kpwn1.exe

I took a look inside this executable file. It appears to be an adult content web dialer. I want to look at a few registry keys for some additional information. I will create a small tool to dump this information to a file for us to look at. Hopefully I can do this sometime today.

How do you connect to the internet (analog modem, cable, DSL)???

Comment: When our instructions say things like download such and such to its own folder or extract the contents of to its own folder. We really mean that you need to use a new folder for them. You are downloading and extracting tools to the root folder of your boot drive. This is a VERY BAD IDEA. Here is what you have thus far (I'm only showing new files too):

C:\
cwshre~1.exe 2 Aug 2006 532480 "cwshredder.exe"
getrun~1.bat 1 Aug 2006 41695 "GetRunKey.bat"
getrun~1.zip 9 Aug 2006 47345 "GetRunKey.zip"
hijack~1.zip 29 Aug 2006 212849 "hijackthis.zip"
hoster.zip 3 Aug 2006 234855 "hoster.zip"
kill2me.zip 2 Aug 2006 13726 "kill2me.zip"
newfiles.txt 9 Aug 2006 2149 "newfiles.txt"
runkeys.txt 9 Aug 2006 11836 "runkeys.txt"
shownew.bat 5 Aug 2006 22180 "ShowNew.bat"
shownew.zip 9 Aug 2006 54487 "ShowNew.zip"
window~1.exe 2 Aug 2006 2599840 "Windows-KB890830-V1.18.exe"
winpfind.txt 9 Aug 2006 21944 "WinPFind.Txt"
winpfind.zip 9 Aug 2006 204131 "WinPFind.zip"
xpprof~1.exe 9 Aug 2006 94208 "XPProfiles.exe"

None of these should be located in this folder. They should be in another folder where you save downloads to and then you should extract things to there own folder names so you know what they are later. For example we suggested that you create C:\MGTools and download ShowNew.zip and GetRunKey.zip there. Then also extract the contents of those two zip files into the same folder. The same logic applies to other tools. Also DO NOT use your Desktop unless it is requested.

By the way, you need to go to Add/Remove programs and uninstall LinkOptimizer

Also while in Add/Remove programs, can you tell me what the below are all for:
Copy
Readme
Scan
ScannerCopy
TrayApp
Unload

I also don't see a firewall installed! Why not???? I thought BJ asked you to run the How to protect thread a while back. You must install one now if you have not already done so.

 

Download the attached GetDialer.zip file. Extract the contents to its own folder (you can put this in the same place as GetRunKey and ShowNew, but this should not be the root folder of drive C)

Then locate and run the GetDialer.bat file. This will create a file names c:\dialer.txt
Attach this file to you next message.

 

If it was doing a great job you would not be infected. Yes you still need to install a Software firewall. It may even help block this dialer from being able to respawn, See step 3 in the below link which was recently updated:

How to Protect yourself from malware!

That is what was suggested in the instructions for using them, so yes that would be good.

You really need to understand better what you install on your system. There is way too much stuff that you don't recognize. It is very important in this day & age to keep track of this for your own security.

Download and install this: Your Uninstaller! 2006
Use it to uninstall LinkOptimizer

Let me know if this works to uninstall it.

Now for this kpwn1.exe file, I did not see what I expected in the registry key. I will try to work up a new fix for you to try tomorrow. In the mean time, make sure you have installed a software firewall, I suggest you use ZoneAlarm as a starting point. It is more user friendly on initial startup and recognition of valid programs, It is important that you install ZoneAlarm before continuing. It will ask you to reboot after installation. So after rebooting, come back here and attach a current HijackThis log and a new log from ShowNew. Then I will post a fix to try.

 

No! ZoneAlarm is a firewall and Avast is an antivirus program! Did you see kpwn1.exe come up in ZoneAlarm. If so, make sure you block it. If you did not see it, then look thru ZoneAlarm to make sure that if the process appears in any list that it is blocked (denied access).


Now please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (If it restarts, just ignore it and continue!)

