what is this file for?



petemit
25-08-2002, 10:18 AM
Hi, I'm running Win 98 with Explorer 6. When I use Ctrl-Alt-Delete it says the program "qktlkbd" is running. I haven't been able to find what it is or what it does. Does anyone know? Thanks.

John Grieve
25-08-2002, 10:47 AM
I have only found one reference online to this, and that guy claims it's a virus/trojan/worm.

To try and track it down, go to http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html, download startlog.com and run it. It will generate a text file on your desktop. Copy the contents of the startup.log it generates (you do not need the contents of stubpath.txt) and post it here.

John Grieve
25-08-2002, 10:49 AM
My suspicion is that it is a keyboard logger in which case you need to change ALL of your passwords just in case they have already been captured.

antmannz
25-08-2002, 10:49 AM
Looks like it may be a program to assist a multimedia keyboard (the ones with lots of extra buttons, i.e. Internet, Volume Control, etc.).

If you have one of these keyboards and use those buttons, leave it running; otherwise turn it off (Start > Run > type msconfig, hit Enter. On the Startup tab, look for qktlkbd, remove the tick for that line and click OK).

petemit
25-08-2002, 08:56 PM
Thanks John and antmannz, I do have a multimedia type keyboard.
I am running ZoneAlarm (the free version) and have Norton AntiVirus.
I've spent some more time checking, and by using Ctrl-Alt-Delete I've been able to work out that the program appears after I use a program called Magic Folders: after I log in to the program, it (if that's what it is) appears. I'll send the startup log up to you. There is no indication that it loads from the Start folder. Magic Folders is called "holder", so you will know what that refers to. Thanks for your time, Peter.

__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"CLMFrontPanel"="clmpanel /i"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"

*(RegPath not found..)*

==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"MiniLog"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\MINILOG.EXE -service"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file


LH D:\HOLD.EXE
==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-

*(RegPath not found..)*

-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="wupdmgr.exe -shortcut"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"

-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name)    (type)  (size)  (modified)  (time)
wininit   bak     39      08-22-02    8:28p
-=================-


[rename]
NUL=C:\WINDOWS\win386.swp

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\WINDOW~2.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\windows\Wininit.bak

==========================================================================
__________________________________________________________________________

- End -
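As an added example (not from this thread, and not part of startlog.com), here is a small Python checker that reads a startlog-style listing like the one above, collects every autostart entry together with the key or file it came from, and flags deviations from the baselines the log itself states: empty run=/load= lines, shell=Explorer.exe, and unmodified "open" commands for executable types. The embedded log is a constructed, abridged sample with two planted anomalies; pass the text of a real startup.log to `audit()` to use it.

```python
import re
# Constructed, abridged sample in the startlog.com layout with two planted anomalies.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLMFrontPanel"="clmpanel /i"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
run=
load=c:\windows\kbd.exe
shell=Explorer.exe
LH D:\HOLD.EXE
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\""
(.com file - RegPath = HKCR\comfile\shell\open\command)
"""
# Stock "open" commands startlog shows for executable types (.hta is skipped: its default embeds an install path).
EXPECTED_OPEN = {"exe": '"%1" %*', "com": '"%1" %*', "bat": '"%1" %*',
                 "pif": '"%1" %*', "scr": '"%1" /S'}

def reg_string(s):
    # Decode .reg escapes: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r'\\(.)', r'\1', s)

def audit(text):
    """Return (entries, findings): autostart entries with their source, and baseline deviations."""
    entries, findings, key, pending = [], [], "?", None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("[HK", "HK")):            # bracketed or bare registry path
            key = line.strip("[]")
        elif (m := re.match(r'^"(.*?)"="(.*)"$', line)):   # "Name"="Command" under that key
            entries.append((key.rsplit("\\", 1)[-1], m[1], reg_string(m[2])))
        elif line.lower().startswith(("run=", "load=")):
            if line.partition("=")[2]:                 # anything right of '=' is a loader
                findings.append(f"win.ini line should be empty: {line}")
        elif line.lower().startswith("shell="):
            if line.split("=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(f"system.ini shell is not Explorer.exe: {line}")
        elif line.upper().startswith(("LH ", "LOADHIGH ")):   # autoexec.bat loaders
            entries.append(("autoexec.bat", "LH", line.split(None, 1)[1]))
        elif line.startswith('@="') and line.endswith('"'):
            pending = reg_string(line[3:-1])           # wait for the "(.ext file" line
        elif line.startswith("(.") and pending is not None:
            ext = line[2:].split(" ", 1)[0]
            if ext in EXPECTED_OPEN and pending != EXPECTED_OPEN[ext]:
                findings.append(f".{ext} open command changed to: {pending}")
            pending = None
    return entries, findings
```

Run `audit(SAMPLE_LOG)` to see the planted load= line and the altered .com open command reported, while the Run, RunServices and autoexec.bat entries are listed for review.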

John Grieve
26-08-2002, 09:55 AM
Alright, this just got trickier. There is no obvious file loading that leads to the process you want to know about, but there is one entry in the Autoexec.bat file that I cannot find out anything about: the line loading the file called hook.exe (which is on your D drive) in Autoexec.bat.

Try finding hook.exe on your D drive, right click on it and look at the properties for hook.exe. Is there any info at all in the properties about version/company etc.? If not, I would suspect this file of no good. If there are no obvious properties, then rename hook.exe to hook.old, open Autoexec.bat in edit mode and place a semi-colon ( ; ) before the entry for hook.exe, then reboot and see if qktlkbd still appears in the ctl/alt/del list.

If that is not it then you need to identify where this process starts from and what it is actually doing and luckily there is another free program that can help with this. Go here http://www.xmlsp.com/pview/prcview.htm and download Prcview, read the instructions, make sure qktlkbd is in the ctl/alt/del list then run Prcview. It should give you lots of info about the process including what started it. When you have identified what starts it with this tool you can find those starter files and right click and look at the properties which may just give enough info to identify what this thing is.

If this qktlkbd is indeed innocent, then why is it so hard to find anything about it on the net? You would think that hundreds of individuals who check their ctl/alt/del lists regularly would have noticed it, asked questions and got answers which we could then refer to, to put our minds at rest.

antmannz
26-08-2002, 06:18 PM
I think what you're referring to, John, is the line
D:\HOLD.EXE

It looks to me that this is used to start Magic Folders on startup as per the top of the post.

But as to what qktlkbd does, it's sure got me beat.

John Grieve
26-08-2002, 07:57 PM
I should have taken more notice before of this Magic Folders. I made the assumption it would just be some sort of Icon changing program or program to add extra right click functionality to a folder. It is of course the encrypting/hide your folders tool here I take it? http://www.netaction.org/encrypt/encrypt_magic_fldrs.html

If so then I would hazard a guess that this qktlkbd is part of the encryption/hide engine for the software and of course info about what it is and does would be best kept secret so hackers cannot use it to bypass it. Perhaps you could email the Magic Folders developers and find out if it's theirs?

Hook.exe must be part of the "hide folder at boot" part of the tool so your hidden folders stay properly hidden.

petemit
27-08-2002, 09:46 PM
Hi, thanks for your help. I'm working my way through your ideas; it might take a while.
Thanks again, Peter.