
Rootkit.foop

Discussion in 'Virus & Other Malware Removal' started by Pillsburry, Jan 23, 2007.

Thread Status:
Not open for further replies.
  1. Pillsburry

    Pillsburry Thread Starter

    Joined:
    Jan 23, 2007
    Messages:
    4
    According to Spyware Doctor (see screenie), I have rootkit.foop. I googled it and found some info on the SWD website, and a suggestion to scan in safe mode with AVG. I tried the safe mode scan and AVG didn't find it in the registry (I got new defs right before I scanned). I have Spybot + Ad-Aware, and normally they work fine for me - every now and then I d/l Spyware Doctor and do a trial scan to make sure I am safe...this is the first time I have come across something I can't get rid of by myself. This is the file I have from HijackThis!:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:59:18 PM, on 1/23/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\csrss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\hidserv.exe
    D:\WINNT\system32\nvsvc32.exe
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\MSTask.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINNT\System32\WBEM\WinMgmt.exe
    D:\WINNT\system32\svchost.exe
    D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\WINNT\system32\RUNDLL32.EXE
    D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    D:\WINNT\system32\sstray.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Filseclab\xfilter\xfilter.exe
    D:\Program Files\Picasa2\PicasaMediaDetector.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
    D:\Program Files\Logitech\MouseWare\system\em_exec.exe
    D:\Program Files\Google\Google Talk\googletalk.exe
    D:\Program Files\Spyware Doctor\swdoctor.exe
    D:\Program Files\QUICKENW\QWDLLS.EXE
    D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX02.016\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [PRONoMgr.exe] D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [XFILTER] "D:\Program Files\Filseclab\xfilter\xfilter.exe" -a
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MSConfig] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.735\msconfig.exe /auto
    O4 - HKLM\..\Run: [SanaSafeConnect] "D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
    O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
    O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
    O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
    O23 - Service: SanaSafeConnectAgent - Unknown owner - D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    Thanks!
     

  2. Bullant

    Bullant

    Joined:
    Jan 24, 2007
    Messages:
    1
    I run the Malware Research Centre for PC Tools where we build the database Spyware Doctor uses. One of my analysts looked at your problem and concluded it is NOT a FP. Here is her report:
    I did some research on Rootkit.Foop and also asked the other guys who worked on the threat in question.
    Rootkit.Foop (ntio256.sys) is dropped by another threat called Trojan.Proxy.Wopla.AC. Once ntio256.sys is registered into the system, it adds keys, which are "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256", to the registry. As those keys clearly refer to "ntio256.sys", which is a rootkit, and information on those keys searched on Google only shows examples of their malicious behaviour, I'm certain they are not FP. It might be confusing since there are other legitimate .sys files, such as ntio.sys, ntio404.sys, ntio411.sys, ntion412.sys and ntio804.sys, in the Windows system directory, but "ntio256.sys" is not one of them.

    Also, Benon mentioned those services and legacy keys not being removed due to a permission issue in the registry. If the user doesn't have full permission to their registry, then they wouldn't be able to remove those keys. This theory can explain the screenshot in the forum as "ntio.sys" being removed and the services and legacy keys left behind due to the permission problem.

    David pointed out there were suspicious entries* in the user's hijackthis.log and this might indicate the user's system actually being infected by malware, and that could be how he ended up getting those services and legacy keys in his system.

    *[O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe]
    [O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe]
    [O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll]

    Overall, I'd suggest "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256" are not FP.
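    An added check (example code, not from this thread or from PC Tools), assuming a current Windows host with PowerShell rather than the Windows 2000 machine in the log: it looks in every control set for the two keys the report names and reports whether the running account holds FullControl on them, the permission condition the report mentions. It removes nothing.

```powershell
# Added example, not from this thread or from PC Tools. Read-only check for the two
# registry artifacts the analyst report attributes to Rootkit.Foop (ntio256.sys),
# in every control set, plus whether the running account holds FullControl on each
# key, since the report blames leftover keys on a registry permission problem.
$driverName   = 'ntio256'
$relativeKeys = @("Services\$driverName", "Enum\Root\LEGACY_$($driverName.ToUpper())")

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
$fullCtl   = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-FullControl {
    # True when an Allow rule carrying FullControl applies to the current user or one of its groups.
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.RegistryRights -band $fullCtl) -ne $fullCtl) { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # identity that cannot be resolved to a SID: skip it
        if ($sid.Value -eq $me.User.Value -or $principal.IsInRole($sid)) { return $true }
    }
    return $false
}

$results = foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -like '*ControlSet*') {
    foreach ($rel in $relativeKeys) {
        $path    = "HKLM:\SYSTEM\$($cs.PSChildName)\$rel"
        $present = Test-Path -LiteralPath $path
        [pscustomobject]@{
            ControlSet  = $cs.PSChildName
            Key         = $rel
            Present     = $present
            # for the Services key, ImagePath names the driver file the service loads
            ImagePath   = if ($present) { (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).ImagePath } else { $null }
            FullControl = if ($present) { Test-FullControl (Get-Acl -LiteralPath $path) } else { $null }
        }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object Present) {
    Write-Warning 'Rootkit.Foop registry artifacts found; FullControl = False on a key explains a removal that keeps failing.'
}
```

    A key that is Present with FullControl = False matches the failure mode the report describes: the scanner removes the driver file but cannot delete the service and legacy keys.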
     
  3. Pillsburry

    Pillsburry Thread Starter

    Joined:
    Jan 23, 2007
    Messages:
    4
    Okay, I am not sure I understand what you are saying about those registry keys...I have had my eye on monrebbk for a while, though since when I google it I get no response I haven't deleted it, on account of I do not know whether or not it is safe...
    (pardon my n00bness, but is fp false positive or foop? o_O)
    Also, if fp = false positive, and you are saying it is not a false positive (please excuse my n00bness...) would you suggest that I delete ntio256.sys? Or do the registry keys contain the true spyware? Is this Trojan.Proxy.Wopla.AC something that comes in, drops the file, and deletes itself, or is it still on my system?
    Thanks Bullant!
     
  4. SpyCracker

    SpyCracker

    Joined:
    Jan 24, 2007
    Messages:
    1
    I don't think those keys which were shown in your Spyware Doctor screenshot (HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256) are False Positives. They only get added to the registry by "ntio256.sys", which is Rootkit.Foop. I assume you might have had another threat in your PC and that dropped "ntio256.sys" onto your system. Since you said you scanned your PC with other anti-spyware scanners, I suppose all the other threats apart from the key, "HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256", were detected/removed by them. To make sure you are not infected by either Rootkit.Foop or Trojan.Proxy.Wopla.AC, please update Spyware Doctor's database and full scan your PC. Also, check if you have full permission for the key in question, so Spyware Doctor can detect/remove it on a full scan.
     
  5. Consoleman

    Consoleman

    Joined:
    Jan 24, 2007
    Messages:
    1
    The key HKLM\SYSTEM\*ControlSet*\Services\ntio256 is NOT a false positive; this key belongs to ntio256.sys, just like the other members have written.

    You may have another Trojan running that stops you from deleting the keys, or you don't have full permission to remove malicious keys.

    If you are sure that no other trojans are active, then try to set full permission on the key and remove it manually, or use anti-spyware tools.
     
  6. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    All of you guys that are responding here need to check the TSG Rules before your next post. Pay particular attention to the following:

    Please leave the malware to qualified folks from the security team here at TSG.
     
Short URL to this thread: https://techguy.org/537829