Win32.Hidden.rtk

IanHarrop
2008-11-27, 22:13
I tried a number of tools and the only one reporting this problem is Spybot so I am wondering if this is a false positive. I am running the beta 1.6.1.38 and I have the beta detections.

Thanks for any help you can provide.

Here is what is reported by Spybot: (below this is a Hijackthis log)
----------------------------------------------------------------

Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}

Win32.Hidden.RTK: [SBI $69F7AE33] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}

Win32.Hidden.RTK: [SBI $E3982564] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}

Win32.Hidden.RTK: [SBI $D4A72638] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}

Win32.Hidden.RTK: [SBI $F4BEC18A] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}

Win32.Hidden.RTK: [SBI $35D3B2E1] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}

Win32.Hidden.RTK: [SBI $AD3B5ADE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}

Win32.Hidden.RTK: [SBI $53E4EB11] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}

Win32.Hidden.RTK: [SBI $835F952E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}

Win32.Hidden.RTK: [SBI $EFC77804] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}

Win32.Hidden.RTK: [SBI $1A04BFBC] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

User abort!: Scan was not completed successfully. ()



--- Spybot - Search & Destroy version: 1.6.1 (build: 20081112) ---

2008-11-13 blindman.exe (1.0.0.8)
2008-06-05 SDDelFile.exe (1.0.2.5)
2008-11-13 SDFiles.exe (1.6.1.7)
2008-11-13 SDMain.exe (1.0.0.6)
2008-11-13 SDShred.exe (1.0.2.4)
2008-11-13 SDUpdate.exe (1.6.0.11)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-11-13 SpybotSD.exe (1.6.1.38)
2008-11-13 TeaTimer.exe (1.6.4.26)
2008-11-18 unins000.exe (51.49.0.0)
2008-11-13 Update.exe (1.6.0.7)
2008-11-13 advcheck.dll (1.6.2.14)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-11-13 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-11-13 Tools.dll (2.1.6.10)
2008-11-04 Includes\Adware.sbi (*)
2008-11-25 Includes\AdwareC.sbi (*)
2008-11-26 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-11-18 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-18 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-11-25 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-25 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-11-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


Edit: FYI, please do NOT post HJT logs in the Spybot forum (http://forums.spybot.info/showthread.php?t=1266).
A detective will look at the Spybot-S&D detections, cheers.

IanHarrop
2008-11-28, 06:59
I tried Fix Selected issues and Spybot could not remove them, so I chose to have Spybot run at start up to see if they could be removed then... no luck.

Yodama
2008-11-28, 07:29
hello,

please do a scan with the rootalyzer (http://forums.spybot.info/downloads.php?id=8)
and attach the log file if it finds something suspicious.

Please also do another scan with Spybot S&D, then expand the results and
click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

Email the results to detections-at-spybot.info (replace -at- with @)

Serxe
2008-11-28, 20:03
hello,

please do a scan with the rootalyzer (http://forums.spybot.info/downloads.php?id=8)
and attach the log file if it finds something suspicious.

Please also do another scan with Spybot S&D, then expand the results and
click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

Email the results to detections-at-spybot.info (replace -at- with @)

>> I have the same problem (apparently due to the LicCtrl hidden process).
>> Could you please advise whether it is a real threat, and whether there is a possible manual workaround?
Thank you for your help and solicitude.

IanHarrop
2008-11-29, 22:10
hello,

please do a scan with the rootalyzer (http://forums.spybot.info/downloads.php?id=8)
and attach the log file if it finds something suspicious.

Please also do another scan with Spybot S&D, then expand the results and
click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

Email the results to detections-at-spybot.info (replace -at- with @)

All logs sent to detections-at-spybot.info as requested, even the second batch as requested by email.

Thanks for your help :)

IanHarrop
2008-12-03, 20:02
hello,

please do a scan with the rootalyzer (http://forums.spybot.info/downloads.php?id=8)
and attach the log file if it finds something suspicious.

Please also do another scan with Spybot S&D, then expand the results and
click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

Email the results to detections-at-spybot.info (replace -at- with @)

Should I also try the fix suggested here:
http://forums.spybot.info/showthread.php?t=37255&highlight=Win32.Hidden.rtk

neurotran
2008-12-04, 01:24
...I am running the beta 1.6.1.38 and I have the beta detections....

...Here us what is reported by Spybot:

Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
...
Same here. These are the same keys that are reported as "Key name contains embedded nulls" by Sysinternals' RKR scan.

DeWrek
2008-12-04, 21:57
I have the same problem, same 11 entries. If I go to REGEDIT and look at one of the entries, REGEDIT gives an error:

"InprocServer32 cannot be opened. An error is preventing this key from being opened. Details: The system cannot find the file specified."

I have not tried to remove these entries via REGEDIT.

I am running SpyBot 1.6.0.31 on Vista HP sp1.
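The two posts above describe the classic symptom of a registry key whose name contains an embedded NUL: the Win32 registry API treats names as NUL-terminated strings, so Regedit sees a truncated name it cannot open, while RootkitRevealer's raw scan sees the full name and reports the discrepancy. The following is an added illustration of that cross-view comparison, written for this thread and not code from Spybot, Sysinternals or any poster. The key names are constructed placeholders, and the "raw" list is assumed to have come from a native-API or offline-hive enumeration, which is not shown here; the block runs offline on the embedded sample.

```python
"""Cross-view check for registry key names hiding behind embedded NULs.

Constructed example. The Win32 API sees a key name only up to its first NUL,
so a name such as "{GUID}\x00hidden" appears truncated (and unopenable) in
Regedit, whereas a raw-hive or native-API enumeration returns the full name.
Comparing the two views is the approach RootkitRevealer uses; this block
reproduces the comparison on sample data.
"""
from dataclasses import dataclass

# --- constructed sample data -------------------------------------------------
# Names as a raw-hive / native-API enumeration would return them. On a real
# system this list is assumed to come from such an enumeration (not shown).
RAW_SUBKEYS = [
    "{00000000-0000-0000-0000-000000000001}",            # ordinary key
    "{00000000-0000-0000-0000-000000000002}\x00hidden",  # embedded NUL
    "{00000000-0000-0000-0000-000000000003}",            # ordinary key
]


def win32_view(name: str) -> str:
    """Simulate how a NUL-terminated Win32 API call sees the key name."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


@dataclass(frozen=True)
class Finding:
    raw_name: str   # name as seen by the raw scan
    api_name: str   # name as seen through the Win32 API ("" if absent)
    reason: str


def cross_view_check(raw_names, api_names=None):
    """Compare the raw enumeration with the Win32 API enumeration.

    api_names defaults to the simulated Win32 view of raw_names, which
    reproduces the truncation seen on a live system. If a real API listing
    is supplied instead, keys that exist in the raw view but are missing
    from the API view (e.g. hidden by an API hook) are reported as well.
    Returns a list of findings; an empty list means both views agree.
    """
    if api_names is None:
        api_names = [win32_view(n) for n in raw_names]
    api_set = set(api_names)
    findings = []
    for raw in raw_names:
        if "\x00" in raw:
            findings.append(Finding(raw, win32_view(raw),
                                    "key name contains embedded NUL"))
        elif raw not in api_set:
            findings.append(Finding(raw, "",
                                    "key visible to raw scan but hidden from API"))
    return findings


def printable(name: str) -> str:
    """Render embedded NULs visibly for console output."""
    return name.replace("\x00", "\\0")


if __name__ == "__main__":
    for f in cross_view_check(RAW_SUBKEYS):
        print(f"{printable(f.raw_name)}  (API sees: {f.api_name!r})  -> {f.reason}")
```

The first branch is what produces the "Key name contains embedded nulls" line; the second covers the other RootkitRevealer case, a key present in the raw view but absent from the API view. Either way the finding is a discrepancy, not proof of malice: as the thread's conclusion notes, legitimate licensing and security software hides keys the same way, so the next step is to identify the owning component rather than to delete on sight.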

IanHarrop
2008-12-05, 16:04
Should I also try the fix suggested here:
http://forums.spybot.info/showthread.php?t=37255&highlight=Win32.Hidden.rtk

Tried this as requested, did not work. Problem remains the same.

Mr Plop
2008-12-07, 12:23
I am also suffering from the dreaded Win32.Hidden.RTK issue.

I also had no luck with removing the thang at startup via Spybot.

I ran SDFix as suggested in the Strange rtk detection from spybot (http://forums.spybot.info/showthread.php?t=37255&highlight=Win32.Hidden.rtk) thread, and here are my results:

My Avira Premium Security Suite has been reporting:


Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\SYSTEM32\DRIVERS\TDSSmhct.sys.
Action performed: Deny access
And I haven't been able to remove this (but I think SDFix has :) ).

After running SDFix, however, Spybot still reports that Win32.Hidden.RTK is lurking about on my PC...

These certainly are trying times. Help!

tashi
2008-12-07, 17:57
Hello Mr Plop, everyone,

Please do not try 'fixes' given to another member in the malware removal forum.

If Spybot-S&D or other security software does not detect or remove an item, follow the procedure in this link: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available.

Cheers.

Mr Plop
2008-12-07, 21:25
Woops, sorry! Got too excited! :oops:

IanHarrop
2008-12-10, 20:50
The problem has gone away, or at least Spybot is no longer reporting it as of today's updates

tashi
2008-12-10, 21:12
:bigthumb:

IanHarrop
2008-12-11, 16:36
Thanks for all the help, everyone. Considering that none of the things we did were effective and that the problem disappeared after a Spybot update, do you think that this was a false positive?

I ask for my own peace of mind. I do a lot to make sure that my system is clean and stays that way.

Thanks, Ian

Yodama
2008-12-12, 07:21
hello,

We consider this a false positive; apart from being hidden and not being removable, it did not show any malicious behavior. There is a lot of legitimate software which hides things for various reasons, for instance security software.