how to delete kak virus? 
Author Message
 how to delete kak virus?

I have a kak virus that pops up at windows start up or at reboot. It is in
C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such a
virus had been deleted by VirusScan many months ago. This kak came back
immediately after I reinstalled Win98 SE.

So scanned the computer. But Mcafee VirusScan Version 4.0.3 with the latest
update xdat 4135 could not detect and delete the virus. Then I tried scan in
dos mode as instructed by Mcafee support. Same result. I also unchecked
KAK.HTA in system tools/system configuration/startup and deleted it from the
startup menu. But the annoying popup kak window returns each time I start or
reboot the computer.

I have a suspicion that the virus had indeed been deleted previously, but
that the registry entries were only disabled, and somehow became activated
by reinstall of Windows. Can someone enlighten me as to how to solve the
problem.

Thanks.

Mike



Sat, 18 Oct 2003 00:36:05 GMT  
 how to delete kak virus?


Quote:
> I have a kak virus that pops up at windows start up or at reboot. It is in
> C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such a
> virus had been deleted by VirusScan many months ago. This kak came back
> immediately after I reinstalled Win98 SE.

KAK. Ok. Goto THIS >>>> http://www.claymania.com/kak-removal.html <<<<<
page.
Follow the instructions carefully. Word for word. Do not miss a single step
out just because it looks complicated or you think it may not apply.

--
--
Robert Moir, Microsoft MVP
To search the MS Knowledge base use the link below:
http://support.microsoft.com/support/search/c.asp?PSL=1
My Homepage - http://www.robertmoir.co.uk
** Emailed questions will not be answered **



Sat, 18 Oct 2003 01:35:10 GMT  
 how to delete kak virus?

Hi,

There must be something wron with your VirusScan properties, at least your
version is old, it may be 4.5.1 which is the latest one with a Service Pack
! Scan engine may be 4.1.40...

There are two main groups of KAK family :


http://vil.nai.com/vil/virusSummary.asp?virus_k=98855


http://vil.nai.com/vil/virusSummary.asp?virus_k=10509

You may Use specified engine and DAT files for detection and removal.
Removal of this Internet worm consists of several steps:
* close email client(s)
* install the MS patch mentioned above
* remove the .HTA and/or .HTML files associated with this threat
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script
Users may also benefit by removing Windows Scripting Host from their Windows
environment. To do this in Windows 9x, go to 'Control Panel' and choose
'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on
'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and
choose 'OK'. It may be necessary to reboot the system. For additional help
or support, visit Microsoft's Support Site.
Users may also want to disable 'Active Scripting' in the 'Restricted Sites'
zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:
-open Internet Explorer
-choose the Tools menu
-choose Internet Options
-click the Security tab
-click the Restricted Sites icon
-click 'Custom Level'
-scroll down to 'Active Scripting' and set it to Disable or Prompt
-Click OK
-open Outlook
-choose the Tools menu
-choose Options
-click the Security Tab
-In the 'Security Zones' section, choose the 'Restricted Sites' zone

Good Luck !

Orhan


Quote:
> I have a kak virus that pops up at windows start up or at reboot. It is in
> C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such a
> virus had been deleted by VirusScan many months ago. This kak came back
> immediately after I reinstalled Win98 SE.

> So scanned the computer. But Mcafee VirusScan Version 4.0.3 with the
latest
> update xdat 4135 could not detect and delete the virus. Then I tried scan
in
> dos mode as instructed by Mcafee support. Same result. I also unchecked
> KAK.HTA in system tools/system configuration/startup and deleted it from
the
> startup menu. But the annoying popup kak window returns each time I start
or
> reboot the computer.

> I have a suspicion that the virus had indeed been deleted previously, but
> that the registry entries were only disabled, and somehow became activated
> by reinstall of Windows. Can someone enlighten me as to how to solve the
> problem.

> Thanks.

> Mike



Sat, 18 Oct 2003 17:00:55 GMT  
 how to delete kak virus?
I followed the advice of Robert and Orhan, but I still have this kak window
opening at startup. Then, I discovered a line in autoexec.bat (system tools\

off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta. Below it there is another
line reading: rem - By Windows Setup - del
C:\Windows\STARTM~1\Programs\StartUp\kak.hta.

I unchecked it, clicked Apply and OK. After reboot, kak window opened again.

What else should I do?

Mike



Quote:

> Hi,

> There must be something wron with your VirusScan properties, at least your
> version is old, it may be 4.5.1 which is the latest one with a Service
Pack
> ! Scan engine may be 4.1.40...

