Rhakard (posted October 19, 2012):

I have just come across something very disturbing.
My utorrent client started downloading a small file on its own, but this was no update.
It was a file called "little alchemy" which then tried to autoinstall itself.
Now I couldn't find any information about this program other than another program called "pokke" that's connected to it somehow.
Regardless, this third party software being downloaded and installed without my consent, for me, is considered a major invasion of privacy (not to mention illegal).
I would like to know why this is being distributed through utorrent
and also who authorized it.

ciaobaby (posted October 19, 2012):

Do you have any RSS feeds set up that may have initiated the download?

Rhakard (posted October 19, 2012):

None.

ciaobaby (posted October 19, 2012):

Anything in the comments to suggest where it came from?
Were you doing anything in particular when it appeared?
Have to assume at the moment that it wasn't/isn't a uTorrent "feature" simply because nobody else has seen or been affected by this.
And you can be sure that there would be plenty of vitriol flying around if they had!

Rhakard (posted October 19, 2012):

Well, when this file started to download itself I was seeding.
I just happened to look at the screen when I walked by the computer and I see a download I didn't start.
This "little alchemy" has something to do with a program called "pokke" by "sweetlabs software". I sent them an email asking what little alchemy is but they haven't answered.
What I would like to know is who authorized this thing to be distributed through utorrent.
"sweetlabs" couldn't just insert it into utorrent's auto updates so it has to be one of utorrent's developers.

ciaobaby (posted October 19, 2012):

Quote: it has to be one of utorrent's developers

If it was, common sense and logic determines that more than you would have seen this happen. As it is, this appears to be an isolated incident. So only you can assist in finding the cause at this point in time.
Have you searched your machine for a reference to a .torrent file with the same name(s)?
Looked at the Info tab for the torrent creator, when it was added etc., if it was added with a label group, and so on.

Rhakard (posted October 20, 2012):

To begin with, common sense dictates that this MAY be an isolated case or that other users who have had this thing installed in their computer simply didn't notice or didn't see it as a problem or a security breach.
As I said, it was downloaded in seconds (1.4Mb) and installed just as fast; I was just able to stop the installation at the last second.
Beyond that there is no .torrent file (my .torrent files are in their own directory) and I also did a complete search for any files containing anything to do with the program (*little*.* , *alchemy*.* and so on).
In the info section there was a line stating it as "official bittorrent content" which indicated, well, nothing really.
Also in the info line was: "created by : rutorrent (php class adrien gibrat)"
This is all the info I was able to gather so far.

rafi (posted October 20, 2012):

Quote: it was a file called "little alchemy"

What version are you using? If it's 3.2.x, search for pref->advanced - "offer". Do you have them all false/disabled?

Rhakard (posted October 20, 2012):

First off, rafi, let me say I found your guide to be very well written and informative and I thank you for it.
Now on to the matter at hand.
I am using ver 3.2.1
and my "offers" are on false.
As things stand right now I have "sealed" the potential security breach this incident revealed and to be honest am more interested in getting to the bottom of this out of principle.
Oh, and thanks btw everyone for indulging my curiosity.

ciaobaby (posted October 20, 2012):

Help -> About µTorrent

As it is BitTorrent content it probably came as part of a "bundle" that you downloaded. If you set bt.auto_dl_enable in Preferences -> Advanced to false that should give you the chance to see the files that make up the BitTorrent bundle and deselect them.

ciaobaby (posted October 20, 2012):

Do you happen to have BitTorrent installed on your machine?
Just out of curiosity I installed BitTorrent 7, and
Look what I found.

pr0xZen (posted February 12, 2013):

Hi! I'm bumping this thread as I just experienced this myself, and this is probably the closest thing to a hit I got on Google.
Running uTorrent 3.2.3 (build 28705).
Just walked by my computer, and it seems that two hours ago, when no one was home, it "automatically" downloaded the following torrents:
BitTorrent-EpicMealTime (218MB) (contents: 2x .mp3 files, 2x .mp4 files)
EdgeWorld-BitTorrent-h (2.61MB) (contents: Edgeworld.exe, run.txt)
PCPerformer-BitTorrent-a (607kB) (contents: PCPerformerSetup_BT.exe, run.txt)
PirateStorm-BitTorrent-m (2.62MB) (contents: PirateStorm.exe, run.txt)
WinZip2-BitTorrent-a (555kB) (contents: Bittorent_LREC_signed.exe, run.txt)
All run.txt only contain the file name for the corresponding .exe in the torrent.
As I was not present when the torrents were downloaded, I was unable to see if anything ran after they were finished downloading.
Anyone care to have a look?
HiJackThis log: [log omitted]

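A read-only check for the pattern pr0xZen describes above (a torrent folder holding an .exe plus a run.txt that contains only that file's name), as an added example that is not part of the original thread and not uTorrent's own code. Folder and executable names come from the post; the file contents, `clip.mp4`, the `constructed-stale` folder and the function names are constructed or hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def find_run_txt_bundles(download_root):
    """Return a record for every folder whose run.txt names an .exe beside it."""
    hits = []
    for path in sorted(Path(download_root).rglob("*")):
        if not path.is_file() or path.name.lower() != "run.txt":
            continue
        # Per the post, run.txt holds only the file name of the bundled .exe.
        named = path.read_text(errors="replace").strip()
        if not named.lower().endswith(".exe") or "/" in named or "\\" in named:
            continue  # not a bare executable name, so not this pattern
        exe = path.parent / named
        if exe.is_file():
            hits.append({
                "folder": path.parent.name,
                "exe": named,
                "size": exe.stat().st_size,
                # The hash lets you look the file up or compare it across machines.
                "sha256": hashlib.sha256(exe.read_bytes()).hexdigest(),
            })
    return hits


def build_sample_tree(root):
    """Constructed sample data: names from the post, dummy file contents."""
    samples = {
        "EdgeWorld-BitTorrent-h": {"Edgeworld.exe": b"MZ-constructed-1",
                                   "run.txt": b"Edgeworld.exe\r\n"},
        "PCPerformer-BitTorrent-a": {"PCPerformerSetup_BT.exe": b"MZ-constructed-2!",
                                     "run.txt": b"PCPerformerSetup_BT.exe"},
        # Media-only bundle: no run.txt, so it must not be reported.
        "BitTorrent-EpicMealTime": {"clip.mp4": b"constructed"},
        # run.txt naming a file that is no longer there: skipped.
        "constructed-stale": {"run.txt": b"gone.exe"},
    }
    for folder, files in samples.items():
        (Path(root) / folder).mkdir(parents=True)
        for name, data in files.items():
            (Path(root) / folder / name).write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_run_txt_bundles(tmp):
            print(hit["folder"], hit["exe"], hit["size"], hit["sha256"][:16])
```

Point `find_run_txt_bundles` at the client's download directory; it only reads files and never executes anything it finds.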
jbenwa (posted March 19, 2013):

I think the same thing has happened to me. I am not computer savvy so do I now have to sort through this crap or pay someone to? I have already had Norton antivirus do exactly the same thing previously to me. This is why I don't use these programs (I have a far better antivirus program, recommended by computer shop).... Can anyone direct me to an easy website for removing this utorrent bug that was not solicited by me? By saying something like 'It is your responsibility because you okayed the program' reeks of denying that it is companies like utorrent that are corrupting people and computers in this fashion. Just like the Indian people who keep ringing me to say 'Madam, there is a problem with your Microsoft windows program....'). Let's just prey on people like the elderly and people who don't have time to deal with this stuff shall we? Karma is coming to those who are part of this.

Archived
This topic is now archived and is closed to further replies.