:\george.exe\N_\27059
c:\george.exe\N_\27923
c:\george.exe\N_\28467
c:\george.exe\N_\28625
c:\george.exe\N_\30210
c:\george.exe\N_\31504
c:\george.exe\N_\3378
c:\george.exe\N_\3967
c:\george.exe\N_\6674
c:\george.exe\N_\7105
c:\george.exe\N_\7171
c:\george.exe\N_\7402
c:\george.exe\N_\8148
c:\george.exe\N_\827
c:\george.exe\N_\8426
c:\george.exe\N_\8682
c:\george.exe\N_\8911
c:\george.exe\N_\981
c:\george.exe\N_\cfdummy00
c:\george.exe\N_\CmdLine00
c:\george.exe\ncmd.com
c:\george.exe\ND_.bat
c:\george.exe\ND_64.bat
c:\george.exe\ndis_combofix.dat
c:\george.exe\NetHood.folder.dat
c:\george.exe\netsvc.bad.dat
c:\george.exe\netsvc.dat
c:\george.exe\NetworkService.dat
c:\george.exe\NirCmd.3XE
c:\george.exe\NircmdB.exe
c:\george.exe\NirCmdC.3XE
c:\george.exe\NIRKMD.3XE
c:\george.exe\NlsLanguageDefault
c:\george.exe\notifykeys.dat
c:\george.exe\notifykeysB.dat
c:\george.exe\NT-OS.cmd
c:\george.exe\NULL
c:\george.exe\OsId.txt
c:\george.exe\OSid.vbs
c:\george.exe\pausep.3XE
c:\george.exe\pend.txt
c:\george.exe\Personal.folder.dat
c:\george.exe\pev.3XE
c:\george.exe\PEV.exe
c:\george.exe\pevb.3XE
c:\george.exe\Pictures.folder.dat
c:\george.exe\PING.3XE
c:\george.exe\Policies.dat
c:\george.exe\powp.dat
c:\george.exe\PreDIR
c:\george.exe\Prep.inf
c:\george.exe\PrintHood.folder.dat
c:\george.exe\Profiles.Folder.dat
c:\george.exe\Profiles.Folder.folder.dat
c:\george.exe\progfile.dat
c:\george.exe\Programs.folder.dat
c:\george.exe\Purity.dat
c:\george.exe\PV.3XE
c:\george.exe\pv.com
c:\george.exe\rar_sfx.cmd
c:\george.exe\RCLink.dat
c:\george.exe\RcRdy
c:\george.exe\RcVer00
c:\george.exe\Recent.folder.dat
c:\george.exe\REGDACL.sed
c:\george.exe\RegDo.sed
c:\george.exe\region.dat
c:\george.exe\RegScan.cmd
c:\george.exe\REGT.3XE
c:\george.exe\Resident.txt
c:\george.exe\restore_pt.dat
c:\george.exe\restore_pt.vbs
c:\george.exe\Rkey.cmd
c:\george.exe\rmbr.3XE
c:\george.exe\rogues.dat
c:\george.exe\ROUTE.3XE
c:\george.exe\run.sed
c:\george.exe\run2.sed
c:\george.exe\Rust.str
c:\george.exe\s0rt.3XE
c:\george.exe\safeboot.dat
c:\george.exe\safeboot.def.dat
c:\george.exe\sed.3XE
c:\george.exe\SendTo.folder.dat
c:\george.exe\SetEnvmt.bat
c:\george.exe\setpath.3XE
c:\george.exe\SetPath.bat
c:\george.exe\setpath_N.cmd
c:\george.exe\SF.exe
c:\george.exe\sfx.cmd
c:\george.exe\SnapShot.cmd
c:\george.exe\SRestore.cmd
c:\george.exe\srizbi.md5
c:\george.exe\Start_dat
c:\george.exe\StartMenu.folder.dat
c:\george.exe\StartUp.folder.dat
c:\george.exe\SuppScan.cmd
c:\george.exe\svc_wht.dat
c:\george.exe\SvcDrv.vbs
c:\george.exe\svchost.dat
c:\george.exe\svchost.vista.x64.dat
c:\george.exe\swreg.3XE
c:\george.exe\swsc.3XE
c:\george.exe\swxcacls.3XE
c:\george.exe\SysPath.dat
c:\george.exe\system_ini.dat
c:\george.exe\tail.3XE
c:\george.exe\Temp.dat
c:\george.exe\Templates.folder.dat
c:\george.exe\toolbar.sed
c:\george.exe\unhand.dat
c:\george.exe\Update-CF.cmd
c:\george.exe\v_wht.dat
c:\george.exe\VerCF.bat
c:\george.exe\version.txt
c:\george.exe\VikPev00
c:\george.exe\Vikpev01
c:\george.exe\VInfo
c:\george.exe\VInfo2
c:\george.exe\VINFO3
c:\george.exe\Vipev.dat
c:\george.exe\ViPev00
c:\george.exe\ViPev01
c:\george.exe\vistaMcode.dat
c:\george.exe\vRun_DLL
c:\george.exe\vun.dat
c:\george.exe\vundonames.dat
c:\george.exe\w_sock.dll
c:\george.exe\w7Mcode.dat
c:\george.exe\whiteAll.dat
c:\george.exe\whitedir.dat
c:\george.exe\whitedirCreated.dat
c:\george.exe\Wmi_rem.vbs
c:\george.exe\XP.mac
c:\george.exe\xpmcode.dat
c:\george.exe\xpreg.dat
c:\george.exe\XPSBoot.reg
c:\george.exe\zDomain.dat
c:\george.exe\zhsvc.dat
c:\george.exe\zip.3XE
c:\george.exe\Zlob01
c:\windows\system32\asw1.tmp
c:\windows\system32\asw2.tmp
c:\windows\system32\aswB.tmp
c:\windows\system32\ava2.tmp
c:\windows\system32\ava3.tmp
c:\windows\system32\avaC.tmp
c:\windows\system32\PowerToyReadme.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-01-04 to 2012-02-04 )))))))))))))))))))))))))))))))
.
.
2012-01-25 18:45 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-25 18:45 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-25 18:45 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-25 18:45 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-25 18:45 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-25 18:45 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-01-25 18:45 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-01-25 18:45 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-01-25 18:44 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-01-25 18:44 . 2012-01-25 18:44 -------- d-----w- c:\program files\AVAST Software
2012-01-25 18:44 . 2012-01-25 18:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
2012-01-25 17:53 . 2012-01-25 17:53 -------- d-----w- C:\WINSSLog
2012-01-17 21:28 . 2012-01-17 21:27 720896 ----a-w- c:\windows\iun6002.exe
2012-01-17 21:28 . 2012-01-23 14:00 -------- d-----w- c:\program files\TuneXP
2012-01-17 18:09 . 2012-01-17 18:09 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-17 17:25 . 2011-11-03 15:28 386048 -c----w- c:\windows\system32\dllcache\qdvd.dll
2012-01-17 17:23 . 2011-10-14 14:47 23040 -c----w- c:\windows\system32\dllcache\mciseq.dll
2012-01-17 17:23 . 2011-10-14 14:47 176128 -c----w- c:\windows\system32\dllcache\winmm.dll
2012-01-17 17:16 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-12 03:46 . 2012-01-13 16:51 -------- d-----w- c:\program files\Microsoft Bootvis
2012-01-11 19:45 . 2012-01-13 16:51 -------- d-----w- c:\program files\Lame
2012-01-09 14:58 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-09 14:58 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-09 14:58 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-09 14:58 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2011-01-03 14:56 41184 ----a-w- c:\windows\avastSS.scr
2011-11-25 21:57 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2001-08-23 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2009-04-15 19:29 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2001-08-23 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-14 00:51 . 2011-11-14 00:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 07:24 . 2011-03-27 14:32 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-11-7 49254]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 13:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\System32\DRIVERS\ALiAGP.sys [2002-09-02 26880]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S3 tridxp;tridxp;c:\windows\system32\DRIVERS\tridxpm.sys [2003-05-21 249344]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\tu9nsqk3.default\
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-94245253.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-03 23:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-04 00:01:30
ComboFix-quarantined-files.txt 2012-02-04 05:01
.
Pre-Run: 20,870,062,080 bytes free
Post-Run: 20,912,467,968 bytes free
.
- - End Of File - - 97115595443CE60E4DB999426D292A9E

Edited by benny_b, 03 February 2012 - 11:37 PM.

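The ComboFix log above is long, and most of what it lists is the tool's own working directory under c:\george.exe. The Python below is an added example, not ComboFix's code, that parses the two kinds of file lines the log uses (bare paths in "Other Deletions"; created / last-write / size / attributes / path entries in "Files Created" and "Find3M", with a leading "d" attribute marking a directory, as read off the log itself) and applies the checks a reviewer makes by hand: an executable in a user-writable profile path, an executable under a {GUID} temp folder like the PostBuild.exe entries above, and a core process name such as svchost.exe outside %windir%. The sample lines are copied from the log, except the final svchost.exe-in-Temp line, which is constructed for the example. A hit is a prompt to look at the file (hash it, check the signer, find what loads it), not a verdict.

```python
"""Triage helper for ComboFix-style file listings (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Timestamped entry as it appears in the "Files Created" and "Find3M" sections:
#   <created> . <last-write> <size or dashes> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*?)\s*$"
)
# Bare path lines (the "Other Deletions" section) carry no metadata at all.
BARE_PATH_RE = re.compile(r"^[a-z]:\\\S.*$", re.I)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif", ".ocx", ".drv"}
# Profile locations an unprivileged user, and so malware running as that user, can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
# Core Windows process names that are only legitimate under %windir%.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Entry:
    path: str
    created: Optional[str] = None
    modified: Optional[str] = None
    size: Optional[int] = None
    attrs: str = ""

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        n = self.name
        return n[n.rfind("."):] if "." in n else ""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, or None for banners, registry keys and blanks."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return Entry(m["path"], m["created"], m["modified"], size, m["attrs"])
    if BARE_PATH_RE.match(line):
        return Entry(line)
    return None


def flag_reasons(e: Entry) -> List[str]:
    """Reviewer heuristics; a hit means 'inspect this file', not 'this is malware'."""
    if e.is_dir or e.ext not in EXEC_EXT:
        return []
    p = e.path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("executable in user-writable profile path")
    if GUID_DIR_RE.search(p):
        reasons.append("executable under a {GUID} temp directory")
    if e.name in SYSTEM_NAMES and "\\windows\\" not in p:
        reasons.append("core system process name outside %windir%")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            reasons = flag_reasons(e)
            if reasons:
                hits.append((e.path, reasons))
    return hits


# Constructed sample: lines copied from the log above, plus one invented
# svchost.exe-in-Temp line (not on the page) to exercise the name-collision check.
SAMPLE_LOG = r"""
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\Mike\Application Data\Desktopicon
c:\windows\system32\asw1.tmp
2012-01-25 18:45 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-25 18:44 . 2012-01-25 18:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
2012-01-17 21:28 . 2012-01-17 21:27 720896 ----a-w- c:\windows\iun6002.exe
2012-01-09 14:58 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-01 10:12 . 2012-02-01 10:12 51200 ----a-w- c:\documents and settings\Mike\Local Settings\Temp\svchost.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("    -", r)
```

Run as-is to see the two hits from the sample, or pipe a whole ComboFix log into `triage()`; everything that is not a file line (section banners, registry keys, driver lists) is ignored by `parse_line`.
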
#37 RKinner (Malware Expert, MVP, 24,625 posts)
That worked. It does look like it got rid of stuff the first run of george created. It didn't find any malware. The guru said it was having problems reading the mbr for some reason so let's run mbrcheck just to make sure there is nothing funny there.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply. Close the program.

#38 benny_b (Member, Topic Starter, 103 posts)
I've noticed recently that the boot time has improved. The Windows start screen is only a few seconds now and the loading of personal settings is about 30 seconds. The desktop takes another minute or so to become functional. I'm not sure why that is, other than the error check we ran. I did run a few error checks previously to try to fix this. The battery is still installed.

Here's the MBR scan:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200000c

Kernel Drivers (total 119):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7BCE000 \WINDOWS\system32\KDCOM.DLL
0xF7ADE000 \WINDOWS\system32\BOOTVID.dll
0xF767F000 ACPI.sys
0xF7BD0000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF766E000 pci.sys
0xF76CE000 isapnp.sys
0xF7AE2000 compbatt.sys
0xF7AE6000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF7BD2000 aliide.sys
0xF794E000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7650000 pcmcia.sys
0xF76DE000 MountMgr.sys
0xF7631000 ftdisk.sys
0xF7BD4000 dmload.sys
0xF760B000 dmio.sys
0xF7956000 PartMgr.sys
0xF76EE000 VolSnap.sys
0xF75F3000 atapi.sys
0xF76FE000 disk.sys
0xF770E000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF75D3000 fltmgr.sys
0xF75C1000 sr.sys
0xF771E000 PxHelp20.sys
0xF75AA000 KSecDD.sys
0xF7597000 WudfPf.sys
0xF750A000 Ntfs.sys
0xF74DD000 NDIS.sys
0xF795E000 speedfan.sys
0xF74C3000 Mup.sys
0xF7C96000 giveio.sys
0xF7966000 ALiAGP.sys
0xF774E000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF743E000 \SystemRoot\system32\DRIVERS\tridxpm.sys
0xF742A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF775E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF776E000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF777E000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7407000 \SystemRoot\System32\DRIVERS\ks.sys
0xF7379000 \SystemRoot\system32\drivers\smwdm.sys
0xF7355000 \SystemRoot\system32\drivers\portcls.sys
0xF778E000 \SystemRoot\system32\drivers\drmk.sys
0xF733D000 \SystemRoot\system32\drivers\aeaudio.sys
0xF779E000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF79A6000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF79AE000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7329000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7266000 \SystemRoot\system32\DRIVERS\LTSMT.sys
0xF79BE000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7246000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF79D6000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xF7222000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF79DE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF71D2000 \SystemRoot\system32\DRIVERS\ar5211.sys
0xF71BE000 \SystemRoot\System32\DRIVERS\sdbus.sys
0xF7B86000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xF7D4C000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF77AE000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7B8E000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF71A7000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF77BE000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF77CE000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF79FE000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF7196000 \SystemRoot\System32\DRIVERS\psched.sys
0xF77DE000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7A0E000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7A1E000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7166000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF77EE000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7BDC000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF70E0000 \SystemRoot\System32\DRIVERS\update.sys
0xF7BB2000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF77FE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF782E000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7BE0000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7BE4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7D87000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BE8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A66000 \SystemRoot\System32\drivers\vga.sys
0xF7BEC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BF0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A76000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A86000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7487000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF2BC5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF2B6C000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF784E000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF2B46000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF2B1E000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF7A9E000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF7B62000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF2AFC000 \SystemRoot\System32\drivers\afd.sys
0xF785E000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF2AD1000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF2A61000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF787E000 \SystemRoot\System32\Drivers\Fips.SYS
0xF2A16000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF2981000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF7ACE000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF78AE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF70BC000 \SystemRoot\System32\drivers\Dxapi.sys
0xF798E000 \SystemRoot\System32\watchdog.sys
0xF78CE000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D01000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\tridxp.dll
0xBF0CD000 \SystemRoot\System32\ATMFD.DLL
0xED845000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xED7CD000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xED55C000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7C60000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xED51A000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xED4B1000 \SystemRoot\System32\Drivers\HTTP.sys
0xED319000 \SystemRoot\System32\DRIVERS\srv.sys
0xED2B4000 \SystemRoot\system32\drivers\wdmaud.sys
0xED781000 \SystemRoot\system32\drivers\sysaudio.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 21):
0 System Idle Process
4 System
432 C:\WINDOWS\system32\smss.exe
708 csrss.exe
732 C:\WINDOWS\system32\winlogon.exe
776 C:\WINDOWS\system32\services.exe
788 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1072 C:\WINDOWS\system32\svchost.exe
1120 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe
1252 svchost.exe
1384 C:\WINDOWS\system32\spoolsv.exe
1628 svchost.exe
1688 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1784 C:\WINDOWS\system32\svchost.exe
536 C:\WINDOWS\explorer.exe
608 C:\Program Files\AVAST Software\Avast\AvastUI.exe
128 alg.exe
164 C:\Documents and Settings\Mike\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: IC25N040ATMR04-0, Rev: MO2OAD4A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
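
MBRCheck reports where each volume sits on the physical disk, which family of MBR code it recognises, and a SHA1 of the boot sector. As an added example (not MBRCheck's code), the Python below does the equivalent by hand on a raw 512-byte sector: it checks the 0x55AA boot signature, decodes the four partition-table entries, confirms that C: at offset 0x7E00 is simply LBA 63 times 512 bytes, and hashes the 440-byte boot-code area (the part before the disk signature and partition table, which differ on every machine) for comparison with an allow-list. Which bytes MBRCheck hashes is not stated on the page, so the SHA1 here is not comparable with the one in the log; the allow-list holds only the hash of the constructed sample sector, not any real Windows MBR hash, and the sample's boot code is a constructed stand-in.

```python
"""Parse and fingerprint a raw MBR sector (added example, not MBRCheck's own code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot loader code, before the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        """Offset of the partition on the physical disk, as MBRCheck prints it."""
        return self.start_lba * SECTOR


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == MBR_SIGNATURE


def parse_mbr(sector: bytes) -> List[Partition]:
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, type_id, start_lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if type_id == 0:  # empty slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, start_lba, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    """Hash only the code area; disk signature and partition table are per-machine."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(sector: bytes, known_good: Dict[str, str]) -> dict:
    digest = boot_code_sha1(sector)
    return {
        "boot_code_sha1": digest,
        "boot_code_known": known_good.get(digest),  # None: not on the allow-list, investigate
        "partitions": parse_mbr(sector),
    }


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, type_id, start_lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16,
                         0x80 if bootable else 0x00, type_id, start_lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample, not a real Windows MBR: the code area opens with the usual
# xor ax,ax / mov ss,ax / mov sp,7C00h stack setup and is padded with NOPs.  The single
# partition is bootable NTFS (type 0x07) starting at LBA 63 on a 37 GB disk, the layout
# MBRCheck reported above (\\.\C: at offset 0x7E00 = 63 * 512).
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
DISK_SECTORS = 37 * 1024 * 1024 * 1024 // SECTOR
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(True, 0x07, 63, DISK_SECTORS - 63)])
# Allow-list keyed by boot-code hash; here it holds only the constructed sample.
KNOWN_GOOD = {boot_code_sha1(SAMPLE_MBR): "constructed sample boot code"}

if __name__ == "__main__":
    import sys
    # e.g. python mbr_check.py /dev/sda (Linux, as root) or \\.\PhysicalDrive0 (Windows, as admin)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR)
    else:
        data = SAMPLE_MBR
    result = check_mbr(data, KNOWN_GOOD)
    print("boot code SHA1:", result["boot_code_sha1"], "->", result["boot_code_known"] or "UNKNOWN")
    for p in result["partitions"]:
        print(f"  #{p.index} type=0x{p.type_id:02X} boot={p.bootable} "
              f"LBA={p.start_lba} offset=0x{p.byte_offset:X} sectors={p.sectors}")
```

With no argument it parses the constructed sample; point it at a raw device (or a `dd` image of the first sector) to fingerprint a real disk. A hash that is not on the allow-list is exactly the condition a bootkit check is looking for, and the partition offsets let you cross-check the `\\.\C: --> \\.\PhysicalDrive0 at offset` line MBRCheck prints.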

#39 RKinner (Malware Expert, MVP, 24,625 posts)
MBR check seems to think the MBR is good so I'm not sure why Combofix was having problems with it.

It sounds to me like it is running fairly normally now. We still have some things turned off in MSCONFIG. You can turn them on and see if it slows again.

Ron

#40 benny_b (Member, Topic Starter, 103 posts)
Looking at Process Explorer, HIs are spiking to 2.95 and DPCs to 1.99.

I tried to run Windows Performance Analyzer again, but I'm hung on "'xperf' is not a recognized command". From what I've read below, this tool has limited functionality on XP2 (don't know about XP3 Pro).

http://msdn.microsof...7(v=vs.85).aspx

BTW, does all of this scanning mean that I'm free of malware, viruses, etc.?

Edited by benny_b, 04 February 2012 - 02:25 PM.

#41 benny_b (Member, Topic Starter, 103 posts)
So DPC is still telling me some device drivers behave badly. I haven't enabled the services yet. I made an attempt to reinstall the Microsoft Windows Performance Toolkit by using a redistributable install on Win7, but that hasn't seemed to work either. It doesn't seem to load the xperf.exe file, for one. I'm at a bit of a loss for how to proceed here.

#42 RKinner (Malware Expert, MVP, 24,625 posts)
Don't think there is any malware left. Just bad drivers. We are getting into unfamiliar waters for me too. I normally just do malware.

#43 benny_b (Member, Topic Starter, 103 posts)
OK. So I guess that means it's not a malware problem. Well, what do you suggest we do? Should I start a new post in the XP forum, have this one transferred, or did you want to try to work further with me on this?

I did finally get the Windows Performance Toolkit to run. I copied the file from Win 7 onto my XP, created a PATH in the environment variables to run it through the command prompt, and read the .etl file on my Win 7 machine. Unfortunately the stackwalk feature does not run on XP.

In the DPC CPU usage:

The main culprit is NDIS.sys with a count of 15,090, and inside that ndisMDpc using 14,455.

Next is ntoskrnl.exe with a count of 5,485.

Next is USBPORT.SYS at 679.

In the Interrupt:

NDIS.sys 29,226
sdbus.sys 14,613
pcmcia.sys 14,613
USBPORT.SYS 14,929
VIDEOPRT.SYS 14,613
portcls.sys 14,613

I can send the logs in a zipped .etl file if you like.

Edited by benny_b, 06 February 2012 - 10:39 PM.

#44 RKinner (Malware Expert, MVP, 24,625 posts)
NDIS.sys has something to do with networking so I would get the latest network driver for your PC and see if that helps.

#45 benny_b (Member, Topic Starter, 103 posts)
I found some similar info searching around. As you may have noticed, my computer skills are somewhat rudimentary, so when you ask me to get the latest network driver I'm not sure what you are asking. I went onto the Toshiba web site and there are a number of drivers for LAN utility wi-fi, driver wi-fi, utility wi-fi, LAN driver wi-fi, LAN wi-fi, LAN driver, and another LAN driver wi-fi.