Kamsoft CKVO.exe malware manual removal instructions

Description: Troj/Gamania-BW

Name: Kamsoft

Command: C:\windows\system32\ckvo.exe

This malware creates the following registry entry so that it runs whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

It infects all drives and modifies the MountPoints2 key in the registry, so that double-clicking a drive opens it in a new window instead of in the same window.

Example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}\shell\Autoplay\DropTarget

It resets the hidden-file attributes.

The following files associated with this malware are hidden as system files in all partitions, including C:\

39lpji.com
ktnquo.exe
vxl.exe
oq.cmd
fe.bat
kk3.bat
rs.cmd
autorun.inf

Files found in C:\windows\system32:

ckvo.exe
ckvo0.dll
ckvo1.dll

Removal instructions:

Start the computer in Safe Mode by pressing F8 during boot

Open Registry Editor

Delete the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

Go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

and delete all the keys starting with {........}

Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}

In the above key delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}

Open the command prompt

Go to C:\>

Type attrib so you can see the hidden files in the root of the drive

To clear the attributes of the malware files, type

attrib -s -h -r filename

Example: C:\>attrib -s -h -r autorun.inf
D:\>attrib -s -h -r autorun.inf


Repeat the above command for all of the malware's files

To delete the virus files, type

del filename

Example: C:\> del autorun.inf
D:\> del autorun.inf

Repeat the above command for all of the malware's files

Look for the malware's files in all other partitions and delete them.

Go to c:\windows\system32>

Type

attrib -s -h -r ckvo.exe
attrib -s -h -r ckvo.dll
attrib -s -h -r ckvo0.dll
attrib -s -h -r ckvo1.dll
del ckvo.exe
del ckvo0.dll
del ckvo1.dll

Some files in system32 may not delete. In that case, log off and log on again, then delete any remaining files associated with this malware

Now open Registry Editor and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Change the DWORD value CheckedValue from 0 to 1.

Now go to Folder Options and change the hidden-file and show-system-files options. You should be able to see all hidden files.

Finally, turn off System Restore and turn it on again so that the previous restore points are deleted
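
Before and after the manual steps above, the same indicators can be checked in one pass. The PowerShell script below is an added example, not part of the original post: it only reads and reports, and the REVIEW category (hidden system files whose names are not in the post's list) is an assumption added because the file names can differ between infections.

```powershell
# Added example: read-only audit for the indicators listed in the post. Deletes nothing.
$findings = @()

# 1. Run-key persistence: value "Kamsoft" under HKLM\...\Run
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Kamsoft']) {
    $findings += "Run value 'Kamsoft' = $($run.Kamsoft)"
}

# 2. Files the post lists in system32
foreach ($name in 'ckvo.exe', 'ckvo0.dll', 'ckvo1.dll') {
    $path = Join-Path $env:windir "System32\$name"
    if (Test-Path -LiteralPath $path) { $findings += "Present: $path" }
}

# 3. Hidden+System files in each drive root. Names from the post are flagged LISTED;
#    other hidden system scripts/executables are flagged REVIEW (assumption: extensions
#    taken from the post's file list). REVIEW hits can be legitimate boot files
#    (e.g. NTDETECT.COM on older Windows), so inspect them before acting.
$listed = '39lpji.com', 'ktnquo.exe', 'vxl.exe', 'oq.cmd', 'fe.bat', 'kk3.bat', 'rs.cmd', 'autorun.inf'
$exts   = '.com', '.exe', '.cmd', '.bat', '.inf'
$mask   = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $findings += @(Get-ChildItem -LiteralPath $drive.Root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $mask) -eq $mask) } |
        ForEach-Object {
            if ($listed -contains $_.Name) { "LISTED: $($_.FullName)" }
            elseif ($exts -contains $_.Extension) { "REVIEW: $($_.FullName)" }
        })
}

# 4. MountPoints2 volume entries ({GUID}) that carry a shell subkey, as in the post's example
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$findings += @(Get-ChildItem -Path $mp -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '{*}' -and ($_.GetSubKeyNames() -contains 'shell') } |
    ForEach-Object { "MountPoints2 shell key: $($_.PSChildName)" })

# 5. Explorer "show hidden files" switch that the post sets back to 1
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -ne 1) { $findings += "SHOWALL CheckedValue = $cv (post expects 1)" }

if ($findings) { $findings } else { 'None of the listed indicators were found.' }
```

MountPoints2 lives under HKEY_CURRENT_USER, so run the script in the session of each user who has opened the infected drives.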

8 comments:

Abhishek said...

thanks for the help man.....this ckvo virus has been troubling me the whole week.....you did me a favour...thanks

Aven said...

I even used malwarebytes.....it worked out pretty well too.....Great software....

indika said...

Thank you very much. It helped me a lot. (But I couldn't find the file ckvo.exe, maybe it has a different name now.)

Shafeer said...

really nice topic... it helped me a lot to recover my system.

Trần said...

BitDefender detected them

мαηŧαќєя said...

39lpji.com
ktnquo.exe
vxl.exe
oq.cmd
fe.bat
kk3.bat
rs.cmd

These specified names are not common as you said .. ;)) These are auto generated names as per the virus is written .. U guys want a common removal instruction??? :P

This is just a batch program and you guys are really struggling to get this out =))

Thanks

--
Creator of this small virus ..

Anonymous said...

Thanks guy for the instructions, 1 hour of work but destroyed at all!
I also found xih9.cmd with the autorun.inf in all drives. It's better to also try to find "Kamsoft", "ckvo" and "xih9" in the whole registry with regedit-find and delete or rename all the keys with that name (I found xih9 in prefetch...).
I also can't find ckvo.exe, maybe it can work the same without it...

Madhava Rao Arimilli said...

Thanks. Any other suggestions regarding this virus removal post are welcome