> There are two main groups of KAK family :


> http://vil.nai.com/vil/virusSummary.asp?virus_k=98855


> http://vil.nai.com/vil/virusSummary.asp?virus_k=10509

> You may Use specified engine and DAT files for detection and removal.
> Removal of this Internet worm consists of several steps:
> * close email client(s)
> * install the MS patch mentioned above
> * remove the .HTA and/or .HTML files associated with this threat
> * turn off 'preview pane' (optional)
> * delete the default email signature setting (Tools/Options/Signature)
> * delete messages which are not needed which may contain the embedded
script
> Users may also benefit by removing Windows Scripting Host from their
Windows
> environment. To do this in Windows 9x, go to 'Control Panel' and choose
> 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click
on
> 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and
> choose 'OK'. It may be necessary to reboot the system. For additional help
> or support, visit Microsoft's Support Site.
> Users may also want to disable 'Active Scripting' in the 'Restricted
Sites'
> zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:
> -open Internet Explorer
> -choose the Tools menu
> -choose Internet Options
> -click the Security tab
> -click the Restricted Sites icon
> -click 'Custom Level'
> -scroll down to 'Active Scripting' and set it to Disable or Prompt
> -Click OK
> -open Outlook
> -choose the Tools menu
> -choose Options
> -click the Security Tab
> -In the 'Security Zones' section, choose the 'Restricted Sites' zone

> Good Luck !

> Orhan



> > I have a kak virus that pops up at windows start up or at reboot. It is
in
> > C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such a
> > virus had been deleted by VirusScan many months ago. This kak came back
> > immediately after I reinstalled Win98 SE.

> > So scanned the computer. But Mcafee VirusScan Version 4.0.3 with the
> latest
> > update xdat 4135 could not detect and delete the virus. Then I tried
scan
> in
> > dos mode as instructed by Mcafee support. Same result. I also unchecked
> > KAK.HTA in system tools/system configuration/startup and deleted it from
> the
> > startup menu. But the annoying popup kak window returns each time I
start
> or
> > reboot the computer.

> > I have a suspicion that the virus had indeed been deleted previously,
but
> > that the registry entries were only disabled, and somehow became
activated
> > by reinstall of Windows. Can someone enlighten me as to how to solve the
> > problem.

> > Thanks.

> > Mike



Sat, 18 Oct 2003 18:50:49 GMT  
 how to delete kak virus?
Have you also visited the links that I have mentioned ? There may be some
other tricks to do for the registry ! It has a register key also...


Quote:
> I followed the advice of Robert and Orhan, but I still have this kak
window
> opening at startup. Then, I discovered a line in autoexec.bat (system
tools\

> off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta. Below it there is
another
> line reading: rem - By Windows Setup - del
> C:\Windows\STARTM~1\Programs\StartUp\kak.hta.

> I unchecked it, clicked Apply and OK. After reboot, kak window opened
again.

> What else should I do?

> Mike



> > Hi,

> > There must be something wron with your VirusScan properties, at least
your
> > version is old, it may be 4.5.1 which is the latest one with a Service
> Pack
> > ! Scan engine may be 4.1.40...

> > There are two main groups of KAK family :


> > http://vil.nai.com/vil/virusSummary.asp?virus_k=98855


> > http://vil.nai.com/vil/virusSummary.asp?virus_k=10509

> > You may Use specified engine and DAT files for detection and removal.
> > Removal of this Internet worm consists of several steps:
> > * close email client(s)
> > * install the MS patch mentioned above
> > * remove the .HTA and/or .HTML files associated with this threat
> > * turn off 'preview pane' (optional)
> > * delete the default email signature setting (Tools/Options/Signature)
> > * delete messages which are not needed which may contain the embedded
> script
> > Users may also benefit by removing Windows Scripting Host from their
> Windows
> > environment. To do this in Windows 9x, go to 'Control Panel' and choose
> > 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click
> on
> > 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and
> > choose 'OK'. It may be necessary to reboot the system. For additional
help
> > or support, visit Microsoft's Support Site.
> > Users may also want to disable 'Active Scripting' in the 'Restricted
> Sites'
> > zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:
> > -open Internet Explorer
> > -choose the Tools menu
> > -choose Internet Options
> > -click the Security tab
> > -click the Restricted Sites icon
> > -click 'Custom Level'
> > -scroll down to 'Active Scripting' and set it to Disable or Prompt
> > -Click OK
> > -open Outlook
> > -choose the Tools menu
> > -choose Options
> > -click the Security Tab
> > -In the 'Security Zones' section, choose the 'Restricted Sites' zone

> > Good Luck !

