Nimda, Avast! and an XP system going mad.

Hello everybody

I’m having some kind of situation here with the Nimda Dropper.

Yesterday I rebooted my system and as I was logging into Windows, I received both a standard error dialog complaining about a missing file (c:\windows\system32\wincfgs.exe) which wasn’t missing, and a handful of Avast! warnings (approximately one per running process plus a few for local files, all directly and indirectly involved with the running processes).

All the Avast! warnings were complaining about a Nimda [Drp] infection.

I tried to repair the files: they can’t be processed.
I tried to remove the virus completely, but Avast Cleaner didn’t detect the virus on any of my disks… kind of strange as Avast Home was detecting it everywhere…

I also received a warning from Windows’ resident file protection, complaining that some system files had been replaced with unrecognized versions and asking for the XP SP2 disk to be inserted for recovery. (I will have access to this CD in a few hours I hope).

I rebooted after setting up a Boottime scan and disabling System Restore.
During reboot, the scanner found occurrences of the virus all over the place.
Repairing failed again, so I asked the boottime scanner to send everything to the chest…
it got so many of them that after a while the scanner told me there wasn’t enough space anymore, so I opted for ‘no action’ as I didn’t want to delete permanently the infected files without further investigation.

When the system booted I received my warnings again (missing file dialog + avast! complaining about all the running processes et al.).
I tried Avast cleaner again, without any more luck than before: it found nothing.

But something had definitely changed… I couldn’t launch IE anymore, and a lot of my other applications couldn’t be started anymore.
Some actions trigger strange behaviors from different applications (copying files in Windows’ file explorer triggers an error dialog from my ATI Control Center saying the script engine is obsolete), and I once in a while receive the same warning from Windows complaining about the system files being unrecognized.

I tried a few other virus removal tools I found on the net designed specially for Nimda, some of them found a few things, some didn’t, but after reboot everything was still sending alerts.

I went to Safe Mode after another reboot and tried different removal tools. Avast wouldn’t launch itself, nor would the avast cleaner.
I tried the removal procedures under my different administrator accounts.
Some of the removal tools I had wouldn’t even work or were apparently being killed during execution.

After reboot and back to standard mode in XP, I had no access anymore to Avast (it doesn’t display any error dialogs… it just doesn’t start. I can try to launch whatever binary comes with Avast, the cursor changes into the ‘waiting’ one for a few secs and then nothing. No avast-related process in task manager, absolutely nothing), other applications still can’t start either.

Does anyone have any idea here ?

I thought that maybe moving all the files to the chest wasn’t the most clever thing to do but didn’t really have a choice. The funny thing now is that I don’t have access to the chest as Avast won’t launch itself.

So far the only removal tool I tried that had some kind of effect was Colin McKenzie’s Anti-Nimda Virus Killer, which removed a lot of Nimda-related files (which apparently confirms that I’ve been infected by Nimda, and that it wasn’t a false positive, in case I would have any remaining doubts …) but wouldn’t clean everything.
(strange thing also: on one of my partitions, which has only a few files and directories, McKenzie’s tool keeps finding files and directories it skips, and nothing else… it looks like it’s looping indefinitely and can find an infinite amount of files/directories where I have almost none)

I’m really lost and confused here, I really need your help to get my applications working back to normal and get rid of that damn Nimda Dropper thingy.

I tried going through the ‘repair’ process with Windows’ ‘Add & Remove Software’ tool, but it didn’t change a thing for my avast problem.

Thanks in advance, I’m miserable here.

My system is a Windows XP SP2, fully updated with Microsoft/Windows Update
on P4 3.8 GHz, 2 GB RAM
My firewall is Windows XP’s standard firewall

and I suspect the infection came from a friend’s FTP server on my university’s LAN as it happened after I downloaded photos from his server and rebooted. (didn’t view the photos or anything… except one I wanted to look at remotely using Windows’ file explorer, which the FTP shell opened in explorer… could it be his ftp server is infected by Nimda and I was infected through the javascript flaw by viewing this picture ? seems unlikely to me, picture wasn’t even in a webpage, just a plain picture).

thanks.

Hi shune,

Try this first now:
http://www.symantec.com/security_response/writeup.jsp?docid=2001-091923-0344-99

polonus

Thanks, but this application doesn’t work for me.

I should have mentioned it, but it’s already one of the removal tools I tried.
I tried Norton’s, McAfee’s, McKenzie’s and another one I don’t remember where I got it from actually. And of course Avast! Cleaner

McKenzie’s does something but doesn’t clean the system.
Norton’s removal tools just crash, or get killed somehow, whether I am in safe mode or not.
The unknown one also crashed or got killed every time.
McAfee’s Stinger is the one that worked the best so far by repairing something like 17,000 files but didn’t clean the running processes which were detected by McKenzie’s tool as being infected. After a complete scan with Stinger, which repaired a lot of things, and a reboot, when I tried to launch Stinger again it warned me it had been infected too and couldn’t start… yeeepppeeeee ! :)

Also I have a strange process rouce.exe, I don’t remember seeing this one before, any idea what that is ?
I’ll google that right now to have a look.
It seems to get started every time I launch an app, I don’t have it in safe mode but if I start explorer.exe it seems to get launched automatically.

Thanks for your help and for trying :) but apparently the fight’s not over yet… unfortunately…

Hi shune,

Try this one: http://www.pspl.com/download/cleannd.htm in safe mode, then return to normal mode.
Did you, by the way, have Kazaa on that machine, and what version? We could do an uninstall routine there. The root of all evil should be killed with killbox. Rouce.exe is a counter strike file, you played a game of this kind: Faiyree? Combine the above tool with this one from here: ftp://ftp.f-secure.com/anti-virus/tools/antisirc.exe (it is to be combined in the nimda dropper cleansing routine, not easy but good).

polonus

Hi again

Thanks for the quick answer, I’ll give your new solution a shot and get back to you (might take a while)

Nope, I didn’t have Kazaa, I lost my faith in that not-so-beloved tool many years ago already, as soon as it started to integrate nasty things under useless media players and stuff.
That’s a shame though because it was nice software when it first came out. Ah, the good old times… :)

See you in a few hours I guess… at least I hope so ;)

Also consider this info and analysis:
http://www.gfi.com/press/nimdaworm.htm

polonus

Hi

Yeah I know, sometimes you’ve got to do what it takes…
I did it last night after cleaning as many files as possible with other tools, then I used your tool.
It worked almost perfectly, and then I could restart Windows and apparently I didn’t have Nimda running anywhere anymore. I still found some infected files after running a boot-scan when I reinstalled Avast! but they were all stalled or “sleeping” files in temp or cache directories.

On the other hand all my disks, except the C:\Windows directory, didn’t have a SINGLE .exe file :)
So I’ve been pretty much reinstalling everything again, or, when the installation processes are well done for the applications, repairing everything with installers too.
Lots of fun, as you might imagine :)

The sad thing is that I was preparing a DVD to be burnt with all those installers but Nimda got me first and with your tool, my 4 GB installers’ backup directory got severely cut to 576 MB… but hey, at least I’m clean now, on the bright side I will be able to fetch new versions of each installer before burning them to a DVD.

Well, thanks for your help and time, it worked well and it seems I’m OK.
The strange thing though is it still didn’t look exactly like any of the variants of Nimda. It seemed to be doing things Nimda shouldn’t, and didn’t do some of the things Nimda should…
I wonder if that was some kind of strange version of the virus I got myself in touch with.

See you, and thanks again 8)