22 Apr 08

Remove PSW.OnlineGames.AZ, WORM_NSPM.JS and Kavo (unable to reveal hidden files)

Actually, I am not sure which of these viruses (PSW.OnlineGames.AZ, WORM_NSPM.JS and Kavo) infected my PC, but they all seem the same, with the symptoms below:

  1. Unable to reveal hidden files (the radio button in “Folder Options” doesn’t work at all).
    The system registry key
    (“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL”) for revealing hidden files keeps getting changed back after it is modified.
  2. Found Kavo in the system startup registry key
    (“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”)

Verify the virus

  1. At a command prompt, in “c:\windows\system32”, type:
    c:\Windows\system32\> attrib kavo.exe -h -r -s
    c:\Windows\system32\> attrib kavo0.dll -h -r -s
    You will see that these files exist (but you won’t see them in Windows Explorer, because they are hidden!)
  2. In the system registry
    (“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”), there is a value NoDriveTypeAutoRun = “91”.

Unfortunately, the Trend Micro HouseCall web-based virus scanner and avast Free Edition aren’t able to pick up the virus. Thus AVG Free Edition is recommended to remove the files.

Generally, a few files will be removed:
c:\vt6e.cmd
c:\autorun.inf
c:\bqk.bat
c:\h8i.com
c:\windows\system32\kavo.exe
c:\windows\system32\kavo0.dll

To completely remove the virus, a few manual steps have to be done:

  1. To re-enable revealing hidden files:
    In the system registry
    (“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL”)

    • Delete the value “CheckedValue”.
    • Recreate the value “CheckedValue”, type “REG_DWORD”.
    • Set “CheckedValue” to “1”.
  2. In the system registry
    (“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”)

    • Delete the value (NoDriveTypeAutoRun = “91”).
  3. In the system registry
    (“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”)

    • Delete the value for the Kavo entry.
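
To confirm the cleanup, the checks from this post can be gathered into one read-only PowerShell script. This is an added example, not part of the original post: it reports any of the listed files still present, whether CheckedValue is a REG_DWORD of 1, the current NoDriveTypeAutoRun value, and any Run entry mentioning Kavo. Matching Run entries on the text "kavo" is an assumption, since the post does not give the entry's exact name.

```powershell
# Added example: read-only audit for the indicators this post lists.
# Nothing is modified or deleted; the script only reports.
$findings = @()

# Files named in the post. -Force is needed because they are hidden/system.
$files = 'C:\vt6e.cmd', 'C:\autorun.inf', 'C:\bqk.bat', 'C:\h8i.com',
         'C:\Windows\System32\kavo.exe', 'C:\Windows\System32\kavo0.dll'
foreach ($f in $files) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) { $findings += "FILE  $f  [$($item.Attributes)]" }
}

# CheckedValue has to be a REG_DWORD of 1 for "show hidden files" to work.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$key = Get-Item -LiteralPath $showAll -ErrorAction SilentlyContinue
if ($key) {
    $val  = $key.GetValue('CheckedValue', $null)
    $kind = if ($null -ne $val) { $key.GetValueKind('CheckedValue') } else { 'missing' }
    if ("$kind" -ne 'DWord' -or $val -ne 1) {
        $findings += "REG   SHOWALL\CheckedValue is $kind '$val' (expected DWord 1)"
    }
}

# Report NoDriveTypeAutoRun if it exists, in decimal and hex
# (regedit shows DWORD data in hex).
$polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-Item -LiteralPath $polPath -ErrorAction SilentlyContinue
if ($pol) {
    $v = $pol.GetValue('NoDriveTypeAutoRun', $null)
    if ($null -ne $v) {
        $findings += ('REG   NoDriveTypeAutoRun = {0} (hex {0:X})' -f $v)
    }
}

# Startup entries whose name or command mentions "kavo" (assumed match string).
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ("$name $data" -match 'kavo') { $findings += "RUN   $name = $data" }
    }
}

if ($findings) { $findings } else { 'None of the indicators from the post were found.' }
```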

After all this, some drives (e.g. c:\) may not be accessible properly. A window will pop up asking which application to open the drive with. This can be solved by:

  • Download Flash Disinfector.exe
  • Plug in a thumb drive
  • Double-click the exe file. Follow the instructions and finally click “Done!”
  • Reboot

Everything should be alright and do remember: Google is our best friend.

Reference website:

  1. Trend Micro: WORM_NSPM.JS
  2. LowYat.net: May be Kavo virus
  3. beepingcomputer.com: Flash disinfector.exe

1 Response to “Remove PSW.OnlineGames.AZ, WORM_NSPM.JS and Kavo (unable to reveal hidden files)”


  1. 1 thankful peter
    June 9, 2008 at 1:02 am

    There were a lot of posts on this issue related to PSW.onlinegames, but these solutions were easiest to follow, and by all accounts – worked!!! THANKS!

