
Removal Instructions for wscript.kakworm

    4Help provides these instructions to assist you in the removal of this computer virus.  If these instructions do not remove the virus from your system, then 4Help recommends that you contact your computer vendor.  The use of up-to-date anti-virus software will help prevent your computer from becoming infected with viruses.

 

What you need to complete these instructions:

  • Norton AntiVirus installed on the infected computer   

    If you don't have Norton AntiVirus installed, click the following link to download it:

                            http://antivirus.vt.edu/download/index.php 

Time to complete:     45 minutes

Virus removal:

Overview:

  • Remove the virus files
  • Repair the Windows registry
  • Patch your system to prevent future infections
  • Update your virus definitions

 

  1. You MUST print these instructions before you proceed with the virus removal. You will need the printed instructions because your computer may not boot into Windows during parts of the repair process.
    • Select 'Print...' from the 'File' menu.
  2. Restart the computer in Safe Mode:
    1. If the computer is on, click on the 'Start' button and choose 'Shutdown'. If the computer is off, turn it on.
    2. While the computer is starting, tap and release the 'F8' key until the 'Windows Startup Menu' appears.
    3. Select option 3 'Safe Mode' and hit 'ENTER' on the keyboard.
    4. Click 'OK' on the 'Windows is running in Safe Mode...' message.
    • Turn off the 'Outlook Express Preview' pane:
      1. Open Outlook Express.
      2. Click 'Hide' if you get an Outlook Express error message.
      3. Click on the 'Inbox'.
      4. Go to the 'View' menu and select 'Layout...'
      5. Uncheck 'Show Preview Pane'.
      6. Click 'OK'.
      7. Close Outlook Express.
    • Make hidden and system files visible:
      1. Double click the 'My Computer' icon.
      2. Click the 'View' menu and select 'Folder Options...' or 'Options...'.
      3. Select the 'View' tab.
      4. In the 'Hidden Files' section, select 'Show All Files'.
      5. In the 'Hidden Files' section, uncheck 'Hide file extensions for known file types'.
      6. Click 'OK'.
    • Reset the 'Autoexec.bat' file:
      1. Click 'Start/Run'.
      2. In the 'Open' field type sysedit, and click the 'OK' button.
      3. The 'System Configuration Editor' will open with the autoexec.bat file in the front.
      4. Highlight and delete the following lines from the autoexec.bat file:
        '@echo off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta
        del C:\Windows\STARTM~1\Programs\StartUp\kak.hta'
      5. Select 'Save' from the 'File' menu.
      6. Select 'Exit' from the 'File' menu.
    • Delete files added by the virus:
      1. Go to 'Start/Find/Files or Folders...'.
      2. In the 'Look In:' field select the C: drive.
      3. In the 'Named:' field type kak.*.
      4. Click 'Find Now'.
      5. Delete any files that are found by right clicking on the filename and selecting 'Delete' from the pop-up menu.
      6. Clear the 'Named' field and type *.kak.
      7. Click 'Find Now'.
      8. Delete any files that are found.
      9. Clear the 'Named' field and type *.hta.
      10. Click 'Find Now'.
      11. Delete any files that are found.
      12. Close the 'Find:All Files' window.
      13. Right-click on the 'Recycle Bin' and select 'Empty Recycle Bin'.
      14. Click 'Yes' on the 'Multiple File Delete' message.
    • Edit the registry:
      1. Click on the 'Start' button and choose 'Run'.
      2. Type regedit in the 'Run' window and click the 'OK' button.
      3. Go to the 'Registry' menu and choose 'Export Registry File...'
      4. Make sure there is a dot in front of 'All' in the 'Export Range' area.
      5. In the 'Filename' box type backupreg.reg.
      6. Click 'Save'.
      7. Click the + in front of 'HKEY_CURRENT_USER'.
      8. Click the + in front of 'Identities'.
      9. For each folder under 'Identities':
        1. Click the + in front of the identity folder (it's a long name with a bunch of numbers and letters).
        2. Click the + in front of 'Software'.
        3. Click the + in front of 'Microsoft'.
        4. Click the + in front of 'Outlook Express'.
        5. Click the + in front of '5.0'.
        6. Right click on the 'Signatures' folder and choose 'Delete'.
        7. Click 'Yes' on 'Are you sure you want to delete this key?'.
      10. Scroll back to the top of this window, and click - in front of 'HKEY_CURRENT_USER'.
      11. Click the + in front of 'HKEY_LOCAL_MACHINE'.
      12. Click the + in front of 'Software'.
      13. Click the + in front of 'Microsoft'.
      14. Click the + in front of 'Windows'.
      15. Click the + in front of 'CurrentVersion'.
      16. Click on the 'Run' folder. (Not on the +).
      17. On the right side of the screen look for 'cAgOu' in the 'Named' column.
      18. Right click on 'cAgOu' and choose 'Delete'.
      19. Click 'Yes' on 'Are you sure you want to delete this value?'.
      20. In addition to the 'Run' folder, some users will have a 'Run-' folder. If you have a 'Run-' folder, click on it and remove the 'cAgOu' value.
      21. Close the Registry Editor.
    • Restart your computer.
    • In order to prevent future infection from the virus, download and apply a patch from Microsoft at http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
    • After you have applied the patch, you can re-enable the Preview Pane in Outlook Express:
      1. Open Outlook Express.
      2. Click 'Hide' if you get an Outlook Express error message.
      3. Click on the 'Inbox'.
      4. Select the 'View' menu and select 'Layout...'.
      5. Place a check in front of 'Show Preview Pane'.
      6. Click the 'OK' button.
      7. Close Outlook Express.
  3. Update your anti-virus software:
    • If you are using Norton AntiVirus, run LiveUpdate.
    • If LiveUpdate doesn't work, download the updates from http://antivirus.vt.edu/download/definitions.php
    • If you don't use Norton and are unsure how to update your anti-virus software, consult the software's help documentation.
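
To confirm the cleanup, the check below (an added example, not part of 4Help's instructions) scans the text of a registry export made after the registry edits and the text of autoexec.bat for the items these instructions remove: the 'cAgOu' value under 'Run' or 'Run-', any remaining Outlook Express 'Signatures' key, and autoexec.bat lines that reference kak.hta. The function names and sample input are constructed for illustration, and the export is assumed to be in the REGEDIT4 text format.

```python
import re

# Indicators named in the removal steps; registry names are case-insensitive.
RUN_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run-?$", re.I)
SIG_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft"
    r"\\Outlook Express\\5\.0\\Signatures(\\|$)", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

def parse_reg(text):
    """Yield (key, value_name) from a REGEDIT4 export; value_name is None for a key header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1)

def leftover_findings(reg_text, autoexec_text):
    """Return (kind, detail) tuples for every indicator that is still present."""
    found = []
    for key, name in parse_reg(reg_text):
        if name is None and SIG_KEY.match(key):
            found.append(("signatures-key", key))
        elif name is not None and RUN_KEY.match(key) and name.lower() == "cagou":
            found.append(("run-value", key + "\\" + name))
    for num, line in enumerate(autoexec_text.splitlines(), 1):
        if "kak.hta" in line.lower():
            found.append(("autoexec-line", num))
    return found

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-ID}\Software\Microsoft\Outlook Express\5.0\Signatures]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"cAgOu"="constructed-placeholder"
"OtherApp"="constructed-placeholder"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"CAGOU"="constructed-placeholder"
"""
SAMPLE_AUTOEXEC = ("SET PATH=C:\\WINDOWS\n"
                   "@echo off>C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n"
                   "del C:\\Windows\\STARTM~1\\Programs\\StartUp\\kak.hta\n")

if __name__ == "__main__":
    print(leftover_findings(SAMPLE_REG, SAMPLE_AUTOEXEC))
```

Run it on a fresh export rather than on backupreg.reg, which was saved before the edits and still contains the removed entries; importing that backup would put them back.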
 

Known Issues:

  • If these instructions did not repair your system, then 4Help recommends you contact a computer vendor for further assistance.