Kinza creates the following files in the system32 folder of the Windows directory:
kinza.exe, fiber.exe, boot.vbs, actmon.ini. The following variations may also be present:
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
rbwinx1.dll
Kill the following processes running under your username from Task Manager:
wscript.exe, cmd.exe, netsh.exe
First of all, Task Manager, Registry Editor and Folder Options may be disabled.
Re-enable Task Manager and Registry Tools if the virus has disabled them.
Run the following commands from Start->Run to unlock them first.
1. Unlock Task Manager
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Unlock Registry Editor
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3. Remove Internet Explorer Title:
Using Registry Editor, delete the following value in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
Change the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right side, find the entry named Userinit.
It will have the data:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
Change it to C:\WINDOWS\system32\userinit.exe
Now delete the following files located at C:\windows\system32\
kinza.exe
fiber.exe
actmon.ini
imapde.dll
imapdc.vxd
imapd.exe
imapdb.dll
imapdb.exe
imapdc.dll
imapdd.dll
imapde.dll
rbwinx1.dll
The virus disables Windows Firewall, which you have to reactivate by going to Control Panel, clicking Security Center, and then Windows Firewall. It will say that the service has been stopped and ask whether you want to start it. Click Yes to start the firewall again.
Delete the following registry value to complete the removal of unnecessary registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellNoRoam\MUICache
On the right side, locate and delete the value c:\windows\system32\fiber.exe
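A read-only check for the artifacts named in the steps above, as an added PowerShell example (not part of the original guide). It assumes PowerShell is installed on the machine; it reports what is still present and changes nothing, so it can be run before and after the cleanup.

```powershell
# Added example: read-only audit for the Kinza artifacts listed in this guide.
# Assumption: PowerShell is available; nothing is modified or deleted here.
$sys32 = Join-Path $env:SystemRoot 'system32'

# File names taken from the lists in this guide.
$files = 'kinza.exe','fiber.exe','boot.vbs','actmon.ini','imapde.dll','imapdc.vxd',
         'imapd.exe','imapdb.dll','imapdb.exe','imapdc.dll','imapdd.dll','rbwinx1.dll'
foreach ($f in $files) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) { Write-Output "FILE PRESENT: $p" }
}

# Policy values that lock Task Manager and Registry Editor (the guide resets them to 0).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr','DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { Write-Output "POLICY SET: $name = 1" }
}

# Userinit: split on commas; anything other than userinit.exe is an extra
# program started at logon (here, wscript.exe running boot.vbs).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $extra = $userinit -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -notmatch '\\userinit\.exe$') }
    foreach ($e in $extra) { Write-Output "USERINIT EXTRA ENTRY: $e" }
}

# Internet Explorer title value that the guide says to delete.
$ie = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title = (Get-ItemProperty -Path $ie -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title) { Write-Output "IE WINDOW TITLE SET: $title" }
```

No output means none of the checked items were found.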