Microsoft Windows XP Home SP 3
Dell Inspiron 2200 Notebook Laptop
Physical Memory 512.00 MB
Available Memory 154.94 MB
Total Virtual Memory 2.00 GB
In the time since that post, I've been busying myself with trying to bring this machine up to date: updating drivers, hardware, software, etc.; uninstalling or deleting old, unused or unwanted programs, files, folders, etc.; replacing some factory-installed programs; adding a third-party firewall (OA); and generally attempting to fine-tune it and, in the process, educate myself. The machine is running very smoothly now (for my limited needs) and doesn't APPEAR to be infected, but these entries in Autoruns concern me.
BVRPMPR5 File not found: D:\INSTAL~E\Core\BVRPMPR5.SYS
mbr File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\mbr.sys
MEMSWEEP2 File not found: C:\WINDOWS\system32\2.tmp
pxdiypob File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\pxdiypob.sys
I dug into these a little and this article in particular re: MBR convinced me that I needed to seek expert advice before going any further:
This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with. The MBR rootkit - known as "Mebroot" - is highly advanced and, according to security solutions provider F-Secure, probably the stealthiest malware seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system...
And this: http://it.slashdot.org/article.pl?sid=08/01/08/0154227
Boot Record Rootkit Threatens Vista, XP, NT
Posted by kdawson on Mon Jan 07, 2008 10:41 PM
from the writing-to-zero dept.
Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS.
"Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."
According to this link MEMSWEEP2 is a Rootkit: http://forum.emsisoft.com/Default.aspx?g=posts&t=1914
But then I found this on bleeping's startup list tab:
This is a valid program but it is not required to run on startup.
This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. The following information is a brief description of what is known about this file. If you require further assistance for this file, feel free to ask about it in the forums.
A Google search for pxdiypob.sys:
Your search - pxdiypob.sys - did not match any documents
Info on BVRPMPR5:
Also, why is this in "D"????
One last thing before I end this post. (WHEW!) I recently used regsearch to delete registry entries associated with catchme.sys (Keylogger?):
What is catchme.sys?
Although it can be used by legitimate programs, this file is also used with malicious programs such as rootkits and keyloggers and should be a file of concern.
Is catchme.sys safe?
This file catchme.sys is a threat and your system should be cleaned.
Overall threat: Yes
Edit to add: After deleting the "catchme.sys" keys, system shut down & start-up times have improved exponentially
Thank you in advance, looking forward to a response.
Edited by I'mlosthere, 16 October 2009 - 03:03 PM.
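An editor's added example, not code from the post, from Autoruns or from any of the sites quoted above: a small defender-side triage script for "File not found" driver entries of the shape listed in the post. Such an entry means the service key still points at an image path that no longer exists on disk, so the driver cannot load; what remains is an orphaned registry entry. The script parses the lines, records that fact, and flags the path characteristics a reviewer would prioritise for follow-up (image on a non-system drive, in a user Temp directory, with a .tmp name, or outside the standard drivers folder). The sample lines are constructed from the four paths quoted in the post; the flagging rules are the example's own assumptions and are prioritisation hints, not verdicts, since legitimate tools also install drivers outside the drivers folder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the Autoruns lines quoted in the post.
# An entry reads "File not found" when the service key under
# HKLM\SYSTEM\CurrentControlSet\Services still names an image path that is
# no longer on disk, so the driver cannot actually load.
SAMPLE_ENTRIES = r"""
BVRPMPR5 File not found: D:\INSTAL~E\Core\BVRPMPR5.SYS
mbr File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\mbr.sys
MEMSWEEP2 File not found: C:\WINDOWS\system32\2.tmp
pxdiypob File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\pxdiypob.sys
"""

# "<service name> File not found: <image path>"
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+File not found:\s+(?P<path>.+?)\s*$")

# Assumed location of properly installed kernel drivers (relative to the drive).
DRIVERS_DIR = "windows\\system32\\drivers\\"


@dataclass
class DriverEntry:
    name: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Return one DriverEntry per line that matches the Autoruns-style format."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m.group("name"), m.group("path")))
    return entries


def assess(entry, system_drive="C:"):
    """Attach review reasons to an entry and return them (assumed heuristics)."""
    path = entry.image_path.lower()
    drive, _, tail = path.partition("\\")
    filename = tail.rsplit("\\", 1)[-1]
    reasons = ["orphaned service key: image missing, driver cannot load"]
    if drive != system_drive.lower():
        reasons.append("image on non-system drive")
    if "\\temp\\" in path:
        reasons.append("image in a user Temp directory")
    if filename.endswith(".tmp"):
        reasons.append("image has a .tmp name")
    if not tail.startswith(DRIVERS_DIR):
        reasons.append("image outside %SystemRoot%\\system32\\drivers")
    entry.reasons = reasons
    return reasons


def triage(text, system_drive="C:"):
    """Map each service name to its list of review reasons."""
    return {e.name: assess(e, system_drive) for e in parse_entries(text)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Because the image file is gone, the leftover key is the remediation target; removing the entry in Autoruns (or the service key it points to) cleans it up, and the more useful question for each flagged name is which installed or uninstalled tool registered it.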