> > Orhan



> > > I have a kak virus that pops up at windows start up or at reboot. It
is
> in
> > > C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such
a
> > > virus had been deleted by VirusScan many months ago. This kak came
back
> > > immediately after I reinstalled Win98 SE.

> > > So scanned the computer. But Mcafee VirusScan Version 4.0.3 with the
> > latest
> > > update xdat 4135 could not detect and delete the virus. Then I tried
> scan
> > in
> > > dos mode as instructed by Mcafee support. Same result. I also
unchecked
> > > KAK.HTA in system tools/system configuration/startup and deleted it
from
> > the
> > > startup menu. But the annoying popup kak window returns each time I
> start
> > or
> > > reboot the computer.

> > > I have a suspicion that the virus had indeed been deleted previously,
> but
> > > that the registry entries were only disabled, and somehow became
> activated
> > > by reinstall of Windows. Can someone enlighten me as to how to solve
the
> > > problem.

> > > Thanks.

> > > Mike



Sat, 18 Oct 2003 19:19:16 GMT  
 how to delete kak virus?
Do not forget that you may also install Microsoft patches mentioned at the
links I have forwarded to you !


Quote:
> I followed the advice of Robert and Orhan, but I still have this kak
window
> opening at startup. Then, I discovered a line in autoexec.bat (system
tools\

> off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta. Below it there is
another
> line reading: rem - By Windows Setup - del
> C:\Windows\STARTM~1\Programs\StartUp\kak.hta.

> I unchecked it, clicked Apply and OK. After reboot, kak window opened
again.

> What else should I do?

> Mike



> > Hi,

> > There must be something wron with your VirusScan properties, at least
your
> > version is old, it may be 4.5.1 which is the latest one with a Service
> Pack
> > ! Scan engine may be 4.1.40...

> > There are two main groups of KAK family :


> > http://vil.nai.com/vil/virusSummary.asp?virus_k=98855


> > http://vil.nai.com/vil/virusSummary.asp?virus_k=10509

> > You may Use specified engine and DAT files for detection and removal.
> > Removal of this Internet worm consists of several steps:
> > * close email client(s)
> > * install the MS patch mentioned above
> > * remove the .HTA and/or .HTML files associated with this threat
> > * turn off 'preview pane' (optional)
> > * delete the default email signature setting (Tools/Options/Signature)
> > * delete messages which are not needed which may contain the embedded
> script
> > Users may also benefit by removing Windows Scripting Host from their
> Windows
> > environment. To do this in Windows 9x, go to 'Control Panel' and choose
> > 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click
> on
> > 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and
> > choose 'OK'. It may be necessary to reboot the system. For additional
help
> > or support, visit Microsoft's Support Site.
> > Users may also want to disable 'Active Scripting' in the 'Restricted
> Sites'
> > zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:
> > -open Internet Explorer
> > -choose the Tools menu
> > -choose Internet Options
> > -click the Security tab
> > -click the Restricted Sites icon
> > -click 'Custom Level'
> > -scroll down to 'Active Scripting' and set it to Disable or Prompt
> > -Click OK
> > -open Outlook
> > -choose the Tools menu
> > -choose Options
> > -click the Security Tab
> > -In the 'Security Zones' section, choose the 'Restricted Sites' zone

> > Good Luck !

> > Orhan



> > > I have a kak virus that pops up at windows start up or at reboot. It
is
> in
> > > C:\Windows\Start  Menu\Programs\Startup\KAK.HTA. I remember that such
a
> > > virus had been deleted by VirusScan many months ago. This kak came
back
> > > immediately after I reinstalled Win98 SE.

> > > So scanned the computer. But Mcafee VirusScan Version 4.0.3 with the
> > latest
> > > update xdat 4135 could not detect and delete the virus. Then I tried
> scan
> > in
> > > dos mode as instructed by Mcafee support. Same result. I also
unchecked
> > > KAK.HTA in system tools/system configuration/startup and deleted it
from
> > the
> > > startup menu. But the annoying popup kak window returns each time I
> start
> > or
> > > reboot the computer.

> > > I have a suspicion that the virus had indeed been deleted previously,
> but
> > > that the registry entries were only disabled, and somehow became
> activated
> > > by reinstall of Windows. Can someone enlighten me as to how to solve
the
> > > problem.

> > > Thanks.

> > > Mike



Sat, 18 Oct 2003 19:41:48 GMT  
 how to delete kak virus?

