W32.Blaster.Worm & CMD.EXE

Had the msblaster worm problem which was detected and removed with the help of advice offered in these boards. I have seen other mentions of CMD.exe problems that may be associated with this worm.
I have found CMD.EXE -087B4001.pf size 5KB in Windows\Prefetch folder. The date created happens to coincide with the date of the msblaster problems. Does anyone have any ideas if this is related to the worm problem, or am I getting really paranoid? Would you suggest deleting this file?
 
You can delete all files in the Prefetch folder as far as I know; XP creates them again during the next reboot, unless you do the following:

Start Regedit, navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher

0 - disable
1 - prefetch when starting apps
2 - prefetch when booting
3 - both
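The Prefetch file named in the question is itself a small record of program execution, so before emptying the folder as the reply suggests it is worth reading what it says: the file name encodes the executable and a hash of its path, and the Windows XP / Server 2003 header (format version 17) stores the time of the last launch and a run count, which is far more useful for tying CMD.EXE to the infection date than the folder's creation date. The Python below is an added example, not code posted in this thread or shipped by Microsoft; the header offsets follow public documentation of the Prefetch format, and the sample file is constructed inside the script with an invented last-run time and count rather than taken from a real machine.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Header layout of a Windows XP / Server 2003 Prefetch file (format version 17),
# as documented by public reverse-engineering of the format (e.g. libscca).
PF_VERSION_XP = 17
PF_SIGNATURE = b"SCCA"
EXE_NAME_OFFSET, EXE_NAME_SIZE = 0x10, 60   # UTF-16LE executable name, NUL padded
PATH_HASH_OFFSET = 0x4C                      # 32-bit hash of the executable's path
LAST_RUN_OFFSET = 0x78                       # 64-bit FILETIME of the last launch
RUN_COUNT_OFFSET = 0x90                      # 32-bit launch counter
HEADER_MIN_SIZE = 0x98                       # end of the file-information block

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# NAME-HASH.pf; the thread shows a stray space before the dash, so the
# executable part is stripped after matching.
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def filetime_to_datetime(ticks):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic only, so large tick counts do not lose precision."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_pf_filename(name):
    """Split 'CMD.EXE-087B4001.pf' into ('CMD.EXE', '087B4001')."""
    m = PF_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Prefetch file name: {name!r}")
    return m.group("exe").strip().upper(), m.group("hash").upper()


def parse_xp_prefetch_header(data):
    """Return executable, path hash, last run time and run count from a v17 header."""
    if len(data) < HEADER_MIN_SIZE:
        raise ValueError("too small for a version 17 Prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported Prefetch format version {version}")
    raw = data[EXE_NAME_OFFSET:EXE_NAME_OFFSET + EXE_NAME_SIZE]
    exe_name = raw.decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, PATH_HASH_OFFSET)
    (last_run,) = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)
    (run_count,) = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)
    return {
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def build_sample_pf(exe_name, path_hash, last_run, run_count):
    """Construct a synthetic v17 header so the parser can be exercised offline."""
    buf = bytearray(HEADER_MIN_SIZE)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))           # total file size field
    name = exe_name.encode("utf-16-le")[:EXE_NAME_SIZE - 2]
    buf[EXE_NAME_OFFSET:EXE_NAME_OFFSET + len(name)] = name
    struct.pack_into("<I", buf, PATH_HASH_OFFSET, path_hash)
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET, run_count)
    return bytes(buf)


# Constructed sample: the file name from the question, with a hypothetical
# last-run time and count; not data from any real machine.
SAMPLE_PF_NAME = "CMD.EXE-087B4001.pf"
SAMPLE_PF = build_sample_pf(
    "CMD.EXE", 0x087B4001, datetime(2003, 8, 12, 14, 30, tzinfo=timezone.utc), 3
)


def summarize(name, data):
    """One-line triage summary; flags a file whose name disagrees with its header."""
    exe, path_hash = parse_pf_filename(name)
    rec = parse_xp_prefetch_header(data)
    consistent = exe == rec["executable"].upper() and path_hash == rec["path_hash"]
    return (f"{rec['executable']} (path hash {rec['path_hash']}) last run "
            f"{rec['last_run']:%Y-%m-%d %H:%M:%S} UTC, {rec['run_count']} launch(es); "
            f"name/header consistent: {consistent}")


if __name__ == "__main__":
    print(summarize(SAMPLE_PF_NAME, SAMPLE_PF))
```

To use it on a real system, read the bytes of a file from the Prefetch folder and pass them with its name to `summarize`; the last-run time and launch count then give a concrete timeline point to compare against the date the worm was cleaned, and the name/header consistency check catches a file that was renamed or altered. Newer Windows versions use later (and compressed) format versions, which this version-17 parser deliberately rejects rather than misreads.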
 
XP Kernel Enhancements

Logical Prefetcher for Faster Boot and Application Launch

When a Windows XP system is booted, data is saved about all logical disk read operations. On later boots, this information is used to prefetch these files in parallel with other boot operations. During boot and application launch, a Windows system demands and pages a sizable amount of data in small chunks (4 KB to 64 KB), seeking between files, directories, and metadata. The Logical Prefetcher, which is new for Windows XP, brings much of this data into the system cache with efficient asynchronous disk I/Os that minimize seeks. During boot, the Logical Prefetcher finishes most of the disk I/Os that need to be done for starting the system in parallel to device initialization delays, providing faster boot and logon performance.

Logical prefetching is accomplished by tracing frequently accessed pages in supported scenarios and efficiently bringing them into memory when the scenario is launched again. When a supported scenario is started, the transition page faults from mapped files are traced, recording which page of a file is accessed. When the scenario has completed (either the machine has booted or the application started), the trace is picked up by a user-mode maintenance service, the Task Scheduler. The information in the trace is used to update or create a prefetch-instructions file that specifies which pages from which files should be prefetched at the next launch.

The user-mode service determines which pages to prefetch by looking at how successful prefetching has been for that scenario in the past, and which pages were accessed in the last several launches of the scenario. When the scenario is run again, the kernel opens the prefetch instructions file and asynchronously queues paging I/O for all of the frequently accessed pages. The actual disk I/Os are sorted by the disk drivers to go up the disk once to load all pages that are not already in memory. This minimizes seeks, cuts down on disk time, and increases performance. The kernel also prefetches the file system metadata for the scenario, for example, MFT entries and directory files. Because prefetching is useful only when the required data is not in memory, the applications that are launched frequently are not traced and prefetched each time.
 