CastleCops, Internet Crime Fighters

[DONE]Requesting assistance on a (probable) rootkit, part cured.

 
Forum: Rootkit Revelations
L D Marks (Guest, IP: 86.138.*.*)
Posted: Sat Jul 08, 2006 10:08 am    Post subject: Requesting assistance on a (probable) rootkit, part cured.

I think I've partially cured (but probably not fully removed) a rootkit or something similar; I would appreciate comments.

The symptoms were popups, both casino and antivirus offers. In addition, Windows (XP) Disk Cleanup crashed, Defragmenter hung when showing the log and Norton WinDoctor would not start.

I think the culprit was a program vkaloepwtj.exe. This is a packed image, so it did not show up in anything except Sysinternals Process Explorer. RootkitRevealer also showed it, plus some additional entries such as vkaloepwtj.dat, vkaloepwtj_nav.dat, vkaloepwtj_navps.dat in WINDOWS\system32. It was launched somewhere in the startup but, presumably because it was packed, did not show anywhere except in NetSwitcher II.

I believe that I've partially cured it by first killing it (via Process Explorer) then stopping it from starting using NetSwitcher. Both Disk Cleanup and Norton now work. However, I'm not certain that I've removed it fully, and would welcome suggestions.

N.B., Ad-Aware, Spybot, Windows Defender, F-Prot (and some others) only cured the symptoms (e.g. tracking cookies and a Java trojan) and did not cure the problem.

wng_z3r0 (MRU Teacher; joined Mar 21, 2005; 1248 posts; 1st Responders, MVP, RootKit Detection Hosts, Rootkit Experts, Team F@H)
Posted: Sat Jul 08, 2006 4:26 pm
Can you run a KAV online scan and post the results?

Please do an online scan with Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard) << very important to use extended if possible
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


_________________
Proud member of Alliance of Security Analysis Professionals since 2005
Microsoft MVP-2006
L. D. Marks (Guest, IP: 86.138.*.*)
Posted: Sat Jul 08, 2006 7:11 pm    Post subject: Online Scan Results

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 279226
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:53:22

Infected Object Name / Virus Name / Last Action
C:\Software\Aol-Spam\XoftSpySE429_191.exe/stream/data0041 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Software\Aol-Spam\XoftSpySE429_191.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Software\Aol-Spam\XoftSpySE429_191.exe NSIS: infected - 2 skipped
C:\Software\Games\freesol.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Software\Games\freesol.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
C:\Software\Games\freesol.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\system32\vkaloepwtj.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.t skipped

swatkat (Security Expert; joined Mar 04, 2005; 2039 posts; MVP, RootKit Detection Hosts, Rootkit Experts, Security Experts)
Posted: Mon Jul 10, 2006 8:32 pm    Post subject: Re: Online Scan Results
Hi,
Please download KillBox, extract it to your desktop.

Open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them:-

Quote:
C:\Software\Games\freesol.exe
C:\WINDOWS\system32\vkaloepwtj.exe

Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

[If you have any issues with this method, you can copy and paste the lines one at a time into the KillBox top box. Then click the "Single File" button. Then click the Red X and, for the confirmation message that will appear, click Yes. A second message will ask "Reboot now?"; click No until the last one, at which time you click Yes to allow the reboot.]


After the reboot, download GMER and extract it to a folder. Next, run the Gmer.exe program and click the "Rootkit" tab. Now, select these options from the list that is shown at the right-side of the GMER main window:-
  • System
  • Devices
  • Processes
  • Libraries
  • Modules
  • Services
  • Registry
  • Files

Next, select all the disk partitions (C:\, D:\ etc) from the list. Do NOT select the "Show All" option. Finally, click "Scan" and allow the scan to complete.

When the scan is completed, click "Copy" to copy the log and please post it back here.


_________________
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
- Albert Einstein
Guest (IP: 81.154.*.*)
Posted: Tue Jul 11, 2006 9:42 am

Thanks. I had already isolated vkaloepwtj.exe (and vkaloepwtj.dat, vkaloepwtj_nav.dat, vkaloepwtj_navps.dat) as a tarball using Cygwin. I've transferred them to a HP/Unix box (sftp). I also gzip'd freesol.exe and transferred this as well. However, I'm 99% certain that this is a false positive. This is a ~2000 vintage free solitaire from the people who sell goodsol, and was not installed (has not been for years).

I've attached the results of the GMER scan below. For reference, it wants to copy itself to C:\WINDOWS\GMER.exe, which my system is not allowing. I don't see anything obvious, but NetSwitcher is still reporting a deactivated registry startup entry for vkaloepwtj which I cannot see anywhere else (Xteq-dotec X-Setup 6.6, Startup Cop 1.0.1.0, Startup Control Panel 2.8). I can go hunting in the registry....

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-11 11:24:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT 89380528 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [A8356912] DLAIFS_M.SYS

---- Files - GMER 1.0.10 ----

File C:\RECYCLER\NPROTECT
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}

---- EOF - GMER 1.0.10 ----

swatkat (Security Expert; joined Mar 04, 2005; 2039 posts; MVP, RootKit Detection Hosts, Rootkit Experts, Security Experts)
Posted: Tue Jul 11, 2006 11:45 am
Hi,
Glad to hear that you have already removed those files. And, GMER log looks clean too. The wpsdrvnt.sys driver belongs to Sygate Firewall (or Panda AV). Yes, GMER copies itself to Windows folder, it's normal!
Can you please post the Rootkit Revealer log? To minimize the false positives, please leave the PC idle when Rootkit Revealer is scanning the system. You can download the latest version here.


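swatkat reads the GMER log above by attributing each hook to a known driver. The Python script below is an added example (not part of this thread and not GMER's own code) that does that attribution mechanically over the pasted log text: it parses the SSDT and IRP hook lines, groups hooks by the module they resolve to, checks each module against an allowlist the analyst maintains (seeded with the two attributions made in this thread, wpsdrvnt.sys for the Sygate firewall and guard.sys for ewido), and separates out the two cases that deserve a closer look: a hook that resolves to a module not on the allowlist (here DLAIFS_M.SYS on \Cdfs), and an SSDT entry that GMER printed as a bare address with no module name (ZwConnectPort at 89380528 in the log above). An unresolved address is not by itself evidence of a rootkit, but it is the entry to check first, since a legitimately hooking driver normally shows up by path. The sample log is a subset of the log posted above; the allowlist contents, bucket names and output format are the example's own choices.

```python
"""Triage the hook lines of a GMER "Rootkit" scan log (added example).

GMER lists every hooked SSDT entry and every hijacked IRP major function.  On a
box running a firewall or anti-malware product most hooks belong to that product,
so the useful questions are: which hooks are NOT explained by a driver already
attributed, and which point at a raw address GMER could not map to any module?
"""
import re
from collections import defaultdict

# Drivers already attributed by the analyst.  Seeded with the two attributions
# made in this thread; extend it as you identify more hooking products.
ALLOWLIST = {
    "wpsdrvnt.sys": "Sygate Personal Firewall",
    "guard.sys": "ewido anti-spyware 4.0",
}

# "SSDT <driver path | bare address> <ZwFunction>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)\s*$")
# "Device <driver object> <device object> <IRP_MJ_*> [<address>] <module>"
IRP_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>\S+)\s+"
                    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>.+?)\s*$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s*$")        # "Files" section: hidden objects
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8,16}$")


def parse_gmer(text):
    """Return (hooks, hidden_files) parsed from GMER log text."""
    hooks, hidden_files = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            target = m.group("target")
            # A driver path gives a module name; a bare address means GMER found
            # no loaded module covering the hook target.
            module = None if BARE_ADDR_RE.match(target) else target.rsplit("\\", 1)[-1]
            hooks.append({"kind": "SSDT", "what": m.group("func"), "module": module, "target": target})
        elif m := IRP_RE.match(line):
            hooks.append({"kind": "IRP", "module": m.group("module"), "target": m.group("addr"),
                          "what": f"{m.group('driver')} {m.group('device')} {m.group('irp')}"})
        elif m := FILE_RE.match(line):
            hidden_files.append(m.group("path"))
    return hooks, hidden_files


def triage(text, allowlist=ALLOWLIST):
    """Bucket hooks: allowlisted (by module), review (unknown module), unresolved (no module)."""
    hooks, hidden_files = parse_gmer(text)
    report = {"allowlisted": defaultdict(list), "review": [], "unresolved": [], "hidden_files": hidden_files}
    for h in hooks:
        if h["module"] is None:
            report["unresolved"].append(h)
        elif h["module"].lower() in allowlist:
            report["allowlisted"][h["module"].lower()].append(h)
        else:
            report["review"].append(h)
    return report


def format_report(report, allowlist=ALLOWLIST):
    """Render the buckets; OK lines can be skipped, REVIEW and CHECK lines need follow-up."""
    out = [f"OK      {len(v):2d} hook(s) -> {k} ({allowlist.get(k, '?')})"
           for k, v in sorted(report["allowlisted"].items())]
    out += [f"REVIEW  {h['kind']} {h['what']} -> {h['module']} (not on allowlist)" for h in report["review"]]
    out += [f"CHECK   {h['kind']} {h['what']} -> {h['target']} (no module at that address)"
            for h in report["unresolved"]]
    out += [f"HIDDEN  {p}" for p in report["hidden_files"]]
    return "\n".join(out)


# Subset of the GMER log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT 89380528 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BA279220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [BA279480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2795A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [BA2795D0] wpsdrvnt.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [A8356912] DLAIFS_M.SYS

---- Files - GMER 1.0.10 ----

File C:\RECYCLER\NPROTECT
File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Feed it a saved log instead of the sample and post only the REVIEW and CHECK lines when asking for a second opinion; once you have confirmed a module's owner, add it to the allowlist so it drops into the OK lines on the next scan.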
L. D. Marks (Guest, IP: 217.118.*.*)
Posted: Tue Jul 11, 2006 10:31 pm    Post subject: Continued...

I've included the RootkitRevealer log below. (Note for the rootkit developers: when saving the log the Desktop link wants to go to C:\Documents and Settings\LocalService\Desktop; ignoring this, it does go to the desktop. Minor bug for patching.) It looks clean to me except for some Norton protection files (probably created then deleted by RootkitRevealer).

I'm still concerned about the presence of a disabled startup entry that only Netswitcher knows about. I went into regedit and did a search and found three instances of vkaloepwtj.exe:

Windows:ShellNoRoam:MUICache c:\WINDOWS\system32\vkaloepwtj.exe
Software:JWHance:NetSwitcher for Windows:...:HLM ..the same...
Windows:currentVersion:Run NetSw Disabled ..the same...

I'm inclined to backup my registry then delete these three entries. The last two look like NetSwitcher entries, the other (from what I can google) looks like some relic of the malware startup although I'm not sure and would appreciate advice.

Rootkit Revealer Log:

C:\RECYCLER\NPROTECT 7/11/2006 11:45 PM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000000 7/11/2006 11:44 PM 568.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000001 7/11/2006 11:44 PM 532.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000002 7/11/2006 11:44 PM 8.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000003 7/11/2006 11:44 PM 532.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000004 7/11/2006 11:44 PM 8.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000005 7/11/2006 11:44 PM 5.05 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000006 7/11/2006 11:44 PM 104.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000007 7/11/2006 11:44 PM 568.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000008 7/11/2006 11:44 PM 60.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000009 7/11/2006 11:44 PM 32.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000010 7/11/2006 11:45 PM 28.55 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000011 7/11/2006 11:45 PM 5.65 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000015 7/11/2006 11:45 PM 18.70 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\NPROTECT.LOG 7/11/2006 1:46 PM 631.38 KB Hidden from Windows API.

L. D. Marks (Guest, IP: 129.105.*.*)
Posted: Thu Jul 13, 2006 3:01 pm

I went ahead and deleted the entries, since I needed to reconnect my laptop to my office network and did not want anything left. No apparent problems. This case can probably be closed, unless there is a good reason to deposit the rootkit files somewhere for forensic purposes.

swatkat (Security Expert; joined Mar 04, 2005; 2039 posts; MVP, RootKit Detection Hosts, Rootkit Experts, Security Experts)
Posted: Thu Jul 13, 2006 5:56 pm

Hi,
Sorry for my late reply, I was out of town and had no Internet access.
Those NPROTECT things are related to Norton; it uses "rootkit-like" techniques! Looks like deleting those stray Registry entries solved the problem.

Quote:
Windows:ShellNoRoam:MUICache c:\WINDOWS\system32\vkaloepwtj.exe

This MUICache is created by the Explorer.exe shell when the malware file vkaloepwtj.exe was executed. This key is used to store the default file/folder views and/or such similar display settings.
Quote:
Software:JWHance:NetSwitcher for Windows:...:HLM ..the same...
Windows:currentVersion:Run NetSw Disabled ..the same...

Probably these keys were created by NetSwitcher itself when it disabled the startup entries of vkaloepwtj.exe.

To check if there are any Registry entries belonging to this malware, you can use RegSearch. Download RegSearch and extract it to a folder. Now run RegSearch.exe, type vkaloepwtj in the first line of the search box and click "OK". RegSearch will search for occurrences of that string in the Registry. When the search is over, you will get a text file which contains the search results. Please copy and paste the results here.


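The RegSearch step above looks for the string in key names, value names and value data. As an added example, not part of this thread and not RegSearch's code, the Python below does the same search over a registry export produced with `reg export` or regedit (one file for HKLM, one for HKU), which is useful when you would rather work from a copy of the hives than run a tool on the suspect box. The point it makes: a plain text search of such a file misses strings stored in REG_EXPAND_SZ, REG_MULTI_SZ and REG_BINARY values, because the export writes those as comma-separated hex bytes (UTF-16LE for the string types) wrapped across continuation lines, so the script rejoins and decodes that data before matching. The embedded sample export is constructed for the example: it mirrors the Run and MUICache entries the poster found, adds hex-encoded variants of the same name, and uses a placeholder SID and made-up key paths, none of which come from the poster's machine.

```python
"""Search a .reg export for a string in key paths, value names and value data.

regedit / reg.exe write REG_EXPAND_SZ, REG_MULTI_SZ and REG_BINARY data as
comma-separated hex bytes (UTF-16LE for the string types) wrapped over
continuation lines, so a plain grep of the file misses them; decode first.
"""
import re

HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")
TYPE_NAMES = {2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _split_value_line(line):
    """Return (value name, raw data) for a '"name"=data' line."""
    if not line.startswith('"'):
        raise ValueError(f"not a value line: {line!r}")
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1            # step over \" and \\ in the name
    if not line[i + 1:].startswith("="):
        raise ValueError(f"malformed value line: {line!r}")
    return _unescape(line[1:i]), line[i + 2:]

def _decode_data(raw):
    """Return (type name, data): str for string types, bytes for binary, int for dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        return "UNKNOWN", raw
    t = int(m.group("t"), 16) if m.group("t") else 3
    blob = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if t in (2, 7):   # string types are UTF-16LE in the export; "|" separates MULTI_SZ items
        return TYPE_NAMES[t], blob.decode("utf-16-le", "replace").rstrip("\x00").replace("\x00", "|")
    return TYPE_NAMES.get(t, f"REG_TYPE_{t}"), blob

def iter_export(text):
    """Yield (key, name, type, data) records; name is None for the key line itself."""
    key, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        while line.endswith("\\") and i < len(lines):     # rejoin wrapped hex data
            line, i = line[:-1] + lines[i].strip(), i + 1
        if not line or line[0] == ";" or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            yield key, None, "KEY", None
        elif key is not None:
            name, raw = _split_value_line(line)
            yield (key, name) + _decode_data(raw)

def _blob_contains(blob, needle):
    """Case-insensitive search of raw bytes for 8-bit and UTF-16LE spellings of needle."""
    if needle in blob.decode("latin-1").lower():
        return True
    return any(needle in blob[off:off + (len(blob) - off) // 2 * 2].decode("utf-16-le", "replace").lower()
               for off in (0, 1))                           # both alignments of a wide string

def search_export(text, needle):
    """Return hits as dicts: key, name, type, where (subset of key/name/data), preview."""
    n, hits = needle.lower(), []
    for key, name, typ, data in iter_export(text):
        where = []
        if name is None:
            if n in key.lower():
                where.append("key")
        else:
            if n in name.lower():
                where.append("name")
            if (isinstance(data, str) and n in data.lower()) or (isinstance(data, bytes) and _blob_contains(data, n)):
                where.append("data")
        if where:
            preview = data.hex(" ") if isinstance(data, bytes) else ("" if data is None else str(data))
            hits.append({"key": key, "name": name, "type": typ, "where": where, "preview": preview})
    return hits

# Constructed sample export (placeholder SID, made-up key paths; not from the poster's
# machine).  Mirrors the poster's Run and MUICache entries plus hex-encoded variants.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSw Disabled"="c:\\WINDOWS\\system32\\vkaloepwtj.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_USERS\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"c:\\WINDOWS\\system32\\vkaloepwtj.exe"="vkaloepwtj"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Service]
"ImagePath"=hex(2):63,00,3a,00,5c,00,76,00,6b,00,61,00,6c,00,6f,00,65,00,70,00,\
  77,00,74,00,6a,00,2e,00,65,00,78,00,65,00,00,00
"Config"=hex:01,00,76,6b,61,6c,6f,65,70,77,74,6a,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\vkaloepwtj]
"""

if __name__ == "__main__":
    for h in search_export(SAMPLE_EXPORT, "vkaloepwtj"):
        print(f"{'+'.join(h['where']):9s} [{h['key']}] {h['name']!r} {h['type']}: {h['preview']}")
```

Read a "Windows Registry Editor Version 5.00" export with encoding="utf-16" (it starts with a byte-order mark) and a REGEDIT4 export with the system ANSI code page before passing the text to search_export(); the parser accepts either header. A hit in a key or value name is usually the startup or uninstall remnant you are after, while a hit only inside hex data is the kind of thing RegSearch finds and a text editor does not.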
L. D. Marks (Guest, IP: 129.105.*.*)
Posted: Fri Jul 14, 2006 8:16 pm

No entries found -- full log below

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 7/14/2006 3:07:58 PM for strings:
; 'vkaloepwtj'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

swatkat (Security Expert; joined Mar 04, 2005; 2039 posts; MVP, RootKit Detection Hosts, Rootkit Experts, Security Experts)
Posted: Sun Jul 16, 2006 9:28 am

Hi,

L. D. Marks wrote:
No entries found -- full log below

Good news! I suppose everything's fine now.


L D Marks (Guest, IP: 64.81.*.*)
Posted: Mon Jul 17, 2006 11:26 am

No apparent problems. Thanks for your help.
