| Thread ID: 23759 | 2002-08-24 23:18:00 | what is this file for? | petemit (1134) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 73633 | 2002-08-24 23:18:00 | Hi, I'm running Win 98 with Explorer 6. When I use Ctrl+Alt+Delete it says the program "qktlkbd" is running. I haven't been able to find what it is or what it does. Does anyone know? Thanks. | petemit (1134) | ||
| 73634 | 2002-08-24 23:47:00 | I have only found one reference online to this and that guy claims it's a virus/trojan/worm. To try and track it down go to home.earthlink.net and download startlog.com and run it. It will generate a text file onto your desktop. Copy the contents of the startup.log (do not need contents of stubpath.txt) generated and post it here. | John Grieve (367) | ||
| 73635 | 2002-08-24 23:49:00 | My suspicion is that it is a keyboard logger in which case you need to change ALL of your passwords just in case they have already been captured. | John Grieve (367) | ||
| 73636 | 2002-08-24 23:49:00 | Looks like it may be a program to assist a multimedia keyboard (the ones with lots of extra buttons, i.e. Internet, Volume Control, etc). If you have one of these keyboards and use those buttons, leave it running; otherwise turn it off (Start > Run > type msconfig, hit Enter. On the Startup tab, look for qktlkbd, remove the tick for that line and click OK). | antmannz (28) | ||
| 73637 | 2002-08-25 09:56:00 | Thanks John and antmannz. I do have a multimedia-type keyboard. I am running ZoneAlarm (the free version) and have Norton AntiVirus. I've spent some more time checking, and by using Ctrl+Alt+Delete I've been able to work out that the program appears after I use a program called Magic Folders. After I log in, the program (if that's what it is) appears. I'll send the start log up to you. There is no indication that it loads from the Start folder. Magic Folder is called "holder" so you will know what that refers to. Thanks for your time, Peter

StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

The following is a list of your current Start-Ups

1. HKLM Run - Registry
[RegPath] "StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"CLMFrontPanel"="clmpanel /i"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

2. HKCU Run - Registry
[RegPath] "StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

3. HKLM RunOnce - Registry
[RegPath] "StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

4. HKCU RunOnce - Registry
[RegPath] "StartUp"
*(RegPath not found..)*

5. HKLM RunServices - Registry
[RegPath] "StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"MiniLog"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\MINILOG.EXE -service"

6. HKLM RunServicesOnce - Registry
[RegPath] "StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively. There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
run=
load=

8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively. You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe

9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
LH D:\HOLD.EXE

10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
*(No start-ups found)*

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

12. Miscellaneous StartUp Configurations

Registry StartUp Directories
Should show the Start Menu StartUp and All Users StartUp directories
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

Registry Shell Spawning
Open Commands for Executable File Types
@="\"%1\" %*" (.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*" (.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S" (.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*" (.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*" (.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*" (.hta file - RegPath = HKCR\htafile\shell\open\command)

HKLM RunOnceEx - Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

HKU (.Default) Run - Registry
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]

HKU (.Default) RunOnce - Registry
*(RegPath not found..)*

StubPaths - Registry (Partial Listing)
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="wupdmgr.exe -shortcut"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"

WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 39 08-22-02 8:28p
[rename]
NUL=C:\WINDOWS\win386.swp

Screen Saver Settings (Possible system.ini start-up)
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\WINDOW~2.SCR

- Supplemental Environment Information -
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS
File - c:\windows\Wininit.bak

- End -
| petemit (1134) | ||
| 73638 | 2002-08-25 22:55:00 | Alright, this just got trickier. There is no obvious file loading that leads to the process you want to know about loading, but there is one entry in the Autoexec.bat file that I cannot find out anything about: the line loading the file called hook.exe (which is on your D drive) in Autoexec.bat. Try finding hook.exe on your D drive and right click on it and look at the properties for hook.exe. Is there any info at all in the properties about version/company etc? If not, I would suspect this file of no good. If there are no obvious properties then rename hook.exe to hook.old, then open Autoexec.bat in edit mode and place a semi-colon ( ; ) before the entry for hook.exe, then reboot and see if qktlkbd still appears in the ctl/alt/del list. If that is not it then you need to identify where this process starts from and what it is actually doing, and luckily there is another free program that can help with this. Go here www.xmlsp.com and download Prcview, read the instructions, make sure qktlkbd is in the ctl/alt/del list, then run Prcview. It should give you lots of info about the process including what started it. When you have identified what starts it with this tool you can find those starter files and right click and look at the properties, which may just give enough info to identify what this thing is. If this qktlkbd is indeed innocent then why is it so hard to find anything about it on the net? You would think that 100s of individuals who check their ctl/alt/del lists regularly would have noticed it, asked questions and got answers which we could then refer to to put our minds at rest. | John Grieve (367) | ||
| 73639 | 2002-08-26 07:18:00 | I think what you're referring to, John, is the line D:\HOLD.EXE. It looks to me that this is used to start Magic Folders on startup as per the top of the post. But as to what qktlkbd does, it's sure got me beat. | antmannz (28) | ||
| 73640 | 2002-08-26 08:57:00 | I should have taken more notice before of this Magic Folders. I made the assumption it would just be some sort of Icon changing program or program to add extra right click functionality to a folder. It is of course the encrypting/hide your folders tool here I take it? www.netaction.org If so then I would hazard a guess that this qktlkbd is part of the encryption/hide engine for the software and of course info about what it is and does would be best kept secret so hackers cannot use it to bypass it. Perhaps you could email the Magic Folders developers and find out if it's theirs? Hook.exe must be part of the "hide folder at boot" part of the tool so your hidden folders stay properly hidden. | John Grieve (367) | ||
| 73641 | 2002-08-27 10:46:00 | Hi, thanks for your help. I'm working my way through your ideas. It might take a while. Thanks again, Peter | petemit (1134) | ||