How do I remove the rtkt_stitch.d virus (Solved)


Post by tenaj on Tue Oct 07, 2008 3:01 am

Hi everyone. I did a Trend Micro scan and the rtkt_stitch.d virus was not removed. I can't get on any security website to find out how to fix it. I think the virus blocked the website. I scanned my computer to find it; Trend Micro told me where it was located, but I didn't see it. Any help will be appreciated.

tenaj (Novice) - Posts: 26 - Joined: 2008-10-07


Post by Doctor Inferno on Tue Oct 07, 2008 3:23 am

Hello and welcome to GeekPolice. First of all, please proceed [You must be registered and logged in to see this link.] and follow the instructions provided. After that, post a HijackThis log here.

I or another staff member will help you, depending on who sees your log first.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno (Administrator) - Posts: 12017 - Joined: 2007-12-26 - Gender: Male - OS: Windows 7 Home Premium and Ultimate X64


Post by tenaj on Tue Oct 07, 2008 10:36 pm

Wow! Thanks a bunch. I will get busy following the instructions and will post the HijackThis log when done.



Post by tenaj on Wed Oct 08, 2008 9:43 pm

I can't download the ATF Cleaner. It won't let me go to any security websites like Microsoft Support, Trend Micro, etc. What do I do: skip the first part, downloading and using the ATF Cleaner? I got a blue screen warning this morning.



Post by Belahzur on Wed Oct 08, 2008 10:22 pm

Hello Tenaj.
I suspect you may be infected with a rootkit known as tdssserv. Last time I battled with tdssserv, my user couldn't access security-related sites either.

Just a suspicion, though.
Can you access this?

88.221.171.190/portal/en-US/_download/HiJackThis.exe


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34916 - Joined: 2008-08-03 - Gender: Male - OS: XP SP3 Media Centre


Post by tenaj on Wed Oct 08, 2008 10:25 pm

[You must be registered and logged in to see this link.] wrote: Hello Tenaj.
I suspect you may be infected with a rootkit known as tdssserv. Last time I battled with tdssserv, my user couldn't access security-related sites either.

Just a suspicion, though.
Can you access this?

88.221.171.190/portal/en-US/_download/HiJackThis.exe

No, I get:
Invalid URL
The requested URL "/portal/en-US/_download/HiJackThis.exe", is invalid.

Reference #9.8a8dd58.1223504714.0



Post by Belahzur on Wed Oct 08, 2008 10:27 pm

I got that also.
Can you download HJT from here?

[You must be registered and logged in to see this link.]




Post by tenaj on Wed Oct 08, 2008 10:30 pm

[You must be registered and logged in to see this link.] wrote: I got that also.
Can you download HJT from here?

[You must be registered and logged in to see this link.]

Yes, I was able to download that.



Post by Belahzur on Wed Oct 08, 2008 10:31 pm

Thought you would.
This is how my user had to get the tools I uploaded.

Can you install it and post a log, please?




Post by tenaj on Wed Oct 08, 2008 10:32 pm

[You must be registered and logged in to see this link.] wrote: Thought you would.
This is how my user had to get the tools I uploaded.

Can you install it and post a log, please?

Yes, I will do that. Thanks.



Post by tenaj on Wed Oct 08, 2008 10:34 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:03 PM, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &ieSpell Options - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [You must be registered and logged in to see this link.] Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: x-mem2 - {1B2A56AA-ABC0-47FF-A80D-302E4FA2A118} - C:\Program Files\Screenbook Maker\eztoolslib2lite.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 12243 bytes



Post by Belahzur on Wed Oct 08, 2008 10:39 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)


  • Press "Fix Checked"
  • Close HijackThis.


Delete this file:
C:\WINDOWS\system32\drivers\svchost.exe <-- delete it only in the drivers folder.

====
Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.


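The judgement applied by eye in the post above (an svchost.exe auto-started from the drivers folder, a BHO marked "(no file)", a service whose binary is "(file missing)") can be written down as a script. The Python below is an added example for this thread, not part of HijackThis, Malwarebytes or the forum's own tools. It scans a HijackThis log and flags two things: a running process or O4 autorun whose file name matches a core Windows binary but whose directory is not the one that binary lives in, and O2/O23 entries whose target file is gone. The expected-directory table assumes a default Windows XP layout with %SystemRoot% = C:\WINDOWS, and the sample log is a constructed subset of the first log posted in this thread plus a few benign lines; neither is tool output.

```python
"""Flag suspicious entries in a HijackThis (HJT) log.

Added example for this thread; not part of HijackThis or of the forum's tools.
Heuristics (the same judgement applied by eye in the post above):
  impostor   - a file named like a core Windows binary (svchost.exe, lsass.exe,
               ...) that is running from, or auto-started from, a directory
               other than the one the genuine binary lives in;
  dead-entry - an O2 BHO marked "(no file)" or an O23 service marked
               "(file missing)": leftovers, harmless but worth cleaning up.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumption: default Windows XP layout with %SystemRoot% = C:\WINDOWS.
# Keys are lower-case file names; values are the only directories (lower-case)
# in which the genuine binary is expected to live.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")          # a "Running processes" line
O4_LINE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe token of an autorun command, quoted or not, before any arguments.
EXE_IN_CMD = re.compile(r'^"?([^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str     # "impostor" or "dead-entry"
    line: str     # offending log line, verbatim
    reason: str


def _check_path(path: str, line: str) -> Optional[Finding]:
    """Return an impostor finding if a core-binary name sits outside its home."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return None                                # not a name worth impersonating
    parent = str(p.parent).lower()                 # full directory, case-folded
    if parent in expected:
        return None                                # genuine location
    where = parent if parent != "." else "(no directory given)"
    return Finding("impostor", line,
                   f"{p.name.lower()} belongs in {sorted(expected)}, found in {where}")


def triage(log_text: str) -> List[Finding]:
    """Scan an HJT log and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if DRIVE_PATH.match(line):                 # Running processes section
            f = _check_path(line, line)
        elif (m := O4_LINE.match(line)):           # autorun entries
            exe = EXE_IN_CMD.match(m.group("cmd"))
            f = _check_path(exe.group(1), line) if exe else None
        elif line.startswith("O2 ") and line.endswith("(no file)"):
            f = Finding("dead-entry", line, "BHO registered but its DLL is gone")
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            f = Finding("dead-entry", line, "service registered but its binary is gone")
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample: a subset of the first HJT log in this thread plus benign
# lines, embedded here so the script runs offline.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Two details matter in practice. HijackThis prints paths with inconsistent case (System32 and system32 both appear in the log above), so the comparison is done on the case-folded full directory, not a substring test; a substring check for "system32" would let C:\WINDOWS\system32\drivers through, which is exactly the trick this entry relies on. And the genuine svchost.exe appears several times in the process list, so the rule is keyed on the directory, not on how often the name occurs.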


Post by tenaj on Wed Oct 08, 2008 10:45 pm

OK, thanks.



Post by Belahzur on Wed Oct 08, 2008 10:53 pm

I edited in the MBAM instructions. If you didn't see them, please run it.




Post by tenaj on Wed Oct 08, 2008 10:57 pm

I don't see the c:\program files\common files\installshield\driver\1050\intel 32\idriverT.exe file ("file missing"). I take it I have to delete that from the [You must be registered and logged in to see this link.] drive. I just don't want to assume anything; I want to follow your directions. Likewise, I will delete this: C:\WINDOWS\system32\drivers\svchost.exe <-- delete it only in the drivers folder.

Is that correct?



Post by tenaj on Wed Oct 08, 2008 10:58 pm

I see your new instructions.



Post by tenaj on Wed Oct 08, 2008 11:02 pm

I cannot download this:

Download Malwarebytes' Anti-Malware from Here

I get "connection interrupted" again.



Post by Belahzur on Wed Oct 08, 2008 11:05 pm

I hate tdssserv.

Rapidshare'd.
[You must be registered and logged in to see this link.]

Download and follow instructions at bottom of page 1.




Post by tenaj on Wed Oct 08, 2008 11:16 pm

I did Fix Checked and could not delete the [You must be registered and logged in to see this link.] files/Common Files\InstallShield..... entry.

There is no Drivers folder when I navigate there.

I deleted the C:\WINDOWS\system32\drivers\svchost.exe file.

BUT

I get "connection interrupted" when I try to download Malwarebytes' Anti-Malware from the "here" link.



Post by Belahzur on Wed Oct 08, 2008 11:25 pm

Never mind about the O23 item in HijackThis; it's only a dead service.
The bad file is gone, and Rapidshare got "connection interrupted"?
I'll put it up at a different host.




Post by tenaj on Wed Oct 08, 2008 11:27 pm

MBAM is doing a quick scan now. Be back with the results. Thanks for helping me out Belahzur.



Post by Belahzur on Wed Oct 08, 2008 11:28 pm

Ah, so Rapidshare worked?
MBAM caught the rootkit last time we battled, so I have trust in MBAM, and after it's gone, you should be able to access security sites.




Post by tenaj on Wed Oct 08, 2008 11:58 pm

OK, these are my MBAM results:

Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/08/2008 7:35:42 PM
mbam-log-2008-10-08 (19-35-42).txt

Scan type: Quick Scan
Objects scanned: 59814
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

This is my fresh HijackThis log; there were two files not corrected.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:27 PM, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &ieSpell Options - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - [You must be registered and logged in to see this link.] Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: x-mem2 - {1B2A56AA-ABC0-47FF-A80D-302E4FA2A118} - C:\Program Files\Screenbook Maker\eztoolslib2lite.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 12089 bytes

THE TWO FILES THAT ARE INFECTED BUT NOT REMOVED ARE
HKEY LOCALMACHINE\software\microsoft\windows NT current version\winlogon\userinit\Data: c:\windows\system32\

and

HKEY LOCALMACHINE\software\microsoft\windows NT current version\winlogon\userinit\Data: c:\windows\system32\

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:01 am

I still have two Trojans in my registry, and I just tried to get on the Trend Micro site and got "connection interrupted" again, but I'm glad to get this far and am thankful for all your help.

THE TWO FILES THAT ARE INFECTED BUT NOT REMOVED ARE
HKEY LOCALMACHINE\software\microsoft\windows NT current version\winlogon\userinit\Data: c:\windows\system32\

and

HKEY LOCALMACHINE\software\microsoft\windows NT current version\winlogon\userinit\Data: c:\windows\system32\

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 12:05 am

Hmmm.
MBAM log wasn't complete?
This might find it. You might want to copy these instructions into a Notepad file, because you won't have access to this page to read the instructions from.

This is on a different host, see if you can download from here before I post another link.

Download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:14 am

It won't let me go to this site:

Download SDFix and save it to your Desktop.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 12:15 am

[You must be registered and logged in to see this link.]

Download and extract it.

If this doesn't work, I'm going after it full blast.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:23 am

Megamanager is now a plugin in my Firefox browser.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:25 am

When I click on your SDfix link I get this

[You must be registered and logged in to see this link.]

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 12:29 am

This might fix it.

I need you to do this:
Start > Run > type in regedit and press enter.

This will open the registry editor.
Try to follow this path (press the little + image at the side of each key to expand it and follow the path):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Once you get to the Winlogon part, don't press the + at the side; click the word Winlogon only once, and it will show a big list of stuff in the right-hand pane.

See this image:
[You must be registered and logged in to see this link.]




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:39 am

I was hoping I didn't have to go into the registry. Here it goes.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:46 am

OK I'm there - I didn't click on the + on winlogon but clicked the word itself and the right pane got a lot of stuff there.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 12:49 am

Good.
Double click "userinit". You already have it set to "C:\windows\system32\"; you need to add "userinit.exe" to the end so that the data value becomes:

"C:\windows\system32\userinit.exe"




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 12:55 am

C:\WINDOWS\system32\userinit.exe is already there and it has a comma on the end as well.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 1:02 am

Well there goes my idea.
Exit the registry editor.

Here's a last shot in the dark.

Download OTMoveIt3 from here.
[You must be registered and logged in to see this link.]

Download and open it.
In the "Paste instructions for items to be moved", paste this:


:Files
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat


Press the red MoveIt! button, it will make a report in the right hand pane.
Copy and paste it back here.

I've left a note for another helper to help out, he should be online in a few hours.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 1:10 am

Hopefully you'll see this post.
You should be able to analyze this yourself: if OTMoveIt says Moved Successfully, then the files were present and OTMoveIt has now killed them.

If it says Not found, the rootkit wasn't there and my idea is gone again.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 1:11 am

========== FILES ==========
Invalid Environment Variable: System

OTMoveIt3 by OldTimer - Version 1.0.4.1 log created on 10082008_210823

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Belahzur on Thu Oct 09, 2008 1:12 am

I edited the post, I made a typo, try again.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 1:32 am

========== FILES ==========
File move failed. C:\WINDOWS\system32\drivers\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.4.1 log created on 10082008_211343

Files moved on Reboot...
C:\WINDOWS\system32\drivers\\UMDF moved successfully.
C:\WINDOWS\system32\drivers\\etc moved successfully.
Folder move failed. C:\WINDOWS\system32\drivers\\disdn scheduled to be moved on reboot.
C:\WINDOWS\system32\drivers\\AU_Backup\2\553648256 moved successfully.
C:\WINDOWS\system32\drivers\\AU_Backup\2\16 moved successfully.
C:\WINDOWS\system32\drivers\\AU_Backup\2 moved successfully.
C:\WINDOWS\system32\drivers\\AU_Backup moved successfully.
Folder move failed. C:\WINDOWS\system32\drivers\ scheduled to be moved on reboot.
C:\WINDOWS\system32\\XPSViewer\en-us moved successfully.
C:\WINDOWS\system32\\XPSViewer moved successfully.
Folder move failed. C:\WINDOWS\system32\\xircom scheduled to be moved on reboot.
C:\WINDOWS\system32\\wins moved successfully.
Folder move failed. C:\WINDOWS\system32\\wbem\xml scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\wbem\snmp scheduled to be moved on reboot.
C:\WINDOWS\system32\\wbem\Repository\FS moved successfully.
C:\WINDOWS\system32\\wbem\Repository moved successfully.
C:\WINDOWS\system32\\wbem\Performance moved successfully.
C:\WINDOWS\system32\\wbem\mof\good moved successfully.
C:\WINDOWS\system32\\wbem\mof\bad moved successfully.
C:\WINDOWS\system32\\wbem\mof moved successfully.
C:\WINDOWS\system32\\wbem\Logs moved successfully.
C:\WINDOWS\system32\\wbem\AutoRecover moved successfully.
Folder move failed. C:\WINDOWS\system32\\wbem scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\usmt scheduled to be moved on reboot.
C:\WINDOWS\system32\\URTTemp moved successfully.
C:\WINDOWS\system32\\spool\XPSEP\i386\i386 moved successfully.
C:\WINDOWS\system32\\spool\XPSEP\i386 moved successfully.
C:\WINDOWS\system32\\spool\XPSEP\amd64\amd64 moved successfully.
C:\WINDOWS\system32\\spool\XPSEP\amd64 moved successfully.
C:\WINDOWS\system32\\spool\XPSEP moved successfully.
C:\WINDOWS\system32\\spool\prtprocs\x64 moved successfully.
C:\WINDOWS\system32\\spool\prtprocs\w32x86 moved successfully.
C:\WINDOWS\system32\\spool\prtprocs moved successfully.
C:\WINDOWS\system32\\spool\PRINTERS moved successfully.
C:\WINDOWS\system32\\spool\drivers\w32x86\hpofficejet_5500_ser7a11 moved successfully.
C:\WINDOWS\system32\\spool\drivers\w32x86\3 moved successfully.
C:\WINDOWS\system32\\spool\drivers\w32x86 moved successfully.
Folder move failed. C:\WINDOWS\system32\\spool\drivers\color scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\spool\drivers scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\spool scheduled to be moved on reboot.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups2.dll moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups.dll\5.8.0.2469 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wups.dll moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.374 moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup\ServiceStartup moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution\Setup moved successfully.
C:\WINDOWS\system32\\SoftwareDistribution moved successfully.
C:\WINDOWS\system32\\ShellExt moved successfully.
Folder move failed. C:\WINDOWS\system32\\Setup scheduled to be moved on reboot.
C:\WINDOWS\system32\\scripting moved successfully.
Folder move failed. C:\WINDOWS\system32\\Restore scheduled to be moved on reboot.
C:\WINDOWS\system32\\ReinstallBackups\0006\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0006 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0005\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0005 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0004\DriverFiles\i386 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0004\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0004 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0003\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0003 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0001\DriverFiles\B_26199 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0001\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0001 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0000\DriverFiles\i386 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0000\DriverFiles moved successfully.
C:\WINDOWS\system32\\ReinstallBackups\0000 moved successfully.
C:\WINDOWS\system32\\ReinstallBackups moved successfully.
C:\WINDOWS\system32\\ras moved successfully.
C:\WINDOWS\system32\\PreInstall\WinSE\wxp_x86_0409_v1 moved successfully.
C:\WINDOWS\system32\\PreInstall\WinSE moved successfully.
C:\WINDOWS\system32\\PreInstall moved successfully.
C:\WINDOWS\system32\\pcintro\tools moved successfully.
C:\WINDOWS\system32\\pcintro\reminder\Warranty moved successfully.
C:\WINDOWS\system32\\pcintro\reminder\Register moved successfully.
C:\WINDOWS\system32\\pcintro\reminder moved successfully.
C:\WINDOWS\system32\\pcintro\elements\titleblocks moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline\7 moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline\6 moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline\5 moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline\4 moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline\3 moved successfully.
C:\WINDOWS\system32\\pcintro\elements\timeline moved successfully.
C:\WINDOWS\system32\\pcintro\elements\ro_icons moved successfully.
C:\WINDOWS\system32\\pcintro\elements\plusHP_photos moved successfully.
C:\WINDOWS\system32\\pcintro\elements moved successfully.
C:\WINDOWS\system32\\pcintro moved successfully.
C:\WINDOWS\system32\\oobe\setup moved successfully.
C:\WINDOWS\system32\\oobe\sample moved successfully.
C:\WINDOWS\system32\\oobe\regerror moved successfully.
C:\WINDOWS\system32\\oobe\isperror moved successfully.
C:\WINDOWS\system32\\oobe\images moved successfully.
C:\WINDOWS\system32\\oobe\icserror moved successfully.
C:\WINDOWS\system32\\oobe\html\sconnect moved successfully.
C:\WINDOWS\system32\\oobe\html\oemreg moved successfully.
C:\WINDOWS\system32\\oobe\html\oemhw moved successfully.
C:\WINDOWS\system32\\oobe\html\oemcust moved successfully.
C:\WINDOWS\system32\\oobe\html\mouse\images moved successfully.
C:\WINDOWS\system32\\oobe\html\mouse moved successfully.
C:\WINDOWS\system32\\oobe\html\isptype moved successfully.
C:\WINDOWS\system32\\oobe\html\ispsgnup moved successfully.
C:\WINDOWS\system32\\oobe\html\iconnect moved successfully.
C:\WINDOWS\system32\\oobe\html\dslmain moved successfully.
C:\WINDOWS\system32\\oobe\html moved successfully.
C:\WINDOWS\system32\\oobe\hpoobe\Agent moved successfully.
C:\WINDOWS\system32\\oobe\hpoobe moved successfully.
C:\WINDOWS\system32\\oobe\error moved successfully.
C:\WINDOWS\system32\\oobe\actsetup moved successfully.
Folder move failed. C:\WINDOWS\system32\\oobe scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\npp scheduled to be moved on reboot.
C:\WINDOWS\system32\\mui\dispspec moved successfully.
Folder move failed. C:\WINDOWS\system32\\mui\0C0A scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0816 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0804 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0427 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0426 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0425 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0424 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\041f scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\041e scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\041D scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\041b scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\041a scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0419 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0418 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0416 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0415 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0414 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0413 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0412 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0411 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0410 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\040e scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\040D scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\040C scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\040b scheduled to be moved on reboot.
C:\WINDOWS\system32\\mui\0409 moved successfully.
Folder move failed. C:\WINDOWS\system32\\mui\0408 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0407 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0406 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0405 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0404 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0402 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0401 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui\0009 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\mui scheduled to be moved on reboot.
C:\WINDOWS\system32\\MsDtc\Trace moved successfully.
C:\WINDOWS\system32\\MsDtc moved successfully.
C:\WINDOWS\system32\\Microsoft\Protect\S-1-5-18\User moved successfully.
C:\WINDOWS\system32\\Microsoft\Protect\S-1-5-18 moved successfully.
C:\WINDOWS\system32\\Microsoft\Protect moved successfully.
C:\WINDOWS\system32\\Microsoft moved successfully.
C:\WINDOWS\system32\\Macromed\update moved successfully.
C:\WINDOWS\system32\\Macromed\Shockwave 10\Xtras moved successfully.
C:\WINDOWS\system32\\Macromed\Shockwave 10 moved successfully.
C:\WINDOWS\system32\\Macromed\Flash\FlashPlayerTrust moved successfully.
C:\WINDOWS\system32\\Macromed\Flash moved successfully.
C:\WINDOWS\system32\\Macromed\Director moved successfully.
C:\WINDOWS\system32\\Macromed\Common moved successfully.
C:\WINDOWS\system32\\Macromed moved successfully.
C:\WINDOWS\system32\\LogFiles\WUDF moved successfully.
C:\WINDOWS\system32\\LogFiles moved successfully.
Folder move failed. C:\WINDOWS\system32\\inetsrv scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\IME\TINTLGNT scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\IME\PINTLGNT scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\IME\CINTLGNT scheduled to be moved on reboot.

tenaj
Novice

Posts : 26
Joined : 2008-10-07

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 1:32 am

Folder move failed. C:\WINDOWS\system32\\IME scheduled to be moved on reboot.
C:\WINDOWS\system32\\icsxml moved successfully.
C:\WINDOWS\system32\\ias moved successfully.
C:\WINDOWS\system32\\FxsTmp moved successfully.
C:\WINDOWS\system32\\export moved successfully.
C:\WINDOWS\system32\\en-us moved successfully.
C:\WINDOWS\system32\\DRVSTORE\wlphonecv_B88DA7978559975500983DADC0107CF3AA89C14C moved successfully.
C:\WINDOWS\system32\\DRVSTORE\usbaapl_97B931EF204A3188AFFD15A9A5337268E8B6F312 moved successfully.
C:\WINDOWS\system32\\DRVSTORE moved successfully.
Folder move failed. C:\WINDOWS\system32\\drivers\disdn scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\drivers scheduled to be moved on reboot.
C:\WINDOWS\system32\\DNAML moved successfully.
Folder move failed. C:\WINDOWS\system32\\dllcache scheduled to be moved on reboot.
C:\WINDOWS\system32\\DirectX\Dinput moved successfully.
C:\WINDOWS\system32\\DirectX moved successfully.
C:\WINDOWS\system32\\dhcp moved successfully.
C:\WINDOWS\system32\\config\systemprofile\WINDOWS\system moved successfully.
C:\WINDOWS\system32\\config\systemprofile\WINDOWS moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Templates moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs\Startup moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs\Online Services moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs\Accessories\Entertainment moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs\Accessories\Accessibility moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs\Accessories moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu\Programs moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Start Menu moved successfully.
C:\WINDOWS\system32\\config\systemprofile\SendTo moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Recent moved successfully.
C:\WINDOWS\system32\\config\systemprofile\PrintHood moved successfully.
C:\WINDOWS\system32\\config\systemprofile\NetHood moved successfully.
C:\WINDOWS\system32\\config\systemprofile\My Documents\My Pictures moved successfully.
C:\WINDOWS\system32\\config\systemprofile\My Documents\My Music moved successfully.
C:\WINDOWS\system32\\config\systemprofile\My Documents moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XRONGTWG moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SO53CL3I moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G58IO9NJ moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4N1K03D4 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3LD1EAOB moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Temp moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100820081009 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100720081008 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100620081007 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920081006 moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Local Settings\History\History.IE5 scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Local Settings\History scheduled to be moved on reboot.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050} moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Works\Portfolio moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Works moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Windows moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Media Player moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Microsoft moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\Google moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data\ApplicationHistory moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Local Settings\Application Data moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Local Settings scheduled to be moved on reboot.
C:\WINDOWS\system32\\config\systemprofile\Favorites\Links moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Favorites moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Desktop moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile\Cookies scheduled to be moved on reboot.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Symantec moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Real\rnadmin moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Real\RealPlayer\ErrorLogs moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Real\RealPlayer moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Real\Msg moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Real moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\SystemCertificates\My moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\SystemCertificates moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-776561741-1229272821-725345543-500 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Protect moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\MMC moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Media Player moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Crypto\RSA moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Crypto moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Credentials moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.0.3705 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\CLR Security Config moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft\Address Book moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Microsoft moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR\NewCfg moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR\downfile moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\GERB7WK2 moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia\Flash Player moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Macromedia moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Intuit\Quicken\Data moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Intuit\Quicken\Config moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Intuit\Quicken moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Intuit moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Identities\{D7262387-AED1-4256-8BFF-22265B0B5C06} moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Identities moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\EmailNotifier moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data\Digital Interactive Systems Corporation moved successfully.
C:\WINDOWS\system32\\config\systemprofile\Application Data moved successfully.
Folder move failed. C:\WINDOWS\system32\\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\config scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\\Com scheduled to be moved on reboot.
C:\WINDOWS\system32\\CatRoot_bak moved successfully.
Folder move failed. C:\WINDOWS\system32\\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} scheduled to be moved on reboot.
C:\WINDOWS\system32\\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} moved successfully.
Folder move failed. C:\WINDOWS\system32\\CatRoot2 scheduled to be moved on reboot.
C:\WINDOWS\system32\\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} moved successfully.
C:\WINDOWS\system32\\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE} moved successfully.
C:\WINDOWS\system32\\CatRoot moved successfully.
C:\WINDOWS\system32\\appmgmt\S-1-5-21-3063714465-1978530528-3707306470-1008 moved successfully.
C:\WINDOWS\system32\\appmgmt\MACHINE moved successfully.
C:\WINDOWS\system32\\appmgmt moved successfully.
C:\WINDOWS\system32\\Adobe\Shockwave 11\Xtras moved successfully.
C:\WINDOWS\system32\\Adobe\Shockwave 11 moved successfully.
C:\WINDOWS\system32\\Adobe\Director moved successfully.
C:\WINDOWS\system32\\Adobe moved successfully.
C:\WINDOWS\system32\\3com_dmi moved successfully.
C:\WINDOWS\system32\\3076 moved successfully.
C:\WINDOWS\system32\\2052 moved successfully.
C:\WINDOWS\system32\\1054 moved successfully.
C:\WINDOWS\system32\\1042 moved successfully.
C:\WINDOWS\system32\\1041 moved successfully.
C:\WINDOWS\system32\\1037 moved successfully.
Folder move failed. C:\WINDOWS\system32\\1033 scheduled to be moved on reboot.
C:\WINDOWS\system32\\1031 moved successfully.
C:\WINDOWS\system32\\1028 moved successfully.
C:\WINDOWS\system32\\1025 moved successfully.
Folder move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.

tenaj
Novice
Posts : 26
Joined : 2008-10-07
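The OTMoveIt3 log above ends with whole system directories being moved (C:\WINDOWS\system32\CatRoot, C:\WINDOWS\system32\appmgmt) and with C:\WINDOWS\system32\ itself "scheduled to be moved on reboot". As an added example, not part of this thread and not code from the OTMoveIt tool, here is a Python check that parses an OTMoveIt-style result log and flags any move that touches a Windows system root, so a helper can stop before the reboot that carries the damage out. The list of protected roots and the sample log lines are constructed assumptions modelled on the English-locale paths visible in this thread.

```python
"""Sanity-check an OTMoveIt-style result log before rebooting.

Added example, not part of the GeekPolice thread or of OTMoveIt itself.
It parses the "moved successfully" / "scheduled to be moved on reboot"
lines the tool prints and flags entries under Windows system roots, so a
script that is about to relocate system32 is caught before the reboot.
"""
import re
from dataclasses import dataclass

# Directory roots a removal script should never move wholesale.
# Assumption: English-locale Windows XP layout, as in the thread's log.
PROTECTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files",
)

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
DEFERRED_RE = re.compile(
    r"^Folder move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"
)


@dataclass
class Move:
    path: str        # normalised path: single backslashes, no trailing slash
    deferred: bool   # True when the move happens at the next reboot
    severity: str    # "ok", "warning" or "critical"


def normalise(path: str) -> str:
    # The log prints some paths with a doubled backslash (system32\\config);
    # collapse those and drop a trailing separator so comparisons are stable.
    path = re.sub(r"\\+", r"\\", path.strip())
    return path.rstrip("\\")


def classify(path: str) -> str:
    low = path.lower()
    for root in PROTECTED_ROOTS:
        if low == root:
            # The protected directory itself is being moved: the OS will not boot.
            return "critical"
        if low.startswith(root + "\\"):
            # Something under a system root: fine for a single malware file,
            # but a whole subtree deserves a human look.
            return "warning"
    return "ok"


def parse_log(text: str) -> list[Move]:
    moves = []
    for line in text.splitlines():
        line = line.strip()
        m = MOVED_RE.match(line)
        deferred = False
        if not m:
            m = DEFERRED_RE.match(line)
            deferred = True
        if not m:
            continue  # not a move result line (blank, header, etc.)
        path = normalise(m.group("path"))
        moves.append(Move(path, deferred, classify(path)))
    return moves


def findings(text: str) -> dict[str, list[str]]:
    """Group flagged paths by severity; a non-empty 'critical' list means do NOT reboot."""
    out: dict[str, list[str]] = {"critical": [], "warning": []}
    for mv in parse_log(text):
        if mv.severity in out:
            out[mv.severity].append(mv.path)
    return out


# Constructed sample in the shape of the log posted in the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\user\Local Settings\Temp\pgcdmqkl.exe moved successfully.
C:\WINDOWS\system32\\CatRoot moved successfully.
Folder move failed. C:\WINDOWS\system32\\config scheduled to be moved on reboot.
Folder move failed. C:\WINDOWS\system32\ scheduled to be moved on reboot.
"""

if __name__ == "__main__":
    result = findings(SAMPLE_LOG)
    for sev in ("critical", "warning"):
        for p in result[sev]:
            print(f"{sev.upper():8} {p}")
```

Run it against the real log text before answering "Yes" to the reboot prompt; anything in the critical list is a script error, not a malware hit.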

Solved Re: How do i remove the rtkt_stitch.d virus

Post by Doctor Inferno on Thu Oct 09, 2008 3:38 am

Download [You must be registered and logged in to see this link.], and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here: part of the window:

Code:
Drivers to disable:
tdssserv

Drivers to delete:
tdssserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
HKEY_LOCAL_MACHINE\SOFTWARE\tdss

Files to delete:
C:\Documents and Settings\%UserName%\Local Settings\Temp\tmp31F.tmp
C:\Documents and Settings\%UserName%\Local Settings\Temp\pgcdmqkl.exe
C:\Documents and Settings\%UserName%\Local Settings\Temp\.ttBC.tmp
C:\Documents and Settings\%UserName%\Local Settings\Temp\tdsBB.tmp
C:\WINDOWS\Temp\tdss6b43.tmp
C:\WINDOWS\Temp\tdssd698.tmp
C:\WINDOWS\Temp\tdssd89b.tmp
C:\WINDOWS\Temp\tdssda12.tmp
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\drivers\tdssserv.sys


* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Doctor Inferno
Administrator
Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
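The Avenger script above targets the three places the TDSS driver anchors itself: its service key, the SafeBoot\Minimal and SafeBoot\Network entries that let it load in Safe Mode, and the driver and helper files on disk, and the script is executed on the reboot the post asks for. As an added example, not part of the thread and not Avenger's own code, here is a Python parser and linter for that script format. It builds the removal plan from the section headers used in the post and flags the things a helper should double-check before clicking Execute: a line that carries two keys or two paths (the sign of a copy-pasted, machine-translated script), a registry key that hard-codes a ControlSet00N number rather than the set named in HKLM\SYSTEM\Select\Current, and a file path that still contains a %UserName%-style variable. Which of these count as suspicious is my assumption; the sample script is constructed from the indicator names in the post.

```python
"""Parse and sanity-check an Avenger removal script before executing it.

Added example; not from the thread and not the Avenger tool's own code.
Avenger takes a plain-text script of sections ("Drivers to disable:",
"Registry keys to delete:", ...) with one entry per line. This parser
builds the plan and returns warnings for entries worth a second look.
"""
import re

# Section headers as they appear in the post's script.
SECTIONS = (
    "Drivers to disable:",
    "Drivers to delete:",
    "Registry keys to delete:",
    "Files to delete:",
)

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER", "HKLM", "HKU", "HKCU")
CONTROLSET_RE = re.compile(r"\\ControlSet(\d{3})\\", re.IGNORECASE)
# "%UserName%"-style tokens. Assumption: the boot-time run has no logged-on
# user, so such a path should be expanded to a literal path beforehand.
VARIABLE_RE = re.compile(r"%[A-Za-z_]+%")
# A drive-letter prefix; two of them on one line means a mangled paste.
DRIVE_RE = re.compile(r"[A-Za-z]:\s*\\")


def parse_script(text: str) -> dict[str, list[str]]:
    plan: dict[str, list[str]] = {s: [] for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        plan[current].append(line)
    return plan


def lint(plan: dict[str, list[str]]) -> list[str]:
    """Return human-readable warnings; an empty list means nothing looked odd."""
    warnings = []
    for section, entries in plan.items():
        for e in entries:
            if section.startswith("Registry"):
                # One key per line: a second HKEY_/HKLM fragment means the line was
                # mangled in transit and the tool would try to match the whole string.
                if e.count("HKEY_") + e.count("HKLM") > 1:
                    warnings.append(f"{section} mangled line (two keys on one line): {e}")
                if not e.upper().startswith(HIVES):
                    warnings.append(f"{section} unknown hive: {e}")
                m = CONTROLSET_RE.search(e)
                if m:
                    warnings.append(
                        f"{section} hard-codes ControlSet{m.group(1)}; confirm it equals "
                        f"HKLM\\SYSTEM\\Select\\Current on this machine: {e}"
                    )
            elif section.startswith("Files"):
                if len(DRIVE_RE.findall(e)) > 1:
                    warnings.append(f"{section} mangled line (two paths on one line): {e}")
                if VARIABLE_RE.search(e):
                    warnings.append(f"{section} contains a variable to expand first: {e}")
            else:
                # Driver sections take the service name, as the post's entries do.
                if "\\" in e or "." in e:
                    warnings.append(f"{section} expects a service name, not a path: {e}")
    return warnings


# Constructed sample: indicator names from the post, with one deliberately
# mangled registry line of the kind a machine-translated paste produces.
SAMPLE_SCRIPT = r"""
Drivers to disable:
tdssserv

Drivers to delete:
tdssserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\tdss HKEY_LOCAL_MACHINE \ SOFTWARE \ tdss

Files to delete:
C:\Documents and Settings\%UserName%\Local Settings\Temp\pgcdmqkl.exe
C:\WINDOWS\system32\drivers\tdssserv.sys
"""

if __name__ == "__main__":
    for w in lint(parse_script(SAMPLE_SCRIPT)):
        print("WARN", w)
```

The linter does not decide whether an indicator is malicious; it only catches the mechanical mistakes that make a boot-time deletion script miss its target or delete the wrong thing.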

Solved Re: How do i remove the rtkt_stitch.d virus

Post by tenaj on Thu Oct 09, 2008 3:54 am

Once I rebooted from OTMoveIt3, Windows wouldn't start anymore. It said that system32\driver\pci.sys was missing or corrupt and to insert the original Windows CD. I did, and when it recovered I lost everything I had. It said it wouldn't disturb my data files, but it did. Microsoft Office is gone. My security software I had to install over. All my custom programs are gone. All my programs, all data I had everywhere. Bummer. What a way to get rid of a virus. But one thing is for sure: that dang gum virus is gone. I hope.

Thanks for all the help. You guys tried and I appreciated it.

tenaj
Novice
Posts : 26
Joined : 2008-10-07