# Rootkit.foop

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

#### Pillsburry

According to Spyware Doctor (see screenie), I have Rootkit.Foop. I googled it and found some info on the SWD website, and a suggestion to scan in safe mode with AVG. I tried the safe mode scan and AVG didn't find it in the registry (I got new defs right before I scanned). I have Spybot + Ad-Aware, and normally they work fine for me - every now and then I d/l Spyware Doctor and do a trial scan to make sure I am safe...this is the first time I have come across something I can't get rid of by myself. This is the file I have from HijackThis!:
Logfile of HijackThis v1.99.1
Scan saved at 6:59:18 PM, on 1/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\hidserv.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
D:\WINNT\system32\sstray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Filseclab\xfilter\xfilter.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX02.016\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PRONoMgr.exe] D:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XFILTER] "D:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MSConfig] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.735\msconfig.exe /auto
O4 - HKLM\..\Run: [SanaSafeConnect] "D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - D:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks!

#### Attachments

• 152.7 KB

#### Bullant

I run the Malware Research Centre for PC Tools where we build the database Spyware Doctor uses. One of my analysts looked at your problem and concluded it is NOT a FP. Here is her report:
I did some research on Rookit.Foop and also asked the other guys who worked on the threat in question.
Rootkit.Foop (ntio256.sys) is dropped by another threat called Trojan.Proxy.Wopla.AC. Once ntio256.sys is registered into the system, it adds keys, which are "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256", to the registry. As those keys clearly refer to "ntio256.sys", which is a rootkit, and information on those keys searched on Google only shows examples of their malicious behaviour, I'm certain they are not FP. It might be confusing since there are other legitimate .sys files, such as ntio.sys, ntio404.sys, ntio411.sys, ntion412.sys and ntio804.sys, in the Windows system directory, but "ntio256.sys" is not one of them.

Also, Benon mentioned those services and legacy keys not being removed due to a permission issue in the registry. If the user doesn't have full permission to their registry, then they wouldn't be able to remove those keys. This theory can explain the screenshot in the forum as "ntio.sys" being removed and the services and legacy keys left behind due to the permission problem.

David pointed out there were suspicious entries* in the user's HijackThis log, and this might indicate the user's system is actually infected by malware; that could be how he ended up getting those services and legacy keys in his system.

*[O4 - HKLM\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe]
[O4 - HKCU\..\Run: [monrebbk] D:\WINNT\system32\monrebbk.exe]
[O20 - Winlogon Notify: tecake - D:\WINNT\SYSTEM32\ejsuzabq.dll]

Overall, I'd suggest "HKLM\SYSTEM\*ControlSet*\Services\ntio256" and "HKLM\SYSTEM\*ControlSet*\Enum\root\legacy_ntio256" are not FP.

#### Pillsburry

Okay, I am not sure I understand what you are saying about those registry keys...I have had my eye on monrebbk for a while, though since when I google it I get no response I haven't deleted it, on account of I do not know whether or not it is safe...
(pardon my n00bness, but is FP false positive or foop?)
Also, if FP = false positive, and you are saying it is not a false positive (please excuse my n00bness...), would you suggest that I delete ntio256.sys? Or do the registry keys contain the true spyware? Is this Trojan.Proxy.Wopla.AC something that comes in, drops the file, and deletes itself, or is it still on my system?
Thanks Bullant!

#### SpyCracker

I don't think those keys which were shown in your Spyware Doctor screenshot (HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256) are false positives. They only get added to the registry by "ntio256.sys", which is Rootkit.Foop. I assume you might have had another threat on your PC that dropped "ntio256.sys" onto your system. Since you said you scanned your PC with other anti-spyware scanners, I suppose all the other threats apart from the key "HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256" were detected/removed by them. To make sure you are not infected by either Rootkit.Foop or Trojan.Proxy.Wopla.AC, please update Spyware Doctor's database and do a full scan of your PC. Also, check that you have full permission for the key in question, so Spyware Doctor can detect/remove it on a full scan.

#### Consoleman

The key HKLM\SYSTEM\*ControlSet*\Services\ntio256 is NOT a false positive; this key belongs to ntio256.sys, just as the other members wrote.

You may have another Trojan running that stops you from deleting the keys, or you don't have full permission to remove malicious keys.

If you are sure that no other trojans are active, then try to set full permission on the key and remove it manually, or use anti-spyware tools.
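The posts from Bullant, SpyCracker and Consoleman above name three things a defender can check on a suspect machine: the two registry keys that ntio256.sys registers, the permission problem that can leave those keys behind after the driver file is removed, and the autostart entries flagged in the HijackThis log. The script below is an added example, not code from the thread, from PC Tools or from Tech Support Guy; it is a read-only triage script that reports those indicators and the ACLs on the keys without changing anything. It assumes a current Windows with PowerShell 5 or later, run from an elevated prompt, and it assumes the driver file would sit in the standard `System32\drivers` folder, which the thread does not state.

```powershell
# Added example (not from the thread): read-only triage for the Rootkit.Foop
# indicators named in the posts. Indicator names are taken from the thread;
# the driver-file location is an assumption.
$driverName = 'ntio256'     # Rootkit.Foop driver named by Bullant
$runName    = 'monrebbk'    # O4 Run entries David flagged
$notifyName = 'tecake'      # O20 Winlogon Notify entry David flagged
$findings   = New-Object System.Collections.Generic.List[object]

function Get-KeyDeleteBlock {
    # Report the key owner and any Deny ACEs withholding Delete/WriteKey: the
    # "permission issue" that lets a scanner delete the driver file but fail
    # to remove its service and legacy-enum keys.
    param([string]$Path)
    $acl     = Get-Acl -Path $Path
    $blocked = [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (($_.RegistryRights -band $blocked) -ne 0)
    }
    [pscustomobject]@{
        Owner   = $acl.Owner
        DenyFor = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ';'
    }
}

function Add-Finding([string]$Type, [string]$Location, [string]$Detail, [string]$Owner, [string]$DenyFor) {
    $findings.Add([pscustomobject]@{
        Type = $Type; Location = $Location; Detail = $Detail; Owner = $Owner; DenyFor = $DenyFor
    })
}

# 1. Service and legacy-enum keys under every control set (the post writes *ControlSet*).
Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like '*ControlSet*' } | ForEach-Object {
    foreach ($rel in @("Services\$driverName", "Enum\Root\LEGACY_$driverName")) {
        $path = Join-Path $_.PSPath $rel
        if (Test-Path -Path $path) {
            $perm  = Get-KeyDeleteBlock -Path $path
            $image = (Get-ItemProperty -Path $path -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            Add-Finding 'RegistryKey' (Get-Item $path).Name "ImagePath=$image" $perm.Owner $perm.DenyFor
        }
    }
}

# 2. The driver file itself (assumed location: the standard drivers folder).
$drv = Join-Path $env:SystemRoot "System32\drivers\$driverName.sys"
if (Test-Path -Path $drv) {
    $fi   = Get-Item $drv
    $hash = (Get-FileHash -Path $drv -Algorithm SHA256).Hash
    Add-Finding 'DriverFile' $drv "size=$($fi.Length) sha256=$hash" (Get-Acl $drv).Owner ''
}

# 3. The autostart entries from the HijackThis log (O4 Run values, O20 Winlogon Notify).
foreach ($rk in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    $v = Get-ItemProperty -Path $rk -Name $runName -ErrorAction SilentlyContinue
    if ($v) { Add-Finding 'RunValue' "$rk\$runName" $v.$runName '' '' }
}
$notify = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$notifyName"
if (Test-Path -Path $notify) {
    $dll = (Get-ItemProperty -Path $notify -Name DllName -ErrorAction SilentlyContinue).DllName
    Add-Finding 'WinlogonNotify' $notify "DllName=$dll" (Get-Acl $notify).Owner ''
}

if ($findings.Count -eq 0) {
    'None of the Rootkit.Foop indicators named in the thread were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A non-empty `DenyFor` column on a `RegistryKey` finding is the situation Bullant's analyst describes: the driver file may already be gone while the keys persist because the account running the scanner cannot delete them. The script deliberately only reports; taking ownership and removing the keys, or re-running a full scan as SpyCracker suggests, is a separate step once you have confirmed nothing else is active.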

#### JohnWill

##### Retired Moderator
All of you guys that are responding here need to check the TSG Rules before your next post. Pay particular attention to the following:

Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name. Anyone wishing to participate in a training program should contact a Moderator for more information.
Please leave the malware to qualified folks from the security team here at TSG.
