Manual Removal of WScript/Kak.worm (KOGOU)
Summary: This document explains how to manually remove the KAK (or KOGOU) worm from your computer.
Boot into Safe Mode
- Shut the computer down so the power is off.
- Wait 20 seconds or so.
- Turn the computer on and immediately begin pressing the F8 key on the keyboard once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second.
- Select option #3 (Safe Mode) from the Windows Startup Menu, then press the Enter key on the keyboard.
Windows will then boot into Safe Mode. NOTE: This may take longer than a normal boot.
At the end of the boot process a dialog box will appear informing you that Windows is in Safe Mode. Click OK on this dialog box.
Windows is now in Safe Mode.
Back Up the Registry
IMPORTANT: Before beginning to manually remove KAK from your computer, make sure to back up the Registry. This will safeguard your Windows installation. If an error occurs during the removal process, you can recover your Windows configuration by restoring the backup.
- Click on the Start button.
- Click on Run.
- Type REGEDIT in the Open field.
- Click the OK button. The Registry Editor window will appear.
- Click on the Registry pull-down menu.
- Click on Export Registry File.
- In the File Name field type "backup" (without the quotation marks).
- In the Save In field be sure that the desktop is selected (if it is not, click on the pull-down menu and select "Desktop").
- Select "All" in the Export Range group box.
- Click on the Save button. The registry will then be saved.
- Click the X in the top right corner to close the Registry Editor.
NOTE: You now have a backup of your Registry saved as "backup" on your desktop. If you need to restore the Registry, you can double-click on the "backup" file located on the desktop. Once these instructions are complete and everything is running properly, be sure to delete this backup file by right-clicking on it and then left-clicking on Delete from the pop-up menu that appears. This ensures that the old registry (which still contains the KAK entry) is not accidentally restored once KAK has been removed.
Edit the Registry
- Click on the Start button.
- Click on Run.
- Type in REGEDIT then click the OK button. The Registry Editor will then appear.
- Double-click on the HKEY_LOCAL_MACHINE folder on the left side of the screen.
- Double-click on Software.
- Double-click on Microsoft.
- Double-click on Windows.
- Double-click on CurrentVersion.
- Single-click on the Run folder so it is highlighted.
- On the right side of the screen, under the Name column, locate cAgOu and single-click on it so it is highlighted.
- Press the Delete key on the keyboard to remove this entry.
- Close the Registry Editor by clicking the X in the top right corner.
Edit the AUTOEXEC.BAT File
- Click on the Start button.
- Click on Run.
- Type in SYSEDIT then click the OK button.
- The System Configuration Editor window will appear. The front window will be labeled C:\AUTOEXEC.BAT.
- Delete the following lines, which are near the top of the C:\AUTOEXEC.BAT window, by highlighting each line and then pressing the Delete key on the keyboard:
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
- Close all open windows until you are back on the desktop. You will be asked if you wish to save changes. Answer Yes.
Remove the StartUp Folder Reference
- Click on the Start button.
- Highlight Settings.
- Click on Taskbar & Start Menu. The Taskbar Properties dialog box will then appear.
- Click on the Start Menu Programs tab.
- Click on the Remove button. You will then see a list of folders and shortcuts.
- Locate the StartUp folder and click on the plus sign (+) next to it.
- Look for anything with KAK in the name. If you find something with KAK, single-click on it so it is highlighted then click the Remove button to delete it.
- Click the Close button followed by the OK button.
Change the Folder View Options
(This is necessary to find the files in the 'Delete the KAK Related Files' section.)
- Double-click on the My Computer icon on the desktop.
- Double-click on the C: drive.
- Click on the View pull-down menu then click on Options (or Folder Options). The Folder Options dialog box will then appear.
- Click on the View tab.
- Select the 'Show all files' option.
- Uncheck 'Hide file extensions for known file types'.
- Click the Apply button followed by the OK button.
- Close the remaining open windows until you are back on the desktop.
Delete the KAK Related Files
- Click on the Start button.
- Highlight Find then click on Files or Folders. The Find Files dialog box will then appear.
- Make sure the (C:) drive is selected in the Look In field so the entire C: drive will be searched.
- Type in KAK.HTM in the Named field then click the Find Now button.
- The computer will then search the hard drive for the file. When the file is found it will be displayed towards the bottom of the dialog box.
- Once the file is found, right-click on the icon located to the left of the file's name. A pop-up menu will appear.
- Left-click on Delete. Answer Yes to any prompts asking if you are sure you would like to delete the file.
- Now type in *.HTA in the Named field then click the Find Now button. The computer will then search the hard drive for all files that end with .HTA. Each file will be listed towards the bottom of the dialog box.
- When the computer has finished searching, delete each of the listed files by right-clicking on the icon to the left of the file's name and then left-clicking on Delete from the pop-up menu that appears. Do this with each listed file until no files remain.
- Once the files have been deleted, click the X in the top right corner to close the Find Files dialog box.
- Right-click on the Recycle Bin on the desktop. A pop-up menu will appear.
- Left-click on Empty Recycle Bin. Answer Yes to any prompts asking if you are sure.
- Restart the computer. It will automatically boot back into normal Windows.
The KAK worm has now been removed from the computer.
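The steps above remove four persistence points by hand: the cAgOu Run value, the two AUTOEXEC.BAT lines, the StartUp folder item, and the KAK.HTM / .HTA files. The following script is an added example (not part of the McAfee article) that checks all four against copies of the Registry export, AUTOEXEC.BAT and a file listing taken from the machine, which is useful for confirming the cleanup or triaging other PCs. The SAMPLE_* data is constructed; the indicator names are the ones given in the article.

```python
# Added example, not part of the McAfee article: an offline triage check for the
# KAK persistence points the article removes by hand. It takes the Registry export
# ("backup") and AUTOEXEC.BAT as text plus a list of file paths, so it runs on copies
# pulled from the affected machine. Names come from the article; SAMPLE_* data is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "cAgOu"                                  # Run entry the article deletes
STARTUP_HTA = r"STARTM~1\PROGRAMS\STARTUP\KAK.HTA"   # target of the AUTOEXEC.BAT lines

def find_run_value(reg_export):
    """Lines under the Run key named cAgOu, parsed from regedit's .reg format:
    a [key] header line, then "name"="data" lines until the next header."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                     # new key header
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and line.lower().startswith('"%s"=' % RUN_VALUE.lower()):
            hits.append(line)
    return hits

def find_autoexec_lines(autoexec):
    """AUTOEXEC.BAT lines that launch or delete the Startup-folder KAK.HTA."""
    return [ln for ln in autoexec.splitlines() if STARTUP_HTA.lower() in ln.lower()]

def find_kak_files(paths):
    """Flag KAK.HTM, every .HTA file, and any Startup-folder item with KAK in its name."""
    flagged = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name == "kak.htm" or name.endswith(".hta") or ("\\startup\\" in p.lower() and "kak" in name):
            flagged.append(p)
    return flagged

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"cAgOu"="C:\\EXAMPLE\\SAMPLE.HTA"
"""
SAMPLE_AUTOEXEC = r"""C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
"""
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\KAK.HTM", r"C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KAK.HTA",
                r"C:\WINDOWS\WIN.INI", r"C:\My Documents\notes.txt"]

if __name__ == "__main__":
    print("Run value:", find_run_value(SAMPLE_REG))
    print("AUTOEXEC.BAT:", find_autoexec_lines(SAMPLE_AUTOEXEC))
    print("Files:", find_kak_files(SAMPLE_PATHS))
```

An empty result from all three functions after the removal steps confirms that the persistence points the article lists are gone; a hit in the Run key on an otherwise clean machine is the earliest sign of reinfection.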
Prevent Future Infections of the KAK Worm
The KAK worm works by exploiting vulnerabilities in ActiveX controls. The vulnerabilities exploited by this worm have been addressed by Microsoft with a security patch. Installing this security patch will prevent the execution of this worm under default security settings. McAfee recommends applying this patch to all computers running Internet Explorer. Download this patch from http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.