Author Topic: Nimda  (Read 4852 times)


Col Colt

  • Guest
Nimda
« on: June 12, 2005, 05:43:37 PM »
I ran a scan with ewido Security suite and they claim I have the Nimda Worm, which they put in quarantine. Is this a false positive? If not, how do I get rid of it, and why didn't avast pro find it?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Nimda
« Reply #1 on: June 12, 2005, 05:46:58 PM »
Where exactly is the virus detected? (what file)

Col Colt

  • Guest
Re: Nimda
« Reply #2 on: June 12, 2005, 05:59:06 PM »
It was in Program Files>Netmeeting>Filenetmeet.htm best I recall was what came up. Actually I went back and saw it in Notepad and here's a better description...

C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup

« Last Edit: June 12, 2005, 06:03:11 PM by Col Colt »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Nimda
« Reply #3 on: June 12, 2005, 06:33:48 PM »
You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Col Colt

  • Guest
Re: Nimda
« Reply #4 on: June 12, 2005, 06:52:38 PM »
I tried several of those and all came up clean. Makes me wonder about some of these programs if it's not an attempt to get you to buy the full blown version of their product! >:( Thanks for that link...bookmarked.

BTW, igor - ewido didn't specify any particular file and there must be 15 or so in Netmeeting. I just arbitrarily went through them individually and had a scan of each done. If it had been for real, looks like ewido would have been more precise about which file. ???
« Last Edit: June 12, 2005, 07:23:10 PM by Col Colt »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Nimda
« Reply #5 on: June 12, 2005, 08:22:11 PM »
Unfortunately False Positives are a fact of life but some companies will either deny it or ignore it. It even happens on occasion with avast, who if correct acknowledge it and correct it very quickly.

This is the major reason why you should never delete as a first action in an AV program but move to the chest, etc. In the case of programs that supposedly make a back-up which you can restore, this is not so critical.

Surely ewido did specify the file, 'C:\Program Files\NetMeeting\netmeet.htm' and not just the netmeeting folder?

Col Colt

  • Guest
Re: Nimda
« Reply #6 on: June 12, 2005, 08:41:23 PM »
Nope...that was it. Here's all I got from them...

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:55:20 PM, 6/11/2005
 + Report-Checksum:      AF48B91

 + Date of database:      6/11/2005
 + Version of scan engine:   v3.0

 + Duration:            26 min
 + Scanned Files:         39543
 + Speed:            25.08 Files/Second
 + Infected files:         2
 + Removed files:         2
 + Files put in quarantine:      2
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      No

 + Scanned items:
   C:\

 + Scan result:
   C:\Documents and Settings\my name\Cookies\my namer@bravenet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup


::Report End

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Nimda
« Reply #7 on: June 13, 2005, 12:40:08 AM »
But it has specified the file in the report.
Quote
C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup

This is stating that worm.nimda was found in netmeet.htm, a supposed web page file and that it was cleaned and backed up.

Col Colt

  • Guest
Re: Nimda
« Reply #8 on: June 13, 2005, 03:09:21 AM »
I see...that it meant one of the 12-15 files in the Netmeeting folder. Either way, glad it's gone. I just wish I knew where I picked it up and why it wasn't blocked. That worm must be four years old by now and current anti virus and other Microsoft Updates, etc. should have stopped it from getting into a webpage file I would think. I have a lot of bookmarked webpages and I suppose a recent one is where it was found that I bookmarked yesterday or earlier.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Nimda
« Reply #9 on: June 13, 2005, 09:43:19 AM »
Seems like you are not the only one having the same problem. It might simply be a false alarm from Ewido.

Col Colt

  • Guest
Re: Nimda
« Reply #10 on: June 14, 2005, 03:12:48 AM »
Oh-I thought I posted this, igor...got this from ewido.... :)

Dear User,

thank you for your request.

Sorry, this was a false positive, please update your ewido security suite.

With best regards,

Your ewido networks Support-Team

--
viele grüße aus erlangen - best regards from erlangen / germany
ewido networks - we make IT secure -> http://www.ewido.net