Jan 8th, 2009, 1:06pm
   Mischel Internet Security Forum
   Malware
   Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
   Keyfinder.exe
   Author  Topic: Keyfinder.exe  (Read 5857 times)
bobp5
Newbie
Posts: 1
Keyfinder.exe
« on: Jul 5th, 2006, 10:18am »

This file, which is part of Magical Jelly Bean Counter, a utility used to get the license CD key from Windows OSes, is coming up as: Found trojan file: C:\temp\kf141.zip/keyfinder.exe (Riskware.PSWTool.RAS.100)
 
Trojan was not found in memory.
 
Has anyone seen this and is it a legit trojan?  
Magnus
Administrator
Ad astra per aspera.
Posts: 4121
Re: Keyfinder.exe
« Reply #1 on: Jul 5th, 2006, 10:40am »

It's "Riskware" - some trojans use it to steal your Windows product key. If you know the program is legitimate you can ignore this alert.
SPkOgqeQ
Newbie
Posts: 5
Re: Keyfinder.exe
« Reply #2 on: Aug 6th, 2006, 8:43pm »

Huh I've found RISKWARE.PSWTool.Ras.100 with TrojanHunter in a legitimate program called Registry Drill that I have; is it safe to shred it? Your TrojanHunter v.4.5 was unable to clean the trojan file because it is contained in an archive, but it renamed the file C:\Program Files\Registry Drill\key.dll to C:\Program Files\Registry Drill\key.dll.tcf. I don't trust it; I would like to shred it, if it's safe to do so. What are your thoughts?
 
Thank you.
Best Regards.
 
 
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5960
Re: Keyfinder.exe
« Reply #3 on: Aug 7th, 2006, 1:48am »

Welcome to the forum SPkOgqeQ  Wink
 
The mechanism that TH uses to "quarantine" or neutralize malware is to add the .tcf extension to the file. TH currently does not remove files from your hard drive. So TH did "remove" the infection...using its technique of adding the .tcf extension. (This will change in the next version of TH currently under beta testing. TH will be "quarantining" files using the same procedure that most other anti-malware programs do.)
 
As far as removing/shredding the Key.dll.tcf file that was found in your legit program named Registry Drill, you should first make sure that Registry Drill works properly without it. It may be that its key.dll is needed to retrieve registration validation, etc. each time you run the program. The KEY.DLL is totally neutralized as it is right now because of the .tcf extension added by TH. Removing the .tcf extension will place the Key.dll back in service if needed.
 
You might wish to contact the Registry Drill developers and query them concerning key.dll.  
 
HTHs

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
SPkOgqeQ
Newbie
Posts: 5
Re: Keyfinder.exe
« Reply #4 on: Aug 12th, 2006, 6:16pm »

Cool The Trojan Hunter is great but annoying. I've had the TrojanHunter v.4.5 - clean :: RISKWARE.PSWTool.Ras.100. It Renamed file C:\Program Files\Registry Drill\key.dll to C:\Program Files\Registry Drill\key.dll.tcf
 
Every time doing a new scan, the old result that has been taken care of keeps showing up. It would be great to have an ignore feature for earlier scan results...
 
Thank you.
Best Regards.
Hawkeyelom
Full Member
Gender: male
Posts: 202
Under Options: Add to ignore list
« Reply #5 on: Aug 12th, 2006, 8:12pm »

You need to read the help file and review the program, so as to learn how to use it...
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5960
Re: Keyfinder.exe
« Reply #6 on: Aug 12th, 2006, 11:17pm »

Quote:
Every time doing a new scan, the old result that has been taken care of keeps showing up. It would be great to have an ignore feature for earlier scan results...

 
I'm a bit confused as to what keeps showing up. Would you please post a log of a TH scan so I can see what you are referring to?
 
You can save a log for posting by running a scan and then going to FILE on the top menu bar of TH scanner.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
SPkOgqeQ
Newbie
Posts: 5
Re: Keyfinder.exe
« Reply #7 on: Aug 13th, 2006, 4:36pm »

Cool  
 
http://i107.photobucket.com/albums/m297/moonraker_01/TrojanHunterwithCritter.png
 
http://i107.photobucket.com/albums/m297/moonraker_01/TrojanHunter1.png
 
http://i107.photobucket.com/albums/m297/moonraker_01/TrojanHunter2.png
 
http://i107.photobucket.com/albums/m297/moonraker_01/TrojanHunter3.png
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5960
Re: Keyfinder.exe
« Reply #8 on: Aug 13th, 2006, 4:41pm »

Gotcha,
 
What I suggest that you do is tell TH not to scan the Registry Drill folder.  
 
1.  Open TH Scanner
2.  Click on the Scan Icon to show the disks being scanned.
3.  Click on the + sign next to the C hard drive to expand it.
4.  Drill down to the Registry Drill folder and uncheck it.  
 
That will keep TH from picking up Key.DLL when it scans.
 
Let us know whether this satisfies your need.  Wink
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
SPkOgqeQ
Newbie
Posts: 5
Re: Keyfinder.exe
« Reply #9 on: Aug 14th, 2006, 4:18pm »

Smiley two thumbs up!
SPkOgqeQ
Newbie
Posts: 5
Re: Keyfinder.exe
« Reply #10 on: Aug 21st, 2006, 12:15am »

Hello siliconman01, Once again I got hit ...
 
I've just scanned my computer today Aug 20, after I updated the TrojanHunter and got this:  
Removed registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Security
Removed registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\Enum
Removed registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
 
Renamed file C:\WINDOWS\system32\dllcache\ws2ifsl.sys to C:\WINDOWS\system32\dllcache\ws2ifsl.sys.tcf
Renamed file C:\WINDOWS\system32\drivers\ws2ifsl.sys to C:\WINDOWS\system32\drivers\ws2ifsl.sys.tcf
Trojan cleaning finished.
 
After the cleaning, the Windows File Protection popped up saying ... Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Home Edition CD-ROM now. First of all, I don't have a Windows XP Home Edition CD-ROM; the computer came pre-installed with the OS. Secondly, the computer seems to be working fine so far. And thirdly, what's all this about, do you know anything about this?
 
Thanks.
Best Regards.
 
http://img84.imageshack.us/img84/1158/ws2ifslsysriler102diversyx8.png
 
http://img241.imageshack.us/img241/7303/ws21fslsysriler102dillcachelt4.png
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5960
Re: Keyfinder.exe
« Reply #11 on: Aug 21st, 2006, 1:27am »

Please update to the very latest rulesets for TH.  After you update, check the number of rulesets which is viewed by clicking on the Trojan icon on the left icon sidebar of TH scanner.  You should have 80031 as of 20-Aug-06.  
 
Then scan again...the problem should be fixed.  This was a false positive....sorry... Sad

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
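
The rename-based quarantine described in reply #3, and the false positive on ws2ifsl.sys in replies #10 and #11, can be audited and undone with a short script. This is an added example, not part of the thread or of TrojanHunter: the function names Get-TcfQuarantined and Restore-TcfQuarantined are hypothetical, it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and it handles only renamed files, not the registry keys the scan log shows as removed.

```powershell
# Added example: inventory files neutralized by an appended ".tcf" extension,
# record a SHA-256 for each so the file can be checked with the vendor, and
# restore only the ones confirmed to be false positives.

function Get-TcfQuarantined {
    param([Parameter(Mandatory)][string[]]$Root)
    Get-ChildItem -Path $Root -Filter '*.tcf' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $original = $_.FullName -replace '\.tcf$', ''
            [pscustomobject]@{
                QuarantinedPath = $_.FullName
                OriginalPath    = $original
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWriteTime   = $_.LastWriteTime
                # True when something has already recreated the original name
                # (for example a copy put back from dllcache or install media).
                OriginalExists  = Test-Path -LiteralPath $original
            }
        }
}

function Restore-TcfQuarantined {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$QuarantinedPath,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$OriginalPath
    )
    process {
        if (Test-Path -LiteralPath $OriginalPath) {
            # Never overwrite a file that is already in place under the original name.
            Write-Warning "Skipping '$QuarantinedPath' because '$OriginalPath' already exists"
            return
        }
        if ($PSCmdlet.ShouldProcess($QuarantinedPath, "Rename to $OriginalPath")) {
            Rename-Item -LiteralPath $QuarantinedPath -NewName (Split-Path -Leaf $OriginalPath)
        }
    }
}

# Folders taken from the scan logs quoted in the thread.
$roots = 'C:\Program Files\Registry Drill',
         'C:\WINDOWS\system32\drivers',
         'C:\WINDOWS\system32\dllcache'

# Step 1: list what was renamed, with hashes for verification.
Get-TcfQuarantined -Root $roots | Format-List

# Step 2: once a detection is confirmed as a false positive, preview the restore.
# Remove -WhatIf to perform the rename.
Get-TcfQuarantined -Root 'C:\WINDOWS\system32\drivers' | Restore-TcfQuarantined -WhatIf
```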