Friday, November 28, 2008

Virus Removal : Kamsoft.exe, ckvo.exe, autorun.inf : Folder within folder

Hi All,

It has been a long time since I have written anything.

Today I have come up with a solution to a new virus problem. The virus is called Kamsoft.exe :)

Many PCs may be infected by this new virus, and its channel is our all-time favourite: the USB drive.

High-level symptoms:

1. It creates a file of approx. 603 KB in size within a folder (the folder-within-folder symptom from the title).
2. It disables regedit.
3. You can't see hidden files and folders, i.e. it disables the hidden files and folders option in Control Panel.
4. It may disable msconfig.
5. It makes your PC very slow.
6. It attacks all drives and modifies the MountPoints key in the registry, so that when you double-click a drive it opens in a new window instead of the same window.

Actions performed by the virus:

1. This malware creates the following entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

2. It creates (or may create) the following files in the root of C:\, D:\ and the other drives:
  • uuuq.exe
  • whi.com
  • 39lpji.com
  • ktnquo.exe
  • vxl.exe
  • oq.cmd
  • fe.bat
  • kk3.bat
  • rs.cmd
  • autorun.inf

3. The following files may be found in the System32 folder:

  • ckvo.exe
  • ckvo0.exe
  • ckvo1.exe
  • kamsoft.exe

Virus Removal

1. Start the computer in safe mode by pressing F8 during boot.

2. Open the Registry Editor (if the Registry Editor is disabled, go to step 3; otherwise go to step 4).

3. Re-enable the Registry Editor:

  • Hit Windows+R to bring up Run (Start > Run)
  • Type gpedit.msc and click OK
  • For regedit: in the Group Policy window, browse to User Configuration > Administrative Templates > System. You will see a small entry named "Prevent access to registry editing tools". Double-click that entry, select the Disabled option and click OK. Your regedit.exe has just been enabled.

4. Search (Ctrl+F) for ckvo.exe and delete all entries. Repeat the same for Kamsoft.exe and autorun.inf.

5. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ and delete all the keys starting with {........}

For example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}

In the above key, delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}.

6. Open the command prompt and go to C:\>

7. Type attrib so you can see the hidden files in the root of the drive.

8. To clear the attributes of the malware files, type:
  • attrib -s -h -r filename
  • e.g. attrib -s -h -r autorun.inf

9. Delete the file by typing:

  • del filename
  • e.g. del autorun.inf

10. Repeat steps 8 and 9 for all the malware files.

(Note: do not delete the system files)
  • ntdetect.com
  • ntldr
  • hiberfil.sys
  • io.sys
  • pagefile.sys
  • autoexec.bat
  • boot.ini
  • config.sys
  • msdos.sys
  • etc.

11. Look for the malware files in all other partitions and delete them using steps 7 to 10.

12. Go to c:\windows\system32>
13. Type:

  • attrib -s -h -r kamsoft.exe
  • attrib -s -h -r ckvo.exe
  • attrib -s -h -r ckvo.dll
  • attrib -s -h -r ckvo0.dll
  • attrib -s -h -r ckvo1.dll
  • del kamsoft.exe
  • del ckvo.exe
  • del ckvo0.dll
  • del ckvo1.dll
  • del ckvo.dll

14. Some files in system32 may not delete; if so, log off once and log on again to delete any remaining files associated with this malware.

15. Now open the Registry Editor and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Change the DWORD value CheckedValue from 0 to 1.

16. Now go to Folder Options, change the hidden files setting and enable the show system files option. You should be able to see all hidden files.

17. Turn off System Restore and turn it on again so that the previous restore points are deleted.

18. Search for all files of 603 KB in size and delete them.
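The symptom and file lists above and the attrib/del steps 7 to 13 and 18 can be run as one scripted triage pass. This Python example is added here and is not the author's code; the indicator names, the 603 KB size and the protected boot files come from the post, while the 4 KB size slack, the function names and the constructed sample root are my own assumptions.

```python
# Added example (not the post's code): triage/cleanup for the indicators above; names and sizes from the post, SLACK and function names assumed.
import ctypes
import os
import tempfile

INDICATORS = {"uuuq.exe", "whi.com", "39lpji.com", "ktnquo.exe", "vxl.exe", "oq.cmd",
              "fe.bat", "kk3.bat", "rs.cmd", "autorun.inf",           # at drive roots
              "ckvo.exe", "ckvo0.exe", "ckvo1.exe", "kamsoft.exe"}    # in system32
PROTECTED = {"ntdetect.com", "ntldr", "hiberfil.sys", "io.sys", "pagefile.sys",
             "autoexec.bat", "boot.ini", "config.sys", "msdos.sys"}   # never deleted
DROPPER_SIZE, SLACK = 603 * 1024, 4 * 1024   # "approx. 603 KB" copies; slack assumed

def autorun_targets(text):
    """Lower-case basenames an autorun.inf launches via open=, shellexecute= or shell\\..\\command=."""
    targets, in_autorun = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.lower().split("=", 1))
            prog = (value.strip('"').split() or [""])[0].strip('"')   # first token is the program
            if prog and (key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("command"))):
                targets.append(os.path.basename(prog.replace("\\", "/")))
    return targets

def find_suspects(root):
    """'/'-separated paths under root to remove: listed names and autorun.inf targets directly in root, plus ~603 KB .exe files in subfolders."""
    launched, suspects, inf = set(), [], os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, errors="replace") as f:
            launched = set(autorun_targets(f.read()))
    for dirpath, _dirs, files in os.walk(root):
        at_root = dirpath == root
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            by_name = at_root and (low in INDICATORS or low in launched)
            by_size = not at_root and low.endswith(".exe") and abs(os.path.getsize(path) - DROPPER_SIZE) <= SLACK
            if low not in PROTECTED and (by_name or by_size):   # boot files are never candidates
                suspects.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(suspects)

def remove_files(root, rel_paths, dry_run=True):
    """'attrib -s -h -r' then 'del' for each path; a no-op when dry_run. Returns deleted paths."""
    for rel in ([] if dry_run else rel_paths):
        if os.name == "nt":   # FILE_ATTRIBUTE_NORMAL (0x80) is what attrib -s -h -r leaves behind
            ctypes.windll.kernel32.SetFileAttributesW(os.path.join(root, rel), 0x80)
        os.remove(os.path.join(root, rel))
    return [] if dry_run else list(rel_paths)

def build_sample_root():
    """Constructed fake drive root mirroring the post's layout (not a real malware sample)."""
    root = tempfile.mkdtemp(prefix="kamsoft_demo_")
    os.mkdir(os.path.join(root, "Photos"))
    for rel, data in {"autorun.inf": b"[AutoRun]\nopen=oq.cmd\nshell\\open\\Command=39lpji.com\n",
                      "oq.cmd": b"", "39lpji.com": b"", "boot.ini": b"",   # boot.ini must survive
                      "Photos/Photos.exe": b"\0" * DROPPER_SIZE,           # 603 KB "folder" exe
                      "Photos/real.exe": b"\0" * 100}.items():              # legit, must survive
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root
```

On a real machine point find_suspects at each drive root and at C:\Windows\system32, keep dry_run=True until the returned list looks right, and do the registry steps (MountPoints2, CheckedValue) by hand as above; they are not covered by this script.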

Comments are welcome. You may seek help or reply to me at spgarg04@gmail.com

37 comments:

CHINTAN KAPASI said...

Hey Surya, thanks for this informative post. If you remember I told you about my problems that I was not able to open hidden files. During that time I saw Kamsoft & ckvo in my task manager. So I suppose that I was affected with this same virus. I searched in msconfig and in my startup I found a blank entry. I disabled it and all my problems were solved! So add this thing in solutions too!

One more thing. In my command prompt, in C: drive, when I type autorun.inf, a text file opens. But when I type del autorun.inf,I get an error that the file could not be found! Does that mean that I am still affected with the virus?

Thanks & Regards,
vibrentkiller

Surya Prakash Garg said...

@vibrentkiller: yes, you are still infected with the virus, because that autorun.inf will restart the virus. For the removal of the autorun.inf file you can follow this process:

1. start in safe mode.
2. attrib -s -h -r autorun.inf
3. del autorun.inf

Apart from that, find and delete all autorun.inf entries from regedit.

regards,
Surya

Anonymous said...

Surya, thanks a lot for the information; this was very, very helpful in removing the virus infection I had.

Now, on to installing an antivirus software...

Anonymous said...

dude..this is only temporary solution... this doesn't remove virus permanently. There are many things, which should also be changed in Registry files

Surya Prakash Garg said...

@ Anonymous Please share your solution as this blog is to help people suffering from virus attacks.

Anonymous said...

The virus is so deep in the system. The only solution for this virus is running the ComboFix.exe
It helped me after 4 days of searching.

Anonymous said...

Forgot to post the address of the ComboFix...
Before running the file you best rename it (e.g. blabla.exe) to prevent the virus disabling it.
You can download ComboFix at:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Foo said...

Alternatively you can view superhidden attributes with Nero Burning Rom; this virus also puts gasrety0.dll in the system32 folder.

Follow my blog question about newly viruses.

Copy this links in ur browser address:

Fix Kamsoft.exe

Unknown said...

Hi,

I have seen your solutions for this virus removal. Could you please tell me how to remove it completely? I have tried regedit and changed the CheckedValue from 0 to 1, but it went back to 0 again. My flash drive is also affected by this virus. Please advise me how to remove this virus from my PC and also from my flash drive. When I open my flash drive with autorun it is creating "ii.exe", "iiii.exe" and "iiiii.exe" folders, sized around 5.03 MB.

Awaiting your quick response... please help me out.. my friend's system is also affected with the same...

Please help me.. ganeshrk83@gmail.com

Regards,
Ganesh R K

Anonymous said...

Hi, I am Maharishi, and thanks for your help, but actually many Kamsoft-like viruses are affecting our computers through our USB drives, which are infected. I have tried out many antivirus, antispyware and anti-adware software but they don't work at all. And it is not possible to look at the System32 folder and others when the computer is infected, and some viruses (the latest version of Kamsoft.exe, which changes its name frequently) cannot even be traced. So after doing some experiments on these viruses I am giving the last solution for this -----------------

PART-1

1. First of all, disable the autorun feature in your PC.
2. Don't plug mobiles, PMPs, iPods and the like into your infected PC.
3. Back up your things on DVD or CD (not on USB drives, HDD or external HDD).
4. Reinstall your OS (if the PC is infected).
5. Install Comodo security, which has an extra feature "Defence"; this will save your computer against these junks (don't install Comodo if your PC is infected).

I will come back with the part 2 solution soon......... By the way, happy new year to all!!!!!!

Anonymous said...

dear Surya brother,
I simply want to say "thank you".

Your guidance helped me to get rid of the kamsof.exe virus and the 2u.com virus from my PC. I used a lot of antivirus software like McAfee, AVG and Norton etc., but those failed to clean my PC. At last I started searching the net and found your blog. I simply followed your guidance and finally got rid of this bastard virus. For the last 15 days I could not use my PC because of this virus.

Thank you once again. You are simply amazing.

Regards
Mohammad Abdul Wahed

bluemint said...

Hi. I'm Hitesh Zaveri. I'm also affected with the `ckvo.exe` virus. As I'm very new to computers, please show me the easy-to-understand way to remove it. Please.

Anonymous said...

Perfect!! Thanks!!

Anonymous said...

My problem is one step further. I am unable to delete the files using the command prompt. I can't even see the Program Files and Windows folders, so there is no point in deleting files from system32, and slowly my folders are turning into application folders!!
Does anybody have any good solution to it!!

Unknown said...

Hey Mr. Surya, I would like you to help me with the 2u.com type virus. I did all those things you said, i.e. removing all those files from the registry, but the files are not getting deleted from the drives since it is present in all those drives, and the moment I modify the registry to show the hidden files it's not happening.


Kindly Help
Vir

Surya Prakash Garg said...

@Viral: hi. Do step 13 for all the drives. It should solve it.

Unknown said...

Hi, This is Sridhar. I'm using a windows server 2003 and the OS is infected with one of these files. The antivirus stopped responding or not opening. Please give suggestions on how to bring the server back to its normal position as it would be difficult to format and install the server OS again.
Thanks.

Anonymous said...

Hi, I am very familiar with this as my PC got infected with this 2u.com.
I used AVG, Avast, Kaspersky etc., but no use. Avast got damaged; I am not able to uninstall it, reinstall it or use it. When I was writing files to CD with Nero I noticed this 2u.com virus in "Add files for writing". As I mentioned previously, Avast was damaged or corrupted, but AswUpdat was running in the processes. When I click on any of the drives my system reboots. I found this file in every drive. Now I am going to repartition my entire hard disk.

hosein said...

Hi, my name is Hosein.
I just wanted to thank you for your help; it really helped me. Your article saved me from real danger.
Thank you, thank you a lot.
Here is my ID; I'll be happy if you send me a mail when you update your page.
meghdadnazary@yahoo.com
and winer_winer_20@yahoo.com
Thank you again.

Anonymous said...

This method is already there on http://infosecurityhub.blogspot.com/2008/09/kamsoft-ckvoexe-malware-manual-removal.html its just a copy

Kashif said...

Thanks a ton Boss!
Though I wasn't able to run my OS in Safe mode, I was still able to remove the virus successfully from my computer..
An interesting point.. The virus didn't let me install AVG, Avast, Norton or other antivirus programs. So I thought installing a fresh OS would help (I didn't read your blog at that time). But to my shock, even after I reinstalled my OS after formatting the partition, it was still in here. So I went by the method you posted, and successfully removed it. Trying to install AVG as I am writing this comment.

Thanks again for the useful post!!

Anonymous said...

Can anyone recommend the robust Patch Management tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central MSP tool
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

Hi!!! spgarg.blogspot.com is one of the most excellent innovative websites of its kind. I take advantage of reading it every day. spgarg.blogspot.com rocks!

Anonymous said...

The author of spgarg.blogspot.com has written an excellent article. You have made your point and there is not much to argue about. It is like the following universal truth that you can not argue with: Murphy was an optimist. Thanks for the info.

Anonymous said...

I recently encountered problems on my laptop regarding Chinese pop-ups. When it started showing, another 3 "applications" show up every time I insert my USB into its hub.. the ii.exe, iiii.exe, iiiiii.exe..
I'd appreciate those who could help me get rid of the malware/adware/spyware/virus.

removals London said...

This has been a very significant blog indeed. I’ve acquired a lot of helpful information from your article. Thank you for sharing such relevant topic with us. I really love all the great stuff you provide. Thanks again and keep it coming

man and van in London said...

Thanks for sharing these & very well explain post. Some thing new to learn from this helpful post.