Can't shake the NYXEM worm

I have recently contracted this damn thing by the strangest of all possible circumstances.  Our company virus solutions expired on Jan 11 of this year, and the damn worm came out on the 16th.  So, needless to say, no protection for us.

I've scoured the web looking for some decent advice on how to scrub this thing off and can't seem to do it.  I have restored our subscription and manually updated some of the machines in the company (about 1/3).  The problem is that once I scrub a machine, it comes back.

I have tried the following things:

regedit - removed a few added keys
scheduled tasks - removed any additions and shut off the service
deleted all the damn zips that were hiding all over
updated virus definitions

I have tried some other things too.  What I want, and I'll pay cash, is something that I can load, run, and not have to do all this manual crap.  Is it too late once this thing gets in the door?  Or is there anything in hell I can do to stomp this thing out?  
mwilkans Asked:
 
zephyr_hex (Megan), Developer, Commented:
http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

This worm is also known as w32.blackmal.e@mm.
Go to the section entitled Removal Instructions (about 3/4 of the way down).  There is a link to a removal tool.  Please note that this worm targets your AV, so you may need to reinstall your AV after removal is complete.

here is the direct link to the removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
0
 
Rich Rumble, Security Samurai, Commented:
If it's coming back on XP Pro machines you need to turn off System Restore, THEN clean it. McAfee's Stinger detects it and removes it http://vil.nai.com/vil/stinger/, for free.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich
0
 
Will Szymkowski, Senior Solution Architect, Commented:
Hello there,

Go here for the 2 best spyware/adware removers. They work great!

Spybot S&D

http://www.spybot.info/en/download/index.html (download 1.4)

Adaware SE Personal

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5 

You can also download hijackthis

http://www.download.com/HijackThis/3000-8022_4-10379544.html
Post the results at www.hijackthis.de 

also another great program
 
Also go to the command line and type "msconfig".

Go to the startup tab and disable any/all of the programs that you don't want running when windows starts.
0
 
mwilkans, Author, Commented:
I am heading into work tomorrow to try these out.  Will let you know what I find.  As always, thank you very much.
0
 
Will Szymkowski, Senior Solution Architect, Commented:
No problem. Give it a shot

:-)
0
 
mwilkans, Author, Commented:
I tried some of the above suggestions.  The Symantec tool could not find it on a machine that I knew had it.  The problem now is that the thing spreads everywhere in any way that it can.  And, our network is such that it needs things that this bug thrives on.  I guess I have to come in over the weekend and unplug each machine from the network as I clean it.  Thanks for your help.
0
 
Astralmagick Commented:
Mwilkans,

Nyxem-E is also known as Nyxem-D, Blackworm, MyWife, Kama Sutra, Grew and the CME-24 virus.  It deletes files on the 3rd of each month and is passed on by email appearing as a zip file icon purporting to have sexual content enclosed, or whatever hooks you.

Use the link below, move to the right of the screen to the yellow download button, then click Launch and it will download the tool to remove it. Follow all directions using the complete scan. Windows Live Safety Center:

http://safety.live.com/site/en-US/default.htm


Manual Recovery

To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
 
First, reboot your computer.  This will force the worm into a known configuration where it can be stopped.
 
Using task manager, look for any of the following process names and kill them if present:
  Update.exe
  Winzip.exe
  scanregw.exe
  WINZIP_TMP.exe
  "Winzip Quick Pick.exe"
 
Delete the following files if present on your system:
  C:\WINZIP_TMP.exe
  %windir%\WINZIP_TMP.exe
  %windir%\system32\Winzip.exe
  %windir%\system32\Update.exe
  %windir%\system32\scanregw.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
 
Note that the files under %windir%\system32 will be marked read-only and hidden.  To delete these from the command prompt, use (for example):
  del /f /a:h %windir%\system32\Winzip.exe
 
Using regedit, delete the following registry value:
  'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
 
Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.

Astralmagick
0
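The manual-recovery steps above (kill the listed processes, delete the dropped files, remove the ScanRegistry Run value, verify after reboot) can be turned into a single audit-and-cleanup script for the helpdesk to run on every machine. The script below is an added example and is not from the original thread or from Microsoft; it uses only the process names, file paths and registry value quoted in Astralmagick's post. It reports what it finds and only terminates or deletes anything when run with the assumed `-Remove` switch, so it can be used in report-only mode first to confirm which hosts are still infected.

```powershell
# Added example (not from the thread): audit a Windows host for the Win32/Mywife.E@mm
# indicators listed in the manual-recovery post and optionally remove them.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
[CmdletBinding()]
param(
    [switch]$Remove    # assumed switch: actually stop processes / delete files / remove the Run value
)

$windir = $env:windir

# Process names from the post (Get-Process takes the name without .exe)
$processNames = @('Update', 'Winzip', 'scanregw', 'WINZIP_TMP', 'Winzip Quick Pick')

# Dropped-file locations from the post
$filePaths = @(
    'C:\WINZIP_TMP.exe',
    "$windir\WINZIP_TMP.exe",
    "$windir\system32\Winzip.exe",
    "$windir\system32\Update.exe",
    "$windir\system32\scanregw.exe",
    'C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe'
)

# Persistence entry from the post: 'ScanRegistry' under the HKLM Run key
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'ScanRegistry'

$findings = @()

# 1. Running worm processes (stop them first so they cannot re-drop the files)
foreach ($name in $processNames) {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "Process: $($p.ProcessName) (PID $($p.Id)) Path=$($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Dropped files. The post notes the system32 copies are hidden and read-only,
#    so -Force is needed to see them and the attributes are cleared before deletion.
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "File: $path Attributes=$($item.Attributes) Size=$($item.Length)"
        if ($Remove) {
            $item.Attributes = 'Normal'
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# 3. Autorun persistence (value data looks like "scanregw.exe /scan" per the post)
$val = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($val) {
    $findings += "Registry: $runKey\$runValue = '$($val.$runValue)'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mywife.E indicators from the post were found on this host.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to stop the processes and delete these entries.' }
}
```

Run it once without `-Remove` to get an inventory, reboot as the post advises so the worm is in a known state, then run it again with `-Remove` and a final time without it to verify nothing came back. As Rich Rumble noted above, on XP machines System Restore should be disabled before the cleanup pass so that a restore point does not reintroduce the dropped files.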
 
mwilkans, Author, Commented:
I have finally eradicated this crap from my system.  I split the points evenly because I actually did use techniques posted by all the contributors and doubt I could have completed it without any of those pieces.  Thanks a million, you've all been great.  

Mwilkans
0
Question has a verified solution.