This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.


Thread Starter
Jan 23, 2007
According to Spyware Doctor (see screenie), I have Rootkit.Foop. I googled it and found some info on the SWD website, and a suggestion to scan in safe mode with AVG. I tried the safe mode scan and AVG didn't find it in the registry (I got new defs right before I scanned). I have Spybot + Ad-Aware, and normally they work fine for me - every now and then I d/l Spyware Doctor and do a trial scan to make sure I am safe...this is the first time I have come across something I can't get rid of by myself. This is the file I have from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:59:18 PM, on 1/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Filseclab\xfilter\xfilter.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\WinRAR\WinRAR.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PRONoMgr.exe] D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XFILTER] "D:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MSConfig] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.735\msconfig.exe /auto
O4 - HKLM\..\Run: [SanaSafeConnect] "D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) -
O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Jan 24, 2007
I run the Malware Research Centre for PC Tools where we build the database Spyware Doctor uses. One of my analysts looked at your problem and concluded it is NOT an FP. Here is her report:
I did some research on Rootkit.Foop and also asked the other guys who worked on the threat in question.
Rootkit.Foop (ntio256.sys) is dropped by another threat called Trojan.Proxy.Wopla.AC. Once ntio256.sys is registered into the system, it adds keys, which are "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256", to the registry. As those keys clearly refer to "ntio256.sys", which is a rootkit, and information on those keys searched on Google only shows examples of their malicious behaviour, I'm certain they are not FP. It might be confusing since there are other legitimate .sys files, such as ntio.sys, ntio404.sys, ntio411.sys, ntion412.sys and ntio804.sys, in the Windows system directory, but "ntio256.sys" is not one of them.

Also, Benon mentioned those services and legacy keys not being removed due to a permission issue in the registry. If the user doesn't have full permission to their registry, then they wouldn't be able to remove those keys. This theory can explain the screenshot in the forum as "ntio.sys" being removed and the services and legacy keys being left behind due to the permission problem.

David pointed out there were suspicious entries* in the user's hijackthis.log and this might indicate the user's system actually being infected by malware and that could be how he ended up getting those services and legacy keys in his system.

* O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
* O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
* O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll

Overall, I'd suggest "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256" are not FP.


Thread Starter
Jan 23, 2007
Okay, I am not sure I understand what you are saying about those registry keys...I have had my eye on monrebbk for a while, though since when I google it I get no response I haven't deleted it on account of I do not know whether or not it is safe...
(pardon my n00bness, but is FP false positive or foop? o_O)
Also, if FP = false positive, and you are saying it is not a false positive (please excuse my n00bness...) would you suggest that I delete ntio256.sys? Or do the registry keys contain the true spyware? Is this Trojan.Proxy.Wopla.AC something that comes in, drops the file, and deletes itself, or is it still on my system?
Thanks Bullant!
Jan 24, 2007
I don't think those keys which were shown in your Spyware Doctor screenshot (HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256) are False Positives. They only get added to the registry by "ntio256.sys", which is Rootkit.Foop. I assume you might have had another threat in your pc and that dropped "ntio256.sys" onto your system. Since you said you scanned your pc with other anti-spyware scanners, I suppose all the other threats apart from the key, "HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256", were detected/removed by them. To make sure you are not infected by either Rootkit.Foop or Trojan.Proxy.Wopla.AC, please update Spyware Doctor's database and full scan your pc. Also, check if you have full permission for the key in question, so Spyware Doctor can detect/remove it on a full scan.
Jan 24, 2007
The key HKLM\SYSTEM\*ControlSet*\Services\ntio256 is NOT a False Positive; this key belongs to ntio256.sys, just like the other members have written.

You may have another Trojan running that may stop you from deleting the keys, or you don't have full permission to remove malicious keys.

If you are sure that no other trojans are active, then try to set full permission on the key and remove it manually, or use anti-spyware tools.
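Added example, not from any of the posts above: a read-only PowerShell inventory of the Services and Enum\Root\LEGACY_* keys the analysts describe, checked across every ControlSet, reporting whether the driver named in ImagePath is still on disk and listing the key's ACL, since the replies attribute failed removal to missing permissions. Only the ntio256 name comes from the thread; the script layout, parameter name and path handling are assumptions.

```powershell
# Added example, not from the thread. Inventory the Services and Enum\Root\LEGACY_*
# keys the analysts describe, across every ControlSet, and show why removal
# might fail: the driver file may be gone while the keys remain, and the key
# ACL may deny Full Control. Run from an elevated PowerShell. Read-only.
param(
    # 'ntio256' is the name from the thread; add other suspect names as needed.
    [string[]]$ServiceNames = @('ntio256')
)

$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($cs in $controlSets) {
    foreach ($name in $ServiceNames) {
        $paths = @(
            "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$name",
            "HKLM:\SYSTEM\$($cs.PSChildName)\Enum\Root\LEGACY_$($name.ToUpper())"
        )
        foreach ($path in $paths) {
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            Write-Output "`n[+] Found: $path"

            # A Services key names the driver in ImagePath; resolve the usual
            # forms (\SystemRoot\..., \??\C:\..., system32\drivers\x.sys).
            $image = $key.GetValue('ImagePath')
            if ($image) {
                $resolved = [Environment]::ExpandEnvironmentVariables($image)
                $resolved = $resolved -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
                if ($resolved -notmatch '^[A-Za-z]:\\') {
                    $resolved = Join-Path $env:SystemRoot $resolved
                }
                $onDisk = Test-Path -LiteralPath $resolved
                Write-Output "    ImagePath: $image  (file present: $onDisk)"
            }

            # If Administrators or SYSTEM lack FullControl here, or an explicit
            # Deny ACE exists, both manual deletion and scanner cleanup fail.
            $acl = Get-Acl -LiteralPath $path
            Write-Output "    Owner    : $($acl.Owner)"
            foreach ($ace in $acl.Access) {
                Write-Output ("    {0,-5} {1,-32} {2}" -f `
                    $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
            }
        }
    }
}
```

A key that survives a scanner's cleanup with the driver file already gone, together with an owner or ACE that is not Administrators/SYSTEM, matches the permission problem the replies describe; fix the ACL first, then let the scanner remove the key.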


Retired Moderator
Oct 19, 2002
All of you guys that are responding here need to check the TSG Rules before your next post. Pay particular attention to the following:

Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name. Anyone wishing to participate in a training program should contact a Moderator for more information.
Please leave the malware to qualified folks from the security team here at TSG.