kpwn1.exe

Did you run a Spybot scan during this? I'm wondering why the Regmon log shows so much about Spybot.

Please locate the below files and put them into a ZIP file and upload it here.
c:\WINDOWS\vvbyk1.dll
c:\WINDOWS\vvbyk1.upd
c:\WINDOWS\system32\com9.knu
C:\autoexec.bat

 

Those messages from ZA have nothing to do with this problem. They may be for your ISP. Is the below your ISP:

Code:

[B]IP Address[/B]   : 66.230.175.39 [ 66.230.175.39 ]
[B]ISP          :[/B] ISPrime
[B]Organization :[/B] Phantographics LLC
[B]Location     :[/B] [IMG]http://img.cqcounter.com/flags/au.gif[/IMG] AU, Australia

To Search for hidden files you must configure special search options:

Click Start and select Search
Now Select "All files and folders"
Enter the vvbyk1.dll in the "All or part of the file name:" box
Now select "More advanced options"
Make sure the following check boxes are checked:

• Search system folders
• Search hidden files and folders
• Search subfolders

Then click the Search button.

Now repeat for the below:
c:\WINDOWS\vvbyk1.upd
c:\WINDOWS\system32\com9.knu




The autoexec.bat file is empty. Is that how it appears on your end?

 

Download and install this: ExplorerXP Do those files show up using this utility instead of Windows Explorer.

If not, see if BlackLight is still detecting them.

 

I need you to respond to message # 106. Also when you ran BlackLight last time, did you have it clean/fix what it found????

Also do the below:

Click Start, Run, and enter ipconfig /flushdns and click OK.
Note there is a space between ipconfig and the /flushdns

Also download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

 

Okay then see this link about ISPrime and Phantographics

http://www.charlesarthur.com/blog/?p=437


Attach a new ShowNew log and a new HJT log.

Also run Microworld Anti Virus & Spyware Toolkit Utility and save a log to attach here.

To save a log you will probably have to click in the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We just want to use it to try to identify anything that is bad.



I want to make sure nothing new has found its way in.

 

Yes! But do things in the below order!

1. Have BlackLight fix those files.
2. Stop any kpwnX.exe process
3. Manually delete all kpwnX.exe process in C:\Windows\Temp (yes even delete the fake one I created)
4. Use HJT to fix both O4 lines in your HJT log
5. run the ipconfig /flushdns command
6. run the Hoster procedure
7. run Microworld Anti Virus & Spyware Toolkit Utility and attach the log here for me to see before continuing.
8. Then before you even start FileMon and Regmon, make sure that the kpwn stuff has not come back yet. If it has repeat all necessary steps above (execept do not run steps 5, 6 & 7) Then setup Regmon and Filemon and let them start capturing. Stop the capture when the kpwn stuff comes back.
9. Attach the Regmon and Filemon logs (make sure you do not run any other scans in between to avoid making logs get to long).

 

I'm not sure what is going on but something is changing your priviledges all the time.

Let's try this new tool out: Sophos Anti-Rootkit 1.0

Let me know what it finds. If it finds the samething, try to fix them.


Run steps 5, 6, & 7 from my previous procedure no matter what happens.

 

You can just tell ZoneAlarm to block silently! That way it will stop getting in your way. You can always look at the log anytime you want to see what activity may still be occurring.

 

Please run this WareOut Removal and attach the requested report aftwarwards.

Rename the below nOw.exe file to nOw.xxx:
C:\Program Files\Common Files\Microsoft Shared\nOw.exe

Go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

At one point in the last process did you enable Filemon and Regmon? There still seems to be other activity not related to just waiting for the kpwn process to startup again. It even looks like a defrag of the harddisk may have been started. It is strange that the Filemon log starts at 7:53:41 PM with a ZoneAlarm access (vsmon.exe is zonealarm) trying to access the C:\windows\temp\kpwn1.exe process and then you ran until at 9:39:33 PM before stopping the log.

Also the Regmon log shows that you were access stuff with FireFox

Also something or you had a command prompt opened (cmd.exe) which made an attempted access to registry keys about this file:

When you have been deleting all the kpwn stuff (registry and files) have you also been emptying the Windows Prefetch folder. This file was shown there C:\WINDOWS\Prefetch\KPWN1.EXE-1F483450.pf You must always make sure to either delete all files in the prefetch folder or at a minimum delete any files with kpwnX.exe in the name.

Try using PocketKillbox (I know you have used it earlier in this thread) to delete the below file on reboot:
C:\WINDOWS\vvbyk1.dll

Does PocketKillbox find and delete the file. Is Avast still finding it. What about Sophos or BlackLight?

