kak worm (?) won't die

Discussion in 'NOD32 version 2 Forum' started by brendank, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. brendank

    brendank Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    2
    Location:
    UK
    A friend's computer, Win98, displays a window titled kak.hta whenever it boots. I suggested he download a trial version of NOD32, update it and do a clean with it. Nothing found! So, I've cleared Run in the registry and attempted to stop it starting via msconfig. It returns without failing, having the gall to re-check the startup entry in msconfig. Can someone please point me to where I can find a solution?
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    It's strange.
    Try to send the file to: samples@nod32.com for further analysis.
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Kak is a little beast--and can be difficult to remove.

    I would visit this site:

    http://securityresponse.symantec.com/avcenter/venc/data/wscript.kakworm.html

    and read the instructions carefully, as this worm can write to your autoexec.bat files, among others.

    Good luck.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Please do this:
    http://www.wilderssecurity.com/showthread.php?t=15913

    But don't bother with AdAware & Spybot in this case; just post a HijackThis log in that forum, please.
     
  5. brendank

    brendank Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    2
    Location:
    UK
    Thanks for the help. I followed JimIT's guidance and slavishly followed the Symantec routine. It turned out that most of the infestation had gone; the only bit left was hidden in autoexec.bat and amounted only to displaying the wretched window.
    @dvk01. I don't think it's worth a separate post; I had already run AdAware, Spybot and Spysweeper - they found nothing, probably because other than the line in autoexec.bat there was nothing to find. I have never tried hijackthis but I'm certainly now going to look at it.
    Thanks everyone.
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Any time there is a persistent infection it's worth running HJT. All it does is display the usual places from the registry and ini files that malware uses to start up. It displays them in a manner that makes it easy to see & fix them without actually having to manually edit the registry and the risk of making mistakes.

    It's surprising what an experienced eye can spot that doesn't look right.

    The automatic removers are very good, but the human eye is better in these cases.
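
Added example, not part of any poster's message and not HijackThis code: a small Python lister for the text-file startup locations on a Win9x machine (autoexec.bat, the win.ini `load=`/`run=` keys, the system.ini `shell=` key), which is where the leftover line in this thread was hiding. The sample file contents and the path in the sample autoexec.bat are constructed placeholders.

```python
import re

# Extensions run by a script host; a startup line naming one deserves a look.
SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
WIN_INI = {("windows", "load"), ("windows", "run")}
SYSTEM_INI = {("boot", "shell")}

# Constructed sample files; the path in autoexec.bat is a placeholder.
SAMPLE = {
    "autoexec.bat": r"""@echo off
rem constructed sample
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
C:\EXAMPLE\kak.hta
""",
    "win.ini": "[windows]\nload=\nrun=\n",
    "system.ini": "[boot]\nshell=Explorer.exe\n",
}

def autoexec_entries(text):
    """Return (line_no, command) for every active line of an autoexec.bat."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        if not line or line.startswith("::") or re.match(r"rem(\s|$)", line, re.I):
            continue  # blank line or comment
        entries.append((no, line))
    return entries

def ini_entries(text, wanted):
    """Return (section.key, value) for the non-empty autostart keys of an ini file."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if (section, key.lower()) in wanted and value:
                found.append((f"{section}.{key.lower()}", value))
    return found

def review(files):
    """files maps file name to text. Return [(location, command, needs_check)]."""
    rows = [(f"autoexec.bat:{n}", c) for n, c in autoexec_entries(files.get("autoexec.bat", ""))]
    rows += [(f"win.ini {k}", v) for k, v in ini_entries(files.get("win.ini", ""), WIN_INI)]
    rows += [(f"system.ini {k}", v) for k, v in ini_entries(files.get("system.ini", ""), SYSTEM_INI)]
    return [(loc, cmd, bool(SCRIPT_EXT.search(cmd))) for loc, cmd in rows]

if __name__ == "__main__":
    for loc, cmd, flag in review(SAMPLE):
        print(("CHECK " if flag else "      ") + f"{loc}: {cmd}")
```

Every active entry is listed so a person can read the whole startup picture; the flag only marks lines that name a script-host file type.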
     