Author Topic: 2 strange items in startup  (Read 10875 times)

Offline Bluemeanie

  • Jr. Member
  • **
  • Posts: 59
Re: 2 strange items in startup
« Reply #15 on: August 07, 2011, 05:58:11 PM »
I'll give that a try and see what happens. Thanks Essexboy and all.
Oh, I did run Aswmbr, from what I can see it's clean too. But I do see where it says unknown MBR code, is that something I should be concerned with? I've attached the log as well.






Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40604
  • Dragons by Sasha
    • Malware fixes
Re: 2 strange items in startup
« Reply #16 on: August 07, 2011, 06:01:28 PM »
Do you have a Dell or HP system ?

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #17 on: August 07, 2011, 07:41:49 PM »
No, system is homebrew.

Offline essexboy

Re: 2 strange items in startup
« Reply #18 on: August 07, 2011, 09:58:43 PM »
OK, let's look deeper on that MBR then

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #19 on: August 07, 2011, 10:48:39 PM »
Ok, I ran that, how long does it normally take to run? Asking since it did create a report on the desktop. But the window it was running in appeared to hang, that is I had an hour glass at the bottom of it. I let it sit that way for about 30 minutes. Then found I couldn't start anything, couldn't close the window, resorted to a reset to get things back.

Offline essexboy

Re: 2 strange items in startup
« Reply #20 on: August 07, 2011, 11:04:23 PM »
That is not normal - should take no more than a minute or two

Let's see if we can get a dump of the MBR

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 
Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:
Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 1 and press Enter
 
It will then ask for a name and location - call it mbr.txt and save to your desktop
Attach it to your next post please

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #21 on: August 08, 2011, 04:25:16 PM »
I tried MBRCheck again, here's what I've found.
With Avast running it wants to open it in the sandbox, if I tell it to run normally, it hangs.
If I let it run in the sandbox, it runs to completion, but says Error opening the drive (I'll put the entire text of it at the end of this).
If I turn Avast off, it hangs.
I don't know what it would do if I uninstall Avast and run it.
I do have a mbr.dat file (512 bytes) on my desktop, I believe that appeared after running aswMBR.

And here's the text from running MBRCheck in the sandbox.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:                Windows XP Home Edition
Windows Information:            Service Pack 3 (build 2600)
Logical Drives Mask:            0x0000007c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000012`f03b4000  (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000002f`00153a00  (NTFS)

      Size  Device Name          MBR Status
  --------------------------------------------
ERROR Opening: \\.\PhysicalDrive0 (5)


Done!
Press ENTER to exit...
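
As an added illustration, not part of the thread or of any tool mentioned in it: a 512-byte dump such as the mbr.dat file described above can be inspected offline. This Python example checks the 0x55AA signature, lists the partition entries (a start at LBA 63 gives the 0x7e00 byte offset MBRCheck reports for C:), and hashes the boot-code region so two dumps can be compared; the sample sectors and their boot-code bytes are constructed placeholders, not real dumps.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439: boot code; 440-443: disk signature
TABLE_OFFSET = 446           # four 16-byte partition entries, then 0x55AA
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0F: "Extended (LBA)"}

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # Entry layout: status, CHS start (3), type, CHS end (3), start LBA, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:                      # unused slot
            continue
        partitions.append({
            "slot": i,
            "active": status == 0x80,
            "status_valid": status in (0x00, 0x80),
            "type": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "byte_offset": lba * SECTOR_SIZE,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }

def same_boot_code(dump_a: bytes, dump_b: bytes) -> bool:
    """True when two dumps differ at most in disk signature or partition table."""
    return parse_mbr(dump_a)["boot_code_sha256"] == parse_mbr(dump_b)["boot_code_sha256"]

def build_sample(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed sector (not a real dump): one active NTFS partition at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    head = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_sig) + b"\x00\x00"
    return head + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    before = build_sample(b"\xeb\x3c" + b"UNKNOWN-CODE")    # placeholder bytes
    after = build_sample(b"\xeb\x3c" + b"REFERENCE-CODE")   # placeholder bytes
    for p in parse_mbr(before)["partitions"]:
        print(f"slot {p['slot']}: {p['type']} at 0x{p['byte_offset']:x} active={p['active']}")
    print("boot code unchanged:", same_boot_code(before, after))
```

To use it on a real dump, pass the file's bytes to `parse_mbr` and compare the hash against a dump taken from a known-good disk of the same Windows version.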

Offline essexboy

Re: 2 strange items in startup
« Reply #22 on: August 08, 2011, 07:50:13 PM »
Not overly happy with the failure to dump the MBR - so let's get the RC installed and if necessary we will reset the MBR from there

Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.

They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.


Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #23 on: August 08, 2011, 09:47:23 PM »
Here's the log. Oh, I didn't know Combofix would reboot, so I only had Avast shields set to off until a reboot, hope that wasn't a problem. And on the reboot, it wanted to Sandbox a lot of things, I told them to all run normally.

Offline essexboy

Re: 2 strange items in startup
« Reply #24 on: August 08, 2011, 10:39:02 PM »
How is the system now ?

Are the phantom startups still there ?

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #25 on: August 08, 2011, 11:03:33 PM »
All seems well now. Tho the MBR still isn't right, that is MBRCheck still does its thing. Any ideas for that?

Offline essexboy

Re: 2 strange items in startup
« Reply #26 on: August 08, 2011, 11:10:53 PM »
As you have a custom built machine we can replace it with a fresh copy from the recovery console

Reboot to the recovery console, it will now be part of the safe mode menu

Once in the recovery console, at the command prompt type in the following:

Fixmbr

When complete type

Exit

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #27 on: August 09, 2011, 01:02:16 AM »
I believe that has fixed the mbr, it did say it wrote it. However MBRCheck still hangs. I ran AswMBR and it now shows it as a Windows XP default mbr. I know I shouldn't have run that, but I was curious as to whether it really did anything. Is there some service that MBRCheck needs that possibly isn't running?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87079
  • No support PMs thanks
Re: 2 strange items in startup
« Reply #28 on: August 09, 2011, 01:31:22 AM »
The aswMBR.exe is firstly an analysis tool, so long as you don't try to make any changes it shouldn't be an issue.

Now you have a default XP MBR code that is a good start. I don't know if you have rebooted yet after doing the fixmbr, if not I would reboot.

I don't know why mbrcheck hangs, hopefully essexboy may have some suggestions when he is next on-line later today (currently 00:30am in the UK).

Since the fixmbr worked, I don't know if essexboy would need the mbrcheck results.

Are you having any other problems ?

Offline Bluemeanie

Re: 2 strange items in startup
« Reply #29 on: August 09, 2011, 02:16:47 PM »
I'm not sure if it's related, but ever since running combofix, the internet side of things has been a lot slower than normal. I ran some speed tests and find that where my download used to average 9.6-9.8Mbps, now it's lucky to see 6.5. Did what we did change any setting that would affect that? Also I noticed that autoplay and autorun are disabled.
Also had 2 BSODs last night, both in IPNAT.sys. That's new as well, haven't seen one of those in years.