Almirante Risa

RtkBtMnt.exe


Hi!!!

I got infected with a virus named RtkBtMnt.exe. By then, the only antivirus I was using was AVAST, which I installed in November. I detected the infection in April; let me tell you how.

My computer is an extremely small Acer Aspire 1 AoA110, 1Gb Ram, 8Gb Hd, Windows XP, SP3, and by disabling some functions and the like, I have it running well, with Office 2007 and some features I use for my work, and still get some 700 Mb free. One day, it slowed down toooooo much. I checked everything and my free disk space had dropped down to 30Mb. I ran Avast, and nothing. Then, I ran the Windows disk cleaner tool and disk defrag, but nothing changed.

I downloaded and ran CCleaner. It released 400 Mb of rubbish. After a couple of hours, the disk was full again. I ran CCleaner again and it removed only 15Mb. I downloaded and ran WiseDiskCleaner, and it released 500 Mb of rubbish. After 3 hours, the disk was full again, so I ran both cleaners and my disk was at 1Gb free. I checked the files they couldn't delete and, in a temp file, I found this program: RtkBtMnt.exe, with a RealTek sign and logo. I kept the temp folder open, and in a matter of minutes it was being filled with language files such as Russian.bin, Chinese.bin, Spanish.bin, etc., and strange folders that weighed from 5kb to 50Mb. I tried to delete the program, but it said it was being used by another person or program. I downloaded Unlocker and forced deletion. Nothing. I restarted in safe mode but I was unable to find it.

I scanned again with Avast but nothing happened. I downloaded and ran MalwareBytes Anti Malware. It found and cleaned 3 viruses, and I said to myself, this Avast sucks. But it didn't find this. After this something changed; finally, I was able to delete it. I restarted and it was there again. I repeated, deleted it and found it in a RECYCLER folder. Deleted it from there, and it went to Prefetch and so on.

I downloaded and ran SuperAntiSpyware. It found 151 infections that Avast and MBAM missed. But not this one. I uninstalled Avast, and if I could, I would have kicked it really hard. Rubbish. MBAM was corrupted every time I ran the cleaners, and only detected 3, so I marked it as useless and discarded it too.

I downloaded and ran RemoveIt Pro v4, which detected 13 more viruses including this and cleaned them all. Now, I notice that my computer keeps getting infected by this virus when I connect my Kingston memory stick. Remove it pro 4 free does not clean external disks, just C.

I kept SAS, for it detects some things the others don't, and I find it is more complete, but it is failing to detect this one. This is the detection scan performed by Remove it pro:

!Infected rtkbtmnt.exe=;c:\docume~1\user\locals~1\temp\;win32.unknown.random.x;a1953a905b76837b637863012e8641a9;212992;Ok;Ok;

!Infected rtkbtmnt.exe=;c:\documents and settings\user\local settings\temp\;sys32.rtkbtmnt;a1953a905b76837b637863012e8641a9;212992;

I'd like SAS to remove this virus and its installers in my F: disk so as to get rid of it completely, and not have it reinstalled every time I connect my memory stick. Please, help me!!!

Thank you!

Sergio

This topic is now closed to further replies.