[Resolved] Windows won't boot on old XP machine

[Corsair]

Here are the DDS logs. Once computer is running it seems to do ok. She uses Mozilla Firefox as a web browser. When I double click on it from desktop icon, it seems to take an excess amount of time to open. Other than that, system seems to work ok.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Colleen Doherty at 20:01:20 on 2012-02-27
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.605 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
uSearch Page =
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page =
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant =
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{4FEEA601-3F03-4D31-A928-BB8F3867A758} : DhcpNameServer = 209.18.47.61 209.18.47.62
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\colleen doherty.d30r69c1\application data\mozilla\firefox\profiles\pxasqf06.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\8\NP_wtapp.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-8-24 82432]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [2009-5-15 174720]
S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [2009-5-15 174720]
S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [2009-5-15 174720]
.
=============== Created Last 30 ================
.
2012-02-27 17:32:57   3584   ----a-r-   c:\documents and settings\colleen doherty.d30r69c1\application data\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2012-02-27 17:32:54   --------   d-----w-   c:\program files\Windows Installer Clean Up
2012-02-27 17:31:41   --------   d-----w-   c:\program files\MSECACHE
2012-02-26 22:36:55   --------   d-----w-   c:\program files\CCleaner
2012-02-26 19:59:47   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\ElevatedDiagnostics
2012-02-26 17:15:49   81920   ----a-w-   c:\windows\system32\Startup.cpl
2012-02-25 20:18:06   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-25 19:25:34   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\Malwarebytes
2012-02-25 19:24:47   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-02-25 19:24:44   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-25 19:24:44   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-02-25 18:28:09   --------   d-----w-   c:\windows\pss
2012-02-20 04:13:17   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\YoudaGames
2012-02-16 04:47:32   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\IronCode
2012-02-16 04:33:43   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\Rainbow
2012-02-16 04:24:51   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\AtlantisQuest
2012-02-16 04:20:34   16856   ----a-w-   c:\program files\mozilla firefox\plugin-container.exe
2012-02-16 04:20:02   719832   ----a-w-   c:\program files\mozilla firefox\mozcpp19.dll
2012-02-15 22:18:05   3072   ------w-   c:\windows\system32\iacenc.dll
2012-02-15 22:18:05   3072   ------w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-14 04:17:57   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\md studio
2012-02-03 03:35:56   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\PeaceCraft3
2012-01-31 03:47:42   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\local settings\application data\Seppia
2012-01-30 02:44:22   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\local settings\application data\CrimsonThief
.
==================== Find3M  ====================
.
2012-02-17 17:48:24   90112   ----a-w-   c:\windows\DUMPcbcb.tmp
2012-01-12 16:53:24   1859968   ----a-w-   c:\windows\system32\win32k.sys
2011-12-17 19:46:36   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46:36   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58   385024   ----a-w-   c:\windows\system32\html.iec
.
============= FINISH: 20:03:12.65 ===============

[Hoov]

There could still be something lurking on the harddrive.

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix''s window while it''s running. That may cause it to stall



Also there are some hints in the event viewer logs show in the DDS scan that point to a problems so I need to get a better look at that.

I need you to go to the administration tools in XP. They are in the Control Panel. Open the Admin tools, then open the event viewer. Over on the left hand side and click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name,  make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Over on the left hand side and click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name,  make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Zip them both up into a single zip file, post them back here in your next reply as attachments.

[Corsair]

How do I get both of those evt files zipped and in one file to send you?


