
"little alchemy"


Rhakard


I have just come across something very disturbing.

My uTorrent client started downloading a small file on its own, but this was no update.

It was a file called "little alchemy" which then tried to autoinstall itself.

Now I couldn't find any information about this program other than another program called "pokke" that's connected to it somehow.

Regardless, this third-party software being downloaded and installed without my consent, for me, is considered a major invasion of privacy (not to mention illegal).

I would like to know why this is being distributed through uTorrent

and also who authorized it.

Link to comment

Anything in the comments to suggest where it came from?

Were you doing anything in particular when it appeared?

Have to assume at the moment that it wasn't/isn't a uTorrent "feature" simply because nobody else has seen or been affected by this.

And you can be sure that there would be plenty of vitriol flying around if they had!

Link to comment

Well, when this file started to download itself I was seeding.

I just happened to look at the screen when I walked by the computer and I see a download I didn't start.

This "little alchemy" has something to do with a program called "pokke" by "sweetlabs software".

I sent them an email asking what little alchemy is but they haven't answered.

What I would like to know is who authorized this thing to be distributed through uTorrent.

"sweetlabs" couldn't just insert it into uTorrent's auto updates, so it has to be one of uTorrent's developers.

Link to comment

"it has to be one of utorrent's developers"

If it was, common sense and logic determine that more than you would have seen this happen. As it is, this appears to be an isolated incident. So only you can assist in finding the cause at this point in time.

Have you searched your machine for a reference to a .torrent file with the same name(s)?

Looked at the Info tab for the torrent creator, when it was added, etc., if it was added with a label group, and so on?

Link to comment

To begin with, common sense dictates that this MAY be an isolated case, or that other users who have had this thing installed in their computer simply didn't notice or didn't see it as a problem or a security breach.

As I said, it was downloaded in seconds (1.4Mb) and installed just as fast; I was just able to stop the installation at the last second.

Beyond that, there is no .torrent file (my .torrent files are in their own directory) and I also did a complete search for any files containing anything to do with the program (*little*.*, *alchemy*.* and so on).

In the info section there was a line stating it as "official bittorrent content", which indicated, well, nothing really.

Also in the info line was: "created by : rutorrent (php class adrien gibrat)"

This is all the info I was able to gather so far.

Link to comment

First off, rafi, let me say I found your guide to be very well written and informative, and I thank you for it.

Now on to the matter at hand.

I am using ver 3.2.1

and my "offers" are on false.

As things stand right now I have "sealed" the potential security breach this incident revealed

and to be honest am more interested in getting to the bottom of this out of principle.

Oh, and thanks btw everyone for indulging my curiosity.

Link to comment

Help -> About µTorrent

As it is BitTorrent content it probably came as part of a "bundle" that you downloaded. If you set bt.auto_dl_enable in Preferences -> Advanced to false that should give you the chance to see the files that make up the BitTorrent bundle and deselect them.

Link to comment

  • 3 months later...

Hi! I'm bumping this thread as I just experienced this myself, and this is probably the closest thing to a hit I got on Google.

Running uTorrent 3.2.3 (build 28705).

Just walked by my computer, and it seems that two hours ago, when no one was home, it "automatically" downloaded the following torrents:

BitTorrent-EpicMealTime (218MB) (contents: 2x .mp3 files, 2x .mp4 files)

EdgeWorld-BitTorrent-h (2.61MB) (contents: Edgeworld.exe, run.txt)

PCPerformer-BitTorrent-a (607kB) (contents: PCPerformerSetup_BT.exe, run.txt)

PirateStorm-BitTorrent-m (2.62MB) (contents: PirateStorm.exe, run.txt)

WinZip2-BitTorrent-a (555kB) (contents: Bittorent_LREC_signed.exe, run.txt)

All run.txt only contain the file name for the corresponding .exe in the torrent.

As I was not present when the torrents were downloaded, I was unable to see if anything ran after they were finished downloading.

Anyone care to have a look?

HiJackThis log:


Link to comment
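
A triage check for the layout described in the post above, as an added example that is not part of the original thread: it walks a download folder, finds each run.txt that names an .exe, and records whether that executable is present along with its SHA-256 for lookup. The function names, the sample directory and the dummy file contents are constructed for illustration; only the "run.txt holds the .exe file name" layout and the folder names come from the post.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so a large payload is never read in one go."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bundle_launchers(download_root: Path) -> list:
    """Report each folder whose run.txt names an .exe, as the post describes."""
    findings = []
    for manifest in sorted(download_root.rglob("*")):
        if not manifest.is_file() or manifest.name.lower() != "run.txt":
            continue
        named = manifest.read_text(errors="replace").strip().strip('"')
        if not named.lower().endswith(".exe"):
            continue
        # Keep only the bare file name so a path written into run.txt
        # cannot steer the scan outside the torrent's own folder.
        wanted = named.replace("\\", "/").rsplit("/", 1)[-1].lower()
        match = next((p for p in manifest.parent.iterdir()
                      if p.is_file() and p.name.lower() == wanted), None)
        findings.append({"folder": manifest.parent.name, "executable": named,
                         "present": match is not None,
                         "sha256": sha256_of(match) if match else None})
    return findings


def build_sample(root: Path) -> None:
    """Constructed sample: folder names from the post, dummy file contents."""
    bundle = root / "PirateStorm-BitTorrent-m"
    bundle.mkdir()
    (bundle / "PirateStorm.exe").write_bytes(b"MZ constructed dummy")
    (bundle / "run.txt").write_text("PirateStorm.exe\n")
    media = root / "BitTorrent-EpicMealTime"
    media.mkdir()
    (media / "track.mp3").write_bytes(b"constructed")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for row in find_bundle_launchers(Path(tmp)):
            print(row)
```

Point `find_bundle_launchers` at the client's real download directory to list every bundle-style folder; nothing is executed, files are only read and hashed.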

  • 1 month later...

I think the same thing has happened to me. I am not computer savvy so do I now have to sort through this crap or pay someone to? I have already had Norton antivirus do exactly the same thing previously to me. This is why I don't use these programs (I have a far better antivirus program, recommended by computer shop).... Can anyone direct me to an easy website for removing this utorrent bug that was not solicited by me? By saying something like 'It is your responsibility because you okayed the program' reeks of denying that it is companies like utorrent that are corrupting people and computers in this fashion. Just like the Indian people who keep ringing me to say 'Madam, there is a problem with your Microsoft windows program....'). Let's just prey on people like the elderly and people who don't have time to deal with this stuff shall we? Karma is coming to those who are part of this.

Link to comment

Archived

This topic is now archived and is closed to further replies.
