Do comment in the comment section on how useful the removal methods were.

This will encourage me to post more removal methods.

Thursday, June 12, 2008

Remove Kinza.exe

The following files are created in the system32 folder:
kinza.exe
fiber.exe
boot.vbs
actmon.ini
The following variations may also be present:
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
rbwinx1.dll

In Task Manager, end the following processes that are running under your username:
wscript.exe
cmd.exe
netsh.exe

First of all, Task Manager, Registry Editor and Folder Options may be disabled.
To re-enable them, use the free tool RRT (to download, click here).
For how to use it, click here.

Change the following registry value
(Be careful when editing the registry. Improper editing could lead to a system crash.)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right side, find the entry named Userinit.
It will have the following data:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs

Change it to
C:\WINDOWS\system32\userinit.exe

Now delete the following files located in C:\windows\system32\:
kinza.exe
fiber.exe
actmon.ini
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
rbwinx1.dll

The virus disables Windows Firewall, which you have to re-enable by going to Control Panel, clicking Security Center, and then Windows Firewall. It will say that the service has been stopped and ask whether you want to start it. Click Yes to start the firewall again.

To complete the cleanup, delete the following leftover registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shellnoroam\MUICache
On the right side, locate and delete the value c:\windows\system32\fiber.exe
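
A read-only check for the leftovers described above, added here as an example and not part of the original post. It assumes PowerShell is installed on the machine and that Windows lives under %SystemRoot%; it reports findings and changes nothing.

```powershell
# Read-only audit for the artifacts listed in this post (added example).
$sys32 = Join-Path $env:SystemRoot 'System32'

# File names taken from the lists in the post.
$names = 'kinza.exe', 'fiber.exe', 'boot.vbs', 'actmon.ini',
         'imapde.dll', 'imapdc.vxd', 'imapd.exe', 'imapdb.dll',
         'imapdb.exe', 'imapdc.dll', 'imapdd.dll', 'rbwinx1.dll'

# 1. Winlogon\Userinit should start userinit.exe and nothing else.
#    The value is a comma-separated list, so split it and report every
#    entry that is not the expected path (string -ne is case-insensitive).
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $sys32 'userinit.exe'
$userinit = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$extra = @($userinit -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -ne $expected) })

# 2. Which of the listed files are still in system32?
$found = @($names |
    ForEach-Object { Join-Path $sys32 $_ } |
    Where-Object { Test-Path -LiteralPath $_ })

# 3. Report.
"Userinit = $userinit"
if ($extra.Count -gt 0) {
    'Unexpected Userinit entries:'
    $extra | ForEach-Object { "  $_" }
} else {
    'Userinit contains only userinit.exe.'
}

if ($found.Count -gt 0) {
    'Listed files still present:'
    $found | ForEach-Object { "  $_" }
} else {
    'None of the listed files are present.'
}
```

Run it before and after the manual steps: a clean system reports only userinit.exe in Userinit and none of the listed files.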

3 comments:

THE ONE said...

Hello.
I have moderated the comment section. You can post your comments but they will appear only after they have been approved by me. I will log in daily more than once to approve them.

Well, go ahead and ask about any virus/trojan-related problems you are having and I will be happy to answer you. Do check the contact me section.
Mudit

Atul Gupta said...

hi mudit,
thx 4 great help in removing sandeep sharma virus,
need one more help in the same great steps pls "to remove tr/crypt.cfi.gen" and w32.fujacks.ini
can u pls help in removing these two.

Regards,
Atul

THE ONE said...

You are welcome Atul.
I would love to post the removals of these viruses but for that I would need samples of them. Can you zip the samples and send me on my mail id muditgoyal1131@yahoo.co.in (which I think won't work) or upload it to sites like rapidshare.
If that's not possible I can remove it personally by remotely accessing your PC. If you want that, contact me on my mail id.