kak

Greetings … I ran McAfee Free Virus Scan, and it found the kak worm (more specifically JS/Kak.bat.a) in my Windows folder. I downloaded avast! 4, and it didn't eliminate it. And after searching avast.com, I don't see any mention of kak anywhere.

Microsoft.com advised searching for kak files on the hard drive, deleting them, then installing a patch. But strangely enough, no kak files have been found. I believe I was infected with this before, so I'm fairly certain of McAfee's findings, but how should I go about eradicating this?

Any and all thoughts are welcome … thanks.

You should be able to delete/move/rename the files McAfee reported as malware in Windows Safe Mode, or feel free to post a HijackThis log here.

http://www.tomcoyote.org/hjt/
Download, then unzip the file and double-click on the "HijackThis" icon.
When it has finished loading, click on the "Scan" button.
Next, click on the "Save Log" button.
After that the Windows editor should pop up; then copy/paste the content of the editor as a reply here.
(Info: partially taken from the SpybotSD support forum)

Thanks for the reply … here it is.

Logfile of HijackThis v1.97.6
Scan saved at 8:35:31 AM, on 11/17/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Mediascape\OnScreen Display\OSD.exe
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sub-search.com/startnow/mini/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sub-search.com/startnow/mini/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sub-search.com/startnow/mini/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sub-search.com/startnow/mini/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchnow.ws/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchnow.ws/search/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM..\Run: [FontFix] c:\windows\options\systools\fntfix.exe
O4 - HKLM..\Run: [Necbar] C:\PROGRA~1\NECASS~1\NECBAR.EXE
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [Multimedia Keyboard] C:\Program Files\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [OnScreen Display] C:\Program Files\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM..\Run: [PWSTray] PwsTray.exe
O4 - HKLM..\Run: [cAg0u] C:\WINDOWS\SYSTEM\C71531A0.hta
O4 - HKLM..\Run: [Winkuo] C:\WINDOWS\SYSTEM\Winkuo.exe
O4 - HKLM..\Run: [Winkouy] C:\WINDOWS\SYSTEM\Winkouy.exe
O4 - HKLM..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/013605.exe
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://spweather.whenu.com/WeatherAutoCAST0010.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4302/mcfscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Let HijackThis fix the following:
O4 - HKLM..\Run: [cAg0u] C:\WINDOWS\SYSTEM\C71531A0.hta
O4 - HKLM..\Run: [Winkuo] C:\WINDOWS\SYSTEM\Winkuo.exe
O4 - HKLM..\Run: [Winkouy] C:\WINDOWS\SYSTEM\Winkouy.exe

After a restart, delete the files. If you want, you can check the files here:
http://www.kaspersky.com/remoteviruschk.html
I hope I got them all! ;)

Hm, maybe let it fix these too:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sub-search.com/startnow/mini/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sub-search.com/startnow/mini/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sub-search.com/startnow/mini/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sub-search.com/startnow/mini/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchnow.ws/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchnow.ws/search/
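The two replies above pick entries out of the log by eye: Run keys that launch an .hta file or carry a random-looking name, and IE search settings that point at a third-party host. The script below is an added example (not from the original thread, HijackThis, or any of the forum participants) that encodes those same triage heuristics and runs them over a constructed excerpt of the posted log. The trusted-host list, the script-extension list and the "random name" pattern are assumptions chosen for illustration; the Winkuo/Winkouy entries are deliberately not caught, because nothing about their text is suspicious on its own and the helper recognised them from experience, which is exactly the kind of call the Kaspersky upload link was offered for.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import ntpath
import re
from urllib.parse import urlparse

# Assumption: hosts an unmodified IE of that era might legitimately point its
# search settings at. Anything else in an R0/R1 line is flagged for review.
TRUSTED_SEARCH_HOSTS = {"home.microsoft.com", "www.microsoft.com", "search.msn.com"}
# Assumption: script types that should not normally be launched from a Run key.
SCRIPT_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

R_LINE = re.compile(r"^(R[01]) - (.+?) = (\S+)")
O4_LINE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? - (\S+)")

# Constructed excerpt of the log posted above; the entries are copied from it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sub-search.com/startnow/mini/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchnow.ws/search/
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [cAg0u] C:\WINDOWS\SYSTEM\C71531A0.hta
O4 - HKLM..\Run: [Winkuo] C:\WINDOWS\SYSTEM\Winkuo.exe
O4 - HKCU..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/013605.exe
"""


def _target_path(command):
    """Return the program path from a Run-key command, honouring a quoted path."""
    command = command.strip().replace("\u201c", '"').replace("\u201d", '"')
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _looks_random(name):
    """Weak signal: a digit wedged between letters, as in 'cAg0u'."""
    return bool(re.search(r"[A-Za-z][0-9][A-Za-z]", name))


def triage(log_text):
    """Return a list of {'line', 'reason'} dicts for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            host = urlparse(m.group(3)).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append({"line": line, "reason": f"IE search setting points at {host}"})
            continue
        m = O4_LINE.match(line)
        if m:
            name, command = m.group(2), m.group(3)
            ext = ntpath.splitext(_target_path(command))[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append({"line": line, "reason": f"startup entry launches a {ext} script"})
            elif _looks_random(name):
                findings.append({"line": line, "reason": f"startup entry name {name!r} looks random"})
            continue
        m = O16_LINE.match(line)
        if m:
            friendly, url = m.group(2), m.group(3)
            if urlparse(url).path.lower().endswith(".exe"):
                findings.append({"line": line, "reason": "ActiveX download points at a bare .exe"})
            elif not friendly:
                findings.append({"line": line, "reason": "unnamed ActiveX download"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['reason']}\n    {finding['line']}")
```

Run on the excerpt, it reports the two R-lines pointing at sub-search.com and searchnow.ws, the cAg0u entry because it launches an .hta, and the unnamed O16 entry because it fetches a bare .exe rather than a .cab; TaskMonitor, the Intel utility, the Shockwave control and Winkuo pass through untouched. The .exe rule is a "look at this" heuristic, not a verdict: the thread's helper did not flag that entry, and a URL alone does not prove what the file is.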