How to get WinXP's Recovery Console installed?

Discussion in 'Malware Help (A Specialist Will Reply)' started by bboots, Oct 27, 2008.

  1. bboots

    bboots Private E-2

    I'm working through the sticky post on removing malware. I'm almost to the end of the Windows XP Cleaning Procedure, at the point where instructions begin for ComboFix.
    Following BleepingComputer's instructions, I have attempted to install Windows XP Recovery Console using my original Windows disc and typing d:\i386\winnt32.exe /cmdcons into the "run" field. I get a message that says "Windows Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. Warning: If you decide to delete the version of Windows that is currently installed on your computer, the files and settings cannot be recovered."
    The only 2 options after that warning are A) to exit click cancel or B) for more information, click details. After reading details, the only option is to exit.
    How am I going to install Recovery Console before I use ComboFix?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MG's!

    Don't worry about installing the Recovery Console, just proceed by running ComboFix and attaching the requested logs.
     
  3. bboots

    bboots Private E-2

    AGGGGHHH! As per instructions I skipped the install of Recovery Console and used the BleepingComputer instructions for running ComboFix. ComboFix has stalled at the screen titled "Find3m" which says " Preparing log report. Do not run any programs until ComboFix has finished." The cursor is blinking. It has been sitting like this for 3 hours. What should I do?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It was just updated, download a fresh copy and try running it again. If it does the same thing, skip it and proceed. :)
     
  5. bboots

    bboots Private E-2

    Have rebooted and restored my computer to the restore point established by ComboFix when it began. Questions:
    1. Will I need to uninstall the version of ComboFix I have now, before I download and install the new file? If so, is there a procedure, or do I just use Revo Uninstaller in the usual way?
    2. Although I checked carefully to make sure Avast, firewall, etc. were shut down before running ComboFix, I'm wondering if it stalled because something was still running. Is there a way to check and make sure everything is shut down before I try this again?

    And P.S. Thanks, Arrick, and all you folks at Major Geeks. I only have the nerve to work this out myself because I know y'all are there as my safety net when I stumble.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, just download, save to desktop and run again.

    You can just right click on the system tray icon and click shutdown or exit. The only way to truly unload or exit is to uninstall and this isn't really necessary just to run CF.
     
  7. bboots

    bboots Private E-2

    I have completed the steps listed in the Windows XP Cleaning Procedure and will attach the logs here. Here are details of the problem I am having and what I have done so far:

    I’ve been troubleshooting for several months, trying to find the source of multiple problems.

    This computer running Windows XP Home Edition Service Pack 3 was built for me 2 years ago especially for graphic work. It used to run very fast but a few months ago became e-x-t-r-e-m-e-l-y slow, especially when moving files around.

    I use 2 monitors, and when I drag windows from one screen to another, the graphic interface breaks up and stalls. Frequently, when I close one of the windows, portions of it will remain on my desktop, overlapping whatever other window I open. Unless I move very slowly when this happens, the computer crashes. Frequently when I perform a function like saving a file, even just a small Word doc, all the icons disappear from the monitor and take anywhere from 10 seconds to 1 or 2 minutes to start reappearing.

    I also have 2 internal hard drives. The windows system and all other programs are installed on Drive C. I store all my text, graphic and video files on internal Drive F. When I try to access Drive F, it takes at least one minute for the F Drive window to open. It takes another 30 seconds for the icons to appear in that window.

    Anytime I input information online, the computer takes many long pauses. When I have to input my name, for instance, I can type 4 letters, then the computer pauses for a full 30-seconds, sometime longer, before I can type the rest of my name. I have noticed that the Avast “A” icon on the toolbar always starts spinning as soon as I can type again, so I suspected a problem with Avast. However, I tried working on a friend’s computer that also runs Avast and had no such problems.

    For the last 2 months, my computer has been crashing hard anytime I’m working with a lot of copy & paste of html files.

    Last week, I noticed that the red LED light that usually blinks when I’m switching between drives was not coming on. Thinking this might mean a drive is failing, I went to the Western Digital site and downloaded their diagnostic tool for my 2 WD drives. The diagnostic said Drive C is “Pass.” When I select the other drive, Drive F, the diagnostic tool says “Not available.” If I tell it to run the diagnostic program on that drive, the computer crashes.

    These drives are still under warranty by Western Digital, so I wrote their tech support and asked them to tell me what my experience with the diagnostic tool means. After 8 days, I have not received a reply from them.

    I asked about the hard drives in the hardware section of the Major Geeks forum and it was suggested that the multiple problems sounded more like malware.

    Over the last 2 months I have done this:
    Replaced the mouse twice in case it was a problem with the input device.
    Uninstalled all Logitech software that was generating frequent error messages.
    Uninstalled every other piece of software I could spare.
    Run CCleaner, Spybot Search & Destroy and Smart Defrag and the Windows system tools numerous times.

    Each time I run all these system tools the computer will run faster for a few hours, but as soon as it crashes, I’m back to slow mode.

    The Windows Event Viewer under “System” will say “Error…System Control Manager” or less frequently “Error… System Error.” Under “Application” I get frequent yellow warning signs for MSinstaller.

    I have just completed the Windows XP Cleanup Procedure, running SUPERantispyware, SpyBot Search & Destroy, Malwarebytes, combofix and MGTools. The logs are attached.

    Since running the Windows XP Cleanup Procedure, I am unable to back up any data. I ordinarily back up to an external hard drive using Norton Ghost. My computer is no longer recognizing the external drive. When I was not able to back up to my primary external drive, I tried plugging a thumb drive into the main USB on the front of the computer. I got a message saying I did not have permission to access that drive. This has never happened before and I don’t know how to regain access to my external drives.

    Any advice will be deeply appreciated!
     

  8. bboots

    bboots Private E-2

    Here is the final log from the Windows XP Cleaning Procedure.
    I certainly appreciate the time you take to go through these!
     

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 3:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 4:
    Please go to the following website and upload the following two files.

    http://virusscan.jotti.org

    Copy the results and attach it to your next post if it contains anything.
     
  10. bboots

    bboots Private E-2

    O.K. I followed all your instructions in your last post step-by-step.

    C:\WINDOWS\system32\es(3).dll
    Found nothing

    and

    C:\WINDOWS\system32\es(4).dll
    Found nothing

    After using ATF-Cleaner, I rebooted and opened Firefox. ALL the cookies and passwords were intact. I followed the instructions again to be certain I didn't miss a step. Same result--cookies and passwords intact.

    I've been working on my computer for 2 days, watching to see what has changed. Here's what I notice:
    1. The system has NOT been crashing. Hoorah!

    2. Adobe PDF documents are no longer hanging up when I close them.

    3. The graphic interface of documents and programs is not breaking up AS MUCH when I move them about on my desktop. It used to look like an acid flashback. Now there's just a brief delay before the graphic disappears in one place and appears in another. Sometimes when I close a window, only a portion of it disappears. The remainder hangs around and overlaps new windows I open. This computer was built for graphics work and used to easily meet my needs when I had multiple windows open. Now just a Word doc and a browser open seem a challenge.

    4. There are still long delays when I perform certain actions. I have 2 internal drives. When I go to My Computer and click on the second drive, there is a 30 second to 1 minute delay before the window opens. When it opens, it is blank. Then all the icons disappear from my desktop. Then the items within the new window appear, followed by the desktop icons reappearing.
    In the same vein, if I fill out a form on the internet and hit "send" the window will go blank white for a few seconds, then begin reappearing. Or if I have Firefox open and click on an icon on my desktop, all of the icons will disappear for a few seconds, then begin reappearing.

    5. Entering information on the internet is still extremely slow. When I go to GoDaddy and enter my user name, I can type 3 letters, then the cursor freezes. After 15 to 30 seconds it starts blinking again and I can finish typing my user name. Then there's another wait while the cursor freezes and unfreezes before I can type in my password. Just logging in takes about 2 minutes. 2 weeks ago I removed ALL add-ons to Firefox in case one of them was the problem. I still notice that the Avast icon always begins spinning when the cursor unfreezes. Avast is set to use the defaults.

    6. Something new--I am not able to access any of the devices I use for backup. I use Norton Ghost to back up to an external drive using a USB connection, Mozy to back up to online storage space and USB flash drives to back up work-in-progress during the day. At this time, I am not able to access any of these. The computer does not recognize that these external devices have been attached and the Mozy icon says "automatic backups suspended" even though I have set it to configure for backup twice since running all these scans. (I am, however, able to use a microphone and a printer connected by USB.)

    Another thing-- I have tried to use msconfig to remove Smart Defrag from my startup, but each time I reboot, Smart Defrag is back in the start-up menu.
    I'm assuming that when I ran these tools and scans, something was reset to a default so I no longer have permission to change the start-up menu or backup files, but I don't know what that would be.

    So, Sherlock Holmes, where do I go from here?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Something you need to remember, not all computer problems are malware related. Your logs are clean and the problems you are explaining are not malware related. At this point, I would recommend you posting all of your current issues in the Software Forum.

    First, never use "msconfig" to manage your startup items. See the below thread for more information.

    Dealing with Startup Processes

    If you want to remove Smart Defrag from starting up then run HJT and remove the below entry.

    O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
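    The O4 line above is HijackThis's rendering of a value in the HKLM\...\CurrentVersion\Run key: the name in brackets is the registry value name, the quoted string is its data. The PowerShell below is an added example, not part of this thread or of HijackThis, that does the same job the advice describes: list every Run/RunOnce value in the machine and user hives in the same Key / Name / Command layout, then remove one by value name. It assumes the value name "SmartDefrag" from the O4 line, must be run from an administrator session to touch the HKLM hive, and is written against the cmdlets available in PowerShell 2.0 so it works on an XP-era machine. The -WhatIf switch prints what would be removed without changing anything; drop it for the real removal.

```powershell
# Added example (not from the thread): enumerate the autostart "Run" values that
# HijackThis reports as O4 entries, and remove one by value name.
# Assumes the value name "SmartDefrag" taken from the O4 line; HKLM needs an
# administrator session. Removing the value stops the autostart only; the
# program itself stays installed and can still be run or uninstalled normally.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds to every result and that are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntry {
    # Emits one object per autostart value: hive key, value name, command line.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

function Remove-RunEntry {
    # Deletes the named value from every Run/RunOnce key that holds it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $found = $false
    foreach ($entry in (Get-RunEntry | Where-Object { $_.Name -eq $Name })) {
        $found = $true
        $target = "$($entry.Key)\$($entry.Name)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove autostart value')) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name
            Write-Host "Removed $target -> $($entry.Command)"
        }
    }
    if (-not $found) { Write-Warning "No Run/RunOnce value named '$Name' was found." }
}

# 1. Review everything that starts with the machine or the current user.
Get-RunEntry | Select-Object Key, Name, Command | Format-Table -AutoSize

# 2. Dry run, then the real removal once the listed target is the one you expect.
Remove-RunEntry -Name 'SmartDefrag' -WhatIf
# Remove-RunEntry -Name 'SmartDefrag'
```

    Unlike msconfig, which only unticks the item and leaves it for the program to re-add or for Windows to keep in its disabled-items list, this removes the registry value outright, which is the same thing the HijackThis fix does. If the entry returns after a reboot even so, the program (or a scheduled task or service) is re-creating it, and the place to disable it is the program's own settings or Add/Remove Programs.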
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  13. bboots

    bboots Private E-2

    Many thanks for your advice. I truly appreciate the time you took to help me. Salut!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     