Can't shake the NYXEM worm

Posted on 2006-04-21
Last Modified: 2010-04-11
I have recently contracted this damn thing by the strangest of all possible circumstances.  Our company virus solutions expired on Jan 11 of this year, and the damn worm came out on the 16th.  So, needless to say, no protection for us.

I've scoured the web looking for some decent advice on how to scrub this thing off and can't seem to do it.  I have restored our subscription and manually updated some of the machines in the company (about 1/3).  The problem is that once I scrub a machine, it comes back.

I have tried the following things:

regedit - removed a few added keys
scheduled tasks - removed any additions and shut off service
deleted all the damn zips that were hiding all over
updated virus definitions

I have tried some other things too.  What I want, and I'll pay cash, is something that I can load, run, and not have to do all this manual crap.  Is it too late once this thing gets in the door?  Or is there anything in hell I can do to stomp this thing out?  
Question by:mwilkans

    Accepted Solution


    This worm is also known as w32.blackmal.e@mm.
    Go to the section entitled Removal Instructions (about 3/4 of the way down).  There is a link to a removal tool.  Please note that this worm targets your AV, so you may need to reinstall your AV after removal is complete.

    Here is the direct link to the removal tool

    Assisted Solution

    by:Rich Rumble
    If it's coming back on XP Pro machines you need to turn off System Restore, THEN clean it. McAfee's Stinger detects it and removes it, for free.

    Assisted Solution

    by:Will Szymkowski
    Hello there,

    Go here for the 2 best spyware/adware removers. They work great!

    Spybot S&D (download 1.4)

    Adaware SE Personal

    You can also download HijackThis
    Post the results at

    Also another great program
    Also go to command line and type "msconfig"

    Go to the startup tab and disable any/all of the programs that you don't want running when windows starts.

    Author Comment

    I am heading into work tomorrow to try these out.  Will let you know what I find.  As always, thank you very much.

    Expert Comment

    by:Will Szymkowski
    No problem. Give it a shot


    Author Comment

    I tried some of the above suggestions.  The Symantec tool could not find it on a machine that I knew had it.  The problem now is that the thing spreads everywhere in any way that it can.  And, our network is such that it needs things that this bug thrives on.  I guess I have to come in over the weekend and unplug each machine from the network as I clean it.  Thanks for your help.

    Assisted Solution


    Nyxem-E is also known as Nyxem-D, Blackworm, MyWife, Kama Sutra, Grew and CME-24 virus.  It deletes files on the 3rd of each month and is passed on by email, appearing as a zip file icon purporting sexual content enclosed or whatever hooks you.

    Use the link below, move to the right of the screen to the yellow download button, then click launch and it will download the tool to remove it. Follow all directions using the complete scan. Windows Live safety center

    Manual Recovery

    To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
    First, reboot your computer.  This will force the worm into a known configuration where it can be stopped.
    Using task manager, look for any of the following process names and kill them if present:
      "Winzip Quick Pick.exe"
    Delete the following files if present on your system:
      "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
    Note that the files under %windir%\system32 will be marked read-only and hidden.  To delete these from the command prompt, use (for example):
      del /f /a:h %windir%\system32\Winzip.exe
    Using regedit, delete the following registry value:
      'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
    Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.
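
As an added example (not part of the original thread and not a vendor tool), here is a read-only PowerShell check for the indicators named in the manual recovery steps above, for confirming a machine is clean before it goes back on the network. It assumes PowerShell is available on the machine and covers only the process, file and registry names visible in this thread; the function name `Get-MywifeIndicators` is hypothetical.

```powershell
# Added example: read-only audit for the Win32/Mywife.E@mm indicators listed
# in the manual recovery steps. It deletes nothing; it only reports.

# Indicators copied from the thread (only those shown on this page).
$processName = 'Winzip Quick Pick'   # Get-Process names omit the .exe suffix
$filePaths = @(
    'C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe',
    (Join-Path $env:windir 'system32\Winzip.exe')   # given in the thread as an example
)
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'ScanRegistry'           # contents look like: scanregw.exe /scan

function Get-MywifeIndicators {
    $findings = @()

    # 1. Running process
    $procs = Get-Process -Name $processName -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "process: $($p.ProcessName) (PID $($p.Id))"
    }

    # 2. Files. -Force is needed because the worm marks them hidden and read-only.
    foreach ($path in $filePaths) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "file: $($item.FullName) [attributes: $($item.Attributes)]"
        }
    }

    # 3. Autostart value under the Run key
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "registry: $runKey\$runValue = $($run.$runValue)"
    }

    return $findings
}

$hostName = $env:COMPUTERNAME
$result = @(Get-MywifeIndicators)
if ($result.Count -eq 0) {
    Write-Output "${hostName}: none of the listed indicators found"
    exit 0
}
$result | ForEach-Object { Write-Output "${hostName}: $_" }
exit 1
```

A non-zero exit code means at least one indicator is still present, so the machine should stay unplugged and be cleaned again.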


    Author Comment

    I have finally eradicated this crap from my system.  I split the points evenly because I actually did use techniques posted by all the contributors and doubt I could have completed it without any of those pieces.  Thanks a million, you've all been great.  

