
  1. Joined : Oct 2015
    Posts : 1,205
    Windows 10 Pro X64
       23 Oct 2016 #1

    Trojan or not ?


    Hi all,

    Not quite sure when this started but roughly somewhere around July I noticed a file called NTUSER.rhk that resides in
    "Users\My username".

    Googling for the .rhk file extension gave me a bit of a scare as most sites suggest this is associated with Trojan.
    Somehow I doubt it as no anti-virus software I ran seems to flag it.
    I can delete this file all I want but it keeps on cropping up.
    It only resides in my user folder together with NTUSER.DAT.
    Does anyone have a clue what it's for or have it too ?

    TIA,

  2.    23 Oct 2016 #2

    It's definitely not part of Windows. You should only have a NTUSER.DAT, NTUSER.dat.LOG# and some regtrans-ms and blf files

    I would grab procmon https://technet.microsoft.com/en-us/...ssmonitor.aspx and set a filter for this file. This should tell you what is creating it.


  3. Joined : Aug 2016
    Posts : 269
    Windows 10 Home
       23 Oct 2016 #3

    fdegrove,

    Welcome to the forum!

    If you want to be sure NTUSER.rhk is not malware, scan the file with VirusTotal:
    https://www.virustotal.com/

    It is a free online scanning service.

    Please post the scan results URL address in your next reply.


  4. Joined : Oct 2015
    Posts : 1,205
    Windows 10 Pro X64
       23 Oct 2016 #4

    Hi,

    Thanks for the replies so far guys.

    Please post the scan results URL address in your next reply.

    Will do asap. Of course now that I deleted it on this system it seems unwilling to pop up again.... For now that is.

    I just wonder if anyone else has it. Going by the time stamp I see in images it could be AU related.
    When it's present it updates itself as I notice the time stamp changing but not necessarily on a daily basis.

    Anyhow, I'll keep an eye on it.

    Cheers,


  5. Joined : Aug 2016
    Posts : 269
    Windows 10 Home
       23 Oct 2016 #5

    fdegrove,

    If you deleted NTUSER.rhk, there is no point in using VirusTotal, since it has to scan the file.

    The file appears to be an application/octet-stream
    Last edited by cottonball; 24 Oct 2016 at 07:26.


  6. Joined : Apr 2015
    Posts : 9,115
    W10Prox64
       23 Oct 2016 #6

    fdegrove said:
    Hi all,

    Not quite sure when this started but roughly somewhere around July I noticed a file called NTUSER.rhk that resides in
    "Users\My username".

    Googling for the .rhk file extension gave me a bit of a scare as most sites suggest this is associated with Trojan.
    Somehow I doubt it as no anti-virus software I ran seems to flag it.
    I can delete this file all I want but it keeps on cropping up.
    It only resides in my user folder together with NTUSER.DAT.
    Does anyone have a clue what it's for or have it too ?

    TIA,
    Hi.
    I just checked and I don't have it in my AU system/user folder. I agree, if it pops up again, upload it to virustotal.com and see what the scanners say about it. If it keeps coming back, that could be a sign of a rootkit. Will be interesting to see what the virustotal scan shows. Then again, it could be some malware, and AVs won't pick that up. Have you run ADWCleaner?


  7. Joined : Oct 2015
    Posts : 1,205
    Windows 10 Pro X64
       24 Oct 2016 #7

    Hi,


    cottonball said:
    fdegrove,

    If you deleted NTUSER.rhk, there is no point in using VirusTotal, since it has to scan the file.

    The file appears to be an application/octet-stream
    I retrieved a copy of the file from an image created last night.
    Uploaded it to VirusTotal :

    MD5 87f1a5944f426b383ebc5e3b168dfff7 SHA1 1dcd6e9d8a09952b617f7d7b042e34670f546a0d
    SHA256 61cc385149a1cab8ba6a450ad81cb3a5c579f79b66c1ad887f0522d75269d93f
    ssdeep
    12288:eTR5DehlV7OEUzACybL475wJQm+mgpwDjsdxlZI+H6nKhXNru63C:e15EbhUzACybL4npyMH/XNru63C


    File size 1.5 MB ( 1622016 bytes )
    File type unknown
    Magic literal
    MS Windows registry file, NT/2000 or above


    TrID Windows NT Registry Hive (generic) (100.0%)

    VirusTotal metadata

    First submission 2016-10-24 09:33:14 UTC ( 5 minutes ago )
    Last submission 2016-10-24 09:33:14 UTC ( 5 minutes ago )
    File names NTUSER.rhk


    It appears to be benign so I guess it is indeed an application octet-stream as you suggest.
    I'll try to find out which app it is but I suspect either Ccleaner or Wise's Registry Cleaner.

    Then again, it could be some malware, and AVs won't pick that up. Have you run ADWCleaner?
    Yes, I did but nothing suspicious was found.

    Thanks for all the help, guys.

    EDIT: Found the guilty app: It is Wise's Registry Cleaner and more precisely its Registry Defrag part that generates the file.
    A second similar file is created called "UsrClass.rhk" in "C:\Users"UserName"\AppData\Local\Microsoft\Windows".
    Just thought I'd let you know.

    Cheers,
    Last edited by fdegrove; 24 Oct 2016 at 05:31.
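
The "MS Windows registry file" identification reported in post #7 can be reproduced locally by reading the file's 512-byte header. This is an added example, not part of the original posts; the field offsets follow the publicly documented `regf` hive layout, and the sample header built here (user name, timestamp, sizes) is constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone
from functools import reduce
from operator import xor

def hive_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0-507) of the base block."""
    value = reduce(xor, struct.unpack_from("<127I", block, 0))
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(value, value)

def inspect_hive_header(data: bytes) -> dict:
    """Parse the 'regf' base block that starts every registry hive file."""
    if len(data) < 512 or data[:4] != b"regf":
        return {"is_hive": False}
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", data, 4)
    _root_cell, bins_size = struct.unpack_from("<II", data, 36)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    (stored,) = struct.unpack_from("<I", data, 508)
    return {
        "is_hive": True,
        "version": f"{major}.{minor}",
        # FILETIME: 100 ns ticks since 1601-01-01 UTC
        "last_written": datetime(1601, 1, 1, tzinfo=timezone.utc)
                        + timedelta(microseconds=filetime // 10),
        "embedded_name": name,          # path fragment recorded inside the hive
        "hive_bins_size": bins_size,
        "sequence_match": seq1 == seq2, # mismatch means an unfinished write
        "checksum_ok": stored == hive_checksum(data),
    }

def build_sample_header() -> bytes:
    """Constructed 512-byte base block for the demo; not the poster's file."""
    h = bytearray(512)
    struct.pack_into("<4sIIQII", h, 0, b"regf", 7, 7, 131217408000000000, 1, 5)
    struct.pack_into("<II", h, 36, 0x20, 4096)
    name = "\\Users\\example\\NTUSER.DAT".encode("utf-16-le")
    h[48:48 + len(name)] = name
    struct.pack_into("<I", h, 508, hive_checksum(bytes(h)))
    return bytes(h)

if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1
            else build_sample_header())
    print(inspect_hive_header(data))
```

A valid header only shows that the file is structured as a registry hive; it does not show which program wrote it, which is what the Process Monitor filter suggested in post #2 is for.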


  8. Joined : Apr 2015
    Posts : 9,115
    W10Prox64
       24 Oct 2016 #8

    fdegrove said:
    ...It appears to be benign so I guess it is indeed an application octet-stream as you suggest.
    I'll try to find out which app it is but I suspect either Ccleaner or Wise's Registry Cleaner....

    ...EDIT: Found the guilty app: It is Wise's Registry Cleaner and more precisely its Registry Defrag part that generates the file.
    A second similar file is created called "UsrClass.rhk in C:\Users"UserName"\AppData\Local\Microsoft\Windows.
    Just thought I'd let you know.

    Cheers,
    Great! Thanks for letting us know.


  9. Joined : Aug 2016
    Posts : 269
    Windows 10 Home
       24 Oct 2016 #9

    fdegrove,

    Can you tell us what sort of antivirus or malware protection program is installed on your computer?

    Also, you may want to consider what is mentioned here:
    Registry Cleaners: Digital Snake Oil | Malwarebytes Labs


  10. Joined : Apr 2015
    Posts : 9,115
    W10Prox64
       24 Oct 2016 #10

    cottonball said:
    fdegrove,

    Can you tell us what sort of antivirus or malware protection program is installed on your computer?

    Also, you may want to consider what is mentioned here:
    Registry Cleaners: Digital Snake Oil | Malwarebytes Labs


 
Windows 10 Forums