Can Avast home remove the Kido Virus completely?

Hi there,
I’m using Avast Home Edition. Recently I have been getting warning messages from the Avast program about the Kido virus, about 2 to 3 times a day. Those messages appear nearly every day. One strange thing is that the infected files are random .JPG files.
How can I completely remove that Virus?
Thanks.
(I use Firefox to browse the web, never use IE)

Below is the detailed log:


20/02/09 8:07:01 AM	SYSTEM	572	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\WINNT\system32\dcporq.dll" file.  
20/02/09 8:08:13 AM	Thanh Toan	1032	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OD85ORYT\xtibmp[1].jpg" file.  
24/02/09 4:03:37 PM	SYSTEM	572	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\acbj[1].jpg" file.  
24/02/09 4:03:59 PM	SYSTEM	572	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\mjubow[1].jpg" file.  
25/02/09 8:29:19 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\zerryorf[1].jpg" file.  
26/02/09 8:15:16 AM	SYSTEM	580	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\aktqnxqv[1].jpg" file.  
26/02/09 8:15:23 AM	SYSTEM	580	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\aktqnxqv[1].jpg" file.  
27/02/09 8:24:43 AM	SYSTEM	580	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\arjr[1].jpg" file.  
27/02/09 8:24:47 AM	SYSTEM	580	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\zdqzq[1].jpg" file.  
03/03/09 2:35:47 PM	SYSTEM	584	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\jbpgf[1].jpg" file.  
05/03/09 8:10:04 AM	SYSTEM	584	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\tgnmmkrp[1].jpg" file.  
05/03/09 8:10:15 AM	SYSTEM	584	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\tgnmmkrp[1].jpg" file.  
06/03/09 8:18:40 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\kqbjobc[1].jpg" file.  
09/03/09 10:43:45 AM	SYSTEM	580	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OD85ORYT\jyvkcwdg[1].jpg" file.  
11/03/09 9:56:09 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ITCBMLK5\ijpzoxey[1].jpg" file.  
11/03/09 9:56:15 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\UJM1EPMP\ijpzoxey[1].jpg" file.  
12/03/09 8:04:32 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A58RG7YV\ezwtq[1].jpg" file.  
16/03/09 8:26:29 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\P9AQH2P2\hbxe[1].jpg" file.  
16/03/09 8:26:40 AM	SYSTEM	576	Sign of "Win32:Kido-D [Wrm]" has been found in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A58RG7YV\rvrjfi[1].jpg" file.  
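To read a log like the one above the way a responder would, it helps to parse it rather than eyeball it: which detections sit in the browser cache (transient downloads, cleared by the cache cleanup the replies recommend) and which sit in the system directory (the resident component), who the reporting account was, and over what period. The parser below is an added example written for this thread, not code from Avast or from the poster; it assumes the tab-separated line layout shown in the post and uses a constructed sample built from a few of the posted lines.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# One Avast log line as posted: <dd/mm/yy h:mm:ss AM|PM> TAB <user> TAB <pid> TAB
# Sign of "<signature>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M)\t'
    r'(?P<user>[^\t]+)\t(?P<pid>\d+)\t'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)


def _line(ts, user, pid, path):
    """Build one log line in the layout Avast used in the thread (constructed sample data)."""
    return "\t".join([ts, user, pid, f'Sign of "Win32:Kido-D [Wrm]" has been found in "{path}" file.  '])


# Constructed sample: three lines copied from the posted log plus one malformed line to show skipping.
SAMPLE_LOG = "\n".join([
    _line("20/02/09 8:07:01 AM", "SYSTEM", "572", r"C:\WINNT\system32\dcporq.dll"),
    _line("20/02/09 8:08:13 AM", "Thanh Toan", "1032",
          r"C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OD85ORYT\xtibmp[1].jpg"),
    _line("24/02/09 4:03:37 PM", "SYSTEM", "572",
          r"C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GNAZSJQ1\acbj[1].jpg"),
    "this line is not in the expected format and is skipped",
])


def parse_avast_log(text):
    """Parse log text into a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d/%m/%y %I:%M:%S %p"),
            "user": m.group("user"),
            "pid": int(m.group("pid")),
            "signature": m.group("sig"),
            "path": m.group("path"),
        })
    return events


def classify_path(path):
    """Separate a browser-cache copy (a download) from a file in the system directory (resident component)."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    if "\\system32\\" in p:
        return "system_dir"
    return "other"


def summarize(events):
    """Aggregate detections: where they are, which account reported them, and what lives outside the cache."""
    times = [e["time"] for e in events]
    return {
        "count": len(events),
        "by_location": Counter(classify_path(e["path"]) for e in events),
        "by_user": Counter(e["user"] for e in events),
        "by_extension": Counter(PureWindowsPath(e["path"]).suffix.lower() for e in events),
        "non_cache_paths": sorted({e["path"] for e in events if classify_path(e["path"]) != "browser_cache"}),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
    }


if __name__ == "__main__":
    s = summarize(parse_avast_log(SAMPLE_LOG))
    print(f"{s['count']} detections from {s['first_seen']} to {s['last_seen']}")
    print("by location:", dict(s["by_location"]))
    print("by user:", dict(s["by_user"]))
    print("files outside the browser cache (the resident component lives here):")
    for p in s["non_cache_paths"]:
        print("  ", p)
```

Run against the full posted log, the summary separates the single DLL under system32 from the cache entries under Content.IE5. The `[1]` suffix and the Content.IE5 directories are how the Internet Explorer cache names downloaded files, and the posted lines show most of those cache hits reported under the SYSTEM account in the Default User profile, which is consistent with a service-level process making the downloads rather than the interactive browser; that is why the replies focus on patching and a boot scan rather than on Firefox.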

The Kido virus is a polymorphic worm, according to reports I’ve seen. This makes it difficult to remove, because of the constantly changing files and variants.
I don’t know if Avast can remove all variants or not. What it can detect, I would think it can remove.
The first step is to clear the browser cache and any temporary files. (Use the browser options/Disk Cleanup and/or CCleaner/ATF Cleaner for that job.)
Then try a boot scan, and quarantine (send to chest) anything found.

There is a tool that claims to remove all versions of the Conficker worm (an alias), posted about by Polonius here: http://forum.avast.com/index.php?topic=43344.msg362512#msg362512. I have no experience with this tool. Might be worth a try; I would. (PS it’s by BitDefender, = reputable.)

Is your version of Windows fully updated? Make it so; this thing spreads through an unpatched vulnerability, so I’ve read. This is the vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
A little more info here: http://www.viruslist.com/en/alerts?alertid=203996089
PPS Welcome to the forum.

Hi target_locked,

Read here: http://antifraudintl.org/showthread.php?p=51897
Of course the tool also mentioned by Tarq57 is recommendable, but a specific description and the download for a special Kaspersky Kido cleansing tool, KidoKiller, can be found here:
http://support.kaspersky.com/faq/?qid=208279973
For a manual check on files, consider this manual removal information:
Kido manual removal instructions

Block Kido sites:
hgetmyip.org
getmyip.co.uk
checkip.dyndns.org
whatsmyipaddress.com
ahayw.info
ajcminmqpeu.com
anosb.biz
aqgcurmt.net
bdfbobhuls.com
bjmqxoxbmyq.org
bszeu.info
cfcpreiwtgx.net
cpfgbuwqv.biz
cukpubgb.net
dconkp.com
dpxzsrjhsn.org
dtyqryfi.biz
dviwvh.net
dwmpveim.info
dxnlypjjxp.biz
eaguzulxdr.org
ekrohmqa.info
eoblibwqaig.info
epvzvuah.info
ethogxkt.net
euwqeixq.biz
exxcpxm.net
eyjayqmwxxo.org
ezhvnjlvuk.org
fdzwsak.net
gatkcy.org
gceqy.info
ggcnqnr.info
gkmdbporqmp.biz
gmtgpb.org
guiahproe.info
gxepchol.net
gztql.net
haqrcz.com
hkqrhqev.com
hndrijmu.org
hvxmlcc.org
idahdfyojhz.com
ipbdwihw.info
iquvtfhm.net
irhtphctgn.com
ivouyvxaf.net
jfvyipo.info
jhhwydtk.com
jjbuafs.info
jptplynb.org
jutsyu.com
kagvjo.com
kfzksydrct.org
khvdkdjnrhr.biz
ktivtbse.net
lbori.com
ltxbrwfosrg.net
mhjhb.com
mtqcpiwod.biz
nsjmewgdb.com
ntshnjyxfh.net
nxphotp.com
ocykqj.biz
oenjrcaly.net
oororgpkbp.com
ozlqvnkiq.net
palrw.org
pmotqmf.com
pvuxb.info
qffszcfgyzn.org
qfoilcqp.com
qjafgfp.net
rfduzjbztg.biz
riuvunis.info
rlbidexd.org
rntbogfz.biz
rtkrhxsp.biz
ruolomicarp.org
rxytvgkapvw.biz
safxg.net
sdxkcnzcvhd.org
shbyxebiec.biz
srsoeggve.org
tbkmloh.net
tezjm.net
tilazlfn.com
tqlxquy.org
trxho.org
uiiwmmgr.com
upyuqxpmlxt.net
vdunf.net
vtewiyny.info
vuahzmvf.biz
vweoof.org
wkjhjr.com
xehlydgan.net
xmmzcsqm.biz
xtjejduc.org
xxwoteojg.biz
xytbvkrqhu.info
ybhufq.net
yenhbrt.biz
yfczve.info
ylfamhcgn.net
ylzbgyorfy.org
ysxbkquj.info
ythekdrar.net
yudxsol.org
yzbvrteij.biz
yzpjvpkdtq.biz
zjxuw.org
zpqhr.biz
zuuroktw.biz
zzkjecmf.com

Locate and delete Kido registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpNumConnections" = dword:0x00FFFFFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "[PATH OF WORM]"

Detect and delete other Kido files:
%All Users Application Data%\[RANDOM FILE NAME].dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
vhoinp.dll
%System%\[RANDOM FILE NAME].dll
%System%\[Random].dll
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%All Users Application Data%\[Random].dll
%Temp%\[Random].dll
%System%\[Random].tmp
%Temp%\[Random].tmp

polonus
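The "Block Kido sites" list in the post above is the kind of thing people paste into the hosts file by hand, which is error-prone and hard to update. The script below is an added example written for this thread, not polonus's or Kaspersky's code: it normalises a pasted domain list (case, trailing dots, duplicates, junk lines), validates each hostname, writes the entries as a marked block that can be replaced wholesale when the list changes, and reports which listed domains a given hosts file does not yet sink. The excerpt of the list, the extra duplicate and junk entries, and the sample hosts file are all constructed for the example; the marker name `kido-blocklist` and the `0.0.0.0` sink address are the example's own choices.

```python
import re

# Constructed excerpt of the "Block Kido sites" list above, with a duplicate (different case)
# and a junk line added to exercise the validation.
BLOCKLIST_TEXT = """
hgetmyip.org
getmyip.co.uk
checkip.dyndns.org
ahayw.info
ajcminmqpeu.com
AHAYW.INFO
not a hostname!
zzkjecmf.com
"""

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Addresses that a hosts file uses to sink a name.
SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def is_valid_hostname(name):
    """RFC 1123 style check; requires at least two labels so a bare word is rejected."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_domain_list(text):
    """Normalise a pasted list: lower-case, strip trailing dots, drop blanks, comments, junk and duplicates."""
    seen, domains = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or not is_valid_hostname(name) or name in seen:
            continue
        seen.add(name)
        domains.append(name)
    return domains


def render_hosts_block(domains, marker="kido-blocklist", sink="0.0.0.0"):
    """Emit the entries between BEGIN/END comment markers so the block can be swapped out later."""
    lines = [f"# BEGIN {marker}"] + [f"{sink} {d}" for d in domains] + [f"# END {marker}"]
    return "\n".join(lines) + "\n"


def merge_into_hosts(hosts_text, domains, marker="kido-blocklist", sink="0.0.0.0"):
    """Insert the block, or replace an existing one with the same marker; the rest of the file is untouched."""
    block = render_hosts_block(domains, marker, sink)
    pattern = re.compile(rf"# BEGIN {re.escape(marker)}\n.*?# END {re.escape(marker)}\n", re.S)
    if pattern.search(hosts_text):
        return pattern.sub(lambda _m: block, hosts_text)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + block


def blocked_hosts(hosts_text):
    """Return every hostname the hosts file already maps to a sink address."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in SINKS:
            blocked.update(h.lower() for h in fields[1:])
    return blocked


def unblocked(domains, hosts_text):
    """Listed domains that this hosts file does not yet sink."""
    have = blocked_hosts(hosts_text)
    return [d for d in domains if d not in have]


if __name__ == "__main__":
    # Constructed stand-in for %SystemRoot%\system32\drivers\etc\hosts on an untouched machine.
    existing = "127.0.0.1 localhost\n"
    domains = parse_domain_list(BLOCKLIST_TEXT)
    print("not yet blocked:", unblocked(domains, existing))
    merged = merge_into_hosts(existing, domains)
    print(merged)
    print("not yet blocked after merge:", unblocked(domains, merged))
```

Two caveats a practitioner would keep in mind. The list mixes the worm's own generated domains with public "what is my IP" services (checkip.dyndns.org, whatsmyipaddress.com and the like); sinking those also breaks any legitimate program that uses them, so decide deliberately rather than pasting the whole list. And a hosts-file block only affects name lookups made through the local resolver; it is a containment aid for an already patched machine, not a substitute for the MS08-067 update and a boot scan that the earlier replies describe.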

You must fully update your OS as the first step… it is necessary to stop the virus from reappearing…

Thank you all for the advice.
I have just run the Microsoft Security Bulletin MS08-067 – Critical update (KB958644).
Then I ran a full system start-up scan with Avast; it detected Kido in a DLL file in the system folder and in some .JPG files.
Since then I have not seen any Avast warnings about Kido.

Hope that solved my problem. :)

Sounds good.
You might want to run that Bitdefender tool, just to be sure. And turn Windows update on, at least to notify when new updates are available. This happens to a schedule, normally, 2nd Tuesday of every month. (Wednesday on our side of the date line.)
I also recommend having a look at www.secunia.org, who provide online PC scans for out-of-date software, and provide (free) an application called PSI, which will scan everything on the PC and notify you of known vulnerabilities.

hello all,

Recently I was also affected by this bloody virus. As Mr. Polonus said, I checked all the registry entries in vain. None of the registry entries were found, and Avast was continuously notifying me of this virus. But I found another registry entry 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist' which doesn’t correspond to any software I have installed. When I browsed into the registry entry, I found many of the sub-entries were filled with network paths I was connected to, and this confirmed to me that these are the entries of the virus, as many of the network IP addresses were present but the paths weren’t present. I deleted the registry entry (and I didn’t mind deleting it as it is an HKEY_CURRENT_USER entry), and until now Avast hasn’t notified me of the virus. No updates, no installation… Hope this helps somebody.

Try using Norton Power Eraser. Download link: http://security.symantec.com/nbrt/npe.aspx?lcid=1033

Tell it to include a rootkit scan if it asks you, and if it finds anything, proceed with the removal by clicking Next.

Do tell me whether this was helpful or not…

regards,
com155.

There aren’t any AVs that can remove such a powerful worm.
Follow the instructions here:
http://support.kaspersky.com/kis2009/error?qid=208279973

Kidokiller is an awesome tool.