eetvpn.sys - Dangerous
%sysdir%\eetvpn.sys
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
eetvpn.sys opens a back door on random TCP port.
eetvpn.sys is used to hide files, processes and registry.
eetvpn.sys is a kernel mode rootkit.
Rootkit injects itself into the winlogon.exe process.
Rootkit injects itself into the explorer.exe process.
Rootkit contacts remote hacker server using HTTP session.
Related files:
%SysDir%\eetvpn.dll
%SysDir%\eetvpn.sys
%SysDir%\eexvpn.sys
%SysDir%\qo.dll
%SysDir%\qo.sys
%SysDir%\KGCTINI.DAT
%SysDir%\LPS.DAT
eexvpn.sys is created new system drivers:
service name: " eexvpn"
display name: " "MCRT accelerator"
Adds the value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eexvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eetvpn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\eexvpn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\eexvpn.sys
to the Windows startup registry keys.
Added to registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List
%Windows%\Explorer.exe = "%Windows%\Explorer.exe:*:Enabled:explorer"
HKEY_CURRENT_USER\Software\RIT\The Bat!