Questionable start up program..


7 replies to this topic

#1 Citruspop

Citruspop

  • Members
  • 7 posts

Posted 08 December 2011 - 04:31 PM

For the longest time I have been trying to figure out this program that boots with start up. Normally if it's a .EXE program I can just search it and it will tell me what I need to know and whether or not I can just go ahead and disable it to make it faster, but this one has dumbfounded me. The information I have on it is as follows:

Startup Item - $.roidixqekkk
Manufacturer - Unknown
Command - C:\Windows\System 32\$.roidixqekkk\roidixqekkk.exe
Location - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Usually I would leave items that boot up with SYS32 alone, but this one is just too fishy as it is not listed anywhere on the internet.

I have a Toshiba Laptop L305-S5945 running Windows Vista Home Premium (6.0, Build 6002)

Any help deciphering what this program could be would be greatly appreciated. At this point I just want to be certain it is not a trojan or something of the sort.

Thanks,
Citruspop

EDIT: Posted over in the Windows Vista Forum first, re-post here for secondary help.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 December 2011 - 04:50 PM

Hello, the $ represents a hidden or administrative/system folder/file.
I cannot find info on this particular item, so I would suspect malware.



Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link --> Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
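The reasoning in the reply above (a $-prefixed folder under a system directory, no known publisher, a name that appears nowhere, so hash the file and get a second opinion) can be written down as a repeatable triage. The script below is an added example for this page, not code from BleepingComputer or from the poster, and the two Run entries it analyses are constructed by hand to mirror the shape of the item in the thread; it reads nothing from a live registry. It also encodes one fact the thread only hints at: the entry sits under the 32-bit Wow6432Node view and names System32, while WOW64 file-system redirection sends 32-bit writes to C:\Windows\System32 into C:\Windows\SysWOW64, so the folder should be looked for in both places.

```python
"""Offline triage of Windows Run-key autostart entries.

Added example: the entries below are constructed by hand to mirror the shape
of the startup item discussed in the thread; nothing here touches a live
registry or file system.
"""
import hashlib
import ntpath
import re
from dataclasses import dataclass

# Autostart locations worth reading on 64-bit Windows: the native view and the
# 32-bit (Wow6432Node) view of HKLM, plus the per-user key.
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"


@dataclass
class RunEntry:
    name: str          # value name, shown as "Startup Item" by msconfig
    command: str       # value data: executable path plus optional arguments
    key: str           # registry key the value lives under
    manufacturer: str  # publisher as reported by the startup tool


def image_path(command: str) -> str:
    """Extract the executable path from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def normalize(path: str) -> str:
    return ntpath.normpath(path).lower()


def wow64_candidates(path: str) -> list:
    """Locations where the file may actually sit on disk.

    WOW64 file-system redirection sends a 32-bit process that writes under
    C:\\Windows\\System32 to C:\\Windows\\SysWOW64, so a System32 path recorded
    by a 32-bit dropper can correspond to a SysWOW64 folder."""
    p = normalize(path)
    out = [p]
    if p.startswith(SYSTEM32 + "\\"):
        out.append(SYSWOW64 + p[len(SYSTEM32):])
    return out


def suspicion_flags(entry: RunEntry) -> list:
    """Heuristic red flags for one entry; an empty list means nothing stood out."""
    flags = []
    path = normalize(image_path(entry.command))
    folder = ntpath.dirname(path)
    folder_name = ntpath.basename(folder)
    parent = ntpath.dirname(folder)
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if folder_name.startswith("$") and parent in (SYSTEM32, SYSWOW64):
        # Windows keeps its binaries directly in System32/SysWOW64; a $-prefixed
        # subfolder imitates names such as $Recycle.Bin to look official.
        flags.append("$-prefixed subfolder inside a Windows system directory")
    if folder_name.startswith("$") and folder_name.lstrip("$.") == stem:
        flags.append("folder, entry and binary share one made-up name")
    if entry.manufacturer.strip().lower() in ("", "unknown"):
        flags.append("no publisher recorded")
    if "wow6432node" in entry.key.lower() and path.startswith(SYSTEM32 + "\\"):
        flags.append("32-bit entry naming System32: also check " + SYSWOW64)
    return flags


def triage(entries) -> dict:
    """Map each entry name to its list of red flags."""
    return {e.name: suspicion_flags(e) for e in entries}


def sha256_hex(data: bytes) -> str:
    """Hash the file bytes; the digest is what you search for on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not real files or registry dumps).
SAMPLE_ENTRIES = [
    RunEntry("$.roidixqekkk",
             r"C:\Windows\System32\$.roidixqekkk\roidixqekkk.exe",
             RUN_KEYS[1], "Unknown"),
    RunEntry("Vendor Tray",
             r'"C:\Program Files (x86)\Vendor\Tray.exe" /background',
             RUN_KEYS[2], "Vendor Inc."),
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {len(flags)} flag(s)")
        for f in flags:
            print("  -", f)
    for p in wow64_candidates(image_path(SAMPLE_ENTRIES[0].command)):
        print("check on disk:", p)
    print("sha256 of a constructed 2-byte sample:", sha256_hex(b"MZ"))
```

The flags are heuristics, not a verdict: a hit tells you which file to hash and submit, as the reply above asks, and `wow64_candidates` tells you where to browse for it when the folder is not where the Run key says it is. On a real machine you would feed `triage` the values exported from each path in `RUN_KEYS` (both HKLM views and HKCU) rather than the constructed sample.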

#3 Citruspop

Citruspop
  • Topic Starter

  • Members
  • 7 posts

Posted 08 December 2011 - 05:05 PM

Well this doesn't look promising...

http://virusscan.jotti.org/en/scanresult/b423728a4024d37c7a31f89413ec4ddf647bc058

http://www.virustotal.com/file-scan/report.html?id=993eb206a255f9f79bdc0e35867190092e573fab84f65c3f711f4fa0a65794e6-1323381964

Leaving for work, any replies will not go unnoticed.

Edited by Citruspop, 08 December 2011 - 05:10 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 December 2011 - 05:11 PM

Yes, that is ugly.

Let's see if we can get it here.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

NOTE: In some instances, if no malware is found there will be no log produced.

#5 Citruspop

Citruspop
  • Topic Starter

  • Members
  • 7 posts

Posted 09 December 2011 - 10:45 AM

Finally it is finished.
Here are the results, and now I'm going to restart so the Roidixqekkk is quarantined properly:

C:\Windows\System32\$.roidixqekkk\roidixqekkk.exe a variant of Win32/VB.NPV trojan cleaned by deleting (after the next restart) - quarantined

Luckily this was the only one.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2011 - 11:56 AM

OK, things are good now?

#7 Citruspop

Citruspop
  • Topic Starter

  • Members
  • 7 posts

Posted 09 December 2011 - 12:03 PM

Well it wasn't really causing direct harm to my computer. After doing a check of the file the .BAT file is still there along with the other files, but the .EXE is in fact gone. Being that it is a System 32 file should I go ahead and delete the contents of this folder?

Edit: Not the contents of the System 32 file! This one > C:\Windows\SysWOW64\$.roidixqekkk

Edited by Citruspop, 09 December 2011 - 12:04 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2011 - 08:32 PM

Yes, it can go. But first create a new Restore Point so there is somewhere to go back to, just in case.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: