
Do comment in the comment section on how useful the removal methods were.

This will encourage me to post more removal methods.

Friday, June 20, 2008

Remove Kavo.exe

Well, kavo.exe is a worm very similar to amvo.exe but much more cumbersome to remove. Here I will explain how to remove it manually and completely.

If your drives open in a new window on double click and you are not able to view your hidden folders and files (even after selecting 'Show hidden files and folders' from Tools -> Folder Options...), then you may be infected with this virus.

To be sure that you are infected with this virus, do the following steps:
1. Click on the Start menu.
2. Click on Run.
3. Type 'msconfig' (without the quotes) and press Enter.
4. Go to the last tab, named 'Startup'.
5. Under 'Startup Item', check whether there is any item named 'KAVA'. If it is there, you have this virus.

The virus usually spreads through external drives like flash drives, pen drives etc.
When run, it copies itself to every drive, so that the virus is activated again every time any drive is opened.

First of all, as the virus hides the hidden files, you need the RRT utility to unhide them. To download the software click here.
Follow these easy steps to remove the virus:

1. Open all the drives in new windows.
2. In another window go to the C:\windows\system32 folder (if your Windows is installed on a drive other than C:, use that drive letter instead).
3. Open the registry editor by going to Start -> Run -> regedit (registry editing can be dangerous if not done properly, so be careful).
4. Now run the RRT utility and click on Auto Remove. Don't close the utility.
5. The utility helps in keeping hidden files unhidden, but the virus keeps hiding the system files again every few seconds, so you will have to repeat this step every few seconds:
   Find the Tools option at the top of the window -> Folder Options -> View tab -> untick 'Hide protected operating system files (Recommended)' -> click Yes on the warning and click Apply.
6. Now in the C:\windows\system32 folder find these files and try deleting them using Shift + Delete (you may have to redo step 5 to unhide them):
   kavo.exe
   kavo0.dll
   kavo1.dll
   kavo2.dll
   kavo3.dll
   You may be able to delete all of them except one. Don't worry, we will deal with it later.
7. As I told you earlier, the virus copies itself to all the drives, so we need to go to the drives now. You will have to repeat step 5 on each drive at least once. It is assumed that you already have all the drives open in separate windows.
8. The virus creates a .bat file with the same name on each drive (for example 1.bat). Find the common .bat file on each drive and delete it along with the autorun.inf file. To show file extensions do the following:
   Find the Tools option at the top of the window -> Folder Options -> View tab -> untick 'Hide extensions for known file types' -> click Apply.
9. Well, now we need to do some registry editing. To open the registry editor go to Start -> Run -> type regedit and press Enter.
10. Go to the following key and delete the value named 'kava':
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Now search the whole registry for the name 'kava' and delete every instance where you find it used together with the word 'kavo' (use Ctrl + F to search and F3 to find next).
11. Now you are almost done. Just log off and log in again to Windows (Start -> Log Off) and delete the file from step 6 which you couldn't delete earlier. You should be able to do it now.

Well now you are free from the Kavo.exe virus.
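To check whether the indicators from the steps above are present before (or after) doing the manual cleanup, here is a read-only audit script. It is an added example, not the post's own tool: it assumes the registry and file paths named in the steps, plus the Explorer 'Advanced' key that backs the Folder Options view settings; it reports only and deletes nothing.

```powershell
# Added example, not part of the original post: read-only audit for the
# kavo.exe indicators listed in the steps above. Nothing is deleted or changed.
$sys32    = Join-Path $env:SystemRoot 'system32'
$findings = @()

# Step 10: the 'kava' value in the per-user Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'kava')) {
    $findings += "Run value 'kava' = $($run.kava)"
}

# Step 6: dropped files in system32 (-Force also lists hidden/system files)
foreach ($name in 'kavo.exe','kavo0.dll','kavo1.dll','kavo2.dll','kavo3.dll') {
    $path = Join-Path $sys32 $name
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
        $findings += "File present: $path"
    }
}

# Step 8: autorun.inf plus a root-level .bat on every drive letter
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root    = $drive.Root
    $autorun = Join-Path $root 'autorun.inf'
    if (Get-Item -LiteralPath $autorun -Force -ErrorAction SilentlyContinue) {
        $findings += "autorun.inf at $root"
        # Show which file the autorun entry would launch, without launching it
        foreach ($line in Get-Content -LiteralPath $autorun -Force) {
            if ($line -match '^\s*(open|shellexecute)\s*=') { $findings += "    $line" }
        }
    }
    $bats = Get-ChildItem -LiteralPath $root -Filter '*.bat' -Force -ErrorAction SilentlyContinue
    foreach ($bat in $bats) { $findings += "Root-level .bat: $($bat.FullName)" }
}

# Step 5: the Folder Options view settings the worm keeps flipping back
# (Hidden = 1 shows hidden files, ShowSuperHidden = 1 shows protected OS files)
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv    = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv.Hidden -ne 1 -or $adv.ShowSuperHidden -ne 1) {
    $findings += "Explorer still hides files: Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden) (want 1 and 1)"
}

if ($findings.Count -eq 0) { 'No kavo.exe indicators found.' } else { $findings }
```

Run it again after step 11; an empty result means the files, the Run value and the drive-root autorun entries are all gone.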

Friday, June 13, 2008

Remove Sandeep Verma virus i.e. snake.exe.vbs


The virus, also known as snake.exe.vbs, is a VBS script which copies itself into the system32 folder and adds itself to the startup items so that it starts as soon as Windows boots. The most noticeable feature of this virus is that it sets the home page of your Internet Explorer to http://sandeep-verma.blogspot.com

The virus creates the following file in the system32 folder:
snake.exe.vbs

To remove the virus you first of all need to kill the following process:
wscript.exe

Next delete the virus, i.e. the following files, from the removable media if the virus came from there:
snake.exe.vbs
autorun.inf

Next go to the C:\WINDOWS\system32 folder, find the following file and delete it:
snake.exe.vbs
(It may be hidden. You may need RRT, a free tool, to show hidden files.)

Now you need to do some editing of the registry.
(Be careful before you edit the registry. Improper editing could lead to a system crash.)

Go to the following key (the GUID is the id of the volume the virus came from, so yours may differ):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d0717e0-2102-11dd-b5a9-00c026a310b1}\Shell\AutoRun\command

On the right hand side there will be a value named (Default) with the data wscript.exe snake.exe.vbs
Double-click on (Default), delete the value data and click OK.

Repeat the above procedure for the following key also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d0717e0-2102-11dd-b5a9-00c026a310b1}\Shell\open\Command

Now go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and find the value Userinit with the data C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\snake.exe.vbs
Change it to C:\WINDOWS\system32\userinit.exe

Now, to correct the Internet Explorer settings, go to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Find the value Start Page. Its data will be http://sandeep-verma.blogspot.com/
Change the data to about:blank

Next, below it you will find a value named Window Title with the data Sandeep Verma
Double-click the name and delete the data.

Congrats! Now you are free from Sandeep Verma Virus

Thursday, June 12, 2008

Remove Kinza.exe

The following files are created in the system32 folder:
kinza.exe
fiber.exe
boot.vbs
actmon.ini
The following variant files may also be present:
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
rbwinx1.dll

From Task Manager, kill the following processes running under your username:
wscript.exe
cmd.exe
netsh.exe

First of all, Task Manager, the registry editor and Folder Options may be disabled.
To enable them use the free tool RRT (to download click here).
On how to use it click here.

Change the following registry value
(Be careful before you edit the registry. Improper editing could lead to a system crash.)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right side find the entry named Userinit.
It will have the data
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs

Change it to
C:\WINDOWS\system32\userinit.exe

Now delete the following files located at C:\windows\system32\
kinza.exe
fiber.exe
actmon.ini
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
rbwinx1.dll

The virus disables the Windows Firewall, which you have to activate again by going to Control Panel, clicking on Security Center, and then on Windows Firewall. It will say that the service has been stopped and ask whether you want to start it. Click Yes to start the firewall again.

Delete the following registry value to finish cleaning up the leftover registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
On the right side locate and delete the value c:\windows\system32\fiber.exe
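Both the snake.exe.vbs and the kinza.exe posts above come down to the same registry tampering: a wscript.exe line appended to Winlogon\Userinit, a drive's MountPoints2 shell command pointing at a script, and (for snake.exe.vbs) the Internet Explorer start page. The script below, an added example and not the posts' own procedure, audits those values and restores them only when run with a -Fix switch of my own naming; the key paths are the ones the posts name, and it assumes it is run from an Administrator prompt.

```powershell
# Added example, not part of the original posts: audit (and, with -Fix, repair)
# the registry values snake.exe.vbs and kinza.exe tamper with. Run as Administrator.
param([switch]$Fix)

# Winlogon\Userinit: everything after userinit.exe runs at every logon. Both
# posts show "wscript.exe <script>.vbs" appended here.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -match 'wscript\.exe|\.vbs') {
    "Userinit hijacked: $userinit"
    # Windows' stock value is userinit.exe followed by a trailing comma
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name Userinit -Value "$env:SystemRoot\system32\userinit.exe," }
}

# MountPoints2: per-volume shell verbs. A 'command' subkey whose default value
# points at a script means double-clicking that drive launched the malware.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($key in Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -ne 'command') { continue }
    $cmd = (Get-ItemProperty -Path $key.PSPath).'(default)'
    if ($cmd -match 'wscript\.exe|\.vbs|\.bat') {
        "$($key.Name) -> $cmd"
        if ($Fix) { Set-ItemProperty -Path $key.PSPath -Name '(default)' -Value '' }
    }
}

# Internet Explorer start page and window title set by snake.exe.vbs
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie     = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
if ($ie.'Start Page' -match 'sandeep-verma') {
    "IE Start Page: $($ie.'Start Page')"
    if ($Fix) {
        Set-ItemProperty    -Path $ieMain -Name 'Start Page'   -Value 'about:blank'
        Remove-ItemProperty -Path $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue
    }
}

# MUICache entry left behind by kinza.exe's fiber.exe
$mui   = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
$fiber = Join-Path $env:SystemRoot 'system32\fiber.exe'
$muiNames = (Get-ItemProperty -Path $mui -ErrorAction SilentlyContinue).PSObject.Properties.Name
if ($muiNames -contains $fiber) {
    "MUICache entry: $fiber"
    if ($Fix) { Remove-ItemProperty -Path $mui -Name $fiber }
}
```

Run it once without -Fix to see what is set, kill wscript.exe as the posts say, then run it with -Fix and log off so the cleaned Userinit value takes effect.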

Tuesday, June 10, 2008

Contact me

Please feel free to contact me at my email muditgoyal1131@yahoo.co.in
You can also post in the comments section.
I will try my best to solve your virus-related problems ASAP.

Also, if you want me to personally remove a virus from your PC, I am available for a minimal charge. Just shoot me a mail and we can set up a time which suits both of us. I would clean the virus by remote controlling your PC using specialized software in which you would also have full control over your PC.

As for now
Happy Virus Hacking