My Windows XP computer is currently affected with a Win32:Nimda [Drp].
It infected every HTML file, Firefox executables and Outlook Express executables. I ran the avast virus cleaner and it detected nothing!
I really need this virus off my computer. Please help!!
The avast cleaner is a specific tool looking for specific virus or worm infections. The list includes Win32:Nimda [Wrm], so I would have thought it would have dealt with the [Wrm] infection.
What was it that told you what the infection was?
http://www.avast.com/eng/win32nimda.html
Do you have avast AV installed, as that too should be able to detect Nimda?
Hi zowki,
Try these cleaning tools:
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=60043
http://www.bitdefender.com/VIRUS-107-en--Win32.Nimda.A@mm.html
BitDefender Online is another possibility…
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)
Thanks for all the replies but none of your suggestions worked! ???
By the way, avast detected the virus but could not fix the files.
The malware type is Dropper. I did not understand the avast page to get rid of the virus.
The online scanners only detected but could not remove the virus.
The cleaning tools did not detect the virus at all!
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
This is the Hijackthis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:53 AM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\DOCUME~1\Shaun\LOCALS~1\Temp\RtkBtMnt.EXE
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Yahoo! Games\Monopoly 3\UNWISE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184409948187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184409815671
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - D:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 4656 bytes
Now how do I get rid of my virus?
These two are nasty:
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis.
Post the results here.
Submit both files in a password-protected zip file to virus@avast.com if they are not detected.
Then run HijackThis! again, tick the boxes next to the entries, close all other windows and click ‘fix’.
Reboot into safe mode and delete the files.
If other HTML files/executables are infected and avast! is not able to repair them, I’d suggest some online scans. (Disable avast! while scanning):
In addition to those posted by FwFrank, I would get rid of the Download Accelerator Plus as well. Uninstall it, then fix these lines if still present:
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
There are other free download managers that don’t cause problems.
Okay guys, I am soo confused ???
Can I have instructions on how to just fix all my files to get rid of this virus?
I’m nearly at the brink of reformatting my computer… :-[
Don’t reformat …
We’re going to put a couple of files in the avast chest so they can be uploaded later on. Click Start>Control Panel>Folder Options (double click)>View Tab. Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Click OK, then close the Control Panel.
Open avast! by right clicking the a-icon in your system tray, then click Start avast! Antivirus. When it’s open, click the chest icon and then navigate to and add the files FwFrank mentioned to the chest.
Now download OTMoveIt by OldTimer. Save it to your desktop but don’t run it just yet.
Next, open HJT and click to Do a System Scan Only. When complete, place a check next to these lines:
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
Then close all other windows, including your browser, and click Fix Checked.
Now open OTMoveIt and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
D:\WINDOWS\iexplore.exe D:\WINDOWS\system32\runouce.exe
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
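
The two Run entries singled out in the thread differ from the rest of the log in two checkable ways: `iexplore.exe` sits in a directory where that binary does not normally live (the same log shows the real one under `Program Files\Internet Explorer`), and `runouce.exe` is one character off the real `runonce.exe`. The following is an added example, not part of the original posts, that applies those two checks to HijackThis O4 lines. The `KNOWN` baseline and the function names are assumptions, and the sample lines are copied from the log posted above.

```python
import re
from ntpath import basename, dirname

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] D:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
'''

# Assumption: a small baseline of Windows XP binaries and the directory
# (without drive letter) each normally lives in. Extend for your own systems.
KNOWN = {
    "iexplore.exe": r"\program files\internet explorer",
    "explorer.exe": r"\windows",
    "runonce.exe": r"\windows\system32",
    "ctfmon.exe": r"\windows\system32",
}
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insert or delete."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def triage(log):
    """Return (run_value_name, reason) for O4 Run entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        exe = m and re.match(r'"?(.+?\.exe)', m.group(3), re.I)
        if not exe:
            continue
        path = exe.group(1).lower()
        name, folder = basename(path), dirname(path)[2:]  # [2:] drops "d:"
        if name in KNOWN:
            if folder and folder != KNOWN[name]:
                findings.append((m.group(2), "unexpected directory"))
        elif any(one_edit_apart(name, k) for k in KNOWN):
            findings.append((m.group(2), "lookalike name"))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hit is a reason to submit the file for analysis, as the posts above do, not proof of infection on its own.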