Author Topic: Infected with Win32:Nimda [Drp]  (Read 10254 times)


zowki

  • Guest
Infected with Win32:Nimda [Drp]
« on: August 16, 2007, 05:45:24 PM »
My Windows XP computer is currently infected with Win32:Nimda [Drp].
It infected every HTML file, the Firefox executables and the Outlook Express executables. I ran the avast Virus Cleaner and it detected nothing!
I really need this virus off my computer. Please help!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89349
  • No support PMs thanks
Re: Infected with Win32:Nimda [Drp]
« Reply #1 on: August 16, 2007, 06:35:39 PM »
The avast cleaner is a specific tool looking for specific virus or worm infections; the list includes Win32:Nimda [Wrm], so I would have thought it would have dealt with the [Wrm] infection.

What was it that told you what the infection was?

http://www.avast.com/eng/win32nimda.html
Do you have avast AV installed, as that too should be able to detect Nimda?


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Infected with Win32:Nimda [Drp]
« Reply #3 on: August 17, 2007, 01:11:39 AM »
BitDefender Online is another possibility...

Kaspersky (very good detection rates)
ESET NOD32
Trend Micro HouseCall
AVGAS (not necessary if you have AVG Anti-Spyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)

zowki

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #4 on: August 17, 2007, 03:45:41 AM »
Thanks for all the replies, but none of your suggestions worked! ???
By the way, avast detected the virus but could not fix the files.
The malware type is Dropper. I did not understand the avast page to get rid of the virus.
The online scanners only detected but could not remove the virus.
The cleaning tools did not detect the virus at all!

mauserme

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #5 on: August 17, 2007, 05:53:41 AM »
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon, then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

zowki

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #6 on: August 18, 2007, 07:02:38 AM »
This is the Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:53 AM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\DOCUME~1\Shaun\LOCALS~1\Temp\RtkBtMnt.EXE
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Yahoo! Games\Monopoly 3\UNWISE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184409948187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184409815671
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - D:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 4656 bytes

Now how do I get rid of my virus?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Infected with Win32:Nimda [Drp]
« Reply #7 on: August 18, 2007, 08:36:43 AM »
These two are nasty:

O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe

O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis.

Post the results here.

Submit both files in a password-protected zip file to virus@avast.com if they are not detected.

Then run HijackThis! again, tick the box next to the entries, close all other windows and click 'Fix'.

Reboot into safe mode and delete the files.

If other HTML files/executables are infected and avast! is not able to repair them, I'd suggest some online scans. (Disable avast! while scanning):

F-Secure
BitDefender
Panda
Trend Micro Housecall
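The two Run entries singled out in the reply above can be caught mechanically. The following Python is an added example, not code from this thread, from HijackThis or from avast: it parses O4 lines in HijackThis format and flags an autostart entry when its file name is one edit away from a genuine Windows binary (runouce.exe against runonce.exe) or when a binary with a well-known name sits outside the directory the genuine one lives in (iexplore.exe under D:\WINDOWS rather than Program Files\Internet Explorer). The table of expected directories is an assumption for a default Windows XP layout, and the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage HijackThis O4 (autostart) entries for look-alike file names and for
well-known binaries running from the wrong directory. Added example; the
expected-directory table is an assumption for a default XP layout."""
import ntpath
import re
from typing import List, NamedTuple, Optional

# Layout of an O4 line: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Directory suffix (lower-case) where the genuine binary of that name lives.
EXPECTED_DIR = {
    "explorer.exe": (r"\windows",),
    "iexplore.exe": (r"\program files\internet explorer",),
    "runonce.exe": (r"\windows\system32",),
    "ctfmon.exe": (r"\windows\system32",),
    "svchost.exe": (r"\windows\system32",),
}


class Finding(NamedTuple):
    value_name: str  # the [Name] of the Run value
    exe: str         # executable the entry launches
    basename: str    # lower-cased file name
    severity: str    # "high" or "low"
    reason: str


def split_command(cmd: str):
    """Return (executable, arguments); honours a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_o4(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4 line, None for a normal one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, _args = split_command(m["cmd"])
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower().rstrip("\\")
    if not directory:
        # A bare file name is resolved through the search path, so it is
        # hijackable; worth a look even when it turns out to be benign.
        return Finding(m["name"], exe, base, "low", "bare file name, resolved via search path")
    if base in EXPECTED_DIR:
        if not any(directory.endswith(suffix) for suffix in EXPECTED_DIR[base]):
            return Finding(m["name"], exe, base, "high",
                           f"{base} outside its expected directory {EXPECTED_DIR[base]}")
        return None
    for genuine in EXPECTED_DIR:
        if edit_distance(base, genuine) == 1:
            return Finding(m["name"], exe, base, "high", f"look-alike of {genuine}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_o4 over every line of a HijackThis log and keep the findings."""
    return [f for f in (triage_o4(l) for l in text.splitlines()) if f]


# Lines copied from the log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_O4_LINES):
        print(f"[{f.severity}] [{f.value_name}] {f.exe}: {f.reason}")
```

The script reproduces the reply's verdict: iexplore.exe and runouce.exe come out as high-severity, SOUNDMAN.EXE is only noted because it is launched by bare name, and ctfmon.exe is accepted because it is where it belongs. OEM tools under odd paths will produce false positives, so a flagged file is still confirmed the way the reply says, by uploading it (or its hash) to VirusTotal, not deleted on the strength of the heuristic alone.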

mauserme

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #8 on: August 18, 2007, 03:16:45 PM »
In addition to those posted by FwFrank I would get rid of Download Accelerator Plus as well.  Uninstall it, then fix these lines if still present

O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm

There are other free download managers that don't cause problems.

zowki

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #9 on: August 18, 2007, 03:39:39 PM »
Okay guys, I am so confused ???
Can I have instructions on how to just fix all my files to get rid of this virus?
I'm nearly at the brink of reformatting my computer... :-[

mauserme

  • Guest
Re: Infected with Win32:Nimda [Drp]
« Reply #10 on: August 18, 2007, 04:02:57 PM »
Don't reformat...

We're going to put a couple of files in the avast chest so they can be uploaded later on.  Click Start>Control Panel>Folder Options (double click)>View Tab.  Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK, then close the Control Panel.

Open avast! by right-clicking the a-icon in your system tray, then click Start avast! Antivirus.  When it's open, click the chest icon and then navigate to and add the files FwFrank mentioned to the chest.

Now download OTMoveIt by OldTimer.  Save it to your desktop but don't run it just yet.


Next, open HJT and click to Do a System Scan Only.  When complete place a check next to these lines

O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe

O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe

O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm


Then close all other windows, including your browser, and click Fix Checked


Now open OTMoveIt and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


D:\WINDOWS\iexplore.exe
D:\WINDOWS\system32\runouce.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
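The procedure above chests the files first and only then moves them, so that they can still be sent for analysis after the machine is clean. As an added example, not code from this thread, from avast or from OTMoveIt, the following Python does the recording part of that: each suspect file is moved into a quarantine folder under its SHA-256 name with a .bin suffix (so a double-click cannot run it again), and a manifest keeps the original path, hash, size and time. The hash is what a later lookup on VirusTotal needs even if the file itself is gone. A file that cannot be moved (on Windows, a running executable raises PermissionError) is reported rather than skipped, which is exactly the case where the reboot-and-retry step in the reply applies. The vault path and the sample files in demo() are constructed for the example.

```python
"""Quarantine suspect files under their SHA-256, keeping a manifest so the
originals' path and hash survive removal. Added example; sample data in demo()
is constructed."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: Iterable[str], vault: str) -> Dict[str, List[dict]]:
    """Move each file in `paths` into `vault` as <sha256>.bin and append it to
    vault/manifest.json. Returns what was moved, what was missing and what was
    locked; a locked file needs the reboot-and-retry step, so it is never
    silently dropped."""
    vault_dir = Path(vault)
    vault_dir.mkdir(parents=True, exist_ok=True)
    manifest = vault_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    report: Dict[str, List[dict]] = {"moved": [], "missing": [], "locked": []}
    for p in paths:
        src = Path(p)
        if not src.is_file():
            report["missing"].append({"path": str(src)})
            continue
        try:
            digest = sha256_of(src)          # hash before the move: this is what VT lookups need
            dest = vault_dir / f"{digest}.bin"
            shutil.move(str(src), str(dest))
        except PermissionError as exc:       # e.g. the executable is still running
            report["locked"].append({"path": str(src), "error": str(exc)})
            continue
        entry = {
            "original_path": str(src),
            "sha256": digest,
            "size": dest.stat().st_size,
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        }
        entries.append(entry)
        report["moved"].append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    return report


def demo() -> dict:
    """Constructed sample: two fake suspect files in a temp dir (named like the
    two from the thread, with dummy contents) plus one path that does not exist."""
    work = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    suspects = []
    for name, content in [("iexplore.exe", b"MZ fake-1"), ("runouce.exe", b"MZ fake-2")]:
        f = work / name
        f.write_bytes(content)
        suspects.append(str(f))
    suspects.append(str(work / "not_there.exe"))
    report = quarantine(suspects, str(work / "chest"))
    report["manifest"] = json.loads((work / "chest" / "manifest.json").read_text())
    report["originals_remaining"] = [p for p in suspects if Path(p).exists()]
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the real machine the path list is the same two paths pasted into OTMoveIt in the reply, and the vault should sit on a drive the malware does not scan or infect; the manifest is what you hand over when the reply asks for the results window and a new log.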