Figure 1: Running Task Manager
End the wscript.exe and explorer.exe processes if they are running.
Figure 2: Close wscript.exe
Figure 3: Close explorer.exe
2. Remove the Autorun.inf files
A characteristic of Kavo is that it creates Autorun files in the root directory of each hard drive. These files activate the virus when the victim double-clicks the drive. To avoid re-activating the virus, one of the first things to do is remove the Autorun files in the root directory of each drive (on my machine, drives C, D and E).
In the Task Manager window, select File > New Task (Run...)
Figure 4: Opening the run dialog to execute a program
The Run dialog appears; type cmd to open a console window where you can execute DOS commands.
Figure 5: Running CMD command
In the console, execute the following commands in turn:
Figure 6: Console screen for executing the command lines
DEL c:\autorun.* /F /A /S /Q
DEL d:\autorun.* /F /A /S /Q
DEL e:\autorun.* /F /A /S /Q
3. Remove the virus
In the console window, type the following commands:
CD c:\windows\system32
DIR /a avp*.*
You will see the file avpo.exe or avpo0.dll.
Then type:
ATTRIB -r -s -h avpo.exe
DEL avpo.exe
or
ATTRIB -r -s -h avpo0.dll
DEL avpo0.dll
Then type:
DIR /a kavo*.*
If one or more of the files kavo.exe, kavo0.dll or kavo1.dll appear, run the deletion commands:
ATTRIB -r -s -h kavo.exe
DEL kavo.exe
ATTRIB -r -s -h kavo0.dll
DEL kavo0.dll
ATTRIB -r -s -h kavo1.dll
DEL kavo1.dll
Continue typing in the console:
CD \
ATTRIB -r -s -h ntde1ect.com
DEL ntde1ect.com
4. Edit the registry
In the Task Manager window, select File > New Task (Run...) (Figure 4)
The Run box appears; type regedit
Figure 7: Executing the program Regedit
Figure 8: The Regedit window
Figure 9: Delete avpo.exe
Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the left pane of the Regedit window, if there is an entry for avpo.exe, right-click it and delete it.
At the end of the process, restart the computer.
Back in Windows, if you still cannot see hidden files (because of the virus), you can download the following Windows Registry file and run it: https://quantrimang.com/data/fixHiddenFiles.reg
Open the Startup tab by going to Run and typing msconfig
Figure 10: Run MsConfig
Figure 11: Uncheck Kavo, or Avpo
Restart your computer again.
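
To confirm the cleanup after the final restart, the batch file below checks for each leftover named in steps 2 to 4 without deleting anything. It is an added example, not part of the original article; the drive letters C, D and E follow the article's machine and are an assumption to adjust for yours.

```batch
@echo off
rem Added example: read-only check for the leftovers named in steps 2-4.
rem Assumption: drives C, D, E as on the article's machine. Run from cmd.exe.
setlocal
set FOUND=0

rem Step 2: Autorun files in the root of each drive (/a includes hidden/system).
for %%D in (C D E) do (
    if exist %%D:\ (
        dir /a /b %%D:\autorun.* >nul 2>&1 && (
            echo [!] Autorun file still present on %%D:\
            set FOUND=1
        )
    )
)

rem Step 3: virus files in system32 and in the root of the system drive.
for %%F in (avpo.exe avpo0.dll kavo.exe kavo0.dll kavo1.dll) do (
    dir /a /b "%SystemRoot%\system32\%%F" >nul 2>&1 && (
        echo [!] %SystemRoot%\system32\%%F still present
        set FOUND=1
    )
)
dir /a /b "%SystemDrive%\ntde1ect.com" >nul 2>&1 && (
    echo [!] %SystemDrive%\ntde1ect.com still present
    set FOUND=1
)

rem Step 4: startup entries under the HKCU Run key that mention avpo or kavo.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i "avpo kavo" >nul && (
    echo [!] Run key still references avpo or kavo
    set FOUND=1
)

if "%FOUND%"=="0" echo No listed Kavo leftovers found.
rem Exit code 1 means at least one leftover was found, 0 means none.
endlocal & exit /b %FOUND%
```

If any line starting with [!] is printed, repeat the matching step above before restarting again.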