You are welcome !

I am glad you solve it :)))


Quote:
> Thanks Orhan. I've learned a lot about the virus now, but still reading on
> with the deluge of material I printed out.
> The roguevalley kakcleaner cleaned it out for me while the panda antikak
did
> not. I would have loved to deal with it through manually manipulating the
> registry after backing it up. But I'm happy your program did it because
I'm
> not thoroughly familiar with registry settings; I might have caused a
> disaster on my computer.

> Does it worth to be tried? Yes. Because I've set up all the precautions
like
> plain text, disable scripting, ms patch, etc, etc.

> Thanks again.

> Mike



> > does it worth to be tried ?

> > http://www.ih2000.net/antikak.exe

> > http://www.pandasoftware.com/antikak.exe

> > http://www.roguevalley.com/downloads/kakcleaner.exe

> > http://www.getvirushelp.com/kak/KakCleaner.exe

> > http://www.sun.ac.za/gerga/downloads/kakcleaner.zip

> > AND some more, such as what Nick says :

> > Note:  Kak spreads via Email.  Since you were infected,
> > you'll have been sending infected messages.  You should
> > check your Sent Items folder **after** applying **all**
> > the fixes below and Email warnings (and an apology!) to
> > everyone you've mailed since being infected.

> > Note^2:  Too many descriptions of how to deal with Kak
> > ignore the fact that infected users have mail folders
> > full of infected messages which will hit them again next
> > time they are read **if the security hole Kak depends on
> > is not closed**.  Thus, when cleaning up Kak you
> > **MUST** follow my advice about Outlook Express security
> > settings **AND** installing the MS security patch
> > referred to at the end of this message.

> > In the prescribed order -- don't ask why, just do it:

> > First, stop using that machine for Email and News.  In
> > fact, close down all applications.  In the instructions
> > that follow, start any mentioned application **only**
> > perform the stated configuration changes then exit the
> > application.

> > Second, check the Restricted Sites security has *all*
> > ActiveX support set to *disabled* (that prevents people
> > choosing the wrong option when given the choice if
> > "prompt" is set) and if it is not, set it that way.
> > You do this on the Security tab of Tools/Internet
> > Options in IE or the Security tab of the Internet
> > Options control panel (they are both routes to the same
> > controls).  If you do not know how to check this, just
> > select the Restricted Sites zone and click the "Default
> > Level" button to reset the defaults for that zone --
> > they are near enough.

> > Third, set Outlook Express so Email is considered to be
> > in the Restricted Sites zone.  This is on the Security
> > tab of the Tools/Options dialog.

> > Fourth, delete the Signature definition in Outlook
> > Express for each afflicted user identity (if you do not
> > know what that means, you *probably* only have a single
> > identity so only need to do it once).  These settings
> > are on the Signatures tab of the Tools/Options dialog.
> > In theory, it is now safe to use Outlook Express 5 for
> > reading and sending Email -- but don't...

> > Fifth, delete the files kak.htm from the Windows folder
> > and .hta from the Windows system folder.
> > is an eight character string representing a hexadecimal
> > number -- i.e. it consists of some combination of
> > characters 0-9 and A-F.  There could be more than one
> > of these files -- they should be 4116 bytes in size --
> > delete them all.  If there is more than one, then you
> > should find out about Outlook Express user idetities and
> > tidy up the siganture settings of all identities (that
> > is more aesthetic than necessary, as deleting the
> > kak.htm file effectively disables the signatures anyway).
> > These files have the hidden file attribute set -- to see
> > them you will have to change the default settings in
> > Explorer.  If you are unsure how to do this, select Help
> > from the Start menu, click on the Index tab then, under
> > Win95, enter "hidden files, viewing" or under Win98 enter
> > "hidden attribute", and view the topic that is found.

> > Sixth, edit AUTOEXEC.BAT and delete the two lines
> > involved in creating and deleting kak.hta in the Windows
> > Startup folder.  If AE.KAK exists in the root of C: and no
> > changes have been made to AUTOEXEC.BAT since Kak infested
> > the machine, you can delete (or rename) AUTOEXEC.BAT then
> > rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time
> > backup of AUTOEXEC.BAT).  Check the Windows Startup
> > folder and delete any file there named kak.hta.

> > Restart the machine and watch closely for a process called
> > Drive Memory Error that **only** appears (and briefly) as
> > a button on the taskbar.  If that happens, you missed
> > something or did it out of order.  Start over.  If you get
> > here a second time and still have this process starting,
> > please Email me for further assistance.

