Author Topic: file type???  (Read 1861 times)

Offline Asuyuki

  • Jr. Member
  • Posts: 84
  • Karma: +0/-0
file type???
« on: October 19, 2006, 07:27:57 AM »
Erm, I have a query on the file type RKProc!tr ...

This is found in a cheat engine my friend sent me ...

Is it related to hiding cheat engines?
hope is yet to be found ....

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
file type???
« Reply #1 on: October 19, 2006, 10:03:08 AM »
The file sounds like a trojan.
You can scan it with your virus scanner.
Also, you can upload it to one of these online scanners.
Post the results.
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Asuyuki
file type???
« Reply #2 on: October 20, 2006, 04:26:28 AM »
Ya, it is through this site that I found out that the CE has this file inside ...

The 1st site only gave me info that it is infected with RKProc!tr ... I'll post a screenshot, as I'm lazy to rescan ...

As I think the 1st one will not be of much use ... I scanned using the 2nd one as well ... results here~~


Antivirus   Version   Update   Result
AntiVir   7.2.0.31   10.20.2006   no virus found
Authentium   4.93.8   10.20.2006   could be a corrupted executable file
Avast   4.7.892.0   10.19.2006   no virus found
AVG   386   10.20.2006   no virus found
BitDefender   7.2   10.20.2006   no virus found
CAT-QuickHeal   8.00   10.19.2006   (Suspicious) - DNAScan
ClamAV   devel-20060426   10.20.2006   no virus found
DrWeb   4.33   10.20.2006   no virus found
eTrust-InoculateIT   23.73.30   10.20.2006   no virus found
eTrust-Vet   30.3.3143   10.19.2006   no virus found
Ewido   4.0   10.19.2006   no virus found
Fortinet   2.82.0.0   10.20.2006   RKProc!tr
F-Prot   3.16f   10.20.2006   no virus found
F-Prot4   4.2.1.29   10.19.2006   no virus found
Ikarus   0.2.65.0   10.20.2006   no virus found
Kaspersky   4.0.2.24   10.20.2006   no virus found
McAfee   4877   10.19.2006   New RootKit
Microsoft   1.1603    10.20.2006   WinNT/Rootkitdrv.gen!A
NOD32v2   1.1818   10.20.2006   no virus found
Norman   5.80.02   10.19.2006   no virus found
Panda   9.0.0.4   10.19.2006   Suspicious file
Sophos   4.10.0   10.15.2006   Troj/RKProc-Fam
TheHacker   6.0.1.101   10.19.2006   no virus found
UNA   1.83   10.19.2006   no virus found
VBA32   3.11.1   10.19.2006   no virus found
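As an added example (not from the thread, and not any scanner's own code), here is a small Python script that parses a column-aligned multi-engine result table like the one in the post above and separates clean verdicts, heuristic verdicts and named detections, then looks for a family token that more than one engine agrees on. The table rows are the ones posted above; the classification rules and the list of generic naming tokens are this example's assumptions, not a vendor convention.

```python
import re
from collections import Counter, defaultdict

# Sample input: the multi-engine result table copied from the post above
# (engine, version, signature date, result). Nothing here is fabricated.
SCAN_TABLE = """\
Antivirus   Version   Update   Result
AntiVir   7.2.0.31   10.20.2006   no virus found
Authentium   4.93.8   10.20.2006   could be a corrupted executable file
Avast   4.7.892.0   10.19.2006   no virus found
AVG   386   10.20.2006   no virus found
BitDefender   7.2   10.20.2006   no virus found
CAT-QuickHeal   8.00   10.19.2006   (Suspicious) - DNAScan
ClamAV   devel-20060426   10.20.2006   no virus found
DrWeb   4.33   10.20.2006   no virus found
eTrust-InoculateIT   23.73.30   10.20.2006   no virus found
eTrust-Vet   30.3.3143   10.19.2006   no virus found
Ewido   4.0   10.19.2006   no virus found
Fortinet   2.82.0.0   10.20.2006   RKProc!tr
F-Prot   3.16f   10.20.2006   no virus found
F-Prot4   4.2.1.29   10.19.2006   no virus found
Ikarus   0.2.65.0   10.20.2006   no virus found
Kaspersky   4.0.2.24   10.20.2006   no virus found
McAfee   4877   10.19.2006   New RootKit
Microsoft   1.1603    10.20.2006   WinNT/Rootkitdrv.gen!A
NOD32v2   1.1818   10.20.2006   no virus found
Norman   5.80.02   10.19.2006   no virus found
Panda   9.0.0.4   10.19.2006   Suspicious file
Sophos   4.10.0   10.15.2006   Troj/RKProc-Fam
TheHacker   6.0.1.101   10.19.2006   no virus found
UNA   1.83   10.19.2006   no virus found
VBA32   3.11.1   10.19.2006   no virus found
"""

# Substrings that mark a heuristic / "looks odd" verdict rather than a
# named signature. Assumption for this example, not a vendor standard.
HEURISTIC_MARKERS = ("suspicious", "could be", "corrupted", "dnascan")
# Naming tokens that carry no family information (platform, type, suffixes).
GENERIC = {"troj", "trojan", "gen", "new", "fam", "winnt", "win32"}


def parse_table(text):
    """Return [(engine, result)] from a table whose columns are separated
    by three or more spaces; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = re.split(r"\s{3,}", line.strip())
        if len(cols) == 4:
            rows.append((cols[0], cols[3]))
    return rows


def classify(result):
    """'clean', 'heuristic' or 'detection' for one engine's result string."""
    r = result.lower()
    if r == "no virus found":
        return "clean"
    if any(m in r for m in HEURISTIC_MARKERS):
        return "heuristic"
    return "detection"


def family_tokens(result):
    """Alphabetic tokens (4+ chars) of a detection name, minus generic ones,
    so 'Troj/RKProc-Fam' and 'RKProc!tr' both reduce to {'rkproc'}."""
    return {t for t in re.findall(r"[A-Za-z]+", result.lower())
            if len(t) >= 4 and t not in GENERIC}


def triage(text):
    """Summarise the table: verdict counts, named detections per engine and
    family tokens that at least two engines independently agree on."""
    rows = parse_table(text)
    kinds = Counter(classify(res) for _, res in rows)
    by_token = defaultdict(set)
    for eng, res in rows:
        if classify(res) == "detection":
            for t in family_tokens(res):
                by_token[t].add(eng)
    return {
        "engines": len(rows),
        "clean": kinds["clean"],
        "heuristic": kinds["heuristic"],
        "detection": kinds["detection"],
        "named_detections": {e: r for e, r in rows if classify(r) == "detection"},
        "shared_family_tokens": {t: sorted(e) for t, e in by_token.items() if len(e) >= 2},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SCAN_TABLE), indent=2))
```

Against the table above it reports 18 clean, 3 heuristic and 4 named detections, with Fortinet and Sophos agreeing on the RKProc name and McAfee and Microsoft calling it a rootkit driver generically. Two independent engines naming the same family, plus two generic rootkit verdicts, carries more weight than any single "suspicious" line, which is why the whole table is worth reading rather than just the first hit.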

Offline guestolo
file type???
« Reply #3 on: October 20, 2006, 08:23:49 AM »
I need you to do the following, please.
This file may have put a rootkit infection on your computer.

I need a few logs.
Download and save to desktop:
 F-Secure BlackLight (blbeta.exe)

    Double click to run blbeta.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by BlackLight; I need to see the log.

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".

Along with that log, also download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Let's just eliminate hidden problems, please.

Also, let's ensure your HijackThis log is clean.
From my signature below, download and save to a permanent folder of its own on your hard drive:
HijackThis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file".
A log will open in Notepad.
Copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.



Offline Asuyuki
file type???
« Reply #4 on: October 20, 2006, 02:06:03 PM »
OK ... 1st log ...

10/21/06 02:39:57 [Info]: BlackLight Engine 1.0.47 initialized
10/21/06 02:39:57 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/21/06 02:39:57 [Note]: 7019 4
10/21/06 02:39:57 [Note]: 7005 0
10/21/06 02:40:02 [Note]: 7006 0
10/21/06 02:40:02 [Note]: 7011 3068
10/21/06 02:40:02 [Note]: 7026 0
10/21/06 02:40:02 [Note]: 7026 0
10/21/06 02:40:14 [Note]: FSRAW library version 1.7.1020
10/21/06 02:51:58 [Note]: 2000 1012
10/21/06 02:51:58 [Note]: 2000 1012
10/21/06 02:51:58 [Note]: 2000 1012
10/21/06 02:52:48 [Note]: 7007 0

2nd log

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-21 03:03:14
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.11 ----

Device  \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL  [EF8C36B6] tfsnifs.sys
Device  \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL   [EF8C36B6] tfsnifs.sys
Device  \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL       [EF8C36B6] tfsnifs.sys
Device  \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL    [EF8C36B6] tfsnifs.sys
Device  \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL   [EF8C36B6] tfsnifs.sys
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE                                           EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE                                            EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_READ                                             EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION                                EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION                                  EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION                         EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL                                EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL                              EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL                                   EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN                                         EEECBC74
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL                                     EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP                                          EEEC8400
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_PNP                                              EEEC8400
Device  \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible                                   EEECBBCE

---- Files - GMER 1.0.11 ----

ADS     ...                                                                            

---- EOF - GMER 1.0.11 ----

Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 2:54:02 AM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WHidePro\whpro.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PUN KA TSUN\Desktop\gmer.exe
D:\ka tsun's stuff\other junks\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maplestory.nexon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Fujitsu Menu] C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [FjEvents] C:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] C:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsHiderPro] C:\Program Files\WHidePro\whpro.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125504900410
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chs.moe.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = chs.moe.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chs.moe.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
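An added example (not from the thread, and not GMER's or HijackThis's own code): a Python triage pass over the two logs above. It groups GMER's hooked dispatch routines by handler address and separates the ones GMER attributed to a module from the bare addresses, and it pulls the O4 / O20 / O23 autostart entries out of the HijackThis log, flagging image paths that are unqualified (resolved via the search path at logon) or outside the usual Windows roots. The GMER and HijackThis lines are copied from the post above, except one clearly labelled constructed O4 line added to exercise the location flag; the list of "standard" roots and the flag rules are assumptions for illustration, not a HijackThis rule set.

```python
import re
from collections import defaultdict

# Sample input: 'Devices' lines copied from the GMER log above (whitespace
# condensed; the full log has more Cdfs rows with the same handler address).
GMER_LOG = r'''
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EF8C36B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EF8C36B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EF8C36B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EF8C36B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EF8C36B6] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE EEEC8400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ EEEC8400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL EEEC8400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN EEECBC74
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible EEECBBCE
'''

# Sample input: autostart lines copied from the HijackThis log above, plus one
# CONSTRUCTED line (ConstructedExample) that is not in the thread, added only
# to show the non-standard-location flag.
HJT_LOG = r'''
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [WindowsHiderPro] C:\Program Files\WHidePro\whpro.exe
O4 - HKCU\..\Run: [ConstructedExample] D:\tools\example.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
'''

# GMER prints '[addr] module' when it mapped the handler to a driver image
# and a bare address when it could not.
GMER_RE = re.compile(
    r"^Device\s+(?P<drvobj>\S+)\s+(?P<device>\S+)\s+(?P<dispatch>\S+)\s+"
    r"(?:\[(?P<addr1>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr2>[0-9A-Fa-f]+))\s*$")

HJT_O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
HJT_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# Image path = quoted string, or everything up to the first executable extension.
PATH_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd)))(?:\s|$)', re.I)
# Assumed "normal" roots for an XP box; anything else gets a look.
STANDARD_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1",
                  "c:\\documents and settings")


def parse_gmer_devices(text):
    """{handler_addr: {'module': name or None, 'hooks': [(device, dispatch)]}}"""
    handlers = defaultdict(lambda: {"module": None, "hooks": []})
    for line in text.splitlines():
        m = GMER_RE.match(line)
        if not m:
            continue
        addr = (m.group("addr1") or m.group("addr2")).upper()
        if m.group("module"):
            handlers[addr]["module"] = m.group("module")
        handlers[addr]["hooks"].append((m.group("device"), m.group("dispatch")))
    return dict(handlers)


def unattributed_handlers(handlers):
    """Handler addresses GMER could not tie to a module: resolve these first."""
    return sorted(a for a, h in handlers.items() if h["module"] is None)


def image_path(cmd):
    m = PATH_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def flag_path(path):
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "unqualified"            # bare file name, found via search path
    if not p.startswith(STANDARD_ROOTS):
        return "non-standard location"
    return None


def triage_hjt(text):
    """Every O4 (Run key), O20 (Winlogon Notify DLL) and O23 (service) entry
    with its image path and a flag (or None)."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O4", HJT_O4_RE), ("O20", HJT_O20_RE), ("O23", HJT_O23_RE)):
            m = rx.match(line)
            if not m:
                continue
            path = image_path(m.group("cmd")) if kind == "O4" else m.group("path").strip()
            entries.append({"kind": kind, "name": m.group("name"),
                            "path": path, "flag": flag_path(path)})
    return entries


def flagged_entries(text):
    return [e for e in triage_hjt(text) if e["flag"]]


if __name__ == "__main__":
    h = parse_gmer_devices(GMER_LOG)
    for addr, info in h.items():
        print(addr, info["module"] or "<no module>", len(info["hooks"]), "hook(s)")
    print("unattributed:", unattributed_handlers(h))
    for e in flagged_entries(HJT_LOG):
        print(e)
```

Against the post's log, the five Fs_Rec recognizer hooks all resolve to one address inside tfsnifs.sys, while the Cdfs handlers (EEEC8400, EEECBC74, EEECBBCE) carry no module name. A handler GMER cannot attribute to a loaded driver image is what you resolve first, although it can also be a legitimate driver GMER failed to map. The HijackThis log in the same post lists DriveLetterAccess (dla) components with the same tfs prefix under C:\WINDOWS\system32\dla\, which is the correlation to check before treating tfsnifs.sys as hostile. On the real HijackThis lines the only flag is AGRSMMSG.exe, a Run entry with no path at all; the O20 Winlogon Notify DLLs are listed because that key is a common persistence point, not because any of them is flagged.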

Offline guestolo
file type???
« Reply #5 on: October 21, 2006, 10:25:36 AM »
I take it you haven't run the file on your computer yet?

I would delete the .rar.
I wouldn't take the chance to run it; it has rootkit possibilities.
Maybe not just to hide cheat engines, but it may open doors for other malware onto your computer.

Where did you download this file from?
Here at this forum?
Can you give me a link to it, please?

You can delete blbeta.exe and the log.
You can delete gmer.zip and gmer.exe.
Also find these files and delete them:
C:\Windows\gmer.dll
C:\Windows\gmer.exe
C:\Windows\gmer.ini
C:\Windows\System32\Drivers\gmer.sys

C:\Windows\Prefetch\gmer.exe
C:\Windows\Prefetch\blbeta.exe



Offline Asuyuki
file type???
« Reply #6 on: October 21, 2006, 09:06:18 PM »
Erm, my friend zipped it up for me ...

It is quite a lot of different files ...

and the zip is 1 MB plus ...