L Miller
2008-12-08, 20:45
I have the same issue reported elsewhere on the forum. Spybot reports Win32.Hidden.RTK with 11 registry entries that cannot be removed by Spybot or by manual deletion in regEdit. In addition, on the affected machine, IE and Firefox have both been compromised and on startup, try to redirect to an 'official' page that tries to sell a product from a URL www.defender-review.com
I have also tried to run spybot from safe mode and it cannot remove from there either. The keys in question are locked upon windows start up.
Please assist in removing the problem.
Also, can you suggest real anti-virus /anti-malware or other that should have caught this before it got a chance to infect system. Norton obviously leaves much to the imagination...
Thanks in advance.
L Miller
2008-12-09, 19:38
The problems in the browsers seem to be caused by a fake notification scam that Malwarebytes was able to ferret out and remove. The file names removed were kjzna1562565.exe and spcffwl.dll as well as various replaced dll's. Malwarebytes just earned my business, that's for sure. :)
Once that was cleaned, the browsers seem to work correctly again and the fake popup saying Trojan.Zlob.G is on the machine is gone.
AntiVira seems to have caught the sober worm and removed it.
Spybot and RootAlyzer are still catching the Win32.Hidden.RTK entries as zero entries in the following registry entries. Nothing I have tried seems to be able to take care of these as they are locked on entry to windows. Does anyone know if these are indicative of a particular problem or false positives?
The registry entries are:
Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
Win32.Hidden.RTK: [SBI $69F7AE33] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
Win32.Hidden.RTK: [SBI $E3982564] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}
Win32.Hidden.RTK: [SBI $D4A72638] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}
Win32.Hidden.RTK: [SBI $F4BEC18A] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
Win32.Hidden.RTK: [SBI $35D3B2E1] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}
Win32.Hidden.RTK: [SBI $AD3B5ADE] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}
Win32.Hidden.RTK: [SBI $53E4EB11] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}
Win32.Hidden.RTK: [SBI $835F952E] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}
Win32.Hidden.RTK: [SBI $EFC77804] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
Win32.Hidden.RTK: [SBI $1A04BFBC] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
These are the same reported in numerous other threads, but I could not find an answer of how to deal with them anywhere or even a general direction to pursue. Anyone have any ideas?
Also, does anyone have links to comparisons of AVG vs. AntiVira vs. Kaspersky, etc.?