Win32.Hidden.rtk

IanHarrop

I tried a number of tools and the only one reporting this problem is Spybot so I am wondering if this is a false positive. I am running the beta 1.6.1.38 and I have the beta detections.

Thanks for any help you can provide.

Here is what is reported by Spybot: (below this is a HijackThis log)
----------------------------------------------------------------

Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}

Win32.Hidden.RTK: [SBI $69F7AE33] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}

Win32.Hidden.RTK: [SBI $E3982564] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}

Win32.Hidden.RTK: [SBI $D4A72638] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}

Win32.Hidden.RTK: [SBI $F4BEC18A] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}

Win32.Hidden.RTK: [SBI $35D3B2E1] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}

Win32.Hidden.RTK: [SBI $AD3B5ADE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}

Win32.Hidden.RTK: [SBI $53E4EB11] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}

Win32.Hidden.RTK: [SBI $835F952E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}

Win32.Hidden.RTK: [SBI $EFC77804] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}

Win32.Hidden.RTK: [SBI $1A04BFBC] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

User abort!: Scan was not completed successfully. ()



--- Spybot - Search & Destroy version: 1.6.1 (build: 20081112) ---

2008-11-13 blindman.exe (1.0.0.8)
2008-06-05 SDDelFile.exe (1.0.2.5)
2008-11-13 SDFiles.exe (1.6.1.7)
2008-11-13 SDMain.exe (1.0.0.6)
2008-11-13 SDShred.exe (1.0.2.4)
2008-11-13 SDUpdate.exe (1.6.0.11)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-11-13 SpybotSD.exe (1.6.1.38)
2008-11-13 TeaTimer.exe (1.6.4.26)
2008-11-18 unins000.exe (51.49.0.0)
2008-11-13 Update.exe (1.6.0.7)
2008-11-13 advcheck.dll (1.6.2.14)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-11-13 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-11-13 Tools.dll (2.1.6.10)
2008-11-04 Includes\Adware.sbi (*)
2008-11-25 Includes\AdwareC.sbi (*)
2008-11-26 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-11-18 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-18 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-11-25 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-25 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-11-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


Edit: FYI, please do NOT post HJT logs in the Spybot forum.
A detective will look at the Spybot-S&D detections, cheers.
 
I tried to remove... couldn't

I tried Fix Selected issues and Spybot could not remove them, so I chose to have Spybot run at start up to see if they could be removed then... no luck.
 
hello,

please do a scan with the rootalyzer
and attach the log file if it finds something suspicious.

Please also do another scan with Spybot S&D, then expand the results and
click on the blue icon on the right side. This will open the registry editor and automatically navigate to the respective registry key. Export the registry keys given in your result above.

Email the results to detections-at-spybot.info (replace -at- with @)
 
Interested

>> I have the same problem (apparently due to LicCtrl hidden process)
>> Could you please notify if is a real threat and possible manual turnaround ?
Thank you for your help and solicitude.
 
All logs sent to detections-at-spybot.info as requested, even the second batch as requested by email.

Thanks for your help :)
 
Should I also try the fix suggested here:
http://forums.spybot.info/showthread.php?t=37255&highlight=Win32.Hidden.rtk
 
...I am running the beta 1.6.1.38 and I have the beta detections....

...Here us what is reported by Spybot:

Win32.Hidden.RTK: [SBI $DBA82710] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
...
Same here. These are the same keys that are reported as "Key name contains embedded nulls" by Sysinternals' RKR scan.
 
I have the same problem, same 11 entries. If I go to REGEDIT and look at one of the entries, REGEDIT gives an error:

"InprocServer32 cannot be opened. An error is preventing this key from being opened. Details: The system cannot find the file specified."

I have not tried to remove these entries via REGEDIT.

I am running SpyBot 1.6.0.31 on Vista HP sp1.
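The two symptoms reported above (RootkitRevealer flagging "Key name contains embedded nulls" and regedit saying the key "cannot be opened") have one mechanism behind them: Win32 registry functions, and therefore regedit and reg.exe, treat a key name as a NUL-terminated string, while the kernel stores it as a counted string. A key created through the native API with a NUL inside its name is listed under the truncated name and then cannot be opened, because no key with exactly that name exists. The script below is an added example, not code from this thread, from Spybot or from RootkitRevealer; it reproduces the check RKR performs by enumerating subkeys through NtEnumerateKey and flagging every name that Win32 would truncate. The GUIDs in the sample list are constructed placeholders, not the keys reported in this thread, and the native-API function runs only on Windows (the constant values and the KEY_BASIC_INFORMATION layout are taken from the public NT headers).

```python
"""Find registry subkeys whose names contain embedded NULs (hidden keys).

Added example, not code from the thread, Spybot or RootkitRevealer.
"""
import ctypes
import sys

# NT native API constants, as published in winternl.h / ntifs.h.
OBJ_CASE_INSENSITIVE = 0x40
KEY_READ = 0x20019
KeyBasicInformation = 0
STATUS_BUFFER_OVERFLOW = 0x80000005
STATUS_NO_MORE_ENTRIES = 0x8000001A
STATUS_BUFFER_TOO_SMALL = 0xC0000023
CLSID_PATH = r"\Registry\Machine\SOFTWARE\Classes\CLSID"


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


def win32_view(native_name):
    """The name a Win32 caller sees: everything before the first embedded NUL."""
    return native_name.split("\x00", 1)[0]


def hidden_key_report(native_names):
    """Return (native_name, win32_view) for every name that Win32 cannot address.

    Platform independent: `native_names` may come from native_subkey_names()
    on Windows or from a constructed sample such as SAMPLE_NATIVE_NAMES.
    """
    return [(n, win32_view(n)) for n in native_names if "\x00" in n]


def native_subkey_names(path=CLSID_PATH):
    """Enumerate the subkeys of `path` via NtEnumerateKey (Windows only).

    Returns full names, embedded NULs included, which is what distinguishes
    this from RegEnumKeyEx / regedit / reg.exe.
    """
    ntdll = ctypes.WinDLL("ntdll")
    name = UNICODE_STRING(len(path) * 2, len(path) * 2, path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(name), OBJ_CASE_INSENSITIVE,
                              None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ,
                             ctypes.byref(attrs)) & 0xFFFFFFFF
    if status >= 0x80000000:
        raise OSError("NtOpenKey failed: 0x%08X" % status)

    names, index = [], 0
    buf = ctypes.create_string_buffer(1024)
    needed = ctypes.c_ulong()
    try:
        while True:
            status = ntdll.NtEnumerateKey(handle, index, KeyBasicInformation,
                                          buf, ctypes.sizeof(buf),
                                          ctypes.byref(needed)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status in (STATUS_BUFFER_OVERFLOW, STATUS_BUFFER_TOO_SMALL):
                buf = ctypes.create_string_buffer(needed.value)  # retry, larger
                continue
            if status >= 0x80000000:
                raise OSError("NtEnumerateKey failed: 0x%08X" % status)
            # KEY_BASIC_INFORMATION: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
            name_len = int.from_bytes(buf.raw[12:16], "little")
            names.append(buf.raw[16:16 + name_len].decode("utf-16-le"))
            index += 1
    finally:
        ntdll.NtClose(handle)
    return names


# Constructed sample of what the native API might return. The GUIDs are
# placeholders, not the keys reported in the thread.
SAMPLE_NATIVE_NAMES = [
    "{00000000-0000-0000-0000-000000000000}",       # ordinary key
    "{11111111-1111-1111-1111-111111111111}\x00",   # listed by regedit, cannot be opened
    "\x00{22222222-2222-2222-2222-222222222222}",   # Win32 sees an empty name
]

if __name__ == "__main__":
    source = native_subkey_names() if sys.platform == "win32" else SAMPLE_NATIVE_NAMES
    for native, seen in hidden_key_report(source):
        print("hidden key: native=%r  win32 sees=%r" % (native, seen))
```

Run it from an elevated prompt on the affected machine and compare the output with `reg query HKLM\SOFTWARE\Classes\CLSID`: a name that appears here with a NUL but not in reg.exe's listing is exactly what RKR flags. Note that the check establishes only how the key was created, not whether it is malicious; as the moderator concludes later in this thread, legitimate software also hides keys this way.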
 
I am also suffering from the dreaded Win32.Hidden.RTK issue.

I also had no luck with removing the thang at startup via Spybot.

I ran SDFix as suggested in the Strange rtk detection from spybot thread, and here are my results:

My Avira Premium Security Suite has been reporting:
Code:
Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\SYSTEM32\DRIVERS\TDSSmhct.sys.
Action performed: Deny access
And I haven't been able to remove this (but I think SDFix has :) ).

After running SDFix, however, Spybot still reports that Win32.Hidden.RTK is lurking about on my PC.....

These certainly are trying times. Help!
 
Hello Mr Plop, everyone,

Please do not try 'fixes' given to another member in the malware removal forum.

If Spybot-S&D or other security software does not detect or remove an item, follow the procedure in this link: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

  • Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.
Then start your own thread in the Malware Removal Forum where a helper will advise you as soon as available.

Cheers.
 
Thanks to everyone for all the help. Considering that none of the things we did were effective, and that the problem disappeared after a Spybot update, do you think that this was a false positive?

I ask for my own peace of mind. I do a lot to make sure that my system is clean and stays that way.

Thanks, Ian
 
hello,

We consider this a false positive: apart from being hidden and not being removable, it did not show any malicious behavior. There is a lot of legitimate software which hides things for various reasons, for instance security software.
 