2 strange items in startup

That is not normal; it should take no more than a minute or two.

Let's see if we can get a dump of the MBR.

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 1 and press Enter

It will then ask for a name and location - call it mbr.txt and save to your desktop
Attach it to your next post please

I tried MBRCheck again, here’s what I’ve found.
With Avast running it wants to open it in the sandbox; if I tell it to run normally, it hangs.
If I let it run in the sandbox, it runs to completion, but says Error opening the drive (I'll put the entire text of it at the end of this).
If I turn Avast off, it hangs.
I don’t know what it would do if I uninstall Avast and run it.
I do have a mbr.dat file (512 bytes) on my desktop, I believe that appeared after running aswMBR.

And here’s the text from running MBRCheck in the sandbox.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000007c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000012`f03b4000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000002f`00153a00 (NTFS)

  Size  Device Name          MBR Status

ERROR Opening: \\.\PhysicalDrive0 (5)

Done!
Press ENTER to exit…
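The log above shows the three NTFS volumes on PhysicalDrive0 and then MBRCheck failing to open the raw disk with error 5, which is the Win32 ERROR_ACCESS_DENIED code; that matches the sandbox refusing raw device access. The 512-byte mbr.dat that aswMBR left on the desktop already contains what MBRCheck wanted to dump, so the checks MBRCheck would have run on it can be done by hand. The script below is an added example and is not part of the thread or of MBRCheck or aswMBR: it validates the 0x55AA signature, parses the four partition entries, confirms that the byte offsets MBRCheck printed for C:, D: and E: are real partition starts, and fingerprints the boot-code region so it can be compared with a known-good baseline (for instance a dump taken after fixmbr). The sample MBR it builds is constructed for the demonstration, with placeholder boot code and a made-up size for the last partition; only the three start offsets come from the log.

```python
"""Audit a raw 512-byte MBR dump such as the mbr.dat produced by aswMBR."""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 are boot code; 440..445 hold the disk signature and padding
PART_TABLE_OFF = 446         # four 16-byte partition entries follow, then the 0x55AA signature
ENTRY_FMT = "<B3xB3xII"      # status, (CHS start), type, (CHS end), start LBA, sector count

# Byte offsets MBRCheck reported for C:, D: and E: in the log above.
LOG_OFFSETS = (0x7E00, 0x12F03B4000, 0x2F00153A00)


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.start_lba * SECTOR

    @property
    def end_lba(self) -> int:          # exclusive
        return self.start_lba + self.sectors


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte dump, got {len(mbr)} bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; this is not an MBR")
    parts = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id != 0:
            parts.append(Partition(i, status, type_id, start, count))
    return parts


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition-table edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit(mbr: bytes, expected_offsets: Sequence[int] = (), baseline: Optional[bytes] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    parts = parse_mbr(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):           # only inactive/bootable are valid
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
    if sum(1 for p in parts if p.status == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    ordered = sorted(parts, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.end_lba > b.start_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    starts = {p.byte_offset for p in parts}
    for off in expected_offsets:                   # the volumes the OS mounts must start at real entries
        if off not in starts:
            findings.append(f"no partition starts at offset 0x{off:x}")
    if baseline is not None and mbr[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
        findings.append("boot code differs from baseline: " + boot_code_fingerprint(mbr)[:16])
    return findings


def build_sample_mbr(boot_code: bytes = b"\xEB\xFE" + b"\x90" * 438) -> bytes:
    """Constructed MBR: placeholder boot code plus three NTFS entries at the logged offsets."""
    assert len(boot_code) == BOOT_CODE_LEN
    lbas = [off // SECTOR for off in LOG_OFFSETS]            # C: starts at LBA 63
    sizes = [lbas[1] - lbas[0], lbas[2] - lbas[1], 200_000_000]  # last size is made up
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if i == 0 else 0x00, 0x07, lba, size)
        for i, (lba, size) in enumerate(zip(lbas, sizes))
    ) + b"\x00" * 16                                          # fourth entry empty
    return boot_code + b"\xDE\xAD\xBE\xEF\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    # usage: python mbr_audit.py mbr.dat [baseline.dat]
    if len(sys.argv) > 1:
        dump = open(sys.argv[1], "rb").read()
        base = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
    else:
        dump, base = build_sample_mbr(), None
    for p in parse_mbr(dump):
        print(f"entry {p.index}: type 0x{p.type_id:02x} start 0x{p.byte_offset:x} sectors {p.sectors}")
    print("boot code sha256:", boot_code_fingerprint(dump))
    print("findings:", audit(dump, LOG_OFFSETS, base) or "none")
```

Note that the fingerprint on its own proves nothing: it only becomes useful once you have a trusted value to compare it with, which is why the script takes a baseline dump rather than shipping a hash of "the" Windows XP boot code.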

Not overly happy with the failure to dump the MBR, so let's get the RC installed and if necessary we will reset the MBR from there.

Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.

They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

[*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

[*]Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s the log. Oh, I didn’t know Combofix would reboot, so I only had Avast shields set to off until a reboot, hope that wasn’t a problem. And on the reboot, it wanted to Sandbox a lot of things, I told them to all run normally.

How is the system now ?

Are the phantom startups still there ?

All seems well now. Though the MBR still isn't right, that is, MBRCheck still does its thing. Any ideas for that?

As you have a custom built machine we can replace it with a fresh copy from the recovery console

Reboot to the recovery console, it will now be part of the safe mode menu

Once in the recovery console, at the command prompt type in the following:

Fixmbr

When complete type

Exit

I believe that has fixed the mbr, it did say it wrote it. However MBRCheck still hangs. I ran AswMBR and it now shows it as a Windows XP default mbr. I know I shouldn’t have run that, but I was curious as to whether it really did anything. Is there some service that MBRCheck needs that possibly isn’t running?

aswMBR.exe is first and foremost an analysis tool; so long as you don't try to make any changes it shouldn't be an issue.

Now you have a default XP MBR code that is a good start. I don’t know if you have rebooted yet after doing the fixmbr, if not I would reboot.

I don’t know why mbrcheck hangs, hopefully essexboy may have some suggestions when he is next on-line later today (currently 00:30am in the UK).

Since the fixmbr worked, I don’t know if essexboy would need the mbrcheck results.

Are you having any other problems ?

I'm not sure if it's related, but ever since running Combofix, the internet side of things has been a lot slower than normal. I ran some speed tests and find that where my download used to average 9.6-9.8Mbps, now it's lucky to see 6.5. Did what we did change any setting that would affect that? Also I noticed that autoplay and autorun are disabled.
Also had 2 BSODs last night, both in IPNAT.sys. That's new as well, haven't seen one of those in years...

I rather doubt that the connection speed is related; if there was a problem I would have thought it would be an all or nothing issue.

After some windows security updates, Autoplay/run were disabled to prevent the autorun.inf style infections on infected USBs. Though I don’t know if there would also be a setting in combofix that would be related.

Unfortunately it will be a few hours before essexboy is back from work and able to get on-line.

Hi Bluemeanie,
with reference to the strange entries in msconfig/startup. I had the same thing a few months ago.
HKCU/SOFTWARE/Microsoft/Windows NT/Currentversion/Windows Load and Run. (with box symbols).

They turned out to be harmless. They appeared just after I upgraded MBAM to version 1.50 on
2 of my PCs. A few other people had the same problem and it was discussed on another Forum.
I can PM the link to You (and give You more details) if You want it, just let me know.
I didn’t post it here - I don’t know if that is allowed.

Regards,
Presario
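Presario's entries lived in the Load and Run values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows and showed up in msconfig as box symbols, which is how Windows renders names or data made of control or zero-width characters. The script below is an added example, not something from the thread or the MBAM forum topic: it flags startup entries whose value name or data contains Unicode control, format, private-use or unassigned characters, and separately flags the legacy Load/Run values whenever they are non-empty, since legitimate software almost never uses them. On Windows it reads the live registry with the standard winreg module; elsewhere it runs over a constructed sample list, which is also what the checks are demonstrated on. The HKLM and HKCU Run keys are included as the other locations msconfig's Startup tab reads; the sample paths and program names are made up.

```python
"""Flag startup entries whose name or data is unprintable (rendered as boxes in msconfig)."""
import sys
import unicodedata
from typing import Iterable, List, Tuple

WINNT_WINDOWS_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"  # holds Load and Run
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

Entry = Tuple[str, str, str]                 # (location, value name, value data)
Finding = Tuple[str, str, str, str]          # entry plus reason


def unprintable(s: str) -> bool:
    """True if any character is in a Unicode 'C' category: control, format, surrogate, private, unassigned."""
    return any(unicodedata.category(ch).startswith("C") for ch in s)


def flag_entries(entries: Iterable[Entry]) -> List[Finding]:
    """One finding per suspicious entry; the first matching reason wins."""
    flagged = []
    for location, name, data in entries:
        if unprintable(name):
            reason = "value name contains control/format characters"
        elif unprintable(data):
            reason = "value data contains control/format characters"
        elif location.endswith(WINNT_WINDOWS_KEY) and name.lower() in ("load", "run") and data.strip():
            reason = "legacy Load/Run value is set"
        else:
            continue
        flagged.append((location, name, data, reason))
    return flagged


def sample_entries() -> List[Entry]:
    """Constructed data standing in for what the registry reader returns on Windows."""
    hkcu_run = "HKCU\\" + RUN_KEY
    hklm_run = "HKLM\\" + RUN_KEY
    hkcu_win = "HKCU\\" + WINNT_WINDOWS_KEY
    return [
        (hkcu_run, "avast", '"C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe" /nogui'),
        (hkcu_win, "Load", "\u0001\u0001"),                       # two control chars: shows as boxes
        (hkcu_win, "Run", ""),                                    # empty legacy value: normal
        (hklm_run, "\u200b", r"C:\Windows\system32\rundll32.exe foo.dll,bar"),  # zero-width name
        (hkcu_win, "Run", r"C:\Temp\update.exe"),                 # legacy Run value populated
    ]


def read_startup_entries() -> List[Entry]:
    """Windows only: enumerate the same locations live via winreg."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out: List[Entry] = []
    for hive_name, hive in hives.items():
        for subkey in (RUN_KEY, WINNT_WINDOWS_KEY):
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:                      # key absent in this hive
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:              # no more values
                        break
                    out.append((f"{hive_name}\\{subkey}", name, str(data)))
                    i += 1
    return out


if __name__ == "__main__":
    entries = read_startup_entries() if sys.platform == "win32" else sample_entries()
    for location, name, data, reason in flag_entries(entries):
        print(f"{location}\n  name={name!r} data={data!r}\n  -> {reason}")
```

The repr() in the output is deliberate: printing the raw name would reproduce the same unreadable boxes that made the msconfig entries puzzling in the first place, while repr() shows the actual code points.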

You can't use the PM function until you have 20 posts, an anti-spam measure. If the link is to the MBAM forums then I don't see any problem.

However, there is no certainty that this is exactly the same, as it could just as easily be for something else.

I have had MBAM Pro on two systems for some time and I don’t see any such blank/Box like startup entry in either system XP/win7.

Hi DavidR,
Thanks for your reply and advice about PMs. I agree, it could be totally unconnected, but here’s the link anyway. http://forums.malwarebytes.org/index.php?showtopic=70243
There’s another link at the bottom of that actual topic to a thread which goes into more detail.

Yes, this is quite an old topic, Dec 2010, certainly in security terms, and it also points to the fact that it could also be other things. So if the OP is using the latest MBAM 1.51.1 I would say it is likely to be unrelated.

But the topic (second link) does go into detail in how to remove these blank/Box character entries.

Did you get the stop error that ipnat displayed ?

Combofix does disable the autorun settings - would you like them restore ?

Only I could do this, yes, I wrote down the error that was on the BSOD, then this morning like an idiot I threw that piece of paper away. So, if it does it again, I’ll write it down and stick it in my pocket!

For now I can leave the autorun disabled. I kind of like autoplay, but better to have them both the same. Nice to know tho that it was Combofix that did that.

Any ideas on MBRCheck? It’s not a big deal, more curiosity than anything.

Not really - like all programmes sometimes they just fail to work properly for an unknown reason

However as aswMBR is reporting a good copy then it is not really required

Glad to know others had this problem too. Wonder why I didn’t find that when I was trying to find the cause?

I normally don’t use msconfig so I really can’t say when they were put in there, I know they didn’t show in autoruns (that’s what I normally use), so that alone concerned me. Then the fact that unticking them resulted in more of them threw up all kinds of red flags to me.

Yes, Malwarebytes 1.5.1 is what I’m using, I keep that and whatever AV I’m using current, currently Avast and looks to me like that’s the one I’ll stay with for awhile. Now if SuperAntiSpyware would auto notify me of new versions…

Oh, in case you're wondering, I do full scans at least once a month and then clone the drive.

I use Autoruns now too, after I had the problems with msconfig and the strange entries (someone recommended it at the MBAM Forum).

I also use Avast, Malwarebytes 1.51.1. and SuperAntispyware 5.0.
I’ve had no problems since I got rid of those entries, but I never did find out what caused them.
No Malware was detected by any Scans.

I hope You get your PC sorted.