PPRuNe Forums > Misc. Forums > Computer/Internet Issues & Troubleshooting

'kgkadi.exe' Any ideas, Gentlemen?


Old 14th December 2008 | 10:40
  #1 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
'kgkadi.exe' Any ideas, Gentlemen?

Having recently done a complete re-install of XP on my neighbour's laptop, it seems that I am now the (nearly) on-site IT consultant.
He called me yesterday to report that the laptop had shut itself down on a couple of occasions and he suspected the fan wasn't working. As it happens there was nothing wrong in that department, as after twenty-five minutes of head scratching he volunteered the information that he had been using the machine actually on his lap (there's a novelty) and wondered if the ventilation grille had been blocked, thus causing it to overheat. As it showed no signs of shutting itself down whilst on the table, I thought that was a sensible conclusion.

Before we got to that stage, I ran msconfig to see what programs were selected on start up. At the bottom of the list was something called 'kgkadi' and shown as 'kgkadi.exe' in the associated entry.
I've done a number of searches and can't find any reference to this program and I'm wondering if it is a malign influence. My neighbour is something of a tinkerer and I suspect I haven't been told everything.
I've disabled it as a start up program but I really have no idea what it is.

Anyone care to have a go at what it might be?

Ta

N o t a

PS I'm tempted to employ the principle of 'working well, leave it alone', but I'm concerned that it might be a 'nasty' of some description.
None of the above is offline  
Old 14th December 2008 | 11:36
  #2 (permalink)  
 
Joined: Jan 2007
Posts: 1,496
Likes: 0
From: Tracey Island
I can only find reference to it on a couple of russian sites (can't do a translation). That alone would make me wary of it....
call100 is offline  
Old 15th December 2008 | 02:41
  #3 (permalink)  
 
Joined: Feb 2000
Posts: 542
Likes: 0
From: asia
Questions:

1) Is the machine connected to the internet?
2) Is it patched up to date with the latest MS updates?
3) Does it have an up to date antivirus software package installed? (By up to date I mean it has updated itself within the last 2 days)
4) Have you run a full virus scan?
5) Have you run a full scan with MBAM (Malwarebytes.org)?

It certainly looks like a suspicious filename. In which directory is it located, and what does right-click Properties tell you about it?
stickyb is offline  
Old 15th December 2008 | 05:16
  #4 (permalink)  
20 Anniversary
 
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
Try a search on the computer, (show hidden and system files) find the executable. Right click on it and select properties. That may possibly reveal something about the author, what it's for, and when it was last modified.
Or it may reveal not much. Worth a shot though. Google reveals nothing. The two sites I have bookmarked concerning processes haven't heard of it. Nor is it listed at Asquared or Prevx.
That in itself is a little suss. Prevx lists all sorts of files, malware or not.
Tarq57 is offline  
Old 15th December 2008 | 07:41
  #5 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
Thanks call100, stickyb and Tarq57. I'm grateful to you.

stickyb...........

(1) Yes, it's connected to the net.

(2) Yes, I made sure he downloaded the latest security updates while I was there on Saturday evening.

(3) & (4)
AVG free is installed and up to date. When the neighbour phoned on Saturday morning, the first thing I did was get him to run a scan.
The scan didn't turn up anything at all.

(5) Haven't done a scan with MBAM but will attempt to get that done today.

I'll come back to you with full directory details later.

Tarq57......

Yes, I did a search for the executable but couldn't find a thing having made hidden files and folders visible. Odd......... very odd.



Thanks again,

N o t a
None of the above is offline  
Old 15th December 2008 | 07:47
  #6 (permalink)  
20 Anniversary
 
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
Time for a rootkit scan, methinks. Andy Manchester's site maintains up to date info and links for all sorts of malware scanners, including antirootkit scanners. Results can need a bit of interpretation.
Reason I think that is that you should be able to locate the .exe. And if not, maybe it's lurking in the ADS.
Does it show up in services at all?
Tarq57 is offline  
Old 15th December 2008 | 11:36
  #7 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
Thanks Tarq,

I spoke to the neighbour this morning and Emailed him the link for Malwarebytes.org so by the time I see him this evening he should have a scan under his belt and, as you suggest, a rootkit scan will be next.

We'll see what they both turn up and proceed from there. As you say, it really is a bit odd that I haven't been able to find the .exe, although I can't rule out operator error.

Thanks again,

I'll post findings later today or tomorrow AM,

N o t a
None of the above is offline  
Old 15th December 2008 | 19:57
  #8 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
Light is beginning to dawn, Gentlemen.

The neighbour ran a malware scan (thanks, stickyb) which revealed twelve nasties, four of which relate to the problem under discussion.
The offending party is adware called 'NaviPromo' and the scan showed the following:

C:\Documents and Settings\User Name\Local Settings\Application Data\kgkadi.exe

C:\Documents and Settings\User Name\Local Settings\Application Data\kgkadi_navps.dat

C:\Documents and Settings\User Name\Local Settings\Application Data\kgkadi_nav.dat

C:\Documents and Settings\User Name\Local Settings\Application Data\kgkadi.dat

Everything has now been quarantined, although the 'kgkadi' entry is still listed as a start up program, albeit a deselected one. I can't find any trace of it in Windows Explorer or in 'Add/Remove programs'. A quick search reveals that there are ways and means of removing it but I've yet to pursue that course any further. It seems that P2P systems are frequently the conduit for such infections and said neighbour has one called 'Sopcast'. Probably bad form to point fingers, but in this instance I'm willing to do so.

Thanks, Gentlemen,

N o t a

Last edited by None of the above; 15th December 2008 at 20:08.
None of the above is offline  
Old 15th December 2008 | 20:54
  #9 (permalink)  
 
Joined: Oct 2007
Posts: 448
Likes: 0
From: Norfolk U.K.
You may be interested to know that one of the Malware help forums will not give assistance to anyone who has P2P software on their P.C.'s, unless they are willing to remove it first.....
The Flying Pram is offline  
Old 15th December 2008 | 21:22
  #10 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
You may be interested to know that one of the Malware help forums will not give assistance to anyone who has P2P software on their P.C.'s, unless they are willing to remove it first.....
I'll break the news to him very gently!

Seriously, I did try to convince him that P2P software had the potential to compromise his machine (wasn't I diplomatic?) but I suspect he won't take any notice.

What's that expression about having made one's bed?

N o t a
None of the above is offline  
Old 15th December 2008 | 21:36
  #11 (permalink)  
20 Anniversary
 
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
P2P can actually be used safely, but its use places an added burden on the user to more comprehensively analyze what is downloaded prior to running it, and/or putting mitigating procedures in place (such as limited rights, a VM, imaging etc).
It's not for a clueless user. I'm maybe a step above clueless, and have managed to avoid infection, so it's not that difficult.
Now with a live streaming app., I would think a sandbox (VM) environment would be just the ticket.

Re the original threat: MBAM is an extremely capable AS, I would also recommend an antirootkit scan, and/or an additional AS scan with, say, Superantispyware.
This thing installs using rootkit technology, according to F-Secure.
Tarq57 is offline  
Old 16th December 2008 | 06:31
  #12 (permalink)  
More bang for your buck
 
Joined: Nov 2005
Posts: 3,513
Likes: 1
From: land of the clanger
It's the P2P thing that stopped me using the BBC iPlayer and C4's version as well, both from the security problem and the bandwidth usage. After all, the reason for using it is that it's cheaper in hardware terms and our woefully inadequate bandwidth speeds.
green granite is offline  
Old 16th December 2008 | 20:15
  #13 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
Well, the neighbour has seen the light and disposed of his P2P software.

The NaviPromo adware was quarantined and subsequently deleted but the .exe still shows as a start up program although disabled.

Running msconfig shows the Command as: "C:\Documents and Settings\User Name\Local Settings\Application Data\kgkadi.exe" kgkadi, and the Location as SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

I don't know if I can reasonably assume that it is now no longer doing any harm. Sorry to trouble you further, but does anyone have any additional thoughts on the subject?

Thanks,

N o t a
None of the above is offline  
Old 16th December 2008 | 20:28
  #14 (permalink)  
 
Joined: Nov 2000
Posts: 3,443
Likes: 1
From: Cambridge, England, EU
The root cause of the infection is probably some other file which you haven't found yet, which reinstalls itself under a new, different, random name each time you have a go at removing it.

It's the failure to find "randomstringofcharacters.exe" in a Google search that usually tells you you're looking for this sort of thing - nobody else's infection has the same filename as yours.
Gertrude the Wombat is offline  
Old 16th December 2008 | 20:47
  #15 (permalink)  
20 Anniversary
 
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
NOTA, have you looked in regedit to attempt to locate that key?
And (of course) in the docs and settings folder for that file?
Tarq57 is offline  
Old 16th December 2008 | 21:28
  #16 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
Thanks GtW and T57

NOTA, have you looked in regedit to attempt to locate that key?
And (of course) in the docs and settings folder for that file?
No, I haven't done that as yet. I'd like to get the machine home with me so I can wrap a wet towel around my head and concentrate. The neighbour is a benign sort, but I don't need him peering over my shoulder when I am trying to work my magic.
What you suggest hadn't occurred to me so I'll give it a go.

As mentioned in the opening post, it's not five minutes since I did a complete re-install and I don't know what else lurks within, since his capacity to bugga it up knows no bounds. Perhaps, I should have charged him £85.
I suspect that would have concentrated his mind wonderfully and he would have been more careful thereafter.

Anyway, onward ever upward

N o t a
None of the above is offline  
Old 16th December 2008 | 21:36
  #17 (permalink)  
Per Ardua ad Astraeus
 
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
When you peer out of the wet towel, consider using hijackthis and try deleting any suspicious reg entries there?
BOAC is offline  
Old 20th December 2008 | 11:20
  #18 (permalink)  
Thread Starter
20 Anniversary
 
Joined: May 2003
Posts: 307
Likes: 0
From: South East England
I saw the neighbour this morning and, largely due to all the other malign influences that have manifested themselves, we've (Correction: 'I've') decided to go for the nuclear option and the pleasures of a re-install await.

I will collect the laptop on my way back from a temporary assignment looking after nine horses on a small stud. At least I get paid for picking up all the, er..... well, you know. The same, of course, cannot be said for the electronic variety.

I should be able to get through a couple of chapters of 'War and Peace' whilst the operation takes place.
Every cloud has a silver lining

Thanks again, one and all

N o t a
None of the above is offline  
Old 23rd December 2008 | 08:11
  #19 (permalink)  
 
Joined: Jul 2008
Posts: 58
Likes: 0
From: Lincoln
The kgkadi key would normally have been removed by MBAM but since you disabled it in the startup it will not be in the usual place in the registry. (Probably because it is not running due to you disabling it)

If you use msconfig to re-enable it, now that you've used MBAM to clear the infection, and then run MBAM again it should clear it.
bit-twiddler is offline
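The checks raised in posts #13, #15 and #19 (read the Run key and command string that msconfig reports, look for the key in the registry, and understand why a deselected item is no longer in the usual place) gathered into one script. This is an added example, not code from the thread or from any of the tools it mentions. It assumes Windows PowerShell 5.1 or later in an elevated prompt, and the msconfig storage location used by XP through Windows 7 (Windows 8 and later record disabled state under Explorer\StartupApproved and leave the Run value in place); Split-AutorunCommand, Get-AutorunEntries and Test-AutorunTarget are names chosen for this example.

```powershell
# Triage of Windows autorun entries such as the 'kgkadi' Run value in this
# thread. Added example, not from the original posts. Assumes Windows
# PowerShell 5.1+ in an elevated prompt; function names are this example's own.

# Registry locations that msconfig lists as "enabled" startup items.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Where msconfig on XP/Vista/7 parks an item once it is deselected: the value
# is removed from the Run key above and stored here as a subkey, which is why
# a disabled entry no longer turns up under ...\CurrentVersion\Run.
$MsconfigDisabled = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

function Split-AutorunCommand {
    # Break a Run value into executable path and arguments. Handles the form
    # seen in the thread ("C:\...\kgkadi.exe" kgkadi) and unquoted paths that
    # contain spaces, which must not be cut at the first space.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) {
            return [pscustomobject]@{ Path = $cmd.Substring(1, $end - 1); Args = $cmd.Substring($end + 1).Trim() }
        }
        $cmd = $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '(?i)^(.*?\.(exe|com|scr|bat|cmd|dll|vbs|js))(\s+(.*))?$')
    if ($m.Success) {
        return [pscustomobject]@{ Path = $m.Groups[1].Value; Args = $m.Groups[4].Value }
    }
    $parts = $cmd -split '\s+', 2
    return [pscustomobject]@{ Path = $parts[0]; Args = $(if ($parts.Count -gt 1) { $parts[1] } else { '' }) }
}

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
            [pscustomobject]@{ Name = $p.Name; Command = [string]$p.Value; Source = $key; State = 'enabled' }
        }
    }
    if (Test-Path $MsconfigDisabled) {
        foreach ($sub in Get-ChildItem -Path $MsconfigDisabled) {
            $v = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{ Name = $sub.PSChildName; Command = [string]$v.command; Source = $sub.PSPath; State = 'disabled (msconfig)' }
        }
    }
}

function Test-AutorunTarget {
    # Inspect the file an autorun points at. -Force shows hidden/system files,
    # which a default Explorer search skips.
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    $file = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
    if (-not $file) {
        return [pscustomobject]@{ Path = $full; Exists = $false; Note = 'file missing: orphaned value, or hidden by a rootkit' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $full
    $ads = @(Get-Item -LiteralPath $full -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object { $_.Stream })
    [pscustomobject]@{
        Path       = $full
        Exists     = $true
        Hidden     = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        System     = (($file.Attributes -band [IO.FileAttributes]::System) -ne 0)
        SizeKB     = [math]::Round($file.Length / 1KB, 1)
        Created    = $file.CreationTime
        Modified   = $file.LastWriteTime
        Signature  = $sig.Status                 # 'NotSigned' is the norm for adware droppers
        Signer     = $sig.SignerCertificate.Subject
        SHA256     = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        AltStreams = ($ads -join ', ')           # non-empty means an alternate data stream is present
        InProfile  = ($full -like "$env:USERPROFILE\*")   # an autorun living under a user profile is a red flag
    }
}

# One record per autorun entry, whether enabled or parked by msconfig.
Get-AutorunEntries | ForEach-Object {
    $parsed = Split-AutorunCommand -Command $_.Command
    $info   = Test-AutorunTarget -Path $parsed.Path
    $info | Add-Member -NotePropertyName Entry  -NotePropertyValue "$($_.Name) [$($_.State)]" -Force
    $info | Add-Member -NotePropertyName Args   -NotePropertyValue $parsed.Args -Force
    $info | Add-Member -NotePropertyName Source -NotePropertyValue $_.Source -Force
    $info
} | Format-List
```

Once the scanners are clean and a target file is confirmed gone (Exists = False), the stale value can be removed with Remove-ItemProperty on its Source key, or Remove-Item on the startupreg subkey for an msconfig-disabled entry. That is the same situation bit-twiddler describes: the scanner only cleans the value in the place it expects to find it, so an entry msconfig has moved elsewhere survives the scan.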
Old 23rd December 2008 | 09:08
  #20 (permalink)  
Per Ardua ad Astraeus
 
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
As I said before
When you peer out of the wet towel, consider using hijackthis
BOAC is offline  