Hi (I accidentally placed this in the dvd ripping forum instead of here, I didn't click off scroll and wasn't aware it had changed the forum I selected. Not sure how to get it closed. I am really sorry about doing so.) Suddenly Nwereboot.exe popped up in my startup. It has never been there before. From what I have found it could be a virus or it could just be part of Nero. However I have had Nero for years and this has never been in my startup before. I have spywareblaster, Ad-Aware and have run AVG virus scan, housecall, bitdefender & Panda virus scan. All have come up clean. I also ran AVG & Ad-Aware in safe mode just to be sure. I downloaded something called True Sword and when I was running it came up that I had all these trojans and malicious spyware etc. However to fix them I would need to purchase the product (which makes me sceptical about its accuracy). This is the only scan that has shown up anything and I have done many different spyware scans!! I thought the best thing to do was to attach a hijack this log and see if anything sinister is lurking on my computer or if this NWEReboot.exe is nothing to be worried about. I think I have followed the instructions - I am a complete novice at this so please bear with me. I don't know if you need this info but it is Windows 2000, all the Microsoft updates are up to date. I have Zone Alarm & Grisoft AVG with the latest updates. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 1:37:01 PM, on 15/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iinet web accelerator\PropelAC.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iiNet Web Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\iiNet Web Accelerator\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\iiNet Web Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\iiNet Web Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1123047995953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20040...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...846/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/set...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07E2103A-F376-46D8-8CF4-34EEA5B01514}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{07E2103A-F376-46D8-8CF4-34EEA5B01514}: NameServer = 203.0.178.191
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Like I said I hope I have done this correctly. Regards Laura
Nwereboot.exe is in fact related to Nero. It acts as a temporary file while CD writing is in process. If all the programs you listed came up clean then more than likely you are clean as I see nothing bad in your HijackThis log either. The entries True Sword finds are probably false positives 'cause all those scanners would pick up at least one bad file. So, could you please list some names True Sword is listing? Oh, and to get your thread closed just ask a mod to close it. If not, they will move it here and then they will close it after seeing this thread. No worries.
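Added example, not part of the thread and not written by any poster: a small Python triage of the log's own line format ("code - entry"), listing the O4 Run-key autostarts and the entries a reviewer would check by hand. The three review checks and all function names are assumptions made for this example; the sample lines are excerpted from the log posted above.

```python
import re

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")  # "<section code> - <entry>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")  # O4 Run-key entry
# Review heuristics chosen for this example (assumptions, not HijackThis output).
CHECKS = [
    ("file missing", lambda code, body: body.endswith("(file missing)")),
    ("unknown owner", lambda code, body: code == "O23" and " - Unknown owner - " in body),
    ("local proxy", lambda code, body: code == "R1" and "ProxyServer" in body and "localhost" in body),
]

def parse(log_text):
    """Yield (code, body) for each R*/O* entry; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def autostarts(log_text):
    """Return (hive, value name, command) for every O4 Run entry."""
    hits = (RUN.match(body) for code, body in parse(log_text) if code == "O4")
    return [m.groups() for m in hits if m]

def review_notes(log_text):
    """Return (code, note) pairs for entries a reviewer would check by hand."""
    return [(code, note) for code, body in parse(log_text)
            for note, check in CHECKS if check(code, body)]

def in_autostart(log_text, exe_name):
    """True if exe_name appears in any O4 value name or command (case-insensitive)."""
    return any(exe_name.lower() in (name + " " + cmd).lower()
               for _hive, name, cmd in autostarts(log_text))

if __name__ == "__main__":
    print(autostarts(SAMPLE_LOG), review_notes(SAMPLE_LOG), sep="\n")
```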
Thanks for that. True Sword is saying that I have RBOT.AWS wor, AGOBOT.LG Worm, HAXDOOR D Trojan, Lowzone Trojan, NEVEG.A Trojan, CHODE-J Worm, MYTOB.B Worm...the list goes on. There are about 20 others that I supposedly have. I have looked a few of them up on the net and my computer does not seem to be exhibiting any signs from what I have read, but I am no expert in this area.
True Sword is a rogue anti-spyware scanner. It gives false positives so that you buy it, so uninstall it immediately because those infections aren't really on your PC. Be careful when downloading anti-spyware products because they aren't always what they seem to be.
True. In fact, all but a few of the paid anti-spyware products either don't work, or are spyware themselves. You were right in being suspicious. You have a good assortment of anti-virus and anti-spyware tools though SpyBot Search and Destroy is missing from your list. One thing I noticed though is that you're running Internet Explorer. Use some other browser like Firefox or Opera and stop using IE immediately - IE is the door through which most malware enters anyway. Spyware, viruses and trojans wouldn't be nearly as prevalent as they are today, if it weren't for Internet Explorer. And it's best to run any browser with Java disabled.
I would like to thank you all for your help and expertise. I have already uninstalled True Sword and I do have Spy Bot as well. Am going to get Firefox today. Once again thanks for the help, it is much appreciated. Laura