Details that I found/read/etc + Tietokone.fi article
Official status: Trojan
Risk: May clean your account balance!
I saw this at Old / Expired Link (Finnish language).
This is the only English topic I found:
In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).
It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.
The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.
If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.
Open up your C:\Windows\System32\ directory. Look for the following files.
\WINDOWS\system32\d3dclsrv.dll
\WINDOWS\system32\ndsdavsrv.sys
\WINDOWS\system32\comclg32.dll
\WINDOWS\system32\utlsrv.exe
Please note that these files have VERY similar names to system files needed by Windows. This is because they want you to believe these files are important. You are only infected if these file names are EXACTLY the same as above.
If you notice these files then it is safe to assume you are infected. To remove these please delete the following:
\WINDOWS\system32\d3dclsrv.dll
\WINDOWS\system32\ndsdavsrv.sys
\WINDOWS\system32\comclg32.dll
Then open the registry (START > RUN > type ‘regedit’). In the folder view on the right please open up the following path:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndsdavsrv
In that folder you will see the following:
ImagePath=\??\C:\WINDOWS\System32\ndsdavsrv.sys . Please delete this entry.
Reboot your machine.
Go back to the registry (START > RUN > type ‘regedit’) and open the following path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (please look in Run- as well, or anything like 'Run' if you notice these folders). Most users will only have a Run folder.
You will see the following key.
Comclg32=C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll
Please delete that entry.
Now bring up your Task Manager (CTRL+ALT+DEL, click the Processes tab). Look for the program utlsrv.exe and right click on it and select End Process.
Open the C:\Windows\System32 folder and find the file utlsrv.exe. Delete it.
CHANGE ALL OF YOUR POKER SITE PASSWORDS
Please delete all instances of rbcalc (RBCalc.exe). We do not want any users running this software. The software will no longer be supported and the web pages will be replaced with the message you are reading now.
Although this software was infected, we have thoroughly examined our websites and have found that none of them were compromised. The person who programmed this file did not have access to any of our sites. He would send updates by way of email, we would virus scan it (what good that did!), and then we would upload it to our website. Any information stored on Rake Tracker, Your Poker Cash, and Check Raised remains secure and safe.
To prevent such situations from happening in the future, we do not plan on developing any executable applications. In addition, all future programming will be done in-house to ensure the maximum safety that we can provide to our users.
We have submitted all of the information that we have to CERT, Symantec, McAfee, and TrendMicro. Please help us heighten awareness of this issue and forward this page to the developer of your anti-virus software.
We are deeply sorry for any trouble we may have caused. We hope that we have not ruined your trust and faith in us, but right now our highest priority is protecting any and all users and removing this potentially damaging software from all computers.
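The file and registry checks from the notice above, collected into one script. This is an added example, not part of the original post or the vendor's notice. The function names are hypothetical, and matching a Run entry by its value name or by a reference to utlsrv.exe is an assumption drawn from the single entry the notice lists.

```python
import os
import sys
# File names, service key and Run key exactly as listed in the notice above.
IOC_FILES = {"d3dclsrv.dll", "ndsdavsrv.sys", "comclg32.dll", "utlsrv.exe"}
SERVICE_KEY = r"System\ControlSet001\Services\ndsdavsrv"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def find_ioc_files(directory):
    """Listed names present in `directory`: exact match, ignoring case only."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    # Lookalikes of real system files (e.g. comdlg32.dll) are not reported.
    return sorted(n for n in names if n.lower() in IOC_FILES)

def find_ioc_run_values(run_values):
    """Entries of a Run key (value name -> command) matching the notice."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name.lower() == "comclg32" or "utlsrv.exe" in str(cmd).lower()]

def read_live_registry():
    """Windows only: (service key present?, Run values under HKLM)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY):
            service = True
    except OSError:
        service = False
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
    except OSError:
        pass
    return service, values

if __name__ == "__main__":
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        service, run_values = read_live_registry()
        print("files:", find_ioc_files(os.path.join(root, "System32")))
        print("service key present:", service)
    else:
        # Constructed sample so the matching logic can be exercised off Windows.
        run_values = {"Comclg32": r"C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll",
                      "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
    print("Run entries:", find_ioc_run_values(run_values))
```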