Here is Combofix log:
ComboFix 12-02-27.02 - Colleen Doherty 02/27/2012  21:12:14.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.463 [GMT -5:00]
Running from: c:\documents and settings\Colleen Doherty.D30R69C1\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\filesubmit
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{1010925C-CEA9-49ED-AB1F-BDA72379C99B}\1033.MST
c:\windows\Downloaded Installations\BMP\{1010925C-CEA9-49ED-AB1F-BDA72379C99B}\BACS.msi
c:\windows\NDNuninstall7_48.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\SET1C5.tmp
c:\windows\system32\SET1C8.tmp
c:\windows\system32\SET1F5.tmp
c:\windows\system32\SET1F7.tmp
c:\windows\system32\SET203.tmp
c:\windows\system32\SET276.tmp
c:\windows\system32\SET279.tmp
c:\windows\system32\SET2BD.tmp
c:\windows\system32\SET2BE.tmp
c:\windows\system32\SET2C3.tmp
c:\windows\system32\SET2C4.tmp
c:\windows\system32\SET2D6.tmp
c:\windows\system32\SET2D7.tmp
c:\windows\system32\SET2DF.tmp
c:\windows\system32\SET2E0.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-28 to 2012-02-28  )))))))))))))))))))))))))))))))
.
.
2012-02-27 17:32 . 2012-02-27 17:32   3584   ----a-r-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2012-02-27 17:32 . 2012-02-27 17:32   --------   d-----w-   c:\program files\Windows Installer Clean Up
2012-02-27 17:31 . 2012-02-27 17:31   --------   d-----w-   c:\program files\MSECACHE
2012-02-26 22:36 . 2012-02-26 22:37   --------   d-----w-   c:\program files\CCleaner
2012-02-26 19:59 . 2012-02-26 19:59   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\ElevatedDiagnostics
2012-02-26 17:15 . 2002-12-29 06:14   81920   ----a-w-   c:\windows\system32\Startup.cpl
2012-02-25 20:18 . 2012-02-25 20:18   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-25 19:25 . 2012-02-25 19:25   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\Malwarebytes
2012-02-25 19:24 . 2012-02-25 19:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-25 19:24 . 2012-02-25 19:24   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-02-25 19:24 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-20 04:13 . 2012-02-20 04:13   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\YoudaGames
2012-02-18 06:38 . 2012-02-18 06:38   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2012-02-16 04:47 . 2012-02-16 04:47   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\IronCode
2012-02-16 04:33 . 2012-02-16 04:33   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\Rainbow
2012-02-16 04:24 . 2012-02-16 04:27   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\AtlantisQuest
2012-02-16 04:20 . 2012-02-18 11:29   16856   ----a-w-   c:\program files\Mozilla Firefox\plugin-container.exe
2012-02-16 04:20 . 2012-02-18 11:29   719832   ----a-w-   c:\program files\Mozilla Firefox\mozcpp19.dll
2012-02-15 22:18 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
2012-02-15 22:18 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-14 04:17 . 2012-02-14 04:17   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\md studio
2012-02-03 03:35 . 2012-02-03 03:41   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\PeaceCraft3
2012-01-31 03:47 . 2012-01-31 03:47   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Local Settings\Application Data\Seppia
2012-01-30 02:44 . 2012-01-30 02:44   --------   d-----w-   c:\documents and settings\Colleen Doherty.D30R69C1\Local Settings\Application Data\CrimsonThief
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 17:48 . 2006-12-20 18:20   90112   ----a-w-   c:\windows\DUMPcbcb.tmp
2012-01-12 16:53 . 2004-08-10 18:51   1859968   ----a-w-   c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-10 18:51   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 18:51   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 18:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 18:51   385024   ----a-w-   c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Colleen Doherty\\Local Settings\\Temporary Internet Files\\Content.IE5\\23DKIJGP\\SweetImSetup[1].exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/24/2009 5:52 PM 82432]
S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 12:59 PM 206072]
S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/15/2009 1:34 PM 174720]
S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/15/2009 1:34 PM 174720]
S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/15/2009 1:34 PM 174720]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NDISRD
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Colleen Doherty.D30R69C1\Application Data\Mozilla\Firefox\Profiles\pxasqf06.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-27 21:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16??
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-02-27  21:30:55
ComboFix-quarantined-files.txt  2012-02-28 02:30
.
Pre-Run: 30,974,857,216 bytes free
Post-Run: 31,090,421,760 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - ECF36E65DF405401FA1101851FDC7607

[Hoov]

Save both files to the same location, select them both and then right click on one of them and select send to  then compressed file. If you can't get them zipped together, just zip them individually and attach them that way.

It does look like combofix did find some malware. Try rebooting the computer and see how it does.

[Corsair]

Here are the zipped files.  Just rebooted. Best ever! Would have to say pretty normal! I'm going to call it quits for tonight. Will check in the A.M for directions on hopefully wrapping this up! Thanks a bunch for all your help today Hoov.

