dealing with JS/Kak@m virus

Discussion in 'Malware and Virus Removal Archive' started by rebecca, 2004/12/25.

Thread Status:
Not open for further replies.
  1. 2004/12/25 rebecca (Thread Starter)
    Just ran AVG on a friend's laptop, and it detected 5 occurrences of JS/Kak@m virus. All are located in Temporary Internet Files\Content.IE5\7VTBFLWW\wbk1**.tmp, where the two asterisks represent several combinations of two capital letters.
    AVG couldn't heal them. I manually moved them to the vault, and I've found instructions online about how to manually remove the virus -- apparently there's no removal tool available. However, I'm wondering if I could just delete the 5 files and be done with it. Yes? No?
    Thanks,
    Rebecca
     
  2. 2004/12/25 Newt
    That's a real oldie that seems to be making a comeback.

    You should certainly empty the temporary internet files.

    Also take a look Here for additional removal instructions and a link to a Microsoft security patch that should be installed if it isn't already.
     
    Newt

  4. 2004/12/25 rebecca (Thread Starter)
    Thanks, Newt, that was the exact page I'd been looking at in the first place. I did download the patch, as recommended.
    I'm not clear about whether the virus/worm has actually installed itself into the computer's registry or not. AVG only "caught" it in those 5 tmp files, but might it have missed it elsewhere? That antivirus online link you mentioned says that in English Windows, kak.hta is written to
    C:\Windows\Start Menu\Programs\StartUp\
    In the above list, "(name)" is a seemingly random 8 character name...
    On this computer, though (we're running a brand new parallel installation of WinXP), the StartUp folder says it's empty (how is this possible? A whole bunch of things open up when the computer starts up!). Outlook Express hasn't been used on this installation yet, and IE was only used once: to download the aforementioned patch. So the virus must be left over from the previous installation of XP, correct?
    When you say "empty the temporary internet files", is there more to that than simply deleting those 5 particular files? Can I empty the entire folder while I'm at it (and if so, how?)?
    The infected files show up in C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7VTBFLWW\
    "Owner" was the Administrator (and only user) in the old installation, but we're still able to log on as this user, and have been doing so because all our old documents/pictures are still here. Is that a problem?
     
  5. 2004/12/25 Newt
    Temporary internet files - with your browser open, click on Tools, on Internet Options, then follow the picture below. This is a good idea to do at least once a week.

    It doesn't sound like the PC was actually infected or else AVG would have found other problem files so I think you are fine. I would empty the AVG vault although nothing in there can do any harm since AVG has them isolated.
     
    Newt

  6. 2004/12/25 Lonny Jones
  7. 2004/12/26 rebecca (Thread Starter)
    I'm not sure if this is where I should be posting this, but here's the Hijack This log:
    Logfile of HijackThis v1.99.0
    Scan saved at 8:04:26 AM, on 26/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\GWHotKey.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://free.grisoft.com/register
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\OWNER~1.BOU\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02039F5C-717A-456A-BE55-46C9C2C61A9C}: NameServer = 216.211.26.14 216.211.26.15
    O17 - HKLM\System\CS1\Services\Tcpip\..\{02039F5C-717A-456A-BE55-46C9C2C61A9C}: NameServer = 216.211.26.14 216.211.26.15
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  8. 2004/12/26 Lonny Jones
    That looks fine.

    Are you installing/uninstalling something?
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\OWNER~1.BOU\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
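The entry Lonny picked out is an executable launched from a user's Temp folder. The script below is an added example, not code from this thread or from HijackThis: it parses the O4 (autostart) lines of a HijackThis log and flags that pattern automatically, together with two related ones: entries that launch a script-host file such as the .hta JS/Kak drops into StartUp, and bare filenames that Windows resolves via the search path. The sample lines are copied from the log posted above, except the `O4 - Startup: kak.hta` line, which is constructed to show the Startup-folder case; the format of that Startup line is assumed from HijackThis's usual output.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not part of HijackThis or of any post.
It is a triage aid that says *why* an entry deserves a look, not a verdict.
"""
import re

# O4 lines copied from the log posted in the thread, plus one constructed
# line in HijackThis's Startup-folder format. The "kak.hta" line is
# hypothetical and is NOT in the posted log; it shows what a KAK drop into
# the StartUp folder would look like.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "',
    r"O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe",
    r"O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\OWNER~1.BOU\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    "O4 - Startup: kak.hta",  # constructed, assumed format
]

# "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O4 - Startup: item" or "O4 - Global Startup: item"  (assumed format)
STARTUP_RE = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<item>.*)$")

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
            ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")
# Lower-cased path fragments that mean "runs from a temp or browser cache".
# "\temp\" also matches 8.3 short names such as LOCALS~1\Temp\.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "\\content.ie5\\")


def split_command(cmd):
    """Split a Run-key command line into (executable, arguments).

    Handles a quoted executable (possibly with a trailing space inside the
    quotes, as in the ZoneAlarm line) and an unquoted path containing spaces
    by accumulating tokens until one ends with a known executable extension.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end].strip(), cmd[end + 1:].strip()
    parts = cmd.split()
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate, " ".join(parts[i:])
    return (parts[0], " ".join(parts[1:])) if parts else ("", "")


def assess(target, check_bare=True):
    """Return the list of reasons an autostart target deserves a look."""
    low = target.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("launches from a temp or browser-cache folder")
    if low.endswith(SCRIPT_EXT):
        reasons.append("launches a script-host file (.hta/.vbs/.js); JS/Kak used an .hta")
    if check_bare and "\\" not in target:
        reasons.append("bare filename resolved via the search path; confirm where it lives")
    return reasons


def triage(lines):
    """Parse O4 lines into dicts; non-O4 lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = RUN_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            findings.append({"kind": "run", "hive": m.group("hive"), "key": m.group("key"),
                             "name": m.group("name"), "target": exe, "args": args,
                             "reasons": assess(exe)})
            continue
        m = STARTUP_RE.match(line)
        if m:
            item = m.group("item").strip()
            # Shortcuts are listed as "name.lnk = target"; plain files as the filename.
            target = item.split(" = ", 1)[1] if " = " in item else item
            # A bare name is normal inside the StartUp folder, so skip that check.
            findings.append({"kind": "startup", "hive": m.group("folder"), "key": "",
                             "name": item, "target": target, "args": "",
                             "reasons": assess(target, check_bare=False)})
    return findings


def suspicious(lines):
    """Only the entries that got at least one reason."""
    return [f for f in triage(lines) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_O4):
        print(f"{f['kind']:8} {f['name']!r:28} {f['target']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

Against a saved log, call `triage(open(path).read().splitlines())`. As the thread itself shows, a flagged entry is a prompt to ask what put it there (here: "are you installing/uninstalling something?"), not proof of infection.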
     
  9. 2004/12/26 rebecca (Thread Starter)
    I'm not aware that I'm trying to uninstall or install anything. I reinstalled WinXP onto this laptop a couple of days ago, and have since installed AdAware, Spybot, Spywareblaster, AVG and Zone Alarm, but they all seem to be up and running, so I don't know what might still be stuck in semi-installation limbo.
    I am, however, getting a "the computer has recovered from a serious error" message every time I reboot; that first appeared when I was installing drivers from the Gateway Driver CD.
    Any way for me to find out what that stray registry entry might be related to? Thanks for the all-clear in terms of the virus!
    Rebecca
     
  10. 2004/12/26 Lonny Jones
    Have HijackThis fix this item:
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\OWNER~1.BOU\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
    ============
    Restart the PC.
    Set Windows to show hidden files, folders and extensions:
    >click here for instructions<.
    Delete the contents of all your temp folders, as in: open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    Note: Some systems have Temporary Internet Files, Application Data and History in that temp; if so, leave them and delete all other folders and files inside that temp.
    Delete the contents of the C:\windows\temp folder.
    C:\WINDOWS\Prefetch < delete the contents
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temp < delete the contents
    Clear Internet Explorer's cache:
    1. In Control Panel, open Internet Options.
    2. Click the General tab, and then under Temporary Internet files, click Delete Files.
    3. In the Delete Files dialog box, click to select the Delete all offline content check box.
    4. Wait for the hourglass to disappear.
    5. Click OK.

    I assume you have run a full system scan with AVG?
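The cleanup steps above are manual. The script below is an added example, not from this thread or from any tool named on the page; it does the same job in Python so it can be run over every user profile at once. It removes the contents of each temp folder, leaves the Temporary Internet Files, Application Data and History sub-folders the post says to keep, and records any file it could not delete (a locked file like the ZLT*.TMP that ZoneAlarm holds open) instead of stopping. The folder list assumes the Windows XP default layout named in the post; `demo()` exercises the cleaner on a constructed scratch tree rather than on a real system.

```python
"""Empty the temp folders listed in the cleanup steps above.

Added example for this thread, not from any post or tool on the page.
Run with dry_run=True first and read the list before deleting anything.
"""
import os
import shutil
import tempfile

# Sub-folders some systems keep inside the per-user Temp folder; the post
# says to leave these and delete everything else.
KEEP_DEFAULT = ("Temporary Internet Files", "Application Data", "History")


def temp_folders(system_root=None, profiles_root=None):
    """Build the folder list from the post (Windows XP layout, assumed)."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\WINDOWS")
    profiles_root = profiles_root or r"C:\Documents and Settings"
    folders = [
        os.path.join(system_root, "Temp"),
        os.path.join(system_root, "Prefetch"),
        os.path.join(system_root, "system32", "config", "systemprofile",
                     "Local Settings", "Temp"),
    ]
    if os.path.isdir(profiles_root):
        for user in os.listdir(profiles_root):  # "(all your pc users)"
            folders.append(os.path.join(profiles_root, user, "Local Settings", "Temp"))
    return folders


def clean_temp(folder, keep=KEEP_DEFAULT, dry_run=False):
    """Delete the contents of `folder` (never the folder itself).

    Returns {"removed": [...], "kept": [...], "failed": [(path, error), ...]}.
    A file that is in use (or otherwise undeletable) lands in "failed" and
    the run continues, which is what you want when e.g. ZoneAlarm holds a
    ZLT*.TMP open.
    """
    result = {"removed": [], "kept": [], "failed": []}
    if not os.path.isdir(folder):
        return result
    keep_lower = {k.lower() for k in keep}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if name.lower() in keep_lower:
            result["kept"].append(path)
            continue
        if dry_run:
            result["removed"].append(path)
            continue
        try:
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
            result["removed"].append(path)
        except OSError as err:  # locked/in-use file, permission denied, ...
            result["failed"].append((path, str(err)))
    return result


def demo():
    """Build a constructed sample Temp tree in a scratch directory, clean it,
    and return what happened. Used instead of touching a real system."""
    base = tempfile.mkdtemp(prefix="xp_temp_demo_")
    try:
        for sub in ("Temporary Internet Files", "History", "WER1.tmp.dir00", "~DFA1B2.tmp"):
            os.makedirs(os.path.join(base, sub))
        for name in ("UIUCU.EXE", "wbk1AB.tmp", os.path.join("WER1.tmp.dir00", "sysdata.xml")):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("constructed sample content\n")
        result = clean_temp(base)
        result["remaining"] = sorted(os.listdir(base))  # what the cleaner left behind
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for folder in temp_folders():
        r = clean_temp(folder, dry_run=True)
        print(f"{folder}: would remove {len(r['removed'])}, keep {len(r['kept'])}")
```

The Temporary Internet Files sub-folder is deliberately left alone; clear it through the Internet Options dialog as the post describes, or pass `keep=()` if you want the script to empty it as well.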
     
  11. 2004/12/26 rebecca (Thread Starter)
    Had Hijack This fix that one entry, and when I ran Hijack This again right after rebooting, the line appears to be gone.
    Emptied all the folders you mentioned, including the corresponding entries for anything in C:\WINNT\, which is where the original installation of XP was on this computer. One file I was not able to delete: ZLT03959.TMP, located in C:\WINDOWS\temp folder. I keep getting the message that the file is being used, including immediately upon rebooting.
    Got that "the system has recovered from a serious error" message again, and when I clicked on 'technical details about the error', this is what showed up:
    "The following files will be included in this error report:
    C:\WINDOWS\Minidump\Mini122604-02.dmp
    C:\DOCUME~1\OWNER~1.BOU\LOCALS~1\Temp\WER1.tmp.dir00\sysdata.xml "
    Don't know if it could be related to virus/spyware or not.

    Full AVG scan came up clean after I emptied the vault. AdAware and Spybot are both clean too.
     
  12. 2004/12/26 rebecca (Thread Starter)
    Found a solution for the error at http://www.wetcanvas.com/forums/archive/index.php/t-160087
    and sure enough, the computer restarted with no error message this time! :D
    Incidentally, I just ran Spybot again, and it still shows 5 DSO exploits, but as I recall, those aren't critical - am I right?
    Thanks for all your help!
    Rebecca
     