

Can't shake the NYXEM worm

Posted on 2006-04-21
Medium Priority
Last Modified: 2010-04-11
I have recently contracted this damn thing by the strangest of all possible circumstances.  Our company's virus solution expired on Jan 11 of this year, and the damn worm came out on the 16th.  So, needless to say, no protection for us.

I've scoured the web looking for some decent advice on how to scrub this thing off and can't seem to do it.  I have restored our subscription and manually updated some of the machines in the company (about 1/3).  The problem is that once I scrub a machine, it comes back.

I have tried the following things:

regedit- removed a few added keys
scheduled tasks - removed any additions and shut off service
deleted all the damn zips that were hiding all over
updated virus definitions

I have tried some other things too.  What I want, and I'll pay cash, is something that I can load, run, and not have to do all this manual crap.  Is it too late once this thing gets in the door?  Or is there anything in hell I can do to stomp this thing out?  
Question by:mwilkans
LVL 44

Accepted Solution

zephyr_hex (Megan) earned 500 total points
ID: 16512050

This worm is also known as W32.Blackmal.E@mm.
Go to the section entitled Removal Instructions (about 3/4 of the way down).  There is a link to a removal tool.  Please note that this worm targets your AV, so you may need to reinstall your AV after removal is complete.

here is the direct link to the removal tool
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 16512711
If it's coming back on XP Pro machines you need to turn off System Restore, THEN clean it. McAfee's Stinger detects and removes it, for free: http://vil.nai.com/vil/stinger/
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 16513479
Hello there,

Go here for the 2 best spyware/adware removers. They work great!

Spybot S&D

http://www.spybot.info/en/download/index.html (download 1.4)

Adaware SE Personal


You can also download hijackthis

Post the results at www.hijackthis.de 

also another great program
Also go to command line and type "msconfig"

Go to the startup tab and disable any/all of the programs that you don't want running when windows starts.

Author Comment

ID: 16516228
I am heading into work tomorrow to try these out.  Will let you know what I find.  As always, thank you very much.
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16516354
No problem. Give it a shot


Author Comment

ID: 16534592
I tried some of the above suggestions.  The Symantec tool could not find it on a machine that I knew had it.  The problem now is that the thing spreads everywhere in any way that it can.  And our network is such that it needs things that this bug thrives on.  I guess I have to come in over the weekend and unplug each machine from the network as I clean it.  Thanks for your help.

Assisted Solution

Astralmagick earned 500 total points
ID: 16568250

Nyxem-E is also known as Nyxem-D, Blackworm, MyWife, Kama Sutra, Grew and CME-24.  It deletes files on the 3rd of each month and is passed on by email, appearing as a zip file icon purporting to have sexual content enclosed, or whatever hooks you.

Use the link below, move to the right of the screen to the yellow download button, then click Launch and it will download the tool to remove it. Follow all directions using the complete scan. Windows Live Safety Center


Manual Recovery

To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
First, reboot your computer.  This will force the worm into a known configuration where it can be stopped.
Using task manager, look for any of the following process names and kill them if present:
  "Winzip Quick Pick.exe"
Delete the following files if present on your system:
  "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
Note that the files under %windir%\system32 will be marked read-only and hidden.  To delete these from the command prompt, use (for example):
  del /f /a:h %windir%\system32\Winzip.exe
Using regedit, delete the following registry value:
  'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.
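The manual steps above, and the System Restore advice from Rich Rumble's reply, as one cmd batch script. This is an added example, not code from the thread, from Microsoft or from any of the posters. It uses only the process name, file paths and registry value the steps list; the worm drops other files not named on this page, so it is a supplement to the removal tools, not a replacement. Assumptions: the machine is XP Pro (taskkill and tasklist are not on XP Home), the script runs as a local Administrator with the network cable unplugged, and the DisableSR policy value is equivalent to unchecking "Turn off System Restore" in System Properties.

```batch
@echo off
rem Added example (not from the thread): scripted form of the manual recovery
rem steps plus the "turn off System Restore first" advice. Run as Administrator
rem on XP Pro with the machine off the network; reinstall/update AV afterwards,
rem since the worm targets AV products.
setlocal

rem 1. Turn off System Restore before cleaning, so a restore point cannot bring
rem    the worm back. ASSUMPTION: the Group Policy value below has the same
rem    effect as the System Properties checkbox.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f >nul

rem 2. Kill the running worm process by image name (the only name the steps list).
taskkill /F /IM "Winzip Quick Pick.exe" >nul 2>&1

rem 3. Delete the dropped files named in the steps. Clear read-only, hidden and
rem    system attributes first; "del /f /a" then removes the file whatever
rem    attributes remain.
set "F1=C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
set "F2=%windir%\system32\Winzip.exe"
for %%F in ("%F1%" "%F2%") do (
    if exist %%F (
        attrib -r -h -s %%F
        del /f /a %%F
        if exist %%F (echo STILL PRESENT: %%F) else (echo deleted %%F)
    )
)

rem 4. Remove the autorun value. Show it first so the "scanregw.exe /scan" data
rem    described in the steps can be confirmed, then delete it.
set "RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "%RUNKEY%" /v ScanRegistry >nul 2>&1
if %errorlevel%==0 (
    reg query "%RUNKEY%" /v ScanRegistry
    reg delete "%RUNKEY%" /v ScanRegistry /f
) else (
    echo ScanRegistry value not present under %RUNKEY%
)

rem 5. The question mentions the worm adds scheduled tasks; list them for manual
rem    review (no task names are given on this page, so nothing is deleted here).
schtasks /query

rem 6. Verify. The steps say to reboot and re-check Task Manager: reboot, run this
rem    script again, and confirm nothing below reports STILL RUNNING/PRESENT.
tasklist /FI "IMAGENAME eq Winzip Quick Pick.exe" | find /I "Winzip Quick Pick" >nul
if %errorlevel%==0 (echo WORM PROCESS STILL RUNNING) else (echo Winzip Quick Pick.exe not running)
if exist "%F1%" echo WORM FILE STILL PRESENT: "%F1%"
if exist "%F2%" echo WORM FILE STILL PRESENT: "%F2%"
endlocal
```

Run it once, reboot, then run it a second time: the second run is the verification pass the manual steps call for. Because the script only knows the names the thread lists, follow it with a full scan from an updated AV or one of the removal tools linked above before plugging the machine back in.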


Author Comment

ID: 16591073
I have finally eradicated this crap from my system.  I split the points evenly because I actually did use techniques posted by all the contributors and doubt I could have completed it without any of those pieces.  Thanks a million, you've all been great.  

