
Thread: Win32.Hidden.rtk

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    12

    Default Win32.Hidden.rtk

    I tried a number of tools and the only one reporting this problem is Spybot so I am wondering if this is a false positive. I am running the beta 1.6.1.38 and I have the beta detections.

    Thanks for any help you can provide.

    Here is what is reported by Spybot: (below this is a Hijackthis log)
    ----------------------------------------------------------------

    Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}

    Win32.Hidden.RTK: [SBI $69F7AE33] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}

    Win32.Hidden.RTK: [SBI $E3982564] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}

    Win32.Hidden.RTK: [SBI $D4A72638] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}

    Win32.Hidden.RTK: [SBI $F4BEC18A] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}

    Win32.Hidden.RTK: [SBI $35D3B2E1] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}

    Win32.Hidden.RTK: [SBI $AD3B5ADE] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}

    Win32.Hidden.RTK: [SBI $53E4EB11] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}

    Win32.Hidden.RTK: [SBI $835F952E] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}

    Win32.Hidden.RTK: [SBI $EFC77804] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}

    Win32.Hidden.RTK: [SBI $1A04BFBC] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

    User abort!: Scan was not completed successfully. ()



    --- Spybot - Search & Destroy version: 1.6.1 (build: 20081112) ---

    2008-11-13 blindman.exe (1.0.0.8)
    2008-06-05 SDDelFile.exe (1.0.2.5)
    2008-11-13 SDFiles.exe (1.6.1.7)
    2008-11-13 SDMain.exe (1.0.0.6)
    2008-11-13 SDShred.exe (1.0.2.4)
    2008-11-13 SDUpdate.exe (1.6.0.11)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-11-13 SpybotSD.exe (1.6.1.38)
    2008-11-13 TeaTimer.exe (1.6.4.26)
    2008-11-18 unins000.exe (51.49.0.0)
    2008-11-13 Update.exe (1.6.0.7)
    2008-11-13 advcheck.dll (1.6.2.14)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-11-13 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-11-13 Tools.dll (2.1.6.10)
    2008-11-04 Includes\Adware.sbi (*)
    2008-11-25 Includes\AdwareC.sbi (*)
    2008-11-26 Includes\Beta.sbi (*)
    2007-11-06 Includes\Beta.uti (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-09-02 Includes\Dialer.sbi (*)
    2008-09-09 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2008-11-18 Includes\HijackersC.sbi (*)
    2008-09-09 Includes\Keyloggers.sbi (*)
    2008-11-18 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2008-11-25 Includes\MalwareC.sbi (*)
    2008-11-03 Includes\PUPS.sbi (*)
    2008-11-25 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-11-25 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-11-04 Includes\Spyware.sbi (*)
    2008-11-11 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-11-04 Includes\Trojans.sbi (*)
    2008-11-26 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll


    Edit: FYI Please do NOT post hjt logs in the Spybot forum,
    A detective will look at the Spybot-S&D detections, cheers.
    Last edited by tashi; 2008-11-28 at 07:12. Reason: removed HJT log, added link

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    12

    Default I tried to remove... couldn't

    I tried Fix Selected issues and Spybot could not remove them, so I chose to have Spybot run at start up to see if they could be removed then... no luck.

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    please do a scan with the rootalyzer
    and attach the log file if it finds something suspicious.

    Please also do another scan with Spybot S&D, then expand the results and
    click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

    Email the results to detections-at-spybot.info (replace -at- with @)
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  4. #4
    Junior Member
    Join Date
    Nov 2008
    Location
    Italy
    Posts
    1

    Default Interested

    Quote Originally Posted by Yodama View Post
    hello,

    please do a scan with the rootalyzer
    and attach the log file if it finds something suspicious.

    Please also do another scan with Spybot S&D, then expand the results and
    click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

    Email the results to detections-at-spybot.info (replace -at- with @)
    >> I have the same problem (apparently due to LicCtrl hidden process)
    >> Could you please notify if it is a real threat and possible manual turnaround?
    Thank You for Your help and solicitude

  5. #5
    Junior Member
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    12

    Default

    Quote Originally Posted by Yodama View Post
    hello,

    please do a scan with the rootalyzer
    and attach the log file if it finds something suspicious.

    Please also do another scan with Spybot S&D, then expand the results and
    click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

    Email the results to detections-at-spybot.info (replace -at- with @)
    All logs sent to detections-at-spybot.info as requested, even the second batch as requested by email.

    Thanks for your help

  6. #6
    Junior Member
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    12

    Default

    Quote Originally Posted by Yodama View Post
    hello,

    please do a scan with the rootalyzer
    and attach the log file if it finds something suspicious.

    Please also do another scan with Spybot S&D, then expand the results and
    click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

    Email the results to detections-at-spybot.info (replace -at- with @)
    Should I also try the fix suggested here:
    http://forums.spybot.info/showthread...n32.Hidden.rtk

  7. #7
    Junior Member
    Join Date
    Dec 2005
    Posts
    10

    Default

    Quote Originally Posted by IanHarrop View Post
    ...I am running the beta 1.6.1.38 and I have the beta detections....

    ...Here is what is reported by Spybot:

    Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
    ...
    Same here. These are the same keys that are reported as "Key name contains embedded nulls" by Sysinternal's RKR scan.

  8. #8
    Junior Member
    Join Date
    Dec 2008
    Location
    UK
    Posts
    2

    Default

    I have the same problem, same 11 entries. If I go to REGEDIT and look at one of the entries, REGEDIT gives an error:

    "InprocServer32 cannot be opened. An error is preventing this key from being opened. Details: The system cannot find the file specified."

    I have not tried to remove these entries via REGEDIT.

    I am running SpyBot 1.6.0.31 on Vista HP sp1.
    Last edited by DeWrek; 2008-12-04 at 21:58.
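
Added example, not part of any post in this thread: a small Python model of why a key name with an embedded null (the RootkitRevealer message quoted in post #7) shows up in a listing yet fails to open in tools such as REGEDIT that pass null-terminated names (the error in post #8). It touches no real registry; the `ToyHive` class and the sample names are constructed for illustration, and the thread does not establish which subkey on the posters' machines carries the null.

```python
# Model only: the kernel stores key names as counted UTF-16 strings,
# while Win32-style callers pass names that end at the first NUL.

def counted_name(text: str) -> bytes:
    """Key name as stored: UTF-16LE bytes whose length is tracked separately."""
    return text.encode("utf-16-le")

def win32_view(raw: bytes) -> str:
    """What a NUL-terminated API shows: everything before the first U+0000."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def has_embedded_null(raw: bytes) -> bool:
    """The check a counted-string scanner can make and a C-string tool cannot."""
    return "\x00" in raw.decode("utf-16-le")

class ToyHive:
    """Hypothetical stand-in for one key's subkeys, indexed by counted name."""

    def __init__(self, names):
        self._keys = {counted_name(n) for n in names}

    def enumerate(self):
        # Listing works, but each name is displayed truncated at the NUL.
        return [win32_view(k) for k in sorted(self._keys)]

    def open_win32(self, shown_name: str) -> bool:
        # The caller can only supply the truncated name, which matches
        # nothing stored: the "cannot find the file specified" symptom.
        return counted_name(shown_name) in self._keys

    def scan(self):
        # Report (displayed name, stored length in bytes) for suspect names.
        return [(win32_view(k), len(k)) for k in sorted(self._keys)
                if has_embedded_null(k)]

# Constructed sample: one ordinary subkey, one with a trailing NUL in its name.
SAMPLE = ["ProgID", "InprocServer32\x00"]

if __name__ == "__main__":
    hive = ToyHive(SAMPLE)
    for name in hive.enumerate():
        print(f"{name:16} opens via Win32 view: {hive.open_win32(name)}")
    print("embedded-null names:", hive.scan())
```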

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    12

    Default

    Quote Originally Posted by IanHarrop View Post
    Should I also try the fix suggested here:
    http://forums.spybot.info/showthread...n32.Hidden.rtk
    Tried this as requested, did not work. Problem remains the same.

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Location
    Sydney
    Posts
    2

    Default

    I am also suffering from the dreaded Win32.Hidden.RTK issue.

    I also had no luck with removing the thang at startup via Spybot.

    I ran SDFix as suggested in the Strange rtk detection from spybot thread, and here are my results:

    My Avira Premium Security Suite has been reporting:
    Code:
    Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
    detected in file 'C:\WINDOWS\SYSTEM32\DRIVERS\TDSSmhct.sys.
    Action performed: Deny access
    And I haven't been able to remove this (but I think SDFix has).

    After running SDFix, however, Spybot still reports that Win32.Hidden.RTK is lurking about on my PC.....

    These certainly are trying times. Help!
    Last edited by tashi; 2008-12-07 at 18:03. Reason: Removed log
