Trojan or not ?


  1. Posts : 2,811
    Windows 10 Pro X64
       #1

    Trojan or not ?


    Hi all,

    Not quite sure when this started but roughly somewhere around July I noticed a file called NTUSER.rhk that resides in
    "Users\My username".

    Googling for the .rhk file extension gave me a bit of a scare as most sites suggest this is associated with Trojan.
    Somehow I doubt it as no anti-virus software I ran seems to flag it.
    I can delete this file all I want but it keeps on cropping up.
    It only resides in my user folder together with NTUSER.DAT.
    Does anyone have a clue what it's for or have it too ?

    TIA,

  2. Neemobeer
    Posts : 226
    Many
       #2

    It's definitely not part of Windows. You should only have a NTUSER.DAT, NTUSER.dat.LOG# and some regtrans-ms and blf files.

    I would grab procmon https://technet.microsoft.com/en-us/...ssmonitor.aspx and set a filter for this file. This should tell you what is creating it.

  3. cottonball
    Posts : 575
    Windows 10 Home
       #3

    fdegrove,

    Welcome to the forum!

    If you want to be sure NTUSER.rhk is not malware, scan the file with VirusTotal:
    https://www.virustotal.com/

    It is a free online scanning service.

    Please post the scan results URL address in your next reply.


  4. Posts : 2,811
    Windows 10 Pro X64
    Thread Starter
       #4

    Hi,

    Thanks for the replies so far guys.

    Please post the scan results URL address in your next reply.

    Will do asap. Of course now that I deleted it on this system it seems unwilling to pop up again.... For now that is.

    I just wonder if anyone else has it. Going by the time stamp I see in images it could be AU related.
    When it's present it updates itself as I notice the time stamp changing but not necessarily on a daily basis.

    Anyhow, I'll keep an eye on it.

    Cheers,

  5. cottonball
    Posts : 575
    Windows 10 Home
       #5

    fdegrove,

    If you deleted NTUSER.rhk, there is no point in using VirusTotal, since it has to scan the file.

    The file appears to be an application/octet-stream
    Last edited by cottonball; 24 Oct 2016 at 07:26.

  6. simrick
    Posts : 16,226
    W10Prox64
       #6

    fdegrove said:
    Hi all,

    Not quite sure when this started but roughly somewhere around July I noticed a file called NTUSER.rhk that resides in
    "Users\My username".

    Googling for the .rhk file extension gave me a bit of a scare as most sites suggest this is associated with Trojan.
    Somehow I doubt it as no anti-virus software I ran seems to flag it.
    I can delete this file all I want but it keeps on cropping up.
    It only resides in my user folder together with NTUSER.DAT.
    Does anyone have a clue what it's for or have it too ?

    TIA,

    Hi.
    I just checked and I don't have it in my AU system/user folder. I agree, if it pops up again, upload it to virustotal.com and see what the scanners say about it. If it keeps coming back, that could be a sign of a rootkit. Will be interesting to see what the virustotal scan shows. Then again, it could be some malware, and AVs won't pick that up. Have you run ADWCleaner?


  7. Posts : 2,811
    Windows 10 Pro X64
    Thread Starter
       #7

    Hi,


    cottonball said:
    fdegrove,

    If you deleted NTUSER.rhk, there is no point in using VirusTotal, since it has to scan the file.

    The file appears to be an application/octet-stream

    I retrieved a copy of the file from an image created last night.
    Uploaded it to VirusTotal:

    MD5 87f1a5944f426b383ebc5e3b168dfff7 SHA1 1dcd6e9d8a09952b617f7d7b042e34670f546a0d
    SHA256 61cc385149a1cab8ba6a450ad81cb3a5c579f79b66c1ad887f0522d75269d93f
    ssdeep
    12288:eTR5DehlV7OEUzACybL475wJQm+mgpwDjsdxlZI+H6nKhXNru63C:e15EbhUzACybL4npyMH/XNru63C


    File size 1.5 MB ( 1622016 bytes )
    File type unknown
    Magic literal
    MS Windows registry file, NT/2000 or above


    TrID Windows NT Registry Hive (generic) (100.0%)

    VirusTotal metadata

    First submission 2016-10-24 09:33:14 UTC ( 5 minutes ago )
    Last submission 2016-10-24 09:33:14 UTC ( 5 minutes ago )
    File names NTUSER.rhk


    It appears to be benign so I guess it is indeed an application octet-stream as you suggest.
    I'll try to find out which app it is but I suspect either Ccleaner or Wise's Registry Cleaner.

    Then again, it could be some malware, and AVs won't pick that up. Have you run ADWCleaner?

    Yes, I did but nothing suspicious was found.

    Thanks for all the help, guys.

    EDIT: Found the guilty app: It is Wise's Registry Cleaner and more precisely its Registry Defrag part that generates the file.
    A second similar file is created called "UsrClass.rhk" in "C:\Users\<UserName>\AppData\Local\Microsoft\Windows".
    Just thought I'd let you know.

    Cheers,
    Last edited by fdegrove; 24 Oct 2016 at 05:31.
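    The triage the thread walks through by hand (check what the file really is, take its hashes for a VirusTotal lookup, note when it was last written) can be scripted. This is an added example, not code from the thread, from Wise or from VirusTotal; it assumes the two file names and locations reported above and that a registry hive begins with the ASCII signature "regf", which is what VirusTotal's "MS Windows registry file" magic check matched.

```powershell
# Added example: triage the two .rhk files the thread reports.
# Paths are the ones given in the thread; adjust if yours differ.
$candidates = @(
    (Join-Path $env:USERPROFILE 'NTUSER.rhk'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\UsrClass.rhk')
)

function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    # Read only the first four bytes: a registry hive starts with "regf".
    # Opening read-only also avoids touching the file's timestamps.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 4
        $read = $fs.Read($header, 0, 4)
    } finally {
        $fs.Dispose()
    }
    $magic = [System.Text.Encoding]::ASCII.GetString($header, 0, $read)

    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path           = $Path
        Present        = $true
        SizeBytes      = $item.Length
        LastWriteUtc   = $item.LastWriteTimeUtc
        Magic          = $magic
        IsRegistryHive = ($magic -eq 'regf')
        # Hashes let you search VirusTotal without uploading the file.
        SHA256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        MD5            = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    }
}

$candidates | ForEach-Object { Get-FileTriage -Path $_ } | Format-List
```

    A "regf" header says the file is a hive, not which program wrote it; to answer that, use the Procmon filter suggested in post #2 (Path contains the file name, operation CreateFile or WriteFile) and read the Process Name column.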

  8. simrick
    Posts : 16,226
    W10Prox64
       #8

    fdegrove said:
    ...It appears to be benign so I guess it is indeed an application octet-stream as you suggest.
    I'll try to find out which app it is but I suspect either Ccleaner or Wise's Registry Cleaner....

    ...EDIT: Found the guilty app: It is Wise's Registry Cleaner and more precisely its Registry Defrag part that generates the file.
    A second similar file is created called "UsrClass.rhk" in "C:\Users\<UserName>\AppData\Local\Microsoft\Windows".
    Just thought I'd let you know.

    Cheers,

    Great! Thanks for letting us know.

  9. cottonball
    Posts : 575
    Windows 10 Home
       #9

    fdegrove,

    Can you tell us what sort of antivirus / malware protection program is installed on your computer?

    Also, you may want to consider what is mentioned here:
    Registry Cleaners: Digital Snake Oil | Malwarebytes Labs

  10. simrick
    Posts : 16,226
    W10Prox64
       #10

    cottonball said:
    fdegrove,

    Can you tell us what sort of antivirus / malware protection program is installed on your computer?

    Also, you may want to consider what is mentioned here:
    Registry Cleaners: Digital Snake Oil | Malwarebytes Labs

Windows 10 Forums