
w32.nimda. Virus HELP?


Member

Join Date: Apr 2001
Posts: 468
PA

09-19-01, 10:22 AM   #1  
Hello, Everyone: I want everyone to know that this virus on my computer is in a quarantined file (by Norton AV) now! Here is the problem:
I now have a virus called W32.Nimda.A@mm(dr). I ran Norton and it said it was in C:\windows\system\load.exe and it was quarantined in folder C:\windows\system\riched20.dll, and I can access it by going to the Start menu and launching NAV from there! When I first came on the PC I ran a LiveUpdate by itself and it ran smooth, but when I tried to run LiveUpdate on the FLOPPY RESCUE DISK (THAT'S WHEN IT SAID I HAD A VIRUS). But I did not have any FLOPPY disks in the computer at the time! IS THIS WHY THE NAV CANNOT DELETE THE INFECTED FILE? I am ALL CONFUSED AND NEED YOUR HELP. I know I have a lot of questions here, but if you would be so kind as to look these words over, and if I did not explain it correctly, please let me know. Thanks, TOM
PS: Now when I try to scan an attachment I get: Error (d):
Virus scanning is temporarily unavailable. This file has not been scanned.

[Edited by tomtom59 on 09-19-01 at 02:24]

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-20-01, 06:14 AM   #2  
Here is where I stand now!

Hi Everyone: Here is where I stand now! Norton AV has the virus quarantined in the log file and there are 2 items infected. Here's what they are: FIRST c:\windows\system\load.exe, SECOND C:\WINDOWS\SYSTEM\RICHED20.DLL, AND IT IS DEFINITELY CONFINED TO THEM ONLY. I did all they said with the instructions, but Norton AV said they could not REPAIR OR DELETE these two, and that's where my problem lies! Anyone have any ideas on how to get rid of these two items? I feel like I got a disease and no one wants to email me; that's ok, you can still leave a reply at this post and don't email me. I will stop back from time to time. TOM

 
Visiting Guest

Posts: n/a

09-20-01, 08:54 AM   #3  
mikejmerritt
tomtom59, the info on W32.Nimda.A doesn't look promising as to an easy fix. Look it over and let us know how you are doing. Looks like this is kinda scarce with only 1000 cases, and this site may or may not know all there is on this, but it is where I always start with good results.....Mike

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-20-01, 11:29 AM   #4  
Originally posted by mikejmerritt
tomtom59, the info on W32.Nimda.A doesn't look promising as to an easy fix. Look it over and let us know how you are doing. Looks like this is kinda scarce with only 1000 cases, and this site may or may not know all there is on this, but it is where I always start with good results.....Mike
Mike, thank you very much; that site you gave me had a W32.Nimda.A@mm removal tool on it, and it completely removed that virus from my computer. The only thing is, when it did that it must have taken away my riched20.dll, and I need that in order to (for one thing) get my WordPad .exe back on my computer! CAN ANYONE TELL ME HOW TO GET THE DLL (pickle) BACK? TOM

 
Visiting Guest

Posts: n/a

09-20-01, 02:00 PM   #5  
mikejmerritt
Well, you left a few things open here and you may not know what all is affected yet, but the easiest thing to do if you have your OS CD handy is to uninstall WordPad and reinstall it. You should be able to do this with a recovery CD also. If you're the rambunctious type you could extract it from the cab files. More on that if needed, but try the Add/Remove thing first. Take a look at the MSKB DLL Help Database if any trouble. I have sites to download .dll's if needed, but we have to make sure you end up with the correct one if going that route. I doubt this will be needed.....Mike

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-20-01, 02:26 PM   #6  
W32 virus removed!

You are right, Mike, there are some open things here! For one thing, the removal said it deleted 10 of my files and I have no idea which ones! But I still have the 2 in the Norton AV LOG (the quarantined ones). When I went back to the log after the removal they were still there, and I wonder if I should delete them or see if I can restore them? What do you think? These are the two: c:\windows\system\load.exe and c:\windows\system\riched20.dll. Please let me know, Mike, and meanwhile I will look into the MS site you sent me. Thank you, TOM

 
Visiting Guest

Posts: n/a

09-20-01, 05:05 PM   #7  
mikejmerritt
tomtom59, we have worked through a few disasters, haven't we? You are where I thought we would be after running the removal tool, and that is missing files. According to Symantec two files may be missing, but from my experience when only a 1000 cases are known, the damage may not be limited to what is known, varies from system to system and seems to fly around in many directions. That leads us to Symantec's blanket statement that a re-install may be needed, except for those, as I see it, that are very persistent in tracking these down. The course from here will depend on whether you have a good backup or whether you have little to lose. First, delete the quarantined files and empty the R/B. Hope they stay there! Go to Start, Run, type "sfc" without the quotes. Choose Scan for altered files. In this case it may turn up other corrupted files but not missing files as a rule. Keep in mind this may turn up bad files, whether known to you or not and not related to this virus, and this same box will let you restore any files that are known to be missing that you can type in. I really think at this point if you have many bad files and have little to lose a re-install is needed. If recovery is what you have, a low-level (preserving your data) format may be in order. LMK what you think because there are so many options including scanreg/restore, a good backup or a 3rd party restore program. Always, if you would, include OS and what version and any error or messages in detail.....Mike

 
Visiting Guest

Posts: n/a

09-20-01, 05:27 PM   #8  
bigmike
no cure

Norton has an update patch for this. Transport is "Readme.exe" and EML files are the replicator. And hides under a .dll. Places in the root, system, cabs and cannot be cleaned. It has to be deleted. This also only infects Outlook products. It edits the registry and system.ini in the shell=explorer.exe and changes the .exe to some very interesting .dll files. It even has its own SMTP server built in so you don't see it transmit thru your server. Go into Find and show me all *.eml files and delete them, and also the F-Prot in ur anti-virus software should find it. Then find the 20.dll and delete them. But it replicates so fast this may not work. But with the patch from Norton u may get it off, but even Norton has been locking up. But my guru says this is a fight and u may lose. FYI you will lose all ur email; even stored email is infected. My advice is to format, but my guru is building a program that is going to clean this. This is a very nasty worm and u people should be careful with attachments. As u may have noticed there are scumbags in this world that aren't happy until u are unhappy! So stand by until 9/21 and we should have this clean-up program built and I can send it to u. It will have to come as a zip file so u will have to have PKZip. If the rest of the forum wants to know how to stop this, buy Office XP and install it. XP will not allow a .exe to come thru for any reason!


 
Member

Join Date: Apr 2001
Posts: 468
PA

09-20-01, 11:49 PM   #9  
Curing!

Thanks, Mike: We sure have been thru a lot lately, and thanks to you and ALL the people in the forum for their patience and willingness to help others! Just when you think people don't give a darn about others, OTHER people like ALL of you come along and squash that thought. Well, anyway I have a lot to absorb here and I'll have to move slowly. I don't have my CDRW yet to back things up (hope to get it very soon). I may be away til Sunday! Will get back to you all soon, TOM

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-24-01, 01:10 AM   #10  
SFC (bad files found)!

Originally posted by mikejmerritt
tomtom59, we have worked through a few disasters, haven't we? You are where I thought we would be after running the removal tool, and that is missing files. According to Symantec two files may be missing, but from my experience when only a 1000 cases are known, the damage may not be limited to what is known, varies from system to system and seems to fly around in many directions. That leads us to Symantec's blanket statement that a re-install may be needed, except for those, as I see it, that are very persistent in tracking these down. The course from here will depend on whether you have a good backup or whether you have little to lose. First, delete the quarantined files and empty the R/B. Hope they stay there! Go to Start, Run, type "sfc" without the quotes. Choose Scan for altered files. In this case it may turn up other corrupted files but not missing files as a rule. Keep in mind this may turn up bad files, whether known to you or not and not related to this virus, and this same box will let you restore any files that are known to be missing that you can type in. I really think at this point if you have many bad files and have little to lose a re-install is needed. If recovery is what you have, a low-level (preserving your data) format may be in order. LMK what you think because there are so many options including scanreg/restore, a good backup or a 3rd party restore program. Always, if you would, include OS and what version and any error or messages in detail.....Mike
Hello Mike, I ran the SFC as you instructed and it wants to restore these two items: first = User.exe and second = Setupx.dll. Did not have time to finish, so I left it for today! Meanwhile, someone told me that I could have significant problems if I tried to restore the USER.EXE from SFC. I don't know what they mean, but I don't want to pay for an unzip program if I don't have to. Do you think it is OK to go ahead with SFC Restore and see what happens? I did manage to get to the .cab file at Win98_40.cab and see it there. If you think it's ok to restore both from SFC, I will try it. (Don't know why MS has a restore there if it can give people problems in the first place!) I'll wait to see what you say. MEANWHILE, maybe someone out there has had a good or bad experience with restoring from SFC and can let me know. Thank you, TOM

 
TwiGGy
Visiting Guest

Posts: n/a

09-24-01, 06:41 PM   #11  
Nimda "Here is the Fix!"

OK! Here is what you guys need!
This is the cleaner that will redo the registry and the system.ini file....
It fixes the .dll and .eml files and gets rid of the readme.exe

It fixes the whole thing! Just grab the file below and follow my directions listed below.



http://download.nai.com/products/mca...t/NimdaScn.zip



NOTES:
This is a command line tool for Win9x/ME/NT/2000. It is designed to
remove an active W32/Nimda@MM infection from the local system. To
prevent reinfection, update your DAT files, and perform the steps outlined here.

Prior to scanning the following Microsoft patches should be applied.

*** All end users and administrators running Microsoft Internet
Explorer (ver 5.01 or 5.5 without SP2), are advised to install this Microsoft patch
for the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability"
- http://www.microsoft.com/technet/tre...n/MS01-020.asp

*** All IIS administrators (and Win2K users who may not know they are running IIS),
who haven't already done so, should also install the "August 15, 2001 Cumulative Patch for IIS".
- http://www.microsoft.com/technet/tre...n/MS01-044.asp

W32/Nimda@MM can also infect via a backdoor opened by the W32/CodeRed.c worm.
To ensure that this hole is enabling W32/Nimda@MM, use this Microsoft tool to
"eliminate the obvious effects of the Code Red II worm"
- http://www.microsoft.com/technet/tre...ols/redfix.asp

*** AVERT also recommends that you disconnect from the network and terminate
all other applications prior to cleaning.


WHAT IT DOES:
=============

1) Terminates all W32/Nimda@MM viral processes from memory
2) Scans the specified directory and all subdirectories for
infected files
NOTE: The root directory of each local drive should always be targeted
for the most effective repair
3) Repairs all W32/Nimda@MM files found
4) Removes all hidden open shares
5) Removes registry keys created by the worm:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C-Z$"
6) Removes the GUEST user account from the ADMINISTRATORS group in WinNT/2K
7) Removes the "LOAD.EXE -dontrunold" command from the SYSTEM.INI files under Win9x/ME

NOTE: After scanning it will be necessary to replace the RICHED20.DLL
and/or the MMC.EXE files if they were overwritten by the virus and removed by the scanner.

INSTRUCTIONS:
=============
USAGE: NimdaScn <ScanPath> [/silent|/verbose]

<ScanPath> - Directory to scan
/silent - no output
/verbose - maximum output

EXAMPLE:
nimdascn c:\*.*

To generate a log file, use the following syntax:
NIMDASCN <ScanPath> /verbose > <file>

EXAMPLE:
nimdascn c:\*.* /verbose > c:\report.txt

REQUIRED FILES PROVIDED IN THIS PACKAGE:
========================================
NIMDASCN.EXE
CLEAN.DAT
NAMES.DAT
SCAN.DAT
MCSCAN32.DLL
RWABS16.DLL
RWABS32.DLL

VERSION HISTORY:
========================================
v1.0f:
- All W32/Nimda@MM viral processes are terminated from memory prior to scanning
NOTE: This removes the need for a second scan and removes the virus in a multidisk environment

v1.0e:
- Updated DAT files to clean certain infected executable files
- A second scan takes place to confirm that all files are repaired properly

v1.0d:
- Initial Release

CONTACT INFORMATION:
========================================
Please direct any comments, or questions regarding Nimdascn to [email protected],
and use the subject line StandAlone.
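The readme above lists two persistence artefacts the tool removes on Win9x/ME and NT/2K: the "LOAD.EXE -dontrunold" command appended to the shell= line in SYSTEM.INI (item 7) and the hidden C$..Z$ drive shares under the LanMan registry key (items 4 and 5). The following is an added triage script, not part of the forum post or of the NimdaScn package, that checks for both on text copies of those files so a technician can confirm the cleanup took (or spot a reinfection) without running the removal tool a second time. The SYSTEM.INI contents and the REGEDIT4-style key export it runs on are constructed samples; how NimdaScn itself performs these checks is not described on the page and is not assumed here.

```python
import re

# Constructed sample SYSTEM.INI modelled on readme item 7: the worm appends
# "load.exe -dontrunold" to the shell= line. Not a real capture.
INFECTED_SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe load.exe -dontrunold
system.drv=system.drv

[386Enh]
device=*vshare
"""

# Constructed clean counterpart for comparison.
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
system.drv=system.drv
"""

# Constructed REGEDIT4-style text export of the LanMan key named in readme
# item 5: two hidden whole-drive shares (C$, D$) plus one ordinary user share.
LANMAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Path"="C:\\"
"Flags"=dword:00000302

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\D$]
"Path"="D:\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\MyShare]
"Path"="C:\\Docs"
"""
CLEAN_LANMAN_EXPORT = "REGEDIT4\n"

LANMAN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan"
# Matches a subkey header for a hidden whole-drive share, e.g. ...\LanMan\C$]
HIDDEN_DRIVE_SHARE = re.compile(
    r"^\[" + re.escape(LANMAN_KEY) + r"\\([A-Za-z])\$\]$", re.IGNORECASE)


def boot_shell_value(ini_text):
    """Return the raw shell= value from the [boot] section, or None if absent.
    Parsed by hand because SYSTEM.INI may repeat keys, which configparser rejects."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def shell_findings(ini_text):
    """Describe anything on the shell= line beyond a bare explorer.exe."""
    value = boot_shell_value(ini_text)
    if value is None:
        return ["[boot] has no shell= entry (unexpected on Win9x/ME)"]
    tokens = value.lower().split()
    findings = []
    if not tokens or tokens[0] != "explorer.exe":
        findings.append(f"shell= does not start with explorer.exe: {value!r}")
    if "load.exe" in tokens and "-dontrunold" in tokens:
        findings.append("shell= carries 'load.exe -dontrunold' (readme item 7)")
    elif len(tokens) > 1:
        findings.append(f"shell= launches extra program(s): {' '.join(tokens[1:])!r}")
    return findings


def hidden_drive_shares(reg_export):
    """Drive letters that have a hidden <letter>$ share under the LanMan key."""
    letters = []
    for line in reg_export.splitlines():
        m = HIDDEN_DRIVE_SHARE.match(line.strip())
        if m:
            letters.append(m.group(1).upper())
    return letters


def triage(ini_text, reg_export):
    """Combine both checks into one list of findings; an empty list means clean."""
    findings = shell_findings(ini_text)
    for letter in hidden_drive_shares(reg_export):
        findings.append(f"hidden whole-drive share {letter}$ under LanMan (readme items 4 and 5)")
    return findings


if __name__ == "__main__":
    print("infected:", triage(INFECTED_SYSTEM_INI, LANMAN_EXPORT))
    print("clean:", triage(CLEAN_SYSTEM_INI, CLEAN_LANMAN_EXPORT))
```

On a real machine the inputs would be the SYSTEM.INI from the Windows directory and a `regedit /e` export of the LanMan key; the script reads text only, so it is safe to run against copies taken from a suspect box. An ordinary user share like MyShare is deliberately not flagged: the worm's signature is the hidden whole-drive `<letter>$` form the readme names.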

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-24-01, 11:59 PM   #12  
Re: Nimda

Originally posted by TwiGGy
Thank you, Twiggy: I will have to get back to these instructions you gave here! Because here is the latest with me: I went and tried WINZIP (big mistake). Their instructions were really hard to understand, but I finally got WordPad back! Here's my problem now: when I extracted the riched20.dll it gave me back WordPad, but it also put ALL MY DLL'S on the DESKTOP and I don't know what I did wrong or HOW TO GET RID OF THE DLL'S? Also I have WinZip on my drop-down MENU of NetZero and other menus! IF you or anyone knows what happened and how to correct it, please let me know. TOM

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-27-01, 06:58 AM   #13  
Re: Re: Nimda

Originally posted by tomtom59
Here is what happened and how I corrected it! The reason the DLL's all came up on my desktop is because when I used WinZip I was supposed to specify (in the Extract To box) that the riched20.dll was to be extracted to C:\windows\system and NOT Windows\Desktop! So I went back and put it in windows\system, and when I did that it took all the DLL's off the desktop and gave me back my WordPad. Now my riched20.dll is restored completely. I still don't like the way WinZip gets into ALL MY DROP-DOWN MENUS. I will uninstall it as soon as I get a replacement. I want to thank ALL of you for your help, TOM

 
Visiting Guest

Posts: n/a

09-28-01, 06:30 AM   #14  
mikejmerritt
Give Power Archiver a try. I have used it for a while and it's about the best archiver I have used, free or not. The download site states shareware but I did it and have not heard from them and the utility continues to work. I'm a little confused about that. Here is what I have on user.exe: If you are using SFC to restore corrupt files and that program tells you that USER.EXE is corrupt, DO NOT RESTORE IT. Instead, choose Update. SFC has a bug in it that will take the first file it can find on the CD that is the same size as User.exe and will replace it with that after renaming it to user.exe, and you won't be able to boot your computer up again......Mike

 
Member

Join Date: Apr 2001
Posts: 468
PA

09-29-01, 12:19 AM   #15  
using AV rescue disk to restore user.exe?

Originally posted by mikejmerritt
Give Power Archiver a try. I have used it for a while and it's about the best archiver I have used, free or not. The download site states shareware but I did it and have not heard from them and the utility continues to work. I'm a little confused about that. Here is what I have on user.exe: If you are using SFC to restore corrupt files and that program tells you that USER.EXE is corrupt, DO NOT RESTORE IT. Instead, choose Update. SFC has a bug in it that will take the first file it can find on the CD that is the same size as User.exe and will replace it with that after renaming it to user.exe, and you won't be able to boot your computer up again......Mike
Hi Mike, I put the up-to-date Norton AV rescue disks in the PC to see if they were installed correctly, and on the first basic boot disk it said that it would repair damaged or corrupt files. So I aborted the rescue to ask you: IF I LET NORTON REPAIR THE USER.EXE, WOULD IT BE THE SAME AS IF I LET SFC DO IT?? Please let me know, TOM

 