Kamsoft CKVO.exe malware manual removal instructions


Post  AnishR on Sat Nov 01, 2008 5:50 pm

Description: Troj/Gamania-BW
Name: Kamsoft
Command: C:\windows\system32\ckvo.exe

1. This malware creates the following entry in the registry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

2. Attacks all drives and modifies the mount points key in the registry so that when you double-click on drives they open in a new window instead of opening in the same window.
Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}\shell\Autoplay\DropTarget

3. Resets the hidden files attributes.

4. Files associated with this malware that are hidden as system files in all partitions, including C:\:
39lpji.com
ktnquo.exe
vxl.exe
oq.cmd
fe.bat
kk3.bat
rs.cmd
autorun.inf

5. Files found in C:\windows\system32:
ckvo.exe
ckvo0.dll
ckvo1.dll

Removal instructions:

1. Start the computer in safe mode by pressing F8 during booting.

2. Open Registry Editor.
Find entries for ckvo and kamsoft and delete all the entries.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
Delete all the keys starting with {........}
Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}
In the above key delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}

3. Open the command prompt.
Clear the attributes from the virus files:
Go to C:\>
Type attrib so you can see the hidden files in the root drive.
To clear the attributes of the malware files, type (I have already mentioned the list of files):
attrib -s -h -r filename
Example: C:\>attrib -s -h -r autorun.inf
D:\>attrib -s -h -r autorun.inf
Repeat the above command for all the malware files.

To delete the virus files, type:
del filename
Example: C:\> del autorun.inf
D:\> del autorun.inf
Repeat the above command for all the malware files.
Look for the malware files in all other partitions and delete them.

Go to c:\windows\system32>

Type:
attrib -s -h -r ckvo.exe
attrib -s -h -r ckvo.dll
attrib -s -h -r ckvo0.dll
attrib -s -h -r ckvo1.dll
del ckvo.exe
del ckvo0.dll
del ckvo1.dll

Note: Some files in system32 may not delete; in that case you should log off once and log on again to delete any files associated with this malware.

4. Now open Registry Editor.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Change the DWORD value of CheckedValue from 0 to 1.
Now go to Folder Options and change the hidden file attributes and show system files options. You should be able to see all hidden files.

5. Finally, turn off System Restore and turn it on again so the previous restore points will be deleted.

AnishR
Admin

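The indicators listed in the post above can be checked in one pass, before and after the manual cleanup. This PowerShell script is an added example, not part of the original post; it only reads the registry and file system, and it assumes the key paths and file names exactly as the post gives them.

```powershell
# Read-only audit for the indicators listed in the post; deletes and changes nothing.
$rootFiles  = '39lpji.com','ktnquo.exe','vxl.exe','oq.cmd','fe.bat','kk3.bat','rs.cmd','autorun.inf'
$sys32Files = 'ckvo.exe','ckvo0.dll','ckvo1.dll'
$findings   = @()

# 1. Autostart value "Kamsoft" under HKLM\...\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Kamsoft']) {
    $findings += "Run value Kamsoft = $($run.Kamsoft)"
}

# 2. Listed files in the root of every file-system drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $rootFiles) {
        $path = Join-Path $drive.Root $name
        # -Force is needed because the files carry the hidden and system attributes
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) { $findings += "File $path [$($item.Attributes)]" }
    }
}

# 3. Components in system32
foreach ($name in $sys32Files) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) { $findings += "File $path" }
}

# 4. MountPoints2 volume keys ({GUID}) that carry a shell subkey, as in the post's example
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($key in Get-ChildItem -Path $mp -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -like '{*}' -and
        (Test-Path -LiteralPath (Join-Path $key.PSPath 'shell'))) {
        $findings += "MountPoints2 key $($key.PSChildName) has a shell subkey (review)"
    }
}

# 5. "Show hidden files" switch that step 4 of the post sets back to 1
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -ne 1) { $findings += "SHOWALL CheckedValue = $cv (expected 1)" }

if ($findings) { $findings } else { 'No indicators from the post were found.' }
```

An autorun.inf on optical media or a shell subkey cached for a legitimate device can also show up, so treat each hit as an item to review against the post's list rather than as proof of infection.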

This solution works

Post  Roshan on Tue Nov 11, 2008 1:55 pm

Hey Anish,

I was experiencing the same problem of being unable to see the hidden files and followed the steps mentioned by you, which have successfully corrected the problem.

Thanks a ton

Roshan
