|
Virus Removal Techniques
Special Case: Removing Kinza virus
Initial Symptoms:
- The removable drive (pen drive) with the windows explorer icon
Source Files at the system
- %systemroot%\system32\boot.vbs
- %systemroot%\system32\imapd.exe and its variants
Removal
- Kill the process dxdlg, wscript, imapd from process explorer
- Remove the entry boot.vbs, wproxp, imapd from the logon tab of tool autoruns
- Remove the files
%systemroot%\system32\wproxp.exe
%systemroot%\system32\imapd.exe
%systemroot%\system32\imapdb.exe
%systemroot%\system32\imapde.dll
%systemroot%\system32\imapdd.dll
%systemroot%\system32\imapdc.dll
%systemroot%\system32\imapdb.dll
%systemroot%\system32\Kinza.exe
- Some variants of imapd are not deleted (giving the message access denied) but they can be renamed and delted afterwards
Alternatively
- You can run these scripts from the command line
- Make sure your system is Windows XP, otherwise these scripts will force you not to login the system once you run them and logout (esp. in Windows 2000 and 98)
cd\
taskkill /f /im wproxp.exe
taskkill /f /im isetup.exe
taskkill /f /im imapd.exe
taskkill /f /im dxdlg.exe
taskkill /f /im imapdb.exe
taskkill /f /im imapd.exe
taskkill /f /im imapdb.exe
taskkill /f /im scvvhsot.exe
taskkill /f /im wscript.exe
taskkill /f /im Kinza.exe
reg add
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /f /d "%windir%\system32\userinit.exe",
reg add
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f /d "explorer.exe"
reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /t Reg_Binary /v NoDriveAutoRun /f /d ffffff03
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /t Reg_dword /v NoDriveTypeAutoRun /f /d 36
reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /t Reg_dword /v NoFolderOptions /f /d 0
reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisbleRegistryTools /f /d 0
reg add
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisableTaskMgr /f /d 0
del /a /f /s boot.vbs
del /a /f /s wproxp.exe
del /a /f /s isetup.exe
del /a /f /s imapd.exe
del /a /f /s ActMon.ini
del /a /f /s dxdlg.exe
del /a /f /s imapde.dll
del /a /f /s imapdd.dll
del /a /f /s imapdc.dll
del /a /f /s imapdb.exe
del /a /f /s imapd.exe
del /a /f /s imapdb.dll
del /a /f /s imapdb.exe
del /a /f /s Kinza.exe
del /a /f /s autorun.ini
- Run notepad and copy-paste above scripts and save as kinza.bat
- Run the batch file by double clicking.
For kinza specific tool goto
Download
kinza-remover (Windows XP only)
isetup-remover (Windows XP only
|
