Nimda Virus

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

survivethedrive

Thread Starter
Joined
Jan 24, 2001
Messages
3
I'm having trouble getting rid of the Nimda virus. I think it's the A strain. I've tried everything and have read many of the posts here. Every time I think I get rid of it, it keeps coming back. Couple basics first - running W98 and Office 2000 on a shared peer to peer network with five computers. Here's what I've done to try to rid myself of this. I've run NAV after having downloaded the latest updates. I've downloaded the Nimda virus removal tool from Symantec's site. (It says it finds the virus and removes it after running it.) I've replaced the Riched20.dll file from the original start-up disks. Plus, I've run the repair function of Office 2000. I've done this on each of the PCs individually (while the others are powered down). I'm trying to avoid completely reinstalling Windows. I'm running out of options. Any suggestions? Thanks.

Also, I keep finding these weird .exe files in my start-up programs. I do a Find for them, but they're not there.

BTW - Everyone that runs this forum is great. The posts have saved me several times. Thanks.
 
Joined
Dec 9, 2000
Messages
45,855
The weird exes are usually created by trojans. Not all are detected by routine antivirus scans. Can you give us a look at the startup log of one of the systems that has them?

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Also, see if the Tauscan program will detect anything...(30-day) trial...

http://www.agnitum.com/products/tauscan/

I know there are issues with keeping nimda out of networked systems, but not what the answer is.

You should probably disable WSH (Windows Scripting Host) on all systems. And make sure all critical security updates are installed from MS.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814683,00.html?chkpt=zdnncmrttu

Updates:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-038.asp

http://www.microsoft.com/technet/tr...hnet/security/bulletin/fq00-056.asp?fram=true

http://office.microsoft.com/downloads/2000/Of9data.aspx


Full MS coverage and issues concerning IE6 which you can review here:

http://www.microsoft.com/technet/security/topics/moretopics.asp?frame=true
 

survivethedrive

Thread Starter
Joined
Jan 24, 2001
Messages
3
Here's a portion of the start-up log with the weird file. If you want more of the log, let me know.

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run= QXWALH.EXE

load=

Also - ran Tauscan and it came up with nothing
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
Hiya

It's best if you post the whole log. Don't worry about the length.

Now, I'm gonna go for broke here, Rollin' prompt me if I'm wrong, but you can remove that from your run=

Just remember what it was called just in case. Jot it down somewhere.

Regards

eddie
 
Joined
Dec 9, 2000
Messages
45,855
Yes you should remove that from run=

But unless you were getting "file missing" messages on startup, the trojan file remains on the hard drive.

And there may be more to the infection depending on what type and version of trojan it is. The startuplog often reveals more than even the most up-to-date scanners can catch, which is why we need to see all of it.

Also, I can't find any web hits for that name, which means it is almost certainly illegitimate.

When you do a Find for them, make sure "show all files" is checked in Folder Options>View, in case it is "hidden".

Also try from a DOS prompt

dir QXWALH /s
 

survivethedrive

Thread Starter
Joined
Jan 24, 2001
Messages
3
Here's the whole start-up log. Also, the QXWALH file isn't there. The name of the strange file keeps changing. After I think I've cleared the system, a new strange file name comes up. On start-up it says that QXWALH is missing.

Here's the log:

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 11-07-2001 10:45:19.67p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Aticwd32.exe"
"AtiKey"="Atitask.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"USBMMKBD"="usbmmkbd.exe"
"Keyboard Manager"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM\\HPScanFix.exe"
"QBCD Autorun"="M:\\autorun.exe restart QB_ONLY next"
"RegShave"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"NAV DefAlert"="C:\\PROGRA~1\\NORTON~4\\DEFALERT.EXE"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~4\\NAVAPW32.EXE /LOADQUIET"
"Norton eMail Protect"="C:\\Program Files\\Norton AntiVirus\\POPROXY.EXE"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"McAfeeWebScanX"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\WebScanX.Exe"
"Tau Monitor"="C:\\PROGRAM FILES\\AGNITUM\\TAUSCAN 1.6\\TAUMON.EXE"
"Norton CrashGuard Monitor"="\"C:\\PROGRAM FILES\\NORTON CRASHGUARD\\CGMENU.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Encompass_ENCMONTR"="C:\\Program Files\\Easy Internet\\ENCMONTR.EXE"
"Hidserv"="Hidserv.exe run"
"SchedulingAgent"="mstask.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"McAfeeWebScanX"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\WebScanX.Exe /RUNSERVICES"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run= QXWALH.EXE

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@ECHO OFF
SET SBPCI=C:\SBPCI
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
@IF ERRORLEVEL 1 PAUSE
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
path C:\WINDOWS;C:\WINDOWS\COMMAND
rem sPower will initialize the USB Keyboard in DOS.
call c:\dosboot\sPower
SET BLASTER=A220 I7 D1 H7 P330 T6
REM .c.
call c:\dosboot\drivers.bat
rem - By Windows Setup - mscdex.exe /d:IDECD000 /L:M

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe
C:\WINDOWS\Start Menu\Programs\StartUp\QuickBooks Delivery Agent.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Exif Launcher.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\Microsoft Outlook.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="c:\\windows\\SYSTEM\\ie4uinit.exe"
"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off
REM To make a DOS Boot Diskette, see the file C:\DosBoot\DosBoot.txt.

set path=c:\windows\command

mscdex.exe /d:IDECD000 /L:M

SET PROMPT=$p$g
SET TEMP=C:\windows\TEMP
SET TMP=C:\windows\TEMP

set DosOnly=1
call c:\dosboot\mousie.bat

c:\windows\smartdrv /q
c:
cd \windows

REM to enable ZIP support in DOS:
REM 1) cd C:\IOMEGA
REM 2) run IOMEGA.EXE
REM 3) then uncomment the following line
REM C:\IOMEGA\GUEST.EXE

REM for DOS Networking including most networked games,
REM read the file IPX.BAT and then uncomment the following
REM CALL C:\DOSBOOT\IPX.BAT
C:\SBPCI\SBINIT


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\SBPCI
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND;C:\WINDOWS;C:\WINDOWS\COMMAND
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 
Joined
Dec 9, 2000
Messages
45,855
I don't see anything else suspicious there. And if you are getting file missing messages, then it is just the entry in win.ini that needs to be removed.

You have two antivirus programs running. All advice says this is not such a good idea, as they can interfere with each other's ability to quarantine a malicious file at a critical time.

My suspicion is that these trojans are getting detected and cleaned automatically, but you are not getting notification. Perhaps the logs of the antivirus programs would reveal something.

When trojans are detected and cleaned, the programs sometimes leave behind the entry in win.ini or system.ini which needs to be manually deleted. That may be the case here.

I'd stick with one antivirus program (Norton, in my opinion) and install a firewall to go with it.

You can uncheck (in msconfig>startup) or uninstall Tauscan if you don't want it running. You do have a lot there.
 