Can anyone help me with this?



darknessfairy
20-05-04, 11:54
In my task manager under my processes tab there is a process called Thrones-Maker.exe ...

Now I have no idea what this is, and I was wondering whether anyone else knew what it was. I know that it somehow affects my Norton... but I have done a full system scan with Norton, and with HouseCall (Trend Micro), and they have come up with nothing..

If anyone can tell me what this is and whether it's bad or not, I'll be very grateful.

Morganth
20-05-04, 11:57
Google found this: http://www.thrones-maker.tk/

Try killing it, and see what happens.

kurai
20-05-04, 13:44
The download from that page is an executable called ThroneMaker.exe (cf. Darknessfairy's executable name - it may or may not be the same thing)

It's a rather obvious malware.

The html and the executable are hosted on Angelfire and Geocities on the URL Morganth found rather than the real company it purports to be (Habbo/Sulake).
The meta keywords are "bobba, credits, free, habbo, hobba, rares, thrones" ... to attract dumb/too young to know better/gullible Googlers.

BobbaHotel by Habbo Ltd. is some incredibly lame pseudo mmorpg thing for kiddies that you have to pay to get in-game credits for.

Can't see it fooling anyone older than 8, but given the game's target audience ... well, you can work out the rest ;)

A quick look at even just the human readable strings in the executable code shows it acts as a keylogger, mailing its logs every now and again to whatever e-mail address.

There's possibly other trojan features in there, but I didn't bother looking any harder.

In short - kill it, and search your registry for its autostart entries.
Clean your IE favourites too - it looks like it tries to do some tinkering there too.



Edit: In all likelihood it's just a bog standard keylogger trojan executable that's been renamed and tweaked just enough to get past malware scanners looking for whatever its parent code was. Since this kind of crap mostly gets deliberately spread by retards that haven't got the faintest clue how it works, it could have gone through hundreds of hands before it hit Darkness, and could have arrived by almost any vector.

Marx
20-05-04, 14:16
Adaware (http://www.lavasoftusa.com/software/adaware/) + Hijackthis (http://www.spychecker.com/program/hijackthis.html) = problem solved.

Morganth
20-05-04, 15:35
In short - kill it, and search your registry for its autostart entries.
Clean your IE favourites too - it looks like it tries to do some tinkering there too.

Also type "msconfig" in Command Prompt and click the "Startup" tab. Then check the list to see if it's there, and uncheck its box to stop it loading on startup.
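The "search your registry for its autostart entries" step above, as an added example that is not from any poster in this thread: the script parses a regedit export (File > Export) of the Run-family keys and reports every value whose command line launches a given executable name, handling quoted paths and arguments and matching case-insensitively. The .reg content below is constructed for the example; the Thrones-Maker.exe entries in it are invented, not recovered from the real sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export (regedit File > Export) of the usual autostart keys.
# Real exports are UTF-16 text: open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Thrones"="C:\\WINDOWS\\system32\\Thrones-Maker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Updater"="\"c:\\windows\\system32\\THRONES-MAKER.EXE\" -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Thrones]
"DisplayName"="Thrones Maker"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _image(command):
    """Executable part of a command line: quoted first token, else first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def find_autostart_entries(reg_text, exe_name):
    """(key, value_name, command) for Run/RunOnce/RunServices values launching exe_name."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.rsplit('\\', 1)[-1].lower().startswith('run')):
            continue
        data = m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # only REG_SZ ("...") data holds a command line
        command = _unescape(data[1:-1])
        if PureWindowsPath(_image(command)).name.lower() == exe_name.lower():
            hits.append((key, m.group(1) or '@', command))
    return hits
```

Values under other keys (the Uninstall entry above) are deliberately not reported, so a hit is an actual startup hook rather than any mention of the name.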

darknessfairy
20-05-04, 20:13
Ok so I know the problem... My little sister plays on HabboHotel. Well let's say *used* to play... no more :D

Erm... I killed the process in the task manager... Did nothing afaik...
@Marx... I'm not stupid sweetheart, I ran those before I asked the NC community :rolleyes: And no, they came up with nothing.

So I'm stumped as to what to do now really... Any ideas?

olavski
20-05-04, 20:16
Try to view the files/processes in use by this file with Process Explorer from Sysinternals, it's a cool tool. :)

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

slaughteruall
20-05-04, 20:17
Search the registry for it and your hard drive.

Also get Spybot Search & Destroy. I run this and Ad-Aware. What one misses the other usually gets.

Slaughter

Marx
20-05-04, 20:45
@Marx... I'm not stupid sweetheart, I ran those before I asked the NC community :rolleyes: And no, they came up with nothing.

So I'm stumped as to what to do now really... Any ideas?
Have you tried CWShredder? If the process uses the same exploits that the CoolWebSearch shit did, this will track it down fairly nicely.

darknessfairy
20-05-04, 20:52
Ok so after some more lovely help from you geeks out there (no offence intended guys) I think that I have got rid of it....

Couldn't tell you for certain tho :lol: Altho the .dll file in system32 has gone, Ad-Aware got nothing when I ran a scan straight on boot, it's not in the process list anymore, and hold on a sec .... the registry looks clean too...

Cheers guys

<3