OS: Windows XP Sp2
Problem: Kasper 7.0 is unable to delete WormWin32 Kido.ih. I am working
in an organization and one of my labs is infected with that worm. I have
also tried the KLWL and kkiller utilities, but they did not even detect this
version of KIDO.IH.
Symptoms: Kido.ih drops a DLL file in system32 which has a different
name on each of my network PCs. This file is system hidden and no one has
rights to remove or rename it. Even KAV 7.0 only shows the skip option,
no delete, no disinfect. This worm also adds a registry value which
prevents the user from showing hidden files or folders. It also creates its
SERVICE. When we attach any pen drive to the infected system, the pen drive
is automatically infected with that worm, and this worm creates Autorun.inf
and a jwgkvsq.vmx file.
What I have tried: I tried every step and was able to remove that DLL file
in Safe Mode. But it is automatically created again because the whole LAN
is infected with that worm.
A kido.ih sample which I found on my pen drive
Sample of Autorun.inf and jwgkvsq.vmx:
http://rapidshare.com/files/213226372/Win_32_Worm_kido.ih_Sample.rar.html
Password for Win_32_Worm_kido.ih_Sample.rar: "kido" without
quotes
Please help
--
itsallaobutgame
------------------------------------------------------------------------
itsallaobutgame's Profile: http://forums.techarena.in/members/83696.htm
View this thread: http://forums.techarena.in/virus-spyware/1148204.htm
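The pen-drive symptom described in the post above can be triaged without opening the drive in Explorer. The following is an added example, not part of any poster's message: it lists the entries in an Autorun.inf that would execute something and the files on the drive those entries name. The function names, the sample file content and the `loader.exe` command are constructed for illustration.

```python
import os
import re
import sys

# Keys in the [autorun] section that make Windows run something from the drive.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample, not the real worm file; loader.exe is a placeholder.
SAMPLE = (b"\x8f\x03 junk before the section\r\n[AutoRun]\r\n"
          b";open=ignored.exe\r\nAction=Open folder to view files\r\n"
          b"Open=loader.exe jwgkvsq.vmx\r\n"
          b"shell\\open\\Command=loader.exe jwgkvsq.vmx\r\n")


def autorun_commands(data: bytes):
    """Return (key, command) pairs from the [autorun] section.

    Anything that is not a section header or key=value line is skipped, so
    junk or padding in the file does not hide the entries that execute code.
    """
    found, in_section = [], False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if EXEC_KEY.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found


def scan_drive_root(root: str):
    """List autorun commands on a drive and the files on it that they name."""
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    with open(os.path.join(root, inf), "rb") as fh:
        commands = autorun_commands(fh.read())
    on_drive = sorted({f for _, _, files in os.walk(root) for f in files
                       if f.lower() != "autorun.inf"})
    return [{"key": k, "command": c,
             "files": [f for f in on_drive if f.lower() in c.lower()]}
            for k, c in commands]


if __name__ == "__main__":
    for entry in scan_drive_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(entry)
```

Any entry returned for a drive that should hold only data is worth a closer look, and the `files` list points at what to hand to the scanner.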
Please try the "Removal instructions" here:
<http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790>
Follow with a scan with the free version of:
<http://www.malwarebytes.org/mbam-download.php>
Please make absolute sure that you have installed this patch:
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
You definitely should flatten and rebuild every infected system.
Additionally, you should find out how this thing was spread.
You should not try to remove it - this will not work in a secure way.
Yours,
VB.
--
Please also note the reverse side of this letter!
Better not do this. Such "removal instructions" are make-believe.
> Please make absolute sure that you have installed this patch:
> <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
Better read this text:
<http://technet.microsoft.com/en-us/library/cc512587.aspx>