AutoRuns detects several entries in the driver startup tab as "File not found"


#1 Union_Thug

Posted 16 October 2009 - 09:01 AM

Hello, I hope I can accurately describe all I've done with my machine over the last 2 months or so, much of which is described here: http://www.bleepingcomputer.com/forums/ind...p;#entry1408857

Microsoft Windows XP Home SP 3
Dell Inspiron 2200 Notebook Laptop
Physical Memory 512.00 MB
Available Memory 154.94 MB
Total Virtual Memory 2.00 GB

In the time since that post, I've been busying myself with trying to bring this machine up to date: updating drivers, hardware, software, etc., uninstalling or deleting old, unused or unwanted programs, files, folders, etc., replacing some factory-installed programs, adding a third-party firewall (OA), and generally attempting to fine-tune it and in the process educate myself. The machine is running very smoothly now (for my limited needs) and doesn't APPEAR to be infected, but these entries in Autoruns concern me.

BVRPMPR5 File not found: D:\INSTAL~E\Core\BVRPMPR5.SYS
mbr File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\mbr.sys
MEMSWEEP2 File not found: C:\WINDOWS\system32\2.tmp
pxdiypob File not found: C:\DOCUME~1\Nick\LOCALS~1\Temp\pxdiypob.sys


I dug into these a little and this article in particular re: MBR convinced me that I needed to seek expert advice before going any further:

http://www.cxotoday.com/India/News/MBR_Roo...-87316-909.html

This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with. The MBR rootkit - known as "Mebroot" - is highly advanced and according to security solutions provider, F-secure, probably the stealthiest malware seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.....


And this: http://it.slashdot.org/article.pl?sid=08/01/08/0154227

Boot Record Rootkit Threatens Vista, XP, NT
Posted by kdawson on Mon Jan 07, 2008 10:41 PM
from the writing-to-zero dept.
Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS.
"Unfortunately, all the Windows NT family (including Vista) still have the same security flaw MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."



According to this link MEMSWEEP2 is a Rootkit: http://forum.emsisoft.com/Default.aspx?g=posts&t=1914

But then I found this on bleeping's startup list tab:

This is a valid program but it is not required to run on startup.

This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. The following information is a brief description of what is known about this file. If you require further assistance for this file, feel free to ask about in the forums.


A Google search for pxdiypob.sys:

Your search - pxdiypob.sys - did not match any documents


Info on BVRPMPR5:

http://www.file.net/process/bvrpmpr5.sys.html
http://www.runscanner.net/file/BVRPMPR5.SYS.html
http://goliath.ecnext.com/coms2/gi_0199-36...Software-s.html

Also, why is this in "D"????

One last thing before I end this post. (WHEW!) I recently used regsearch to delete registry entries associated with catchme.sys (Keylogger?):

http://www.computerhope.com/cgi-bin/process.pl?p=catchme.sys

What is catchme.sys?
Although can be used for legit programs this file is also used with malicious programs such as rootkits and keyloggers and should be a concern file.

Is catchme.sys safe?
This file catchme.sys is a threat and your system should be cleaned.

Overall threat: Yes
Spyware: no
Trojan: no
Virus: no
Malware: Yes


Edit to add: After deleting the "catchme.sys" keys, system shut down & start-up times have improved exponentially

Thank you in advance, looking forward to a response.

Edited by I'mlosthere, 16 October 2009 - 03:03 PM.
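Added example, not part of the original post and not Sysinternals code: on the Autoruns Drivers tab, "File not found" means the service key under HKLM\SYSTEM\CurrentControlSet\Services still exists but the ImagePath it names is gone, so the driver cannot load; the only question is what created the key. The Python script below parses lines in the exact form quoted above (a constructed copy of the four entries), derives the registry key behind each one, and applies a few triage heuristics: the drive letter, a user Temp directory, a .tmp file in system32, an eight-random-lowercase-letter name (a pattern GMER's own driver uses, and one malware also uses), and a small name table of on-demand anti-rootkit scanners that load a throwaway driver and can leave a dead key behind (GMER's mbr.exe, GMER's catchme as shipped with ComboFix, Sophos Anti-Rootkit's MEMSWEEP2). That table, the verdict labels and the heuristics are this example's assumptions, not Autoruns output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the four Autoruns "Drivers" tab lines quoted in the post.
SAMPLE_LINES = """\
BVRPMPR5 File not found: D:\\INSTAL~E\\Core\\BVRPMPR5.SYS
mbr File not found: C:\\DOCUME~1\\Nick\\LOCALS~1\\Temp\\mbr.sys
MEMSWEEP2 File not found: C:\\WINDOWS\\system32\\2.tmp
pxdiypob File not found: C:\\DOCUME~1\\Nick\\LOCALS~1\\Temp\\pxdiypob.sys
"""

# Assumption table for this example: on-demand anti-rootkit tools that load a
# throwaway driver under these service names. Verify against the vendors'
# documentation before relying on it.
KNOWN_SCANNER_DRIVERS = {
    "mbr": "GMER mbr.exe (MBR rootkit detector)",
    "catchme": "GMER catchme (bundled with ComboFix)",
    "memsweep2": "Sophos Anti-Rootkit",
}

LINE_RE = re.compile(r"^(?P<name>\S+)\s+File not found:\s*(?P<path>.+?)\s*$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class DeadDriver:
    name: str          # service name = subkey under ...\Services
    path: str          # ImagePath that Autoruns could not find on disk
    service_key: str   # registry key that still references the missing binary
    findings: list = field(default_factory=list)
    verdict: str = ""


def parse_autoruns_lines(text):
    """Parse 'NAME File not found: PATH' lines as shown on the Drivers tab."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + name
            entries.append(DeadDriver(name, path, key))
    return entries


def triage(entry, system_drive="C:"):
    """Attach findings and a verdict to one dead driver entry; returns it."""
    p = entry.path.lower()
    base = p.rsplit("\\", 1)[-1]          # file name part of the ImagePath
    stem = base.rsplit(".", 1)[0]         # file name without extension
    name = entry.name.lower()
    on_system_drive = p.startswith(system_drive.lower() + "\\")
    f = entry.findings

    if name in KNOWN_SCANNER_DRIVERS:
        f.append("service name matches " + KNOWN_SCANNER_DRIVERS[name])
    if not on_system_drive:
        f.append("ImagePath is on another drive: key left by an installer "
                 "run from install media or a second disk")
    if "\\temp\\" in p:
        f.append("driver was loaded from a user Temp directory")
    if "\\system32\\" in p and base.endswith(".tmp"):
        f.append("driver was a .tmp file in system32")
    if RANDOM_NAME_RE.match(stem) and name not in KNOWN_SCANNER_DRIVERS:
        f.append("eight random lowercase letters: a pattern used by GMER's "
                 "own driver and also by malware")

    if name in KNOWN_SCANNER_DRIVERS:
        entry.verdict = "scanner leftover"
    elif not on_system_drive:
        entry.verdict = "orphaned installer driver"
    else:
        entry.verdict = "unknown: have it checked before deleting"
    return entry


def triage_report(text):
    """Return {service name: verdict} for every File-not-found line in text."""
    return {e.name: triage(e).verdict for e in parse_autoruns_lines(text)}


if __name__ == "__main__":
    for e in parse_autoruns_lines(SAMPLE_LINES):
        triage(e)
        print(f"{e.name:10} {e.verdict}")
        print(f"           key: {e.service_key}")
        for finding in e.findings:
            print(f"           - {finding}")
```

The script never touches the registry; it only tells you which key each entry lives under and why it looks the way it does. Deleting a dead key is the same action as pressing Delete on the entry in Autoruns, and for an entry the script marks "unknown" the right move is the one rigel gives below: post the log in the HJT forum rather than guess.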




#2 rigel

Posted 16 October 2009 - 08:34 PM

If you have the MBR rootkit, you need to move to the advanced forum for help...

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Union_Thug (Topic Starter)

Posted 17 October 2009 - 05:04 AM

Thank you for the quick response! Topic started in HJT here.

I see you posted my comment on your profile page; I meant every word.

#4 rigel

Posted 17 October 2009 - 11:16 AM

Thank you for the comment!

Have a good weekend...

