
Can Anyone Tell Me The Answer To This Plz


9 replies to this topic

#1 skitzofrenix

skitzofrenix

  • Members
  • 4 posts
  • Local time:10:33 PM

Posted 24 April 2008 - 06:11 PM

Hi all


I'm trying to find what an entry in a log means. It's virus or spyware related, but I need someone to explain what a certain part of the file means.



Here's the entry:



C:\WINDOWS\System32\ 1htk1j.exe /k



Now I know it's not good to keep it and to just delete it, but I want to know what the /k means.

Is it to do with recognizing a certain virus or something?

Maybe a security analyst would know?


Or even post a link to where I can read about it.


Thanks

Edited by skitzofrenix, 24 April 2008 - 06:13 PM.




#2 rowal5555

rowal5555

    Just enough info to be armed & dangerous...


  • Members
  • 2,644 posts
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ
  • Local time:04:33 PM

Posted 24 April 2008 - 06:42 PM

Hi skitzofrenix

Welcome to Bleeping Computer.

That file is definitely bad news, as you are aware: http://www.softwaretipsandtricks.com/dange...-1htk1jexe.html


I couldn't find a thing on your /k question so will hope that someone else will be able to answer you.

Cheers

Edited by rowal5555, 24 April 2008 - 06:53 PM.


#3 skitzofrenix

skitzofrenix
  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:33 PM

Posted 24 April 2008 - 11:18 PM

Hi, thanks for your time. I was aware of it being bad; it's just the /k part I need to know about. It's got something to do with the certain type of infection within a HijackThis log, but I need to find out why.


Can anyone else shine some light upon this one for me?


Log file:



O4 - HKLM\..\RunOnce: [1htk1j.exe] C:\WINDOWS\System32\1htk1j.exe /k

Edited by skitzofrenix, 24 April 2008 - 11:22 PM.


#4 Platypus

Platypus

  • Moderator
  • 13,995 posts
  • Gender:Male
  • Location:Australia
  • Local time:01:33 PM

Posted 24 April 2008 - 11:50 PM

Since it's a command line switch, the program will get the instruction "k" when it runs. The only way to know what that instruction means (apart from asking the author of the program) would be to decompile the program code and see what routine it follows if it finds the /k switch.

Since it is under RunOnce: the program will run each time a new user logs in. That being the case, we could perhaps guess that /k may tell the program to function as a keylogger to harvest login details. But that's purely a speculation.

Top 5 things that never get done:

1.


#5 rowal5555

rowal5555

    Just enough info to be armed & dangerous...


  • Members
  • 2,644 posts
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ
  • Local time:04:33 PM

Posted 25 April 2008 - 12:25 AM

Just found this which may have some relevance.


Fill the screen with kiosk mode
Internet Explorer's kiosk mode, toggled by pressing F11, totally fills the screen and autohides the menu and toolbars. To put a public computer in display-only kiosk mode with no menu or toolbars, go to the Start menu and click Run, then enter -iexplore -k followed by a URL.

#6 Platypus

Platypus

  • Moderator
  • 13,995 posts
  • Gender:Male
  • Location:Australia
  • Local time:01:33 PM

Posted 25 April 2008 - 01:20 AM

The principle is the same, putting IE into kiosk mode, but what /k means to the malware program is determined by whoever wrote it.

Top 5 things that never get done:

1.


#7 skitzofrenix

skitzofrenix
  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:33 PM

Posted 25 April 2008 - 01:27 AM

Is it possible that it could mean kill process, as it's from a HijackThis log and the file is a virus, 1htk1j.exe,

and the /k is a command (or instruction on what to do with it)? The reason I ask is that since I posted I've tried looking everywhere and noticed some also use /u = uninstall and a few others.

Edited by skitzofrenix, 25 April 2008 - 01:27 AM.


#8 Platypus

Platypus

  • Moderator
  • 13,995 posts
  • Gender:Male
  • Location:Australia
  • Local time:01:33 PM

Posted 25 April 2008 - 02:15 AM

HijackThis is reporting the contents of that registry key, which includes the /k instruction to the 1htk1j.exe program. It's not HijackThis putting the /k there to indicate anything; it's already there in the registry. If you run regedit and navigate to that key, you should find it contains the /k appended to 1htk1j.exe.

That indicates something to the 1htk1j.exe program when it runs, in the same way that, as you've mentioned, some programs accept an "uninstall" instruction if you run them from the command prompt with the /u switch.

Top 5 things that never get done:

1.
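
As an added example (not part of any post in this thread, and not HijackThis's own code): a small Python parser for the registry-style O4 line quoted above, separating the program path from the switch that the registry value hands to it. The line layout is assumed from the entry in the thread; the function names and the two extra sample lines are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Registry-style O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An unquoted image path ends at the first executable-style extension.
EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|dll)(?=\s|$)", re.IGNORECASE)


class AutorunEntry(NamedTuple):
    hive: str
    key: str
    value_name: str
    image: str      # program the registry value launches
    arguments: str  # text after the image path, handed to that program as-is


def split_command(cmd: str):
    """Split a registry command line into (image path, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):             # quoted path ends at the closing quote
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.search(cmd)              # unquoted path, may contain spaces
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")  # fallback: first whitespace-free token
    return head, tail.strip()


def parse_o4(line: str) -> Optional[AutorunEntry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None                     # not a registry-style O4 line
    image, args = split_command(m["cmd"])
    return AutorunEntry(m["hive"], m["key"], m["name"], image, args)


# First line is the entry quoted in this thread; the other two are constructed.
SAMPLE_LOG = [
    r"O4 - HKLM\..\RunOnce: [1htk1j.exe] C:\WINDOWS\System32\1htk1j.exe /k",
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min',
    r"O4 - HKCU\..\Run: [ExampleApp] C:\Program Files\Example\app.exe /background",
]

if __name__ == "__main__":
    print(*map(parse_o4, SAMPLE_LOG), sep="\n")
```

The `arguments` field is only what the registry value stores; what a switch such as `/k` does is defined inside the program that receives it.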


#9 skitzofrenix

skitzofrenix
  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:33 PM

Posted 27 April 2008 - 08:17 PM

Found the answer at last: the / k is a switch.

Here's a link to explain, if anyone else comes across it:

http://support.microsoft.com/kb/142040

#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:33 PM

Posted 27 April 2008 - 08:39 PM

the / k is a switch


That has only been mentioned twice already; once by you. :huh:



