"Kak" Removal Instructions

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)

Translated versions available: en Français, in het Nederlands and Deutsch

Anti-Virus Main Menu
Main Menu
Please carefully read all of the instructions below...

Written by: Nick FitzGerald
Computer Virus Consulting Ltd.
(posted with Nick's permission)

These instructions not only remove Kak but explain how to make your machine immune to re-infection from Kak, or infection from any future viruses or worms that depend on the same security hole to get into a machine.

Note: Kak spreads via Email. Since you were infected, you'll have been sending infected messages. You should check your Sent Items folder after applying all the fixes below and Email warnings (and an apology!) to everyone you've mailed since being infected.

Note^2: Too many descriptions of how to deal with Kak ignore the fact that infected users have mail folders full of infected messages which will hit them again next time they are read if the security hole Kak depends on is not closed. Thus, when cleaning up Kak you MUST follow my advice about Outlook Express security settings AND installing the MS security patch referred to at the end of this message.

Note^3: If your machine is currently presenting you with a dialog box at startup with a strange message (it may be "Kagou-Anti-Kro$oft says not today") just ignore it. Move the dialog box window out of your way and do the following -- clicking the "OK" button will shutdown your PC, but you can just ignore that window and do the following. Slightly braver souls may wish to hit Ctrl-Alt-Del then select the process named "Driver Memory Error" and click the "End Task" button.

In the prescribed order -- don't ask why, just do it:

First, stop using that machine for Email and News. In fact, close down all applications. In the instructions that follow, start any mentioned application only perform the stated configuration changes then exit the application.

Second, check the Restricted Sites security has all ActiveX support set to disabled (that prevents people choosing the wrong option when given the choice if "prompt" is set) and if it is not, set it that way. You do this on the Security tab of Tools/Internet Options in IE or the Security tab of the Internet Options control panel (they are both routes to the same controls). If you do not know how to check this, just select the Restricted Sites zone and click the "Default Level" button to reset the defaults for that zone -- they are near enough.

Third, set Outlook Express so Email is considered to be in the Restricted Sites zone. This is on the Security tab of the Tools/Options dialog.

Fourth, delete the Signature definition in Outlook Express for each afflicted user identity (if you do not know what that means, you probably only have a single identity so only need to do it once). These settings are on the Signatures tab of the Tools/Options dialog. In theory, it is now safe to use Outlook Express 5 for reading and sending Email -- but don't...

Fifth, delete the files kak.htm from the Windows folder and <name>.hta from the Windows system folder. <name> is an eight character string representing a hexadecimal number -- i.e. it consists of some combination of characters 0-9 and A-F. There could be more than one of these files -- they should be 4116 bytes in size -- delete them all. If there is more than one, then you should find out about Outlook Express user identities and tidy up the signature settings of all identities (that is more aesthetic than necessary, as deleting the kak.htm file effectively disables the signatures anyway). These files have the hidden file attribute set -- to see them you will have to change the default settings in Explorer. If you are unsure how to do this, select Help from the Start menu, click on the Index tab then, under Win95, enter "hidden files, viewing" or under Win98 enter "hidden attribute" and view the topic that is found.

Sixth, edit AUTOEXEC.BAT and delete the two lines involved in creating and deleting kak.hta in the Windows Startup folder. If AE.KAK exists in the root of C: and no changes have been made to AUTOEXEC.BAT since Kak infested the machine, you can delete (or rename) AUTOEXEC.BAT then rename AE.KAK to AUTOEXEC.BAT (it is a Kak install-time backup of AUTOEXEC.BAT). Check the Windows Startup folder and delete any file there named kak.hta.

Restart the machine and watch closely for a process called Driver Memory Error that only appears (and briefly) as a button on the taskbar. If that happens, you missed something or did it out of order. Start over.

Assuming that all has gone well, go to:

      http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

read it, download then run the offical MS patch that closes the security hole that Kak depends on. After doing that, you can reset your Email security to the Internet zone, although I certainly do not recommend that!

After all this, you will almost surely have one or more messages carrying the Kak code in your Email folders. Unless MS re-introduces the security hole Kak depends on in a future IE update, those message won't cause you any grief though forwarding them to others would be unwelcome. Note also, that any copies to self you've kept will also have active Kak code in them. Short of getting a virus scanner that can parse OE mail files, the only vaguely satisfactory workaround to the "problem" of possibly forwarding one of these "infected", saved messages is to configure all your user identities to send text-only Email rather than that HTML rubbish that is the OE default. Thus, setting text-only Email sending is a very good idea. Note that to set this configuration fully, you must not only set Tools/Options/Send to "Plain text" for the "Mail sending format", but also disable the "Reply to messages in the format in which they were sent" option (which is also on the Tools/Options/Send dialog).

Nick FitzGerald
Computer Virus Consulting Ltd.
(posted with Nick's permission)


Windows Millennium users please note:
If you can't clean or delete infected files from the _Restore\Temp or _Restore\Archive folders... read this.


- End Removal Instructions -


Some of you may now be wondering...

"How can I possibly keep my computer safe from further harm?"

Answer: Click Here for Some Tips!

© Claymania Creations 2001 - 2008. All rights reserved.