
NWEREBOOT - What is it? How do I get rid of it?


ockerb

Technical User
Oct 11, 2002
139
Hi fellas
In my registry under windows\current version\run there is the name NWEREBOOT. There is no data following that entry. In the startup section there is a startup entry with no name and no command, but the location is in the windows\current version\run section of the registry. If I take the tick out, it immediately comes back as soon as I open the startup tab again. Same for the registry: if I delete the name nwereboot it returns immediately. I have run up-to-date versions of Ad-Aware, HijackThis and SpyRemover. The "no name" entry in msconfig does not come up in any result, nor do any of the programs find a problem. In my search through numerous forums the name NWEREBOOT seems to be associated with a file called "Dummy.exe". I can't find that file on my system either.
So, I'm not sure what the "NWEREBOOT" is doing in the registry, I don't know why it isn't shown in the startup section of msconfig and I don't know what the "no name" entry in startup\msconfig is doing.
Any ideas would be greatly appreciated
Thanks for your time
 
Hi fellas
I have just replied to my own post to bring it back to the top again. I haven't had any replies as yet and I was afraid it would get lost in the hundreds of posts that keep coming in. If someone knows anything about this registry and startup entry and knows how to get rid of it (or confidently tell me that it's nothing to worry about) I would greatly appreciate it.

Thanks for your time

ockerb
 
Maybe you could use the Autoruns utility from Sysinternals.


It will tell you who the publisher of the file is and the path to the folder. I'm not sure if this is helpful or if it is able to give you any new information, but try it out. I also failed to discover specific knowledge about nwereboot, weird!
 
I did quite an extensive search for this yesterday but could come up with not a single confirmed case of this being malware.

The fact that it automatically would normally suggest that it is malware - or at least annoyware like Real Player.

As for the dummy.exe file that it is pointing to, there are quite a few reports of Trojans and Viruses using the name dummy.exe.

The best advice that I can give is to follow the advice here - - this should pick anything up that is known.

Greg Palmer
Freeware Utilities for Windows Administrators.
 
Also download the HijackThis software and post the log file back here. On further investigation I have found 2 possible legitimate uses for Dummy.exe.

Greg Palmer
Freeware Utilities for Windows Administrators.
 
Thanks noblehill
I will try that, but the entry in the registry only shows that name; there are no follow-up details or data, so I don't know what file to look for that is responsible for that entry.

gpalmer711, thanks for your tips, here is the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 7:04:58 PM, on 3/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\g3torrent\g3torrent.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\AAAA\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [Cleaner] C:\Program Files\RAM&HDD Cleaner\Cleaner.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
O23 - Service: InCD File System Service - Unknown - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
-----------------------

And here is a copy of my registry for the Run keys; notice that HijackThis didn't show the NWEReboot key.

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name: <NO CLASS>
Last Write Time: 1/3/2005 - 5:28 AM
Value 0
Name: Fix-It AV
Type: REG_SZ
Data: C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
Value 1
Name: AWMON
Type: REG_SZ
Data: "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
Value 2
Name: RCScheduleCheck
Type: REG_SZ
Data: C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
Value 3
Name: NWEReboot
Type: REG_SZ
Data:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
Class Name: <NO CLASS>
Last Write Time: 1/2/2005 - 6:10 PM
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Class Name: <NO CLASS>
Last Write Time: 4/24/2003 - 1:17 PM
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 4/24/2003 - 1:17 PM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 4/24/2003 - 1:17 PM
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Value 1
Name: NoChange
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 4/24/2003 - 1:17 PM
Value 0
Name: Installed
Type: REG_SZ
Data: 1


Thanks for your time mate, hope this can help you to help me some more :)

ockerb
 
Hi noblehill
This is a copy of the autoruns log:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ AWMON Ad-Watch System Protector (Not verified) Lavasoft Sweden c:\program files\lavasoft\ad-aware se professional\ad-watch.exe

+ Fix-It AV SystemSuite Virus Scanner MemCheck (Not verified) V Communications, Inc. c:\program files\vcom\systemsuite\memcheck.exe

+ RCScheduleCheck File not found: C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ SpySubtract.lnk SpySubtract Program EXE (Not verified) InterMute, Inc. c:\program files\intermute\spysubtract\spysub.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ BlockAds Ad Blocker of Tweak-XP (Not verified) Totalidea Software c:\program files\tweak-xp\blads.exe

+ Cleaner File not found: C:\Program Files\RAM&HDD Cleaner\Cleaner.exe

+ Cleaner File not found: C:\Program Files\RAM&HDD Cleaner\Cleaner.exe

+ CTFMON.EXE CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe

+ HistoryKill HistoryKill privacy utility (Not verified) SwankSoft Technologies, Inc. c:\program files\historykill\histkill.exe

+ IncrediMail IncrediMail Application (Not verified) IncrediMail, Ltd. c:\program files\incredimail\bin\incmail.exe

Some things of note:
It doesn't show the NWEReboot entry that is in the registry; and
Cleaner.exe and RCSCHED.exe are files that have been removed from my computer (as can be seen by the log), but every time I turn my computer on they reappear in the startup of msconfig with a tick in the box....

Go figure that???

Thanks for your time mate

ockerb
 
Do you use a piece of software called Radmin? It is a remote administration utility. If not, then you should be concerned with this line:

O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe

It's actually a very good piece of software - however, some people have manipulated the software for Trojan-like purposes.

As for the NWEReboot entry, I'm at a loss. The only thing I can tell you is that if the Data field is blank then it is not starting anything.

Perhaps it was left behind by a previous virus cleanup? It may also be down to IncrediMail. This is an application I would add to my annoyware category, simply because it is not easy to uninstall - it also regenerates the Startup entries each time you start the application.

The rest of your log looks fine to me.



Greg Palmer
Freeware Utilities for Windows Administrators.
 
Hi gpalmer

Yes, I do use the Remote Administrator service to maintain contact with my main computer from my laptop when I'm on the road.

I have had IncrediMail on for about 2 years, so I would tend to disregard this as being the responsible program. This issue has arisen within the last 2 weeks or so.

My main concern is "I can't get rid of it". Therefore, there is an underlying concern that it may be doing something underhanded.

Also, did you read my reply to noblehill about the other 2 entries that keep coming back with a tick in the startup box of msconfig? That is weird as well, because both of these programs and the residual folder/files have been removed from the computer....strange one there as well.

Thanks mate :)
 
You can try the following:

Turn Off System Restore - Start > Right Click My Computer > Select Properties > System Restore Tab > Tick Turn off system restore for all drives > Click Apply > Click OK

Run:

AdAware
Spybot
Giant Antispyware
At least one online scan from
Clear the recycle bin
Restart

Repeat steps again

Now see what the situation is.


Greg Palmer
Freeware Utilities for Windows Administrators.
 
Thanks Greg, I know it's been a while since I posted this problem; I have been awfully busy. I did try all the steps that you advised, but to no avail. My situation remains the same. The registry shows in windows current version\run the name "NWEREBOOT", but there is no corresponding data. In my msconfig under startup there is a box with a tick in it, no command, and the location is windows\current version\run. I am assuming they are one and the same, but not with any evidence or confidence. I have tried heaps of different things to get rid of it or even to find out what program is responsible for it. Any further assistance in this matter would be greatly appreciated.

Ockerb
 
Could it be a component of one of those various utility programs you are using (MemCheck, SpySubtract, etc.)? Have any of those been added recently, and more importantly, do you recall specifically installing them? I would take a long look through Add/Remove Programs and remove anything you know wasn't there for a reason (ignoring updates and patches, of course).

I only say this because it sounds similar to the behavior of QuickTime and other programs that always add their autoupdater or quick start functions -- and they always return despite manual removal. If scanners aren't returning known malware, then that seems to be the most likely reason.
 
If Sysinternals AutoStart does not show the entry, nor does your HijackThis log as a type O4 key, then the only thing is to open regedit and examine the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key itself. If you see nothing, ignore the issue.
 
I have the same entry in msconfig. However, I can untick it and it stays unchecked. I have the registry entry and can remove it. It moves to HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg once it is unchecked.

There is no file associated with it. The only info I have been able to figure out is that it is installed by both my printer driver (Epson R-300) and Nero, although they both deny it and say it is a Microsoft problem.........
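The advice above comes down to reading the Run keys yourself and looking for two symptoms: a value with blank data (NWEReboot, which both Autoruns and HijackThis skipped) and a value whose command points at a file that is no longer there (Cleaner.exe, RCSCHED.EXE). The following PowerShell script is an added example, not code from the thread or from any tool mentioned in it; it assumes Windows PowerShell 5.1 or later, an elevated prompt so HKLM is readable, and that msconfig stores each unticked item as a subkey of startupreg with a 'command' value, and it goes beyond the thread's XP machine by also checking Wow6432Node on 64-bit systems.

```powershell
# Added example (not from the thread). Lists every Run/RunOnce value and flags
# blank data and missing executables, the two symptoms discussed above.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$Command)
    # Handles both '"C:\Program Files\x.exe" /c' and 'C:\PROGRA~1\x.exe -CHECK'.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-RunValue {
    param([string]$Data)
    # Blank data starts nothing, but something keeps re-creating it; worth finding.
    if ([string]::IsNullOrWhiteSpace($Data)) { return 'BLANK DATA (starts nothing)' }
    $exe = Get-ExecutablePath $Data
    # A bare name like rundll32.exe is resolved through PATH, not as a literal path.
    if ($exe -notmatch '[\\/]') {
        if (Get-Command $exe -ErrorAction SilentlyContinue) { return 'ok' }
    } elseif (Test-Path -LiteralPath $exe) { return 'ok' }
    return "FILE NOT FOUND: $exe (stale entry being re-added)"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Status = (Test-RunValue $data) }
    }
}

# Items unticked in msconfig are moved here (as the last reply notes). Assumption:
# each is a subkey whose 'command' value holds the original command line.
$disabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path -LiteralPath $disabled) {
    Get-ChildItem -LiteralPath $disabled | ForEach-Object {
        [pscustomobject]@{ Key = $disabled; Name = $_.PSChildName
                           Data = [string]$_.GetValue('command'); Status = 'disabled by msconfig' }
    }
}
```

Pipe the output through `Format-Table -AutoSize` or `Where-Object Status -ne 'ok'` to see only the entries that deserve a closer look.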
 