Author Topic: rootkit

tam wei lun
rootkit
« on: June 08, 2008, 10:35:05 AM »
Dear all,

There is a rootkit called kadaj.exe that appeared with a smiley face on the taskbar of my desktop. The smiley face is called doozo yoshitku. It is very irritating and it can't be removed or deleted by the avast home edition. Anyone have any idea how to deal with it??? Thanks

Lisandro
Re: rootkit
« Reply #1 on: June 08, 2008, 04:22:11 PM »
I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

If no program detects it, a full on-line computer scan would be good:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

polonus
Re: rootkit
« Reply #2 on: June 09, 2008, 12:28:29 AM »
Hi tam wei lun,

Here is some additional info on kadaj.exe:
AUTOMATED SOFTWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
DEFINITION OF: PATCHHACK(KAJAD)[1].EXE

    * Safety Rating: Safe
    * First seen: Feb 22 2006 (GMT)
    * Last seen: Feb 22 2006 (GMT)
    * File Size: 5,934,535 bytes
SOFTWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
1. COVERT ANALYSIS OF: PATCHHACK(KAJAD)[1].EXE

    * File Names Used: 37
    * Paths Used: 95
    * Common File Name: PATCHHACK(KAJAD)[1].EXE
    * Common Path: %DESKTOP%\
    * Vendor Information: No Vendor details specified
    * Product Information: Setup Application
    * Version Information: 6.0.1.4
    * PATCHHACK(KAJAD)[1].EXE may use 37 or more path and file names; these are the most common:
    * 1 :%CACHE%\CONTENT.IE5\????????\HYD[1].192.PATCH.EXE
    * 2 :%CACHE%\CONTENT.IE5\????????\KADAJ-CLIENT-PATCH-1.9.2D[1].EXE
    * 3 :%CACHE%\CONTENT.IE5\????????\KADAJ-CLIENT-PATCH-1[1].9.2D.EXE
    * 4 :%CACHE%\CONTENT.IE5\????????\PATCHHACK(KAJAD)[1].EXE
    * 5 :%DESKTOP%\NUEVA CARPETA (6)\HYD.192.PATCH.EXE
    * 6 :%profiles%\mlithium\confi...\rar$ex02.188\1.10 hax\KADAJ.1.9.X.EXE
    * 7 :%PROGRAMFILES%\WORLD OF WARCRAFT\HYD.192.PATCH.EXE
    * 8 :%programfiles%\world of warcraft\iconewow\1.EXE
    * 9 :%TEMP%\HYD[1].192.PATCH.EXE
    * 10:%TEMP%\RAR$EX00.156\PATCH_1.10_HACK.EXE
    * 11:%TEMP%\RAR$EX00.547\PATCH_1.10_HACK.EXE
    * 12:?:\A00000000
    * 13:?:\achi d1 lama\master software\software lagi\PATCHWOW-AMPM.EXE
    * 14:?:\downloads\1.10 hax\KADAJ.1.9.X.EXE
    * 15:?:\HACK CLIENT.EXE
    * File Name Structure: Highly Irregular
    * File and Path Structure: Suspicious, code execution from unusual location

2. RELATIONSHIP ANALYSIS OF: PATCHHACK(KAJAD)[1].EXE

    * No relationship details available for this object

3. ACTIVITY ANALYSIS OF: PATCHHACK(KAJAD)[1].EXE

    * The following behaviors have been observed for this object:
    * Installs programs.
    * Deletes programs.
    * Runs temporary programs.
    * Runs other programs.
    * Hijacks running processes.

4. PROPAGATION ANALYSIS OF: PATCHHACK(KAJAD)[1].EXE

    * Object Propagation Rate: Very Low (minimal spread)
    * Copyright Prevx Limited 2005, 2006

  polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
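As an added example (not code from the thread, from avast or from Prevx): a PowerShell triage script that searches the locations listed in the Prevx profile above for the file names it reports, records each hit's size and SHA-256, and lists any Run/RunOnce value or running process that references one of them, so the findings can be posted for analysis before anything is quarantined (Lisandro's steps 4 and 6). It assumes Windows PowerShell 5.1 or later; the IE cache folder names and the name regex are my assumptions.

```powershell
# Added triage script, not code from the thread, avast or Prevx. Assumes Windows PowerShell 5.1+.
# Regex built from the file names in the Prevx profile above (assumption: those spellings).
$namePattern = '(?i)(kadaj[^\\]*|hyd[^\\]*\.patch|patchhack[^\\]*|patch_1\.10_hack|hack client)\.exe\b'

# Locations from the profile's "Common Path" list; the IE cache folder names are my assumption.
$candidates = @(
    [Environment]::GetFolderPath('Desktop'),
    $env:TEMP,
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
    "$env:ProgramFiles\World of Warcraft",
    "${env:ProgramFiles(x86)}\World of Warcraft"
)
$searchRoots = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. Files on disk: record path, size and SHA-256 so the sample can be reported/quarantined, not just deleted.
$hits = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern }
}
$report = foreach ($f in $hits) {
    [pscustomobject]@{
        Path     = $f.FullName
        Bytes    = $f.Length
        SHA256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Modified = $f.LastWriteTime
    }
}
$report | Format-Table -AutoSize

# 2. Persistence: Run/RunOnce values (what a HijackThis log also shows) that point at one of the names.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/etc.
        if ("$($p.Value)" -match $namePattern) { "Autostart: $key\$($p.Name) = $($p.Value)" }
    }
}

# 3. Live process: the smiley-face window is a running program; note its PID and image path for the report.
Get-Process | Where-Object { $_.Path -and ($_.Path -match $namePattern) } |
    Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and Program Files folders are readable; the output is meant to be pasted into the thread alongside the HijackThis or RunScanner log.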