June 18th, 2008 07:00
Nimda question -- what to do next?
I'm having difficulty diagnosing my problem, let alone fixing it. Here are the symptoms:
Every time I reboot, a new Administrator account called 'Nimda' is added to User Accounts, and a WAN miniport appears that is connected to an IP address in the Ukraine.
At the same time this started, Symantec Anti-Virus suddenly detected about 20 copies of three viruses: Downloader, Trojan Horse and W32.SillyP2P, but NOT the Nimda virus. It did a 'Partial' on all of them.
Also at the same time, Symantec anti-virus started scanning hundreds or maybe thousands of outgoing email messages, so obviously something was missed.
Finally, at the same time, my copy of IE 6 was infected with several kinds of malware, including USA-Topsites, Dealtime, and Searchmeup.
I got rid of the malware with ExterminateIt and stopped the mass mailing by installing ZoneAlarm and re-booting. With the help of ZoneAlarm I also identified and 'isolated' a malevolent copy of services.exe that Symantec hadn't noticed.
Following all this, I did full system scans with Symantec, ExterminateIt, and ZoneAlarm, and then ran the Symantec Nimda-A removal tool, which said I didn't have the Nimda virus. I know however that something is still wrong, because every time I re-boot, something is still creating a 'Nimda' administrator account and a WAN miniport to the Ukraine.
Should I pursue the nimda virus any further, or should I look elsewhere? Any recommendations on a tool that will perform better than Symantec and ExterminateIt? Thanks!


late_nights
32 Posts
June 18th, 2008 07:00
After writing the first post, I realized that I should have put this in another Forum (Virus/Spyware). Sorry!
I also discovered the HijackThis tool and downloaded and ran it. HijackThis turned up a program called wsnpoema.exe which has had nothing but bad things written about it. Tomorrow (it's late even for 'late_nights' right now) I will try booting up in Safe mode and removing this.
I should also add that I am aware that I can fix the problem by re-installing the operating system, but I would really like to plug the holes in my security software (are you listening, Symantec?), because whether I got this from a website or an email, it is likely to come right back again if I don't have the tools to keep it out.
Bugbatter
4 Apprentice
20.5K Posts
June 18th, 2008 12:00
Rather than trying to fix that on your own, and possibly masking any observable details that would be needed for a more complete removal, you might consider posting your log on the HJT board.
1. Just click the New Message button in the HijackThis forum here: http://www.dellcommunity.com/supportforums/board?board.id=si_hijack to start your own thread requesting assistance.
2. In the Message Body window that opens, simply Right-Click and select Paste.
3. Please add text to describe your symptoms.
4. Include in the message subject line a description of your problem. For example, "Popups warning of infection".
5. Make certain you post the entire log by clicking the Preview Post link at the bottom of the window and comparing it to the log from your scan before you click Submit Post.
** Note: The box next to "Automatically convert carriage returns to HTML line breaks" should be checked if that appears at the bottom of your Message Body when composing your post.
* DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or required.
late_nights
32 Posts
June 18th, 2008 17:00
Thanks, I will take your advice.
From the page you sent me, I am certain that the ExterminateIt I downloaded is the same one mentioned in the URL. It worked, however; the malware is gone now.
I already tried 'Fix' on HijackThis, but it didn't work because wsnpoema was already a running process.
Moving to the other Forum now...
Bugbatter
4 Apprentice
20.5K Posts
June 18th, 2008 22:00
Your initial and most serious problem still exists. We can continue on the HJT board. By the way, I suggest that you remove ExterminateIt. We will find you something that has a better reputation.