BleepingComputer.com: Questionable start up program..


#1 Citruspop

Posted 08 December 2011 - 04:31 PM

For the longest time I have been trying to figure out this program that boots with start up. Normally if it's a .EXE program I can just search it and it will tell me what I need to know and whether or not I can just go ahead and disable it to make it faster, but this one has dumbfounded me. The information I have on it is as follows:

Startup Item - $.roidixqekkk
Manufacturer - Unknown
Command - C:\Windows\System 32\$.roidixqekkk\roidixqekkk.exe
Location - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Usually I would leave items that boot up with SYS32 alone, but this one is just too fishy as it is not listed anywhere on the internet.

I have a Toshiba Laptop L305-S5945 running Windows Vista Home Premium (6.0, Build 6002)

Any help deciphering what this program could be would be greatly appreciated. At this point I just want to be certain it is not a trojan or something of the sort.

Thanks,
Citruspop

EDIT: Posted over in the Windows Vista Forum first, re-post here for secondary help.

#2 boopme (Global Moderator)

Posted 08 December 2011 - 04:50 PM

Hello, the $ represents a hidden or administrative/system folder/file.
I cannot find info on this particular item, so I would suspect malware.



Let's upload this file for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
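As an added example (written for this page, not code from the thread or from BleepingComputer), a PowerShell triage script that lists every entry in the Run keys, including the HKLM Wow6432Node key from the first post, and gathers the facts a helper wants before a Jotti/VirusTotal upload: whether the launched file is still on disk, whether it carries the hidden attribute, its SHA-256 for an online lookup, and its Authenticode signature status. It assumes PowerShell 4 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Added example, not from the thread: triage autostart Run entries the way a
# helper would, resolving each command line to a file and collecting the
# details needed for a second-opinion lookup (hash, signature, hidden flag).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Note properties PowerShell attaches to every registry item; not Run entries.
$psNoteProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable path out of a Run command line; handles a quoted path
# and a bare path followed by arguments (e.g. C:\dir\foo.exe /silent).
function Resolve-RunTarget([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoteProps) { continue }
            $target = [Environment]::ExpandEnvironmentVariables((Resolve-RunTarget $p.Value))
            $exists = Test-Path -LiteralPath $target
            $report = [ordered]@{
                Key = $key; Name = $p.Name; Command = $p.Value; Exists = $exists
                Hidden = $false; Sha256 = $null; Signature = 'n/a'; Signer = $null
            }
            if ($exists) {
                # -Force is required so Get-Item also returns hidden files like $.<name>\*.exe
                $item = Get-Item -LiteralPath $target -Force
                $report.Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                $report.Sha256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                $sig = Get-AuthenticodeSignature -LiteralPath $target
                $report.Signature = $sig.Status.ToString()
                $report.Signer    = $sig.SignerCertificate.Subject
            }
            [pscustomobject]$report
        }
    }
}

# Entries whose binary is missing or not validly signed are the ones worth
# submitting for a second opinion; paste the Sha256 into VirusTotal or Jotti.
Get-RunEntryReport | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-List
```

The SHA-256 lets you search VirusTotal for an existing report without uploading the file, which matters if the binary may contain personal data.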

#3 Citruspop

Posted 08 December 2011 - 05:05 PM

Well this doesn't look promising...

http://virusscan.jotti.org/en/scanresult/b423728a4024d37c7a31f89413ec4ddf647bc058

http://www.virustotal.com/file-scan/report.html?id=993eb206a255f9f79bdc0e35867190092e573fab84f65c3f711f4fa0a65794e6-1323381964

Leaving for work, any replies will not go unnoticed.

This post has been edited by Citruspop: 08 December 2011 - 05:10 PM


#4 boopme (Global Moderator)

Posted 08 December 2011 - 05:11 PM

Yes that is ugly.

Let's see if we can get it here,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



NOTE: In some instances if no malware is found there will be no log produced.

#5 Citruspop

Posted 09 December 2011 - 10:45 AM

Finally it is finished.
Here are the results, and now I'm going to restart so the Roidixqekkk is quarantined properly:

C:\Windows\System32\$.roidixqekkk\roidixqekkk.exe a variant of Win32/VB.NPV trojan cleaned by deleting (after the next restart) - quarantined

Luckily this was the only one.

#6 boopme (Global Moderator)

Posted 09 December 2011 - 11:56 AM

Ok, things are good now??

#7 Citruspop

Posted 09 December 2011 - 12:03 PM

Well it wasn't really causing direct harm to my computer. After doing a check of the file the .BAT file is still there along with the other files, but the .EXE is in fact gone. Being that it is a System 32 file should I go ahead and delete the contents of this folder?

Edit: Not the contents of the System 32 file! This one > C:\Windows\SysWOW64\$.roidixqekkk

This post has been edited by Citruspop: 09 December 2011 - 12:04 PM


#8 boopme (Global Moderator)

Posted 09 December 2011 - 08:32 PM

Yes it can go.. But first create a New Restore point so there is somewhere to go back to, just in case.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: