"Reboot Helper" and a few other odds and ends

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GiggityGiggity, Jan 1, 2008.

  1. GiggityGiggity

    GiggityGiggity Private E-2

    Hello,

    I've been through everything in the read and run me first thread and it's cleared up almost all of the malware on my brother's PC. The one noticeable thing I'm left with is a "Reboot Helper" window which comes up on each reboot. I think it's relating to his Alltel DSL and I see a link to it in HJT, but I don't know if that's really the right way to take care of it.

    I saw a thread that appeared to be this exact issue but the guy went off on his own before it was really resolved correctly:
    http://forums.majorgeeks.com/showthread.php?t=84544

Some possibly relevant info:

    - I had already downloaded HJT 2.0.2 before coming across the read and run me first thread, so I used that and copied the executable into the location it's supposed to be in for the batch file. If that's no good, I'll get the other version.

- For some reason, possibly a slow machine (Windows ME not helping), when I run the MGtools batch file it says there is a sharing violation with temp\tmpUnKey.txt, the result being that tempUnKey.txt is full of info but GetUnKey.txt just has the header and no info in it. I'll attach tempUnKey.txt too.

    - One note from a quick glance at newfiles.txt (I was curious) - something called "Internet Worm Protection" shows up in the uninstall list there but not in the add/remove programs list. Guessing that's irrelevant but thought I'd ask those with knowledge!

    - I can see at least some junk in the HJT log that I believe can be cleaned up but I figured I'd leave it as I found it and get better advice than what I know on my own...

Finally... thanks in advance for the help.
     

  2. abri

    abri MajorGeek

    Hi Giggity Giggity!
    Happy New Year and Welcome to Major Geeks!!



    When you ran SuperAntispyware was there an option to have it fix everything it finds? In your log it shows detections but no deletions or quarantines.

I will get back to you with more instructions, but while you're waiting, please redo the above scan. Before you run it, please run CCleaner. The instructions for CCleaner are located in the READ & RUN ME FIRST.


    Thanks.
    abri
     
  3. GiggityGiggity

    GiggityGiggity Private E-2

I ran the scan first, and then manually chose to fix everything. I thought it was odd that that did not show up in the log (the fixes in the log, I mean). After I did it, it just put green checkmarks down the list showing that it had no problems doing any of the fixes, I assume, but I don't believe it updated a log at all, as I believe that's the only one there is.

    Is that ok or do I still need to run it again?

PS... I chose the option to delete everything (no quarantines), though I guess from reading it backs stuff up, safely I'm sure.

I ran CCleaner also (before it, as in the read and run me first thread)... I wondered why it didn't get the rebootcleaer.exe process as it was in a temp folder... unless it was in use or something. (I had the process killed at the time FWIW.) But I can run again if you would like.
     
    Last edited: Jan 1, 2008
  4. abri

    abri MajorGeek

    Hi GiggityGiggity!

I would advise that you call the DSL company and ask them why you are getting this pop-up and what you can do to make it stop. It may be something where you will have to uninstall and reinstall the DSL software.

I think Internet Worm Protection is part of Symantec.

    And now please do the following:

    1) Go to add/remove programs and uninstall the below:

- Java 2 Runtime Environment Standard Edition v1.3.1_02
    - Java 2 Runtime Environment, SE v1.4.1_04


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) Please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\WINDOWS\CTSYNWDM.INI


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.ultimatebet.com

    After you click fix, just close hijackthis.

6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the results of the scan from jotti or VirusTotal.

    Let me know how things are now.
    abri
     
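The HijackThis lines abri picked out in step 5 follow a fixed pattern (section code, then the entry body), so the same triage can be scripted. The following is an added example, not part of the thread or of HijackThis/MGtools: it parses the seven lines quoted above, flags orphaned entries (`(no file)` / `(file missing)`), Trusted Zone additions and autostart entries, and pulls the program path out of each O4 line so those files can be hashed and submitted to jotti or VirusTotal as in step 4. The sample log is the post's own lines; the function names and the reason labels are this example's own.

```python
import re
from collections import Counter

# Sample input: the HijackThis lines quoted in abri's post above (a raw string
# so the Windows backslashes survive as written).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.ultimatebet.com
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 bodies look like "<hive>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt_line(line):
    """Split one log line into section code and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}


def o4_target_path(entry):
    """Program launched by an O4 autostart entry, without its arguments.
    A quoted command is cut at the closing quote; an unquoted one is returned whole,
    because a space may belong to the path (as in the 'Speed racer' line) or to an argument."""
    m = O4_RE.match(entry["body"])
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd


def classify(entry):
    """Triage reasons that apply to one parsed entry (empty list = nothing to flag)."""
    body, reasons = entry["body"], []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphan")        # registry data points at a file that no longer exists
    if "(no name)" in body:
        reasons.append("unnamed")       # legitimate hooks and buttons normally carry a name
    if entry["section"] == "O15":
        reasons.append("trusted-zone")  # site gets Internet Explorer's relaxed zone settings
    if entry["section"] == "O4":
        reasons.append("autostart")     # runs at every boot; verify publisher and path by hand
    return reasons


def triage(log_text):
    """Map each flagged raw line to its reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings[entry["raw"]] = reasons
    return findings


def autostart_paths(log_text):
    """Files launched by O4 entries: the natural list to hash and submit for scanning."""
    paths = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and entry["section"] == "O4":
            path = o4_target_path(entry)
            if path:
                paths.append(path)
    return paths


def summary(log_text):
    """How many flagged lines carry each reason."""
    return Counter(r for reasons in triage(log_text).values() for r in reasons)


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(", ".join(reasons).ljust(18), raw)
    print("autostart files to scan:", autostart_paths(SAMPLE_LOG))
    print(dict(summary(SAMPLE_LOG)))
```

Run it against a saved HijackThis log instead of the embedded sample by reading the file into `triage()`. Orphaned and Trusted Zone entries are the mechanical part; the three autostart lines are where abri's judgement (known Creative, Real and QuickTime helpers that do not need to run at boot) comes in, which is why the script only labels them rather than deciding.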
