NIMDA virus on the family computer - Calling all digital exterminators

RyanM

Okay, so I'm sitting here 20 minutes ago, minding my own business, when my brother screams out "What the f*ck is going on?"

I walk over to the computer, and I see several files that at one point were MP3s now sported an Outlook mail icon. That's right, it's the return of the ever-so-fun email worm virus.

I immediately killed the power to the computer, putting it in a state of quarantine. Before I go on the eradication path, there are a few things I need to know.

Obviously, any good self-replicating virus is going to load itself at startup so it can continue wreaking havoc upon each and every reboot. Now, I know safe mode often skips all the stuff in the Run section of the registry - But will that be enough? Is it likely there's another place where the virus could put auto-loading code so it can execute itself even in safe mode?

Or will going into Safe mode and hunting the files down manually be an effective method of extermination?

The last time there was a virus scare, it was this same scenario, and I found out about it so late in the game that the only option was a full format c: format d:.

Any help is greatly appreciated. Peace!
 

gentobu

I think that viruses can infect the boot sector of the HDD, so whenever you boot it will be loaded into memory, regardless if you go to safe mode or not.
 

calpha

Take any other computers off the network and take your computer to Panda ActiveScan. It's the best online tool I've used, and should be able to fix your problems.

If it's not able---Panda Tech support is IMO the best there is in the virus business. If you were to buy Panda Platinum or Titanium and were unable to remove the virus their tech support (via phone) would be there 24/7 to help you remove it (at least they were last year when I called).

GL, sorry about the virus.....
 

EagleKeeper

Boot from a known sterile floppy (write protected), not the hard drive that is contaminated.
Then try your local anti-virus program that is kept up to date.
 

RyanM

Here's the thing though - If I do boot with a floppy, obviously, I'm not going to be able to boot into Windows. Anyone know of any good command-prompt virus proggies?
 

kt

Just out of curiosity, are you sure you got yourself a virus there? I mean just because the icon changed on the MP3 files doesn't mean you got yourself a virus. Windows has a tendency to do that once in a while in which they load up the wrong icon for certain extensions. Dunno, maybe it's just a false alarm?
 

RyanM

Originally posted by: kt
Just out of curiosity, are you sure you got yourself a virus there? I mean just because the icon changed on the MP3 files doesn't mean you got yourself a virus. Windows has a tendency to do that once in a while in which they load up the wrong icon for certain extensions. Dunno, maybe it's just a false alarm?

The icons and extensions for several files changed, not just the icons. That, and the hard drive was thrashing like mad, as if something was going through and overwriting files. It's the exact same virus that computer got a year ago, I'll bet on it.
 

kt

Originally posted by: MachFive
Originally posted by: kt
Just out of curiosity, are you sure you got yourself a virus there? I mean just because the icon changed on the MP3 files doesn't mean you got yourself a virus. Windows has a tendency to do that once in a while in which they load up the wrong icon for certain extensions. Dunno, maybe it's just a false alarm?

The icons and extensions for several files changed, not just the icons. That, and the hard drive was thrashing like mad, as if something was going through and overwriting files. It's the exact same virus that computer got a year ago, I'll bet on it.

In that case, better going with cleaning up the virus. Only once in my lifetime had I been defeated by a virus and that was because I procrastinated in cleaning it up. That was back in the DOS days though. So, the "reinstall" process is no biggie.
 

calpha

As for command line tools for virus checkers.....there's a good bit of them. I'm about to leave----but I think one's called fprot or something.....I think Symantec and McAfee have versions too.

Either way----check out www.nu2.nu and look under corporate mod boot-----he'll have some links there for command line tools for virus scanning so you can scan from a booted dos disk.
 

RyanM

Originally posted by: calpha
As for command line tools for virus checkers.....there's a good bit of them. I'm about to leave----but I think one's called fprot or something.....I think Symantec and McAfee have versions too.

Either way----check out www.nu2.nu and look under corporate mod boot-----he'll have some links there for command line tools for virus scanning so you can scan from a booted dos disk.

Thanks. I'd forgotten about F-prot...last time I even whispered its name I was running a 486 DX/2.

I love how easy it is for me to go 7 years without getting a virus, but my family manages to do it twice in 2 years as if they want viruses. Idiots.
 

RyanM

Running F-prot right now.

Along with the lovely JS.nimda.A@mm and W32.nimda.E@mm, there's also a few cute little trojans and backdoors.

I swear to f*cking god - I don't even want these morons using a computer at all at this point. I can't exactly sit over their shoulder and make sure they're not being retards and downloading crap they shouldn't be, and after this, the 2nd incident, I sure as hell don't trust or have any confidence that this won't happen in the future.

Now, as far as I remember from the last time, I'm gonna need to wipe the system regardless of whether I feel like deleting the infected files, since the infected files are not only data files, but system and program files, right?
 

RyanM

Here's the results. Lovely, aren't they?

Virus scanning report - 1 January 2000 @ 0:16

F-PROT ANTIVIRUS
Program version: 3.12d
Engine version: 3.12.8

VIRUS SIGNATURE FILES
SIGN.DEF created 6 May 2003
SIGN2.DEF created 6 May 2003
MACRO.DEF created 5 May 2003

Search: Local hard disks
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE
No viruses found in memory.
No viruses were found in MBRs or hard disk boot sectors.

E:\MYSHAR~1\MISCIN~1\NERO55~1.14\EASYWR~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\INCD33~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\KEY-GE~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\NERO55~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\NEROMP~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\NEROMP~2.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NERO55~1.14\THECOL~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\WINRAR\WINRAR~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\WINRAR\MOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\WINRAR\WINRAR~1.0CR\PATCHER.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\WINRAR\WINRAR~1.0CR\WINDOW~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NOTETAB\SETUP.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\NOTETAB\DRAGPI~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\KLITES~1\KAZAA_~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\KLITES~1\KAZAA_~2.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\KLITES~1\KAZAA_~3.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\KLITES~1\PG.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\TRILLI~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\ACCUWE~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\CLIPBO~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\MINIBR~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\MYSTUF~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\NEWS-V~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\POP3-V~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\STOCKS~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\TRILLI~2.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\TRILLI~3.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\WINAMP~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\TRILLI~1\PAUL.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\DIVX5\DIVXPR~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\DIVX5\UNTITLED.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\EPSON1~1\SETUP.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\EPSON1~1\PROGRA~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\MOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\PROGRA~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\EATPS358\MARIJU~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\EATPS358\EATPS358\PSTRIP.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\EATPS358\EATPS358\TITLE4.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\EATPS358\EATPS358\CRACK\PSTRIP.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POWERS~1\ENTECH~1.CRA\EATPS358\EATPS358\CRACK\NETDEV~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POETRY\THECOL~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\POETRY\RICHED20.DLL Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\AIM\INSTAL~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\AIM\AIM_SE~1.EXE Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MISCIN~1\AIM\FREDIS~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MOM'SF~1\2COPY~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\MOM'SF~1\PICTURES\SPHERE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\MARIJU~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\RAP\DESKTOP.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\LOVE\PROGGY~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\RANDOM\WINDOW~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\PUNK\SAMPLE~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\PRANKS\PROGGY~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\JULIE'~1\ROCK\DESKTOP.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\EVANES~1\SAMPLE~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\EVANES~1\FALLEN\SCAN0003.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MARIJU~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\RICHED20.DLL Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\PROGGY~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\SAMPLE~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\LATERA~1\WINDOW~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\AENIMA~1\DESKTOP.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\UNDERT~1\SCAN0003.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\OPIATE~1\C_A~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MAYNARD\APERFE~1\ADDRES~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\CHEVELLE\MOOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\STAIND\JULIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\EARSHOT\MOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\SPIRIT~1\2.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\BACKIN~1\SCREEN~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\BUSH\DRAGPI~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\NIRVANA\SPHERE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\PEARLJ~1\TITLE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\HOOBAS~1\MOOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\METALL~1\SCREEN~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\PANTERA\MOOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\LINKIN~1\PROGRA~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\INCUBUS\MOOVIE~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\DEFAULT\WINDOW~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\MISC\MARIJU~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\3DOORS~1\MOOVIE.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\3DOORS~1\AWAYFR~1\WINDOW~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\MUSIC\3DOORS~1\BETTER~1\TITLE4.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\KYLE'S~1\VIDEOS\NET-DE~1.EML->sample.exe Infection: W32/Nimda.E@mm
E:\MYSHAR~1\COLDWA~2\MYDRAG~1.EML->sample.exe Infection: W32/Nimda.E@mm
Scanning F:

Results of virus scanning:

Files: 29778
MBRs: 1
Boot sectors: 2
Objects scanned: 24460
Infected: 493
Suspicious: 8
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 57:35
 

kt

Diamond Member
Apr 1, 2000
6,032
1,348
136
That's Nimda... go download the removal tool. It fits on a floppy and it will remove/clean Nimda-infected files.

Link to download Nimda removal tool

I had to clean about 50 workstations from Nimda infections before. On the worst infected one, I had to replace the Riched20.dll file with a known clean version. Those stations are still running today.
 

RyanM

Platinum Member
Feb 12, 2001
2,387
0
76
I already went ahead and had F-prot disinfect.

What worries me is several things:

The presence of an IRC trojan.
The presence of another trojan.
The presence of a backdoor proggie.

And the fact that since I couldn't simply quarantine the files with F-prot, I'll never figure out which file started the chain reaction and pinpoint what f*ckhead ran it.
 

EeyoreX

Platinum Member
Oct 27, 2002
2,864
0
0
Did the virus get past your AV software? Or was there no AV software to begin with?

\Dan
 

RyanM

Platinum Member
Feb 12, 2001
2,387
0
76
Originally posted by: EeyoreX
Did the virus get past your AV software? Or was there no AV software to begin with?

\Dan

Well, I don't believe in AV software. I've never used it myself. And though I considered it for their computer, I was turned off by the way AV software has become a subscription thing. It's ridiculous.

But after two such incidents, I may very well have to explore that route. ::shudder::
 

RyanM

Platinum Member
Feb 12, 2001
2,387
0
76
AntiVir...interesting. Since this one's free, I'll go ahead and use that on their system. Hell, maybe I'll put it on mine.

But after 7 years of no viruses, I really have a hard time justifying the CPU, memory, and disk usage of running resident virus proggies.

Maybe I'll just have the DOS version run on every reboot. Since I reboot once every month or so, that should do the trick.
 

RyanM

Platinum Member
Feb 12, 2001
2,387
0
76
Really digging this AntiVir. I even installed it on my own computer, if you'd believe that. Although it's gone the moment I notice it gagging up too many CPU cycles.

Anyways, the family computer is cleaned up. All viruses, trojans, and malicious apps are quarantined in a passworded zip file.

As best I can determine, the Creation date of the original sample.exe container mail was May 4, 2003, @ 11:44 PM. The other 100 or so copies of itself appeared all around May 5, 2003, @ 2:32 AM. So basically, someone downloaded it, and executed it about 3 hours later.

Lovely.

Now I just have to get my family members in separate rooms and interrogate them.

WHERE WERE YOU ON THE NIGHT OF THE 4th?

Mwuahahahahaahaah.
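
The timeline reasoning in the post above (one early file, then a burst of copies) can be reproduced from file creation times. This is an added example, not part of the original thread: the function names are hypothetical, and the sample paths are constructed, with only the two timestamps taken from the post. Creation times can be rewritten by copying or disinfection, so the result is a lead rather than proof.

```python
import os
from datetime import datetime, timedelta

def collect(root, suffix=".eml"):
    """Return (path, creation time) pairs for files under root with the given suffix."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                # st_birthtime exists on some platforms; st_ctime is creation time only on Windows.
                ts = getattr(st, "st_birthtime", st.st_ctime)
                found.append((full, datetime.fromtimestamp(ts)))
    return found

def bursts(records, gap=timedelta(minutes=10)):
    """Sort records by time and group files created within `gap` of the previous one."""
    groups = []
    for path, when in sorted(records, key=lambda r: r[1]):
        if groups and when - groups[-1][-1][1] <= gap:
            groups[-1].append((path, when))
        else:
            groups.append([(path, when)])
    return groups

def summarize(records):
    """Earliest file, largest burst, and the delay between the two."""
    groups = bursts(records)
    first_path, first_time = groups[0][0]
    biggest = max(groups, key=len)
    return {
        "first": first_path,
        "first_time": first_time,
        "burst_start": biggest[0][1],
        "burst_size": len(biggest),
        "delay": biggest[0][1] - first_time,
    }

# Constructed sample: the two timestamps follow the post, the paths are made up.
SAMPLE = [(r"E:\share\dir%02d\copy.eml" % i,
           datetime(2003, 5, 5, 2, 32) + timedelta(seconds=7 * i)) for i in range(100)]
SAMPLE.append((r"E:\share\inbox\original.eml", datetime(2003, 5, 4, 23, 44)))

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real system, `summarize(collect(root))` is best run against a drive mounted read-only from a clean boot, so the scan itself does not touch the evidence.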
 

prosaic

Senior member
Oct 30, 2002
700
0
0
Be merciless! But remember to slap your own wrist for not having protected them from their own folly. ;)

Seriously, if they value their data and the availability of their computer(s), they need to learn to be cautious (and to keep their AV software updated). Especially given the situation, I hope that any important data gets backed up regularly to external media. Good luck in the inquisition! (Nobody expects the Spanish Inquisition!)

- prosaic