C:\WINDOWS\Temp\kpwn1.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [kpwn1.exe] C:\WINDOWS\Temp\kpwn1.exe

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
C:\Documents and Settings\Administrator\Local Settings\y7ir73cd.exe
C:\Documents and Settings\Administrator\Local Settings\BHO2.tmp
C:\WINDOWS\desktop.html
C:\WINDOWS\xpupdate.exe
C:\WINDOWS\temp\kpwn1.exe
C:\WINDOWS\temp\kpwn1.zip

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

After reboot locat the below folder and delete it if found:
C:\Program Files\BraveSentry


Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\temp\
C:\Documents and Settings\Administrator\Local Settings\Temp\
C:\Windows\Prefetch <--- delete ALL files in this folder.


Now attach a new HJT log and tell me how the steps went.
Also attach a new log from ShowNew and a new log from GetRunKey.

 

You are not supposed to delete the Recyclers folder (it is not a file, it is a folder. Think of a folder like the drawer of a filing cabinet and the files are the items in the drawer.). It is a required system folder. BJ just wanted you to delete all files in the folder. The proper way to do that is to just right click on the Recycle Bin icon on your Desktop and select Empty Recycle Bin. If the Empty Recycle Bin item is grayed out (i.e., not selectable), it means it is already empty.

 

Boot in safe mode and look for the file yourself. If found, delete it! Let me know the results!

You need to attach the followup logs I requested!

That folder belongs there. Leave it alone! I repeat....... The proper way to remove files from the Recycler is to right click on the Recycle Bin and select Empty. Do not try to delete them by hand!

 

I do not see the process or file in any of your logs! Were they all obtained before it came back. If you get new logs, does it show in them now?

After deleting it, does it ever come back if you only reboot in safe mode?

When it did come back (ie ZoneAlarm poppep up), when was this? Was it right after boot, was it only after running a browser or something else?

 

I thinking of some stuff to try! While I'm doing that, please answer a question.

Is the clock/calendar on your PC setup properly? Look at the data on the two below files:

 

I wonder how they got set to the wrong dates!

Follow the below directions EXACTLY!

1. Create a new folder on drive C name C:\fixkp
2. download the attached patch.zip file to the fixkp folder
3. Extract all files from the patch.zip file into the fixkp folder
4. Run the runfix.bat file by double clicking on it.
5. Upload the C:\fixkp\fixlog.txt file that will be created here as an attachment.
6. Now get a new logs from ShowNew, and HJT and attach them too
7. Now reboot your PC. Get me a second set of logs from ShowNew and HJT (attach them in a second message).

Let me know if you are still getting any warnings from the firewall. If not, let's see if you get any at a later time. What I'm doing is trying to prevent the file from recreating itself by making a dummy file with the same name that is protected (hopefully) and by also using the same registry key to have it call the patch to fix the problem again on each reboot. While this is not a fix, I want to see if it at least blocks the problem or if whatever is creating this, tries to make a new filename to spawn the problem.

 

Okay! The runfix.bat file did not quite do what I wanted. During the procedure it should have deleted the real kpwn1.exe file and replace it with a dummy file that is smaller in size (which would make it easy for me to tell it was replace). The problem is that it did not replace the file. Probably because the process was running. So here is what I want you to do. Kill the kpwn1.exe process like we did in the past using HJT (see message # 59) and then manually get the file deleted yourself. Try deleting it as soon as you kill the process. If you cannot delete it, boot into safe mode and delete it. As soon as you get it deleted, run the steps in message # 70 starting at step 4. And upload the logs again.

When/if the firewall popups up again, attach a new (second) HJT log.

 

Something is not right! The patched file is not being copied to the C:\windows\Temp folder.

Run the Runfix.bat file right now and attach a new log from ShowNew!

 

Also quickly goto the below folder and delete all files (a few from files may not be deleteable because Windows will block them from being deleted):

C:\Documents and Settings\Administrator\Local Settings\Temp


If you wait too long to get the instructions in message number 77 & 78 done. You may have to start message # 74 all over again because the real file may have come back.

 

Okay this is what I was expecting would happen. There is definitely something else hiding that is creating this process. I will probably have to workup a procedure using MSconfig to only load certain processes and services at startup to see if anything you have installed is respawning this. Attach a new ShowNew & HJT log now.

