How to get rid of tavo.exe, kavo.exe trojan

Most frivolous Windows users would have had their antivirus shouting at some point with a message “Alert! A virus was found” and then popping up windows that mention “kavo.exe”. kavo.exe is a smart trojan that installs an autorun.inf in your C:\, making sure it updates itself every time you connect to the internet. The bad news is that this can be quite irritating and painful, as most antivirus software fails to remove it. The good news is that a little bit of common sense can help!
So let's go ahead and get rid of the kavos and tavos on our own!

  • First and foremost, check for an autorun.inf file in C:\. Open the file and check whether it has references to kavo or tavo. If it does, delete the file.
  • Delete all files in C:\ that have a “.com” extension.
  • Go to C:\Windows\system32\
  • Search for “kavo”; you will get results like kavo.exe, kavo.dll, kavo0.dll, kavo1.dll. Go ahead and delete kavo.dll and then kavo.exe. Then try to delete the other kavo DLL files. If you get a message that the files are in use and cannot be deleted, restart your computer and try deleting them again. In this manner delete all “kavo” files from system32.
  • Search for “tavo” and repeat the procedure explained for kavo.
  • Now all your bad files are gone and you just need to remove the registry entries.
  • Open the Run dialog (Windows+R) and type “regedit”. Browse to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the entries named kava and tava. An easier way is to download CCleaner and run its registry scan. This will show you all unwanted registry entries; kava and tava will also be listed, as we have removed the exes related to them. Click on “Fix selected issues” and do not take a backup of the registry.
  • Now delete all weirdly named files from C:\. Typically they would belong to the list below:
    • Autorun.inf
    • o.exe
    • nxvhpc.exe
    • ff1q0gw.bat
    • i8.com
    • e6ieg.exe
    • 6qe.com
    • cfv90h.com
    • ab.cmd
    • k2.cmd
    • h2.com
    • u.exe
    • fufb6tq3.cmd
    • ekf6dbg0.com
    • rtnlpipu.com
    • 1i.com
    • c18vk.exe
    • ntphyy.com

Your system is all clean now.
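
To confirm the result, here is a read-only audit of the locations named in the steps and comments on this page, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later, the regular expressions are assumptions built from the file and entry names the post lists, and it goes slightly beyond the post by checking the root of every drive rather than only C:\.

```powershell
# Read-only audit (added example, not from the post): it reports and never deletes or edits.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Location, $Detail) {
    $findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail })
}

# autorun.inf and executable/script files sitting in the root of each drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # open=, shellexecute= and shell\...\command= lines name the program that gets launched.
        Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { Add-Finding $inf ($_.Trim()) }
    }
    # -Force lists hidden and system files too, so Explorer's view settings do not matter.
    Get-ChildItem -LiteralPath $drive.Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.com', '.exe', '.bat', '.cmd' } |
        ForEach-Object { Add-Finding $drive.Root $_.Name }
}

# kavo/tavo binaries in system32 (pattern assumed from kavo.exe, kavo.dll, kavo0.dll, kavo1.dll).
$names = '^(kavo|tavo)\d*\.(exe|dll)$'
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $names } |
    ForEach-Object { Add-Finding $_.DirectoryName $_.Name }

# Per-user Run entries whose name or command mentions kava/kavo/tava/tavo.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Name) $($p.Value)" -match '(kav|tav)[ao]') {
            Add-Finding $runKey "$($p.Name) = $($p.Value)"
        }
    }
}

# "Show hidden files" setting from the comments: CheckedValue should be 1.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) { Add-Finding $showAll "CheckedValue = $checked (expected 1)" }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'Nothing to review.' }
```

Root-level executables are listed for review, not as confirmed malware; compare them against the file list above before deleting anything.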


10 Responses to How to get rid of tavo.exe, kavo.exe trojan

  1. Thanks for the post. It’s very interesting for me.

  2. divya says:

    And why is that so?

  3. Very nice post. A few months ago my PC was attacked by this annoying virus. Thanks for the info. Pls keep posting about viruses……

  4. divya says:

    Thanks! glad it helped you

  5. acap says:

    Hello, can you help me… I have kava…
    What the problem is… I can’t see the file… because it’s hidden… I tried show all… but can’t… I really don’t know what to do… can you help me…

  6. divya says:

    You should be able to locate the files in system32.. They have to be there… Change your folder settings, maybe that’s the problem.

  7. acap says:

    When I try to untick hide protected files it doesn’t do anything… now the problem is I can’t see hidden protected files…

  8. divya says:

    In that case, take a backup of your C drive and directly go to step 7 that I have mentioned and remove the registry entries… That might help…

  9. ray says:

    I seemed to have gotten this one as well. While it is active, it undoes any changes to the registry setting which controls your ability to see hidden files/folders. The version I have seems to be creating a fo.exe file on any drives connected to the computer and it creates a klif.dll file every time I open the C: drive so I am sure there is an unseen Autorun.inf file there as well. It also puts itself in several restore spots. I will be trying your steps as soon as the next scan is done. Thanks for your blog here, it is a great time saver.

  10. ray says:

    I should also note that none of the above files were found during the scan, possibly deleted in a previous scan. In order to return the ability to view hidden files, the registry setting is at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL; the CheckedValue and DefaultValue should be changed to 1.
