Solved

Can't shake the NYXEM worm

Posted on 2006-04-21
Last Modified: 2010-04-11
I have recently contracted this damn thing by the strangest of all possible circumstances.  Our company virus solutions expired on Jan 11 of this year, and the damn worm came out on the 16th.  So, needless to say, no protection for us.

I've scoured the web looking for some decent advice on how to scrub this thing off and can't seem to do it.  I have restored our subscription and manually updated some of the machines in the company (about 1/3).  The problem is that once I scrub a machine, it comes back.

I have tried the following things:

regedit - removed a few added keys
scheduled tasks - removed any additions and shut off service
deleted all the damn zips that were hiding all over
updated virus definitions

I have tried some other things too.  What I want, and I'll pay cash, is something that I can load, run, and not have to do all this manual crap.  Is it too late once this thing gets in the door?  Or is there anything in hell I can do to stomp this thing out?  
Question by:mwilkans
8 Comments
 
LVL 44

Accepted Solution

by:
zephyr_hex (Megan) earned 500 total points
ID: 16512050
http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

this worm is also known as w32.blackmal.e@mm
go to the section entitled Removal Instructions (about 3/4 of the way down).  there is a link to a removal tool.  please note that this worm targets your AV, so you may need to reinstall your AV after removal is complete

here is the direct link to the removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 16512711
If it's coming back on XP Pro machines you need to turn off System Restore, THEN clean it. McAfee's Stinger detects it and removes it http://vil.nai.com/vil/stinger/, for free.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 16513479
Hello there,

Go here for the 2 best spyware/adware removers. They work great!

Spybot S&D

http://www.spybot.info/en/download/index.html (download 1.4)

Adaware SE Personal

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5 

You can also download hijackthis

http://www.download.com/HijackThis/3000-8022_4-10379544.html
Post the results at www.hijackthis.de 

also another great program
 
Also go to command line and type "msconfig"

Go to the startup tab and disable any/all of the programs that you don't want running when windows starts.

Author Comment

by:mwilkans
ID: 16516228
I am heading into work tomorrow to try these out.  Will let you know what I find.  As always, thank you very much.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16516354
No problem. Give it a shot

:-)
 

Author Comment

by:mwilkans
ID: 16534592
I tried some of the above suggestions.  The symantec tool could not find it on a machine that I knew had it.  The problem now is that the thing spreads everywhere in any way that it can.  And, our network is such that it needs things that this bug thrives on.  I guess I have to come in over the weekend and unplug each machine from the network as I clean it.  Thanks for your help.
 

Assisted Solution

by:Astralmagick
Astralmagick earned 500 total points
ID: 16568250
Mwilkans,

Nyxem-E is also known as Nyxem-D, Blackworm, MyWife, Kama Sutra, Grew and CME-24 virus.  It deletes files on the 3rd of each month and is passed on by email appearing as a zip file icon purporting to have sexual content enclosed, or whatever hooks you.

Use the link below, move to the right of the screen to the yellow download button, then click launch and it will download the tool to remove it. Follow all directions using the complete scan. Windows Live Safety Center:

http://safety.live.com/site/en-US/default.htm


Manual Recovery

To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
 
First, reboot your computer.  This will force the worm into a known configuration where it can be stopped.
 
Using task manager, look for any of the following process names and kill them if present:
  Update.exe
  Winzip.exe
  scanregw.exe
  WINZIP_TMP.exe
  "Winzip Quick Pick.exe"
 
Delete the following files if present on your system:
  C:\WINZIP_TMP.exe
  %windir%\WINZIP_TMP.exe
  %windir%\system32\Winzip.exe
  %windir%\system32\Update.exe
  %windir%\system32\scanregw.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
 
Note that the files under %windir%\system32 will be marked read-only and hidden.  To delete these from the command prompt, use (for example):
  del /f /a:h %windir%\system32\Winzip.exe
 
 
Using regedit, delete the following registry value:
  'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
 
Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.

Astralmagick
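An added audit script for the manual recovery steps above (not part of the original thread, and not one of the vendor tools it links). It assumes PowerShell is available on the host, which the XP-era machines discussed here would not have had by default; it only reports the listed process, file and registry indicators so you can confirm a machine is clean after the reboot-and-verify step, and deletes nothing.

```powershell
# Added audit script, not part of the original thread. Assumes PowerShell is
# available on the host; it checks only and does not kill or delete anything.
$procNames = @('Update', 'Winzip', 'scanregw', 'WINZIP_TMP', 'Winzip Quick Pick')
$files = @(
    'C:\WINZIP_TMP.exe',
    "$env:windir\WINZIP_TMP.exe",
    "$env:windir\system32\Winzip.exe",
    "$env:windir\system32\Update.exe",
    "$env:windir\system32\scanregw.exe",
    'C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe'
)
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'ScanRegistry'

$findings = @()

# 1. Running processes. Get-Process reports names without the .exe suffix,
#    and -contains compares case-insensitively.
foreach ($p in Get-Process) {
    if ($procNames -contains $p.ProcessName) {
        $findings += "process : $($p.ProcessName) (PID $($p.Id))"
    }
}

# 2. Dropped files. -Force is required so hidden/read-only copies are not skipped.
foreach ($f in $files) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "file    : $f [$($item.Attributes)]"
    }
}

# 3. Persistence: the ScanRegistry value under the Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "registry: $runKey\$valueName = $($run.$valueName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mywife.E indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt, since the Run key and %windir%\system32 may not be readable otherwise.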
 

Author Comment

by:mwilkans
ID: 16591073
I have finally eradicated this crap from my system.  I split the points evenly because I actually did use techniques posted by all the contributors and doubt I could have completed it without any of those pieces.  Thanks a million, you've all been great.  

Mwilkans