Other Way:
Kamsoft CKVO.exe malware manual removal instructions
Description: Troj/Gamania-BW
Name: Kamsoft
Command: C:\windows\system32\ckvo.exe
This malware creates the following registry entry so that it runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe
It attacks all drives and modifies the MountPoints2 key in the registry, so that double-clicking a drive opens it in a new window instead of in the same window.
Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}\shell\Autoplay\DropTarget
It resets the hidden files attributes.
Files associated with this malware, hidden as system files in all partitions including C:\
39lpji.com
ktnquo.exe
vxl.exe
oq.cmd
fe.bat
kk3.bat
rs.cmd
autorun.inf
Files found in C:\windows\system32
ckvo.exe
ckvo0.dll
ckvo1.dll
Removal instructions:
Start the computer in safe mode by pressing F8 during boot
Open Registry Editor
Delete the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe
Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
delete all the keys starting with {........}
Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}
In the above key delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}
Open the command prompt
Go to C:\>
Type attrib to see the hidden files in the root of the drive
To clear the attributes of the malware files, type
attrib -s -h -r filename
Example: C:\>attrib -s -h -r autorun.inf
D:\>attrib -s -h -r autorun.inf
Repeat the above command for all of the malware's files
To delete the virus files, type
del filename
Example: C:\> del autorun.inf
D:\> del autorun.inf
Repeat the above command for all of the malware's files
Look for the malware's files in all other partitions and delete them.
Go to C:\windows\system32> and type
attrib -s -h -r ckvo.exe
attrib -s -h -r ckvo.dll
attrib -s -h -r ckvo0.dll
attrib -s -h -r ckvo1.dll
del ckvo.exe
del ckvo0.dll
del ckvo1.dll
Some files in system32 may not delete; in that case, log off once and log on again to delete any remaining files associated with this malware.
Now open Registry Editor and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Change the DWORD value of CheckedValue from 0 to 1.
Now go to Folder Options and change the hidden file attributes and show system files options. You should be able to see all hidden files.
Finally, turn off System Restore and turn it on again so that the previous restore points are deleted.
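
To check a machine before or after the steps above, the registry values and file names listed on this page can be looked up with a read-only PowerShell script. This is an added example, not part of the original instructions; it deletes nothing, its variable names are its own, and it assumes Windows lives under %SystemRoot%.

```powershell
# Added example: read-only check for the artifacts named on this page.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$mountKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$showAll   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$rootFiles = '39lpji.com','ktnquo.exe','vxl.exe','oq.cmd','fe.bat','kk3.bat','rs.cmd','autorun.inf'
$sysFiles  = 'ckvo.exe','ckvo0.dll','ckvo1.dll'

# 1. Autostart value "Kamsoft" under the Run key
$run = Get-ItemProperty -Path $runKey -Name 'Kamsoft' -ErrorAction SilentlyContinue
if ($run) { "Run value present: Kamsoft = $($run.Kamsoft)" }
else      { 'Run value "Kamsoft" not present' }

# 2. {GUID} subkeys of MountPoints2, listed for review (current user only)
Get-ChildItem -Path $mountKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $hasShell = $_.GetSubKeyNames() -contains 'shell'
        "MountPoints2 key $($_.PSChildName)  shell subkey: $hasShell"
    }

# 3. Listed file names in the root of every ready drive.
#    -Force makes hidden and system files visible to Get-Item.
#    An autorun.inf on original CD/DVD media can be legitimate.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady } | ForEach-Object { $_.Name }
foreach ($root in $roots) {
    foreach ($name in $rootFiles) {
        $item = Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
        if ($item) { "Found $($item.FullName)  attributes: $($item.Attributes)" }
    }
}

# 4. Listed file names in System32
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in $sysFiles) {
    $item = Get-Item -LiteralPath (Join-Path $sys32 $name) -Force -ErrorAction SilentlyContinue
    if ($item) { "Found $($item.FullName)  attributes: $($item.Attributes)" }
}

# 5. SHOWALL CheckedValue (the instructions above set it to 1)
$cv = (Get-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue).CheckedValue
"SHOWALL CheckedValue = $cv"
```

Run it once per user profile, since the MountPoints2 check reads HKEY_CURRENT_USER of the account running the script.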