BleepingComputer.com: Can Anyone Tell Me The Answer To This Plz


Can Anyone Tell Me The Answer To This Plz file type

#1 User is offline   skitzofrenix 

  • New Member
  • Group: Members
  • Posts: 4
  • Joined: 24-April 08

Posted 24 April 2008 - 06:11 PM

Hi all

I'm trying to find what an entry in a log means. It's virus or spyware related, but I need someone to explain what a certain part of the file means.

Here's the entry:

C:\WINDOWS\System32\ 1htk1j.exe /k

Now I know it's not good to keep it and to just delete it, but I want to know what the /k means.

Is it to do with recognizing a certain virus or something?

Maybe a security analyst would know?

Or even post a link to where I can read about it.

Thanks

This post has been edited by skitzofrenix: 24 April 2008 - 06:13 PM


#2 User is offline   rowal5555 

  • Just enough info to be armed & dangerous...
  • Group: Members
  • Posts: 2,635
  • Joined: 18-March 06
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ

  Posted 24 April 2008 - 06:42 PM

Hi skitzofrenix

Welcome to Bleeping Computer.

That file is definitely bad news, as you are aware: http://www.softwaretipsandtricks.com/dange...-1htk1jexe.html

I couldn't find a thing on your /k question so will hope that someone else will be able to answer you.

Cheers

This post has been edited by rowal5555: 24 April 2008 - 06:53 PM

rowal5555 (Rob )                                                             
Avid supporter of Bleeping Computer's
Team 38444

You can help find a cure

 


#3 User is offline   skitzofrenix 


Posted 24 April 2008 - 11:18 PM

Hi, thanks for your time. I was aware of it being bad; it's just the /k part I need to know about. It's got something to do with the certain type of infection within a hijackthis log, but I need to find out why.

Can anyone else shine some light upon this one for me?

Log file:



O4 - HKLM\..\RunOnce: [1htk1j.exe] C:\WINDOWS\System32\1htk1j.exe /k

This post has been edited by skitzofrenix: 24 April 2008 - 11:22 PM


#4 User is offline   Platypus 

  • Forum Addict
  • Group: Moderator
  • Posts: 3,038
  • Joined: 28-January 06
  • Gender:Male
  • Location:Australia

Posted 24 April 2008 - 11:50 PM

Since it's a command line switch, the program will get the instruction "k" when it runs. The only way to know what that instruction means (apart from asking the author of the program) would be to decompile the program code and see what routine it follows if it finds the /k switch.

Since it is under RunOnce: the program will run each time a new user logs in. That being the case, we could perhaps guess that /k may tell the program to function as a keylogger to harvest login details. But that's purely a speculation.
Pleased to have been a Microsoft MVP (Windows Desktop Experience) 2007/8, 2008/9

I pressed F5, and I'm feeling refreshed...

#5 User is offline   rowal5555 


  Posted 25 April 2008 - 12:25 AM

Just found this which may have some relevance.


• Fill the screen with kiosk mode
Internet Explorer's kiosk mode, toggled by pressing F11, totally fills the screen and autohides the menu and toolbars. To put a public computer in display-only kiosk mode with no menu or toolbars, go to the Start menu and click Run, then enter -iexplore -k followed by a URL.

 


#6 User is offline   Platypus 


Posted 25 April 2008 - 01:20 AM

The principle is the same, putting IE into kiosk mode, but what /k means to the malware program is determined by whoever wrote it.

#7 User is offline   skitzofrenix 


Posted 25 April 2008 - 01:27 AM

Is it possible that it could mean kill process, as it's from a hijackthis log and the file is a virus, 1htk1j.exe,

and the /k is a command (or instruction on what to do with it)? Reason I ask is, since I posted, I've tried looking everywhere and noticed some also use /u = uninstall and a few others.

This post has been edited by skitzofrenix: 25 April 2008 - 01:27 AM


#8 User is offline   Platypus 


Posted 25 April 2008 - 02:15 AM

hijackthis is reporting the contents of that registry key, which includes the /k instruction to the 1htk1j.exe program. It's not hijackthis putting the /k there to indicate anything, it's already there in the registry. If you run regedit and navigate to that key, you should find it contains the /k appended to 1htk1j.exe.

That indicates something to the 1htk1j.exe program when it runs, in the same way that, as you've mentioned, some programs accept an "uninstall" instruction if you run them from the command prompt with the /u switch.
Pleased to have been a Microsoft MVP (Windows Desktop Experience) 2007/8, 2008/9

I pressed F5, and I'm feeling refreshed...
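
The point made in post #8, shown as an added example that is not part of the original thread: the O4 line is a copy of a registry value, and the /k is an argument stored in that value after the program path. The parser below is a sketch written for this page; the regular expressions, function names and the second sample line are assumptions, and only the first sample line comes from the thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed layout of a HijackThis O4 registry line, as seen in the thread:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# An unquoted image path ends at the first executable extension before a space or EOL.
IMAGE_END_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)(?=\s|$)", re.IGNORECASE)


class Autostart(NamedTuple):
    hive: str
    key: str
    value_name: str
    image: str
    args: List[str]


def split_command(cmd: str) -> Tuple[str, List[str]]:
    """Separate the program path from the switches that follow it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end == -1:                        # unbalanced quote: treat all as path
            return cmd[1:], []
        return cmd[1:end], cmd[end + 1:].split()
    m = IMAGE_END_RE.search(cmd)
    if m is None:                            # no known extension: split on first space
        parts = cmd.split()
        return parts[0], parts[1:]
    return cmd[:m.end()], cmd[m.end():].split()


def parse_o4(line: str) -> Optional[Autostart]:
    """Return the parsed autostart entry, or None if the line is not an O4 registry line."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    image, args = split_command(m["cmd"])
    return Autostart(m["hive"], m["key"], m["name"], image, args)


if __name__ == "__main__":
    samples = [
        r"O4 - HKLM\..\RunOnce: [1htk1j.exe] C:\WINDOWS\System32\1htk1j.exe /k",  # from the thread
        r'O4 - HKLM\..\Run: [Example] "C:\Program Files\Example App\example.exe" -min /s',  # constructed
    ]
    for s in samples:
        print(parse_o4(s))
```

The parser only separates the switch from the path; what /k does is decided by the program that receives it, as the replies above say.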

#9 User is offline   skitzofrenix 


Posted 27 April 2008 - 08:17 PM

Found the answer at last: the / k is a switch.

Here's a link to explain if anyone else comes across it:

http://support.microsoft.com/kb/142040

#10 User is offline   groovicus 

  • Hail Groovicus!
  • Group: Moderator
  • Posts: 9,522
  • Joined: 05-June 04
  • Gender:Male
  • Location:Centerville, SD

Posted 27 April 2008 - 08:39 PM

Quote

the / k is a switch


That has only been mentioned twice already; once by you. :huh:
"Take the risk of thinking for yourself, much more happiness, truth, beauty, and wisdom will come to you that way" - Christopher Hitchens
