Can't shake the NYXEM worm

I have recently contracted this damn thing by the strangest of all possible circumstances.  Our company virus solutions expired on Jan 11 of this year, and the damn worm came out on the 16th.  So, needless to say, no protection for us.

I've scoured the web looking for some decent advice on how to scrub this thing off and can't seem to do it.  I have restored our subscription and manually updated some of the machines in the company (about 1/3).  The problem is that once I scrub a machine, it comes back.

I have tried the following things:

regedit- removed a few added keys
scheduled tasks - removed any additions and shut off service
deleted all the damn zips that were hiding all over
updated virus definitions

I have tried some other things too.  What I want, and I'll pay cash, is something that I can load, run, and not have to do all this manual crap.  Is it too late once this thing gets in the door?  Or is there anything in hell I can do to stomp this thing out?  
mwilkansAsked:
zephyr_hex (Megan)DeveloperCommented:
http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

This worm is also known as w32.blackmal.e@mm.
Go to the section entitled Removal Instructions (about 3/4 of the way down).  There is a link to a removal tool.  Please note that this worm targets your AV, so you may need to reinstall your AV after removal is complete.

Here is the direct link to the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

Rich RumbleSecurity SamuraiCommented:
If it's coming back on XP Pro machines you need to turn off System Restore, THEN clean it. McAfee's Stinger detects it and removes it http://vil.nai.com/vil/stinger/, for free.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich
Will SzymkowskiSenior Solution ArchitectCommented:
Hello there,

Go here for the 2 best spyware/adware removers. They work great!

Spybot S&D

http://www.spybot.info/en/download/index.html (download 1.4)

Adaware SE Personal

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

You can also download HijackThis:

http://www.download.com/HijackThis/3000-8022_4-10379544.html
Post the results at www.hijackthis.de

Also another great program
 
Also go to the command line and type "msconfig".

Go to the Startup tab and disable any/all of the programs that you don't want running when Windows starts.
mwilkansAuthor Commented:
I am heading into work tomorrow to try these out.  Will let you know what I find.  As always, thank you very much.
Will SzymkowskiSenior Solution ArchitectCommented:
No problem. Give it a shot.

:-)
mwilkansAuthor Commented:
I tried some of the above suggestions.  The Symantec tool could not find it on a machine that I knew had it.  The problem now is that the thing spreads everywhere in any way that it can.  And, our network is such that it needs things that this bug thrives on.  I guess I have to come in over the weekend and unplug each machine from the network as I clean it.  Thanks for your help.
AstralmagickCommented:
Mwilkans,

Nyxem-E is also known as Nyxem-D, Blackworm, MyWife, Kama Sutra, Grew and the CME-24 virus.  It deletes files on the 3rd of each month and is passed on by email, appearing as a zip file icon purporting to have sexual content enclosed, or whatever hooks you.

Use the link below, move to the right of the screen to the yellow download button, then click Launch and it will download the tool to remove it. Follow all directions, using the complete scan. Windows Live Safety Center:

http://safety.live.com/site/en-US/default.htm


Manual Recovery

To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
 
First, reboot your computer.  This will force the worm into a known configuration where it can be stopped.
 
Using task manager, look for any of the following process names and kill them if present:
  Update.exe
  Winzip.exe
  scanregw.exe
  WINZIP_TMP.exe
  "Winzip Quick Pick.exe"
 
Delete the following files if present on your system:
  C:\WINZIP_TMP.exe
  %windir%\WINZIP_TMP.exe
  %windir%\system32\Winzip.exe
  %windir%\system32\Update.exe
  %windir%\system32\scanregw.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
 
Note that the files under %windir%\system32 will be marked read-only and hidden.  To delete these from the command prompt, use (for example):
  del /f /a:h %windir%\system32\Winzip.exe
 
 
Using regedit, delete the following registry value:
  'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
 
Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.

Astralmagick
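The manual recovery steps above, collected into one batch script so the same checks can be repeated on every machine before it goes back on the network. This is an added example, not part of the original thread: it uses tasklist, taskkill, attrib and reg (present on XP Pro and later), acts only on the process names, file paths and Run value listed in the comment, and the /audit switch is a convention of this script that reports findings without deleting anything.

```batch
@echo off
rem Added example (not from the thread): automates the manual recovery
rem steps for Win32/Mywife.E@mm. Run from an Administrator command prompt.
rem   cleanup.bat          - kill processes, delete files, remove Run value
rem   cleanup.bat /audit   - report only, change nothing
setlocal
set "AUDIT=%1"

rem 1. Stop the worm's processes (names taken from the manual steps)
for %%P in (Update.exe Winzip.exe scanregw.exe WINZIP_TMP.exe "Winzip Quick Pick.exe") do (
    tasklist /FI "IMAGENAME eq %%~P" | find /I "%%~P" >nul && (
        echo [found] process %%~P
        if /I not "%AUDIT%"=="/audit" taskkill /F /IM "%%~P" >nul
    )
)

rem 2. Remove the dropped files. attrib clears read-only/hidden/system
rem    first, since a plain del will refuse those under system32.
for %%F in (
    "C:\WINZIP_TMP.exe"
    "%windir%\WINZIP_TMP.exe"
    "%windir%\system32\Winzip.exe"
    "%windir%\system32\Update.exe"
    "%windir%\system32\scanregw.exe"
    "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
) do (
    if exist %%F (
        echo [found] file %%~F
        if /I not "%AUDIT%"=="/audit" (
            attrib -r -h -s %%F
            del /f %%F
        )
    )
)

rem 3. Remove the persistence entry (ScanRegistry -> scanregw.exe /scan)
set "RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "%RUNKEY%" /v ScanRegistry >nul 2>&1 && (
    echo [found] Run value ScanRegistry
    if /I not "%AUDIT%"=="/audit" reg delete "%RUNKEY%" /v ScanRegistry /f >nul
)

echo Done. Reboot and confirm with Task Manager that none of the processes return.
endlocal
```

Run it with /audit first on a machine you know is clean; any "[found]" line there means a legitimate file shares one of these names and should be checked by hand rather than deleted.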
mwilkansAuthor Commented:
I have finally eradicated this crap from my system.  I split the points evenly because I actually did use techniques posted by all the contributors and doubt I could have completed it without any of those pieces.  Thanks a million, you've all been great.  

Mwilkans