> > Assuming that all has gone well, go to:

> >   http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

> > read it and download the offical MS patch that closes the
> > security hole that Kak depends on.  After doing that, you
> > can reset your Email security to the Internet zone,
> > although I certainly do not recommend that!

> > After all this, you will almost surely have one or more
> > messages carrying the Kak code in your Email folders.
> > Unless MS re-introduces the security hole Kak depends on
> > in a future IE update, those message won't cause you any
> > grief though forwarding them to others would be unwelcome.
> > Note also, that any copies to self you've kept will also
> > have active Kak code in them.  Short of getting a virus
> > scanner that can parse OE mail files, the only vaguely
> > satisfactory workaround to the "problem" of possibly
> > forwarding one of these "infected", saved messages is to
> > configure all your user identities to send text-only Email
> > rather than that HTML rubbish that is the OE default.
> > Thus, setting text-only Email sending is a *very good
> > idea*.  Note that to set this configuration fully, you
> > must not only set Tools/Options/Send to "Plain text" for
> > the "Mail sending format", but also disable the "Reply to
> > messages in the format in which they were sent" option
> > (which is also on the Tools/Options/Send dialog).
> > --



> > > I followed the advice of Robert and Orhan, but I still have this kak
> > window
> > > opening at startup. Then, I discovered a line in autoexec.bat (system
> > tools\

> > > off>C:\Windows\STARTM~1\Programs\StartUp\kak.hta. Below it there is
> > another
> > > line reading: rem - By Windows Setup - del
> > > C:\Windows\STARTM~1\Programs\StartUp\kak.hta.

> > > I unchecked it, clicked Apply and OK. After reboot, kak window opened
> > again.

> > > What else should I do?

> > > Mike



> > > > Hi,

> > > > There must be something wron with your VirusScan properties, at
least
> > your
> > > > version is old, it may be 4.5.1 which is the latest one with a
Service
> > > Pack
> > > > ! Scan engine may be 4.1.40...

> > > > There are two main groups of KAK family :


> > > > http://vil.nai.com/vil/virusSummary.asp?virus_k=98855


> > > > http://vil.nai.com/vil/virusSummary.asp?virus_k=10509

> > > > You may Use specified engine and DAT files for detection and
removal.
> > > > Removal of this Internet worm consists of several steps:
> > > > * close email client(s)
> > > > * install the MS patch mentioned above
> > > > * remove the .HTA and/or .HTML files associated with this threat
> > > > * turn off 'preview pane' (optional)
> > > > * delete the default email signature setting

(Tools/Options/Signature)

- Show quoted text -

Quote:
> > > > * delete messages which are not needed which may contain the
embedded
> > > script
> > > > Users may also benefit by removing Windows Scripting Host from their
> > > Windows
> > > > environment. To do this in Windows 9x, go to 'Control Panel' and
> choose
> > > > 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double
> click
> > > on
> > > > 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it
and
> > > > choose 'OK'. It may be necessary to reboot the system. For
additional
> > help
> > > > or support, visit Microsoft's Support Site.
> > > > Users may also want to disable 'Active Scripting' in the 'Restricted
> > > Sites'
> > > > zone and set E-Mail to run in the 'Restricted Sites' zone. To do
this:
> > > > -open Internet Explorer
> > > > -choose the Tools menu
> > > > -choose Internet Options
> > > > -click the Security tab
> > > > -click the Restricted Sites icon
> > > > -click 'Custom Level'
> > > > -scroll down to 'Active Scripting' and set it to Disable or Prompt
> > > > -Click OK
> > > > -open Outlook
> > > > -choose the Tools menu
> > > > -choose Options
> > > > -click the Security Tab
> > > > -In the 'Security Zones' section, choose the 'Restricted Sites' zone

> > > > Good Luck !

> > > > Orhan



> > > > > I have a kak virus that pops up at windows start up or at reboot.
It
> > is
> > > in
> > > > > C:\Windows\Start

...

read more »



Sat, 18 Oct 2003 21:14:24 GMT  
 
 [ 9 post ] 

 Relevant Pages 

1. Kak virus

2. Kak Virus

3. KAK @M virus

4. OT: filter to delete SWEN-virus emails from server

5. i have a virus which wont delete repair or quarantine

6. klez virus. Can't delete it

7. evil virus deleted?

8. Norton-deleting virus

9. Virus will not delete

10. deleted what I thought was a virus

11. help to delete w32/bugbear and trjan virus

12. virus is deleting shortcuts, closing programs

 

 
Powered by phpBB® Forum Software