Let me ask a question! With this process (whatever it is) still periodically appearing, what is the overall performance of your PC like. In otherwords, other than this and ZA popping up about it, how is your PC running?

 

Yes flush your System Restore points.

That file you found in the C:\Program Files\Common Files\Microsoft Shared folder has renamed itself again according to Sophos. First it was nOw.exe, then you only found qkhxe.exe. Now Sophos reports, C:\Program Files\Common Files\Microsoft Shared\Aqkc.exe:$EFS

Run Sophos again and fix the two rootkits
1) C:\WINDOWS\system32:c_100rc.nls

2) C:\Program Files\Common Files\Microsoft Shared\Aqkc.exe:$EFS
This second one may have changed names already. I wonder if it is related at all to the kpwnX.exe . Whatever randomly named EXE filename is appearing here is bad and must be deleted. If Sophos does not delete it, delete it yourself.

After fixing those, stop any kpwnX.exe process that it running, then yes go thru and delete all files than have anything saying kpwn in them. Delete all that you showed in your message. Also make sure to delete all files in C:\Windows\Prefetch (to be safe, just delete all files in this folder). Then run HJT and make sure all registry keys that show kpwnX.exe are fixed.

After doing ALL of the above shut down ALL unnecessary processes (including browsers). Make sure no tasks are set to run (like defrags, scans etc). Have ZoneAlarm Lock the Internet connection. Then configure Regmon and Filemon and start capturing. Make note of what time you start them. Try to stop the capture a close to the time the problem pops up. If it does not popup again in a time frame where you normally expect it to popup, then Unlock the Internet block of ZoneAlarm and continue capturing.

 

Yes try booting into safe mode and also physically unplug your cable to the Internet before reboot!

Did you try looking for the first file using ExplorerXP?

Do you have a bootable Windows XP SP2 CD?


I have a feeling that the randomly named file (currently Aqkc.exe) is encrypted and the the $EFS at the end is for the below:

http://www.iopus.com/guides/efs.htm

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true


There were things in your Regmon log that also showed references to encryption and a seed being used. Here is what I mean:

In addition, the files shown in System Restore by Sophos, also appears to be encrypted.

Have you used or did you ever use any kind of encryption software on this PC? Was it used for or is it used for any kind of government work?

 

Yes a bootable Windows CD for your SP level can be quite important. Especially when things like this happen. You could make your own but to do that you would have to have your own legal copy of another Windows XP CD and then you could slipstream in SP2. But that is not a topic for this forum.

You could also possibly make another BootCD that could be used to boot your system and if it still gives you access to your C drive, you may be able to manual delete the hidden files. Again the making of this type of CD is outside the scope of things discussed in this forum. Tools like the below can sometimes be used:

Ultimate Boot CD (Basic)

Bart's PE Builder

And sometimes even a Linux based CD can prove useful. The below is an example of such a CD (click on the English flag at the top to read in English).

http://www.knoppix.org/

 

Well a repair shop has an advantage that the PC will be right in front of them! They will still need to play some games to get rid of these rootkits and to hunt down the source of kpwn. They will more than likely need to boot to the Recovery Console using a Windows XP SP2 CD.

Let me ask a question though. When did all of your malware problems begin? Perhaps a System Restore to a date before they began could help. We have no way of knowing exactly when these rootkits arrive though since your PC seems to running reasonably well even with them.

 

I don't believe we flushed them. We never got to the point where you were clean so we would not have requested it.

That's not easy to answer as you suggested. We just don't know exactly what all of these are and what they could be doing. It I were in your shoes, I would backup all of my personal data and re-partition, format, and reinstall the OS. The problem is that you do not have a valid CD to reinstall from and to reactivate a license from so this is not really a useful suggestion to you. Backing up your data though should be done no matter what. You just don't know what could happen while trying to fix these or if you just continue running with them installed. Also, if you do take it some place for a repair, it could also be dangerous to have not backed up all of your important data. You could loose all of it while attempts at cleaning are performed. Also the final suggestion of the place you take it to may be to format anyway. It could be faster and less costly.

If you like, you could try the new tool (just got it today) to see if it has any better luck:

AVG Anti-Rootkit 1.0.0.13 Beta


Also you could give the below a run a attach a log from it. I' m curious to see if any of those files have Alternate Data Streams (ADS). Don't fix anything with it unless I tell you to. Many valid files will have ADS too.

