
Win32.kido worm Symptoms and Removal

July 5, 2009

Win32.kido, also known by several names including Conficker, Downup and Downadup, is a computer worm that mainly affects the Windows operating system. Once it has infected a machine it spreads through the local network and through removable media. The worm is a Windows DLL file, so it mainly affects the DLL files in system32. The file is marked system and hidden, and no one has rights to remove or rename it; even KAV (Kaspersky Anti-Virus) only shows the Skip option, with no Delete and no Disinfect. The worm also adds a registry value that prevents the user from showing hidden files and folders, and it creates its own service. When a pen drive is attached to an infected system the pen drive is automatically infected as well: the worm creates an Autorun.inf and a jwgkvsq.vmx file on it. As self-defence, the worm resets System Restore points and disables a number of system services, such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.

Symptoms:–

. Account lockout policies being reset automatically.
. Certain Microsoft Windows services, such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting, disabled.
. Domain controllers responding slowly to client requests.
. Congestion on local area networks.
. Web sites related to antivirus software or the Windows Update service becoming inaccessible.
. User accounts locked out.

Removal:–

. Install all the patches released by Microsoft.
. Install all the updates from Microsoft.
. Install a proper antivirus and its definitions.
. Scan your PC on a daily basis.
. Remove the malicious software, or use the Microsoft Malicious Software Removal Tool.

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:

Delete the following system registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
“netsvcs”
Reboot the computer.
Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

Delete copies of the worm:
%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp
where the missing part of each file name is a random string of symbols.

Delete the files shown below from all removable storage media:
:\autorun.inf
:\RECYCLER\S-%d%-%d%-%d%-%d%-%d%\.vmx
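The following PowerShell script is an added example, not part of the original post or of any vendor tool. It is read-only: it walks through the indicators the post describes (the netsvcs service key, a DLL injected into the SvcHost netsvcs group, a hidden+system DLL, the disabled services, the hidden-files toggle, and autorun.inf plus a .vmx file under RECYCLER on removable drives) and reports what it finds without deleting anything, so you can confirm an infection before following the manual steps above or running a current antivirus. The service short names (wuauserv, BITS, wscsvc, WinDefend, ERSvc, WerSvc) and the Explorer SHOWALL\CheckedValue setting are assumptions of the example; the post names the services and the symptom but not these identifiers.

```powershell
# Added example (not from the original post): read-only triage for the
# Kido/Conficker indicators described above. Nothing is deleted or changed.
# Assumptions not stated in the post: the service names wuauserv, BITS,
# wscsvc, WinDefend, ERSvc, WerSvc and the Explorer SHOWALL\CheckedValue value.
# Run from an elevated PowerShell prompt.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. The service key the post tells you to delete.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\netsvcs'
if (Test-Path -Path $svcKey) {
    $findings.Add("Service key present: $svcKey")
}

# 2. Members of the SvcHost "netsvcs" group. Each member should be a service
#    whose ServiceDll lives in System32. The post says the worm's copy is a
#    hidden+system DLL and also lists Internet Explorer, Movie Maker, Temp and
#    All Users Application Data as drop locations, so flag both conditions.
$svcHost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$group   = (Get-ItemProperty -Path $svcHost -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
$sysDir  = [Environment]::GetFolderPath('System')
foreach ($member in @($group)) {
    if ($member -match '\.dll$') {
        # A DLL path instead of a service name is not how the group is normally populated.
        $findings.Add("DLL listed directly in netsvcs group: $member")
        continue
    }
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$member\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not $path.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("Service '$member' loads a DLL outside System32: $path")
    }
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $attrs = [int]$file.Attributes
        $hidden = ($attrs -band [int][IO.FileAttributes]::Hidden) -ne 0
        $system = ($attrs -band [int][IO.FileAttributes]::System) -ne 0
        if ($hidden -and $system) {
            $findings.Add("Service '$member' DLL is marked hidden+system: $path")
        }
    }
}

# 3. Services the post says the worm disables (short names are assumptions).
$watched = @{
    wuauserv  = 'Windows Automatic Updates'
    BITS      = 'Background Intelligent Transfer Service'
    wscsvc    = 'Windows Security Center'
    WinDefend = 'Windows Defender'
    ERSvc     = 'Windows Error Reporting (XP)'
    WerSvc    = 'Windows Error Reporting (Vista and later)'
}
foreach ($name in $watched.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings.Add("$($watched[$name]) ($name) is set to Disabled")
    }
}

# 4. The "show hidden files" toggle the post says the worm turns off.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne $null -and $checked -ne 1) {
    $findings.Add("Explorer SHOWALL CheckedValue is $checked (expected 1)")
}

# 5. Removable drives (DriveType 2): autorun.inf plus a .vmx file under
#    RECYCLER is the pattern the post describes for infected pen drives.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($disk in @($removable)) {
    if (-not $disk) { continue }
    $root = $disk.DeviceID + '\'
    if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) {
        $findings.Add("autorun.inf present on $root")
    }
    $recycler = Join-Path $root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        Get-ChildItem -LiteralPath $recycler -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("VMX file under RECYCLER: $($_.FullName)") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Kido/Conficker indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script deliberately checks the SvcHost group rather than looking for a file name, because the post notes the worm's DLL carries a random name; a service in the netsvcs group whose DLL is hidden+system, or lives outside System32, is the durable signal. A hit on any item is a reason to take the machine off the network and proceed with the removal steps above or a current antivirus, not proof on its own.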

We recommend using a spyware remover to track Kido and automatically remove Kido processes, registry entries and files, as well as other spyware threats.
