Windows 10: Trojan or not ?

Hi all,

Not quite sure when this started but roughly somewhere around July I noticed a file called NTUSER.rhk that resides in
"Users\My username".

Googling for the .rhk file extension gave me a bit of a scare as most sites suggest this is associated with Trojan.
Somehow I doubt it as no anti-virus software I ran seems to flag it.
I can delete this file all I want but it keeps on cropping up.
It only resides in my user folder together with NTUSER.DAT.
Does anyone have a clue what it's for or have it too ?

TIA, *Wink

:)

 

Trojan virus: Win32/Winexert!rfn

Click Remove all on that screen.

And by the way, note that there is no such thing as a "Trojan Virus." It's either a Trojan (full name: Trojan Horse) *or* a virus. They are two different types of malware. What you have is Trojan, not a Virus.

 

How do I remove a Trojan or Virus?

First, note that there is no such thing as a "Trojan virus." It's either a trojan *or* a virus. Trojans and viruses are two different kinds of malware.

So assuming you have a trojan, what trojan is it (what is its name?)? How do you know you have it?

What anti-virus program do you run? And what other anti-malware software? Have you tried to remove it using these?

 

It's definitely not part of Windows. You should only have a NTUSER.DAT, NTUSER.dat.LOG# and some regtrans-ms and blf files

I would grab procmon https://technet.microsoft.com/en-us/...ssmonitor.aspx and set a filter for this file. This should tell you what is creating it.

 

fdegrove,

Welcome to the forum!

If you want to be sure NTUSER.rhk is not malware, scan the file with VirusTotal:
VirusTotal

It is a free online scanning service.

Please post the scan results URL address in your next reply.

 

Hi,

Thanks for the replies so far guys.

Will do asap. Of course now that I deleted it on this system it seems unwilling to pop up again.... For now that is.*sarc

I just wonder if anyone else has it. Going by the time stamp I see in images it could be AU related.
When it's present it updates itself as I notice the time stamp changing but not necessarily on a daily basis.

Anyhow, I'll keep an eye on it.

Cheers, *Wink

 

fdegrove,

If you deleted NTUSER.rhk, there is no point in using VirusTotal, since it has to scan the file.

The file appears to be an application/octet-stream

 

Hi.
I just checked and I don't have it in my AU system/user folder. I agree, if it pops up again, upload it to virustotal.com and see what the scanners say about it. If it keeps coming back, that could be a sign of a rootkit. Will be interesting to see what the virustotal scan shows. Then again, it could be some malware, and AVs won't pick that up. Have you run ADWCleaner?

 

Hi,

I retrieved a copy of the file from an image created last night.
Uploaded it to VirusTotal :

It appears to be benign so I guess it is indeed an application octet-stream as you suggest.
I'll try to find out which app it is but I suspect either Ccleaner or Wise's Registry Cleaner.

Yes, I did but nothing suspicious was found.

Thanks for all the help, guys.

EDIT: Found the guilty app: It is Wise's Registry Cleaner and more precisely its Registry Defrag part that generates the file.
A second similar file is created called "UsrClass.rhk" in "C:\Users"UserName"\AppData\Local\Microsoft\Windows".
Just thought I'd let you know.

Cheers, *Wink

 

Great! Thanks for letting us know.

 

fdegrove,

Can you tell us what sort of Antivirus, malware protection program is installed on your computer.

Also, you may want to consider what is mentioned here:
Registry Cleaners: Digital Snake Oil | Malwarebytes Labs

 

*Ditto*Ditto

 

Hi,

I only have MS Windows Defender installed but have a few stand alone apps that I run whenever I suspect something.

As for Registry Cleaners and consorts, sure there's a lot of junk out there.
I have my reasons to keep the registry junk free. It's a database after all, no need to fill it with unnecessary entries.
Whether or not there's any benefit to it is a matter of opinion.

Cheers, *Wink

 

Yep, even MS does not support their use:
https://support.microsoft.com/en-us/kb/2563254

But to each his/her own...*Smile

MM

 

Hi,

They used to though. Guess too many people messed up their system because they had no clue what they were doing.

Anyhow, this has been discussed here a couple of times :

Registry Cleaning

Cheers, *Wink