How do i remove Win32 Kido?

The same old question…
How do I F*****G remove a virus that keeps popping up?
I found that I am infected with KIDO and it is a real pain!
I can make my antivirus update, and Explorer/Mozilla can connect to A.V. sites, by closing an svchost.exe running under Local Service!
This will eventually turn itself back on, so you better move quickly!
Avast DOES NOT FIND IT!
So my only hope was Avast and Spyware Doctor or Dr. Web!
Since all failed, I might ask for professional help instead!
Please answer ASAP!
I am currently making a file recovery from a badly broken hard drive that gave me around 300 surprises and keeps counting… (malware, trojans and bad sectors from it, I mean)
Bad sectors were around 5,000 in 20 GB of data in the C:\ drive and 200/300 in the D:\ in 130 GB of data!
Hard drive is a Western Digital 160 GB.
The worst is not over!
VIRUT32 was on too, but I managed it fast with the Dr. Web live CD in 4 days!
Still, in System Volume Information a part of Virut is hidden and cannot be deleted >:(!
P.S. Cannot make hidden files visible AT ALL! Maybe there is another virus there!
Please tell me a solution to my problem!

Oh, forgot about this error!:
Entry Point Not Found
The procedure entry point _except_handler4_common could not be located in the dynamic link library msvcrt.dll

This OS is a brand new install and it gave me a real pain doing it 6 times in 1 day!
Thanks, DarK-Wisper

Net-Worm.Win32.Kido Remover 3.4.7
http://www.softpedia.com/get/Antivirus/Net-Worm-Win32-Kido-Remover.shtml

conficker (kido) repair tools
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/RepairTools

VIRUT32 was on too, but I managed it fast with the Dr. Web live CD in 4 days!
If you have Virut, then it is very bad news.

W32:Vitro (Virut) virus removal
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=314

Dealing with the dispicable Vitro / Virut (Win32.Virut) polymorphic virus
http://technosopher.wordpress.com/2009/04/21/vitro-virut-win32/

Virut and other File infectors - Throwing in the Towel?
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Thank you, I will try all of these methods, but for Virut I strongly recommend the Dr. Web live CD!
It is an isolinux scanner and a very strong one ;D!
Have a nice day!
Regards, DarK-Wisper.
P.S. I am going to let you know if it helped!

Maybe use Kaspersky's methods:

http://support.kaspersky.com/faq/?qid=208279973

Nothing you gave me worked :cry:
Nothing was found!
My computer works slowly and my internet is really slow!
I usually download from my uTorrent tracker with a minimum of 2 MB/sec, 5 normally, 7 with many seeders, and the max was 36 MB/sec!
So my internet provider is a good one!
My computer freezes sometimes and it really pisses me off! I have to restart the computer from the button, or else it takes ages to recover!
HELP!!
Another thing!
I might have KIDO.IT, not the regular KIDO!
I am not sure!!! ???

START HERE: repost here "in your topic please"
http://forum.avast.com/index.php?topic=55588.0

I almost fell asleep while reading that post…
I use Avast and Spyware Doctor!
In some cases I use Dr. Web CureIt and/or the Dr. Web Live CD (as a last resort).

I almost fell asleep while reading that post..
It is not my case if you don't like what we wrote. The information is good and yes, it has some advanced things. In general, maybe I should include some girls' photos so you will not sleep; putting in some Flash would be good, and the 1000000-user message would be good too. But you don't tell me: are you starting to generate reports or not?

Hi dark-wisper,

If the read from spyhacker is too technical, go to the nitty-gritty and try this manual cleansing:
Make a copy of the registry first to return to in case of an error!

Step 1: Use Registry Editor to Remove Kido Registry Values

To open the Registry Editor, go to Start > Run > type regedit and then press the “OK” button.
Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
To delete a “Kido” value, right-click on it and select the “Delete” option.
Locate and delete the “Kido” registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue = dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}, “ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters, “ServiceDll” = “[PATH OF WORM]”

Step 2: Use Windows Command Prompt to Unregister Kido DLL Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
Type “cd” in order to change the current directory, press the “space” key, enter the full path to where you believe the Kido DLL file is located and press the “Enter” key on your keyboard. If you don’t know where the Kido DLL file is located, use the “dir” command to display the directory’s contents.
To unregister a “Kido” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u Kido.dll) and press the “Enter” key. A message will pop up that says you successfully unregistered the file.
Search for and unregister the “Kido” DLL files:
%All Users Application Data%\[RANDOM FILE NAME].dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll

Step 3: Detect and Delete Other Kido Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
Type in “dir /A name_of_the_folder” (for example, dir /A C:\Spyware-folder), which will display the folder’s contents, including hidden files.
To change directory, type in “cd name_of_the_folder”.
Once you have found the file you’re looking for, type in “del name_of_the_file”.
To delete a file in a folder, type in “del name_of_the_file”.
To delete the entire folder, type in “rmdir /S name_of_the_folder”.
In Task Manager, select the “Kido” process and click on the “End Process” button to kill it.
Remove the “Kido” process files:
%Temp%\[Random].tmp
%System%\[Random].tmp
%All Users Application Data%\[RANDOM FILE NAME].dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll

polonus
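As an added, read-only example (not from this thread or from polonus), a PowerShell audit of the registry locations and drop folders named in Steps 1 to 3, so the values can be reviewed before anything is deleted. It assumes an elevated Windows PowerShell 3.0+ session; the suspect-service heuristic (a netsvcs-hosted service whose ServiceDll is outside System32, missing from disk, or not listed in the netsvcs group) and the use of $env:ProgramData for %All Users Application Data% are this example's own assumptions.

```powershell
# Added audit script, not from the thread. Read-only: it reports, never deletes.
function Get-KidoAudit {
    $r = [ordered]@{}
    # Step 1: the svchost group list the worm appends its random service name to
    $svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $netsvcs = @((Get-ItemProperty $svchost -Name netsvcs -ErrorAction SilentlyContinue).netsvcs)
    $r.Netsvcs = $netsvcs
    # Step 1: the Explorer "show hidden files" switch the worm forces to 0
    $showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $r.ShowAllCheckedValue = (Get-ItemProperty $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    # Step 1: every service hosted by "svchost.exe -k netsvcs" and the DLL it loads.
    # Heuristic (assumption of this example): flag a DLL outside System32, missing
    # from disk, or a service name that is not actually in the netsvcs group.
    $r.SuspectServices = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -notmatch 'svchost\.exe\s+-k\s+netsvcs') { continue }
        $dll = (Get-ItemProperty "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $full = [Environment]::ExpandEnvironmentVariables($dll)
        $inSys32 = $full -like "$env:SystemRoot\System32\*"
        $onDisk = Test-Path -LiteralPath $full
        $inGroup = $netsvcs -contains $svc.PSChildName
        if ($inSys32 -and $onDisk -and $inGroup) { continue }
        [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $full; OnDisk = $onDisk; InNetsvcs = $inGroup }
    }
    # Steps 2-3: hidden .dll/.tmp files in the drop folders the post lists
    # ($env:ProgramData stands in for %All Users Application Data%; assumption)
    $drop = @($env:ProgramData, "$env:ProgramFiles\Movie Maker", "$env:ProgramFiles\Internet Explorer",
              $env:TEMP, "$env:SystemRoot\System32")
    $r.HiddenDropFiles = foreach ($d in $drop) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
            Where-Object { (-not $_.PSIsContainer) -and
                           (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                           ($_.Extension -in '.dll', '.tmp') } |
            Select-Object FullName, LastWriteTime
    }
    return $r
}

Get-KidoAudit
```

A ShowAllCheckedValue of 0 explains the "cannot make hidden files visible" symptom from the first post; an empty SuspectServices list with a clean netsvcs value argues against the registry persistence described in Step 1.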

spyhacker
Maybe I will change my name to "MAK" or "MVP"
Maybe I will change my name to "MAK" or "MVP"
I wouldn't go with "MVP" (http://mvp.support.microsoft.com/). Unless you are certified as such. Might cause confusion. How about "Antihacker"?

Being an MVP is good, but I don't think they will give it to a Syrian guy. "I really suffer on SourceForge now because of the American rules that prevent us from some projects, but in the end they lose, not me."

How about "Antihacker"?
I won't be a traitor to the white hackers community ;), but thank you.

How about WhiteHacker, then?
Or is that a bit passé in your world? :wink:

Superhacker, sorry to insult your work, but it was 3 AM when I was reading that… you make the connection as to why I almost fell asleep.
That was really useful! I read 25% and when I scrolled down I saw it was too huge an amount of data to understand at that time…
And what did you mean by

but you dont tell me,are you starting generating reports or not?
Didn't catch that... sorry! I am not a pro in virus removal! One more thing, guys: is it really possible that I might not have KIDO at all? My internet connection was perfect, 42 Mb/second at my last test without this "net worm", and now it gives me more than 6 Mb/second max! My uTorrent works slowly, my browser moves slowly, my PC freezes sometimes... Any program out there to make a diagnostic?

POLONUS

In

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%

Here is what I have there!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
3 things:
Default
AuthenticationCapabilities
CoInitializeSecurityParam

In

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue = dword:00000000

here is what I have:
NOHIDDEN (folder)
SHOWALL (folder)

These are folders that have almost the same things inside!

I searched in regedit for ServiceDll
and found
%SystemRoot%\System32\6to4svc.dll
in it!
What is it?
And for ImagePath I searched and found this in it:
system32\DRIVERS\ACPI.sys

No random files were found on the computer!
Other explanations why my computer works like s*!t?
Thanks in advance!

DarK-Wisper

Did you see this… Conficker (Kido) repair tools
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/RepairTools

Have you tried

Malwarebytes Anti-Malware 1.44 http://filehippo.com/download_malwarebytes_anti_malware/
After install, UPDATE and run a quick scan. Click the “REMOVE SELECTED” button to quarantine anything found and restart.

Come back and post the scan log here.

If nothing works, follow this guide from essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Sorry dark-wisper, me too, I was tired and a little angry.
I mean to use the tools that I name under "Overall system analyzer", like ESET SysInspector, Autoruns, …
If you can give them, we will really be able to help you.

Dude, Malwarebytes has found 80 infected files that are false positives!
Rogue.Foxie is the tool I use to clean my PC from junk files and scan for registry viruses!
It can’t be a virus!
I am using Trend Micro System Cleaner to scan for Worm_download to see if I am infected with this one!
cya tomorrow… it’s 2 AM here and it’s really LATE! And I am tired :-\

Edit:

Malwarebytes' Anti-Malware 1.44
Database version: 3743
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

16.02.2010 02:20:00
mbam-log-2010-02-16 (02-19-55).txt

Scan type: Quick Scan
Objects scanned: 105354
Time elapsed: 20 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL log here guys!

Hi, which tool I use next depends on whether this removes the driver or not.

Run OTL.exe

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Services
meeypeqgp

:Commands
[purity]
[emptytemp]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot when it is done.
- Then post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).