[Hoov]

Do you have a Dell Printer? Also in the morning could you send me a new copy of the event viewer logs? From the time stamps it appears almost everything except the printer has been cleared up.

[Corsair]

I called my daughter and found out that she used to have a Dell printer but no longer has it or any other printer. Boot speed this morning was acceptable by the way. Attached are the zipped event files.

[Hoov]

Looks like all the problems are cleared up except for 2. In the event viewer logs there is evidence of probably one program that is failing. The bad part is that because of the problem, the event viewer has no idea what is causing it. So we need to do a bit of digging.

Please download RunScanner

• Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  
• Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
• Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
• Check Beginner Mode
• Click Scan computer
• Your will see a "Runscanner scan in progress" window displayed while Runscanner scans your system
• At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
• A runscanner.log file will automatically open in Notepad. Just close the Notepad window because, it is ONLY the runscanner.run file that we are interested in.
• Next, zip up the runscanner.run file that you just saved.
• I want you to upload the zipped runscanner.run file as an attachment in your next reply
• To do that choose "Additional Options" under "Post Reply"
• Browse to the zipped RUN file location and then click the "Post" button to attach the file.
• I will review the run file, and then upload it back to you with items marked for deletion.
• Please await my directions and the returned RUN file, and do not delete anything in the interim

[Corsair]

Before I perform your runscanner directions, I just learned something from my daughter over the telephone. She still does use a Virgin Mobile wireless USB adapter plugged into the back of her laptop to access the internet. When we made that startup folder in Control Panel, I turned off anything to do with Broadcom, Novatel wirless, etc. Before we are done, we need to turn that stuff back on. If you follow me (I hope!), should I do that now and plug that modem back into her laptop or just proceed with runscanner as directed?

Sorry for the confusion on my part.

[Hoov]

Either way is fine. Now that I know what she uses, I will ignore anything from Virgin Mobile.

[Corsair]

Before I ran the runscanner scan, I turned back on the few items in that Control Panel startup folder that we created regarding that mobile stuff. I think I got everything associated but not sure. I then rebooted and then ran the runscanner operation. Zipped run file attached.

[Hoov]

Now, I want you to fix some autostart items by using the RUN file that I have attached with items marked for deletion:

• Please download and extract the attached Zip file called runscannerCorsair.zip to your Runscanner folder
• Open Runscanner in Expert Mode by double-clicking runscanner.exe, checking "Expert" and clicking OK.
• Click the "Open Run File" button
• Browse to "runscannerCorsair.run" (the run file you just unzipped) located in the Runscaner folder, and click Open
• The screen will refresh after the run file loads
• Click the "Item Fixer" button
• The items selected to be fixed will be displayed and checked for removal
• Click "Fix Selected items"
• Confirm that you want to fix these items by clicking OK in the confirmation dialog box.
• You will receive a "Done fixing items" message when removal is complete.
• Reboot
• Launch Runscanner again, save another .RUN File called runscannerCorsair2.run
• Zip up runscannerCorsair2.run and attach it to your next reply please.

After all of this, reboot the computer and give me the event viewer logs again. Let me know what the computer says is the time you rebooted, and how it rebooted and runs.

[Corsair]

Last reboot was between 2144 and 2147. (Old sailors can still remember!) Boot seemed acceptable for speed. Event logs and .run file attached. If possible, with your blessings that is, I would like to give laptop back to daughter tomorrow when I go to visit granddaughter.

[Hoov]

Well we did not get rid of the problem, but it looks like it is tied to the fax service. If she does not use the computer to fax with, go into the administrative tools and then to the Fax service and stop it then disable it. That should deal with it. Also the event viewer shows that there is a disk error, so you need to run chkdsk on the harddrive again. Other than that, if all is well then there is no reason not to return it.

If your daughter does get back online, have her come back here and we can help her secure her computer and give her some pointers on how to keep her machine safe online.

As for the Old Sailor still remembering, I don't know about you I am still more comfortable using the 24 hour clock. As for the calendar, I wish everyone would switch over and use the Julian calendar, then I would not have to remember what month and how many days there are in it. 

[Corsair]

Not sure I follow you on how to stop fax service in admin tools. Please point me in right direction. Also ok to uninstall Combofix now and isn't there a certain way to uninstall it? I will run chkdsk again. What is the easiest way to start it?