Let's also do some more hunting!

Let's get a Startup List with Hijack This.

Generating Startup Lists with HijackThis

• Run HijackThis, click Open the Misc Tools section
• Put a check in the List also minor sections (full) check box.
• Now click the Generate StartupList Log button.
• This will create a file named startuplist.txt in the same folder that HijackThis is installed into.
• Also a notepad file will open with this startuplist in it.
• Attach the startuplist.txt file to your next message.

Now download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of the BlackLight log.


Download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on explorer.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list.
• Post it back here as an attachment.
• Now repeat the above steps but get a log after clicking on iexplore.exe

You will have to use a couple messages to attach all the above logs!


By any chance are you on a wireless network? Does the below link mean anything to you?
http://www.kpwn.4t.com/

 

Run this Look2Me VX2 Removal it should hopefully fix that setting. Attach the Look2Me-Destroyer log.

Just open one IE browser window and then get me the log.

 

I see that kpwn2.exe is running. Use Process Explorer the same way you did for explorer.exe and iexplore.exe and select kpwn2.exe and get me a log too.

 

Are you using an account that has administrator priviledges? Look2Me Destroyer successfully enabled SeDebugPrivilege so it should work now.

How many user accounts on this PC? If you login to other user accounts, does this kpwn1 or kpwn2.exe file also appear.

If you don't have other user accounts, create one. And then login to the new account and see if kpwn shows up.



Download these two tools and extract them to a folder!
- Filemon for WinNT/2K/XP
- Regmon for WinNT/2K/XP


Run Filemon

When it comes up, change the *.* in the Include box to say kpwn*.exe Then click Apply and OK. The Filemon window now comes up and will monitor for anything accessing kpwn*.exe Now just leave this running and continue.

Run Regmon

When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter. In this filter, enter the following:
kpwn*.exe

Then click Apply and then OK. It will ask if you want to apply the filter to the current output. Say yes


Now use procedures like we did in the past to stop any kpwn files from running and then delete the kpwn2.exe file in the c:\windows\temp folder. Also run HJT and have it fix the O4 line related to kpwn2.exe

This may help us see if anything runs to to restart it. You can go back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.



Also after you fix the kpwn stuff and after it pops back up again, Regmon will show the activity. It should also show if anything else is putting the entry back into the registry. So go back to the Regmon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.


Let me know if you don't understand any of the above proceudre or have a problem getting them to work as desired.

 

Now that's interesting!

Hmmm! I'm not sure what is going on here but something has your permissions all disabled.

Download and install Microsoft's Debugging Tools for Windows 32-bit Version:
http://msdl.microsoft.com/download/s...86_6.4.7.2.exe

Then see if you can get Regmon and Filemon to run. Meanwhile I'll see if I can figure out why your SeDebugPrivilege is not getting enabled.

Do you have WinXP Pro, or Home, or Media?

Thanks! Looks like they changed their pages. You probably have the correct versions, but here they are just in case (and also for anyone else that reads this thread):

Filemon v7.03

Regmon v7.03

 

Download the attached setrights.zip files to the same folder where you have ShowNew installed. Then extract the two files from setrights.zip. Now locate the setrights.cmd file and double click on it. Let me know if you get any error messages.

Now try to run Filemon and Regmon. Any luck?

 

Was the log from Regmon stopped (i.e., saved ) after you had deleted the stopped the kpwn2.exe process (if running), deleted the file, and killed the O4 line with HJT and then waited for it to reappear. What we need to capture is when it reappears. Both Filemon and Regmon should be saved after the file has come back but they obviously need to be running before it comes back. If the logs get to large to upload, compress them into a ZIP file and upload them.

 

Okay but what you need to do is save it after it comes back.

 

Yes it needs to be checked or it will not capture anything. That is how you basically enable and disable the capture.

 

Yes and also hope that they give us some incite into where this is originating from.

After you get these logs, give BlackLight another try!

I'll check into tomorrow morning....... well that is later today. Need to get some sleep now.