Kak rears its ugly head again

  1. #1
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869

    Kak rears its ugly head again

    A friend has had problems with her computer hanging, etc., and I asked her to post her startup log - see below. OK - KAK sticks out like a sore thumb and I have sent her the fix - is there anything else that I should be looking at? Thanks
    C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 02-22-2002 6:55:29.25p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.55) - Release Date 2/19/2002

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
    "TaskMonitor"="c:\\windows\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
    "VsecomrEXE"="C:\\PROGRA~1\\PLUS!\\Viruscan\\VSECOMR.EXE"
    "Vshwin32EXE"="C:\\PROGRAM FILES\\PLUS!\\VIRUSCAN\\VSHWIN32.EXE"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "Vshwin32EXE"="C:\\PROGRAM FILES\\PLUS!\\VIRUSCAN\\VSHWIN32.EXE"
    "SchedulingAgent"="mstask.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    @C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
    REM [Header]
    @ECHO OFF











    REM [CD-ROM Drive]

    REM [Miscellaneous]

    REM [Display]

    REM [Sound, MIDI, or Video Capture Card]

    REM [Mouse]

    @echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
    del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\AOL Tray Icon.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="c:\\windows\\SYSTEM\\ie4uinit.exe"
    "StubPath"="c:\\windows\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    @echo off

    REM Notes:
    REM DOSSTART.BAT is run whenenver you choose "Restart the computer
    REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
    REM you to load programs that you might not want loaded in Windows,
    REM (because they have functional equivalents) but that you do
    REM want loaded under MS-DOS. The two primary candidates for
    REM this are MSCDEX and a real mode driver for the mouse you ship
    REM with your system. Commands that you want present in both Windows
    REM and MS-DOS should be placed in the Autoexec.bat in the
    REM \Image directory of your reference server. Please note that for
    REM MSCDEX you will need to load the corresponding real-mode CD
    REM driver in Config.sys. This driver won't be used by Windows 98
    REM but will be available prior to and after Windows 98 exits.
    REM
    REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
    REM before Windows loads and access the CD-ROM. All you have to do
    REM is press F8 and then run DOSSTART to load MSCDEX and your real
    REM mode mouse driver (no need to remember the command line parameters
    REM for these two files.
    REM
    REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
    REM - The string following the /D: statement must explicitly match
    REM the string in CONFIG.SYS following your CD-ROM device driver.

    REM MSCDEX.EXE /D:OEMCD001 /l:d
    REM MOUSE.EXE



    -=================-
    WININIT.BAK File - (c:\windows\wininit.bak)
    -=================-

    [rename]
    nul=c:\windows\TEMP\~ef7194.tmp
    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    scrnsave.exe=C:\WINDOWS\ELVIS.SCR

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=c:\windows\TEMP
    TEMP=C:\windows\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS

    File - c:\windows\Wininit.bak
    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -



    ------------------
    Moderator at Suggest A Fix
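Added example, not part of the original thread and not the StartUp Log tool itself: a small Python scanner for this log format that does the checks a reviewer would otherwise do by eye on the dump above. It runs over a constructed excerpt of the posted log embedded in the script; the section layout it parses and the default open commands it expects are assumptions about the Windows 9x layout shown in the log, not values taken from elsewhere. On the excerpt it reports exactly the two autoexec.bat lines that create and delete kak.hta.

```python
"""Indicator scan over a StartUp Log dump in the format posted above.

Added example for this thread, not a tool from the original post. It parses
the numbered sections after "The following is a list of your current
Start-Ups" and flags script files in autostart locations, autoexec.bat lines
that touch the StartUp folder (the Kak lines), non-empty win.ini run=/load=,
a system.ini shell= other than Explorer.exe, and hijacked open commands.
"""
import re

# Constructed excerpt of the log posted above, trimmed to what the checks read.
SAMPLE_LOG = r"""
The following is a list of your current Start-Ups

1. HKLM Run - Registry

"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"

7. WIN.INI File - (c:\windows\win.ini)

run=

8. SYSTEM.INI File - (c:\windows\system.ini)

shell=Explorer.exe

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
REM [Mouse]
@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

12. Miscellaneous StartUp Configurations

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
"""

SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse|wsh|wsf)\b", re.I)
STARTUP_DIR = re.compile(r"startm~1|start menu\\programs\\startup", re.I)
EXEC = r'^"%1" %\*$'  # assumed Windows 9x defaults for the types the log reports
DEFAULT_OPEN = {".exe": EXEC, ".com": EXEC, ".bat": EXEC, ".pif": EXEC,
                ".scr": r'^"%1" /S$', ".hta": r'\\MSHTA\.EXE "%1" %\*$'}

def parse_sections(text):
    """Map section number -> non-blank lines, starting after the marker line."""
    sections, current, started = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not started:
            started = "current Start-Ups" in line
            continue
        m = re.match(r"^(\d{1,2})\.\s+\S", line)  # e.g. '9. AUTOEXEC.BAT File'
        if m:
            current = int(m.group(1))
            sections[current] = []
        elif current is not None and line and not set(line) <= set("=_-."):
            sections[current].append(line)  # skip the ==== / ____ rulers
    return sections

def reg_value(line):
    """Decode an '@="..."' registry-export line (unescape backslashed chars)."""
    m = re.match(r'^@="(.*)"$', line)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def scan(text):
    """Return (section, reason, line) findings for a StartUp Log dump."""
    s, out = parse_sections(text), []
    for n in (1, 2, 3, 4, 5, 6, 10, 11):  # Run keys and StartUp folders
        out += [(n, "script file in an autostart location", ln)
                for ln in s.get(n, []) if SCRIPT_EXT.search(ln)]
    for line in s.get(7, []):
        m = re.match(r"^(run|load)=(.+)$", line, re.I)
        if m:
            out.append((7, f"win.ini {m.group(1).lower()}= is not empty", line))
    for line in s.get(8, []):
        m = re.match(r"^shell=(.+)$", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            out.append((8, "system.ini shell= is not Explorer.exe", line))
    for line in s.get(9, []):  # REM lines are comments in a batch file
        if not line.upper().startswith("REM") and (
                STARTUP_DIR.search(line) or SCRIPT_EXT.search(line)):
            out.append((9, "autoexec.bat touches StartUp folder or script", line))
    lines12 = s.get(12, [])
    for i in range(1, len(lines12)):  # the value line precedes its '(.ext file' line
        m = re.match(r"^\((\.\w+) file - RegPath", lines12[i])
        if m and m.group(1).lower() in DEFAULT_OPEN:
            ext, value = m.group(1).lower(), reg_value(lines12[i - 1]) or ""
            if not re.search(DEFAULT_OPEN[ext], value, re.I):
                out.append((12, f"{ext} open command is not the default", lines12[i - 1]))
    return out

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

To run it on a real dump, call scan() on the contents of StartUp.Log. It only reads the log: like the log itself, it says nothing about whether kak.hta is actually present on disk, only that autoexec.bat still references it.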

  2. #2
    Join Date
    Feb 2002
    Posts
    29
    I'd watch that Elvis screensaver.

  3. #3
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    Gee thanks zipulrich - ummm Patch - wasn't keen on it myself

    ------------------
    Moderator at Suggest A Fix

  4. #4
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    More info - Lorenza (my friend) tells me she has searched her computer for kak.hta and kak.html and nothing shows up. I took her into sysedit and asked her to look at autoexec.bat, however she told me there was nothing relating to kak. Hmmmm - wondering - there is a big gap in autoexec.bat, maybe she didn't scroll down far enough? Apparently, nothing in the sig file either, so why in the start up log?

    PS No prior Kak infection

    ------------------
    Moderator at Suggest A Fix

    [This message has been edited by AnnMarie (edited 02-22-2002).]

  5. #5
    WhitPhil Guest
    It almost appears that KAK was installed on the PC, but is no longer there.

    You won't find the HTA file, because the autoexec deletes it, after it starts it.

    C:\Windows\STARTM~1\Programs\StartUp\kak.hta

    del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

    Out of curiosity, you could delete the last statement (the DEL) from the autoexec, reboot and then check again for the HTA file.
    There is nothing in the startlog that shows anything abnormal running, but if the HTA file appears again, we know we have missed something (and we need to update the startlog).


  6. #6
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    Thanks WhitPhil - I will give that a try and see what happens. Incidentally, the main reason I asked her to run StartUp Log was because she was trying to extract (I think she was a bit excited when she rang me) a file from her Win98 CD and got a message saying that she couldn't perform this action as an MS-DOS program was running, etc. She had no idea what that might be (and neither do I). She also swears she has never had a virus infection. It looks like I'm going to have to go over there tomorrow - if anyone has any further thoughts in the meantime, it would be appreciated.


    ------------------
    Moderator at Suggest A Fix

  7. #7
    Join Date
    Aug 2000
    Location
    What Are You Lookin At?
    Posts
    1,119
    AnnMarie, your friend needs to enable 'show all files' in folder options to find those kak files. Read through and follow the removal instructions here, it tells you what to look for:
    http://securityresponse.symantec.com...t.kakworm.html

    Also, delete that entire line in autoexec.bat as Symantec says to do:

    @echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
    del C:\Windows\STARTM~1\Programs\StartUp\kak.hta

    ------------------
    "Be sober, be vigilant; because your adversary the devil, as a roaring lion, walketh about, seeking whom he may devour." 1 Peter 5:8

    [This message has been edited by Kento (edited 02-22-2002).]

  8. #8
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    2,869
    Thanks Kento - well she just rang and it seems that she has restored something (what I don't know) from her Win98 CD on the advice of the store she bought her PC from and now has full-blown KAK. My problem is that she is Spanish and although she speaks very good English, when she gets excited it's 50% English and 50% Spanish LOL (and I don't speak Spanish). I'm going over tomorrow armed with all this good advice and will get rid of it (one way or another). Thanks everyone.

    ------------------
    Moderator at Suggest A Fix