ADSspy

 

So these are back again too! Did those connections to that IP address come back too. Didn't Sophos remove these last time ? Please see if you can get copies of those to files into a ZIP file and attach it here. While looking, also check to see if the following files exist: C:\WINDOWS\vvbyk1.dll and C:\WINDOWS\vvbyk1.upd (also see if there are any other files that begin with vvbyk1 ) Then also run Sophos and or Blacklight to see if it will remove them.

You're right! I forgot that we had tried to clean upi that stuff in System Restore. Sorry about that.

In realitty it would probably be cheaper for you to just purchase a legal full copy of Windows XOP SP2 and just fdisk, repartition, format, and reinstall on your own. It is not really that difficult. You could save the money on the repair shop and get a full copy of Windows while doing it.

Sorry to say there is not absolute perfect solution. Following the suggestions in the How to protect thread are a great help though. Reading and understanding and then following the suggestions there are very important. You are the first and last line of defense. So the better educated you are, the safer you and your PC will be. My personal preference for antispyware applications is Spy Sweeper. For some people on slower machines it can be a little to resource intensive, but that is also because it does a more comprehensive job then other tools. Avast is fine however many people like AVG more.

Your welcome.

Let's continue to look at some stuff (at least until you decide to call it quits and format).
I should have had you change the options on ADS Spy to select a Full scan (all NTFS drives). The log seems to indicate only a small part of your drive was scanned. Also only ADS streams that occured due to Kaspersky being run where found. Let's clean up those streams from Kaspersky and then run a new Full scan.


Download the utility Klstreamremover.zip
Unzip the archive in the root folder of driive C so we can clear the ADS streams
Run Klstreamremover.exe with the parameter –r To easily do this open a command prompt window and change directories to the root of drive C where this tool was extracted ( cd C:\ ). Then type in Klstreamremover -r
Wait utility work to finish

Note: if there you have other NTFS partitions on your computer, repeat previously described actions for each partition.
After doing the above run ADSspy and change the default option to be

Full scan (all NTFS drives)

Then run a new scan and attach the new log.

 

I told you how to clean them up in my last post and you needed to do that before running ADSspy.

 

Well that shows us nothing of interest. The Zone.Identifier stream that shows is normal. [FONT=Arial, sans-serif]This stream is generated by Internet Explorer and Outlook when saving files from to local disk from different security zones. [/FONT]

Sorry to say but at this point all I can suggest is that you backup all of your personal data and downloads and take your PC someplace for a full reinstall (or see if a local tech who can actually sit in front of your keyboard and PC can repair it).

 

Well personally I prefer XP Pro, but you have to decide what your budget allows. What ever you choose, make sure you are get a valid license for Windows XP and that they are not using some OEM copy to install on dozens of PCs.

You're welcome. I'm sorry that we were not able to get this fixed.

 

I'm not sure of all the differences because I have only had Win XP Pro, but that is one difference. Others are differences occur may be in multimedia areas and various admin type things. You may get a better answer for this in the Software Forum.

That's nice (but I assume you meant Small-BGT ??). We knew it was bad all along! Hey! A new Sophos Anti-Rootkit 1.1 just came out. If you have not taken the PC in for reinstall and if you feel like it, give it a try and see if it does a better job at fixing any of those problems we were seeing. I would also suggest that when you run it that you physically unplug your cable to the internet and then shutdown every application that you have running other than Sophos (even shutdown antispyware, antivirus, and firewall). Run it once in normal boot mode and save a log. Then reboot into safe mode (make sure everything is shutdown again) and run it again and save a log.

Then reboot into normal mode and make sure your antispyware, antivirus, and firewall are back on and connect to the internet and come here and post your results.

PS: It's just hard to call it quits!

And having said that, also give the below a try:

a-squared (a²) Free edition - you will have to give them a valid email address

Trojan Remover - 30 day trial - makes sure you get all updates

 

Well that did not change anything except that I did not see the kpwn1.exe file in c:\windows\temp\ in the logs.

Did you actually try having Sophos fix what it found even though they do not recommend it?

I would disable System Restore (and leave it disabled) then I would run Sophos (only once in normal boot mode) and let it fix what it finds. Then attach the new log.

 

I'm not sure what you have done with your PC! But we now know a bit more about your problem and it related all the way back to the LinkOptimizer item I had you remove way back. Read the Technical Details from Symantec here:

Trojan.Linkoptimizer

It describes those files in the Temp and Microsoft Shared folder we were trying to remove.


You should give the below tool a try if you have not yet formatted your PC.

Let me know the results of the scan!

 

Looks better!

If you run the Gromozon tool again does it come up clean?

Is your HJT log clean (you know the kpwn1 line)?