Need help Removing PE NIMDA A-0

Discussion in 'malware problems & news' started by Ryan A, Apr 20, 2002.

Thread Status:
Not open for further replies.
  1. Ryan A

    Ryan A Guest

    Hello anyone who can help, I have found out that I have the Nimda virus, I'm not sure how I got it but I do.  I downloaded the NOD 32 and the "Fix" for Nimda, which scanned my system and removed the virus apparently.  I did a scan with Trojan Hunter as well, nothing was found *these are all deep scans by the way* and then I did one with NOD and nothing was found, but....every time I start up the computer etc my Outlook Express *which I have never used etc* continues to come up with a "new message" that forwards two attachments one of which says README.VTR or something, knowing fully well this is the virus.  I also have these little "envelope" type icons, they are .EDL files and say things like "smile.edl" etc.  They are almost in every folder of mine and on my system tray, how do I get rid of these things?!  I scanned one individually and it said it was clean etc, does anyone out there know how I can get this computer of mine back to normal?  I'm using Microsoft ME and I'm terrible with computers so, I don't know what to do.  I also downloaded the NIMDA protection from your site etc, and it says I'm protected, but how do I get rid of the EDL files etc.  Also I did an online virus scan at http://housecall.antivirus.com/pc_housecall/comparison_pcc.htm and it comes up with over 92 files infected, and they are "uncleanable", and also it found a BKDR_ACEBO.A, how do I clean this out?? thanks in advance

    -Ryan A
     
  2. Ryan A

    Ryan A Guest

    Sorry, they are not EDL, they are EMLs.
     
  3. snowman

    snowman Guest

    Ryan

    By no means really informed in this area....but can well understand your frustration.....so until someone more knowledgeable can offer you better advice........I will offer a suggestion.

    As you know WinMe has a system restore feature....you can disable this feature then run your anti-virus programs again and see if that does the trick....I am not promising that it will work....however, there have been cases where the system restore feature either re-installs a virus or prevents a virus from being cleaned fully.....

    The following instructions will allow you to disable system restore.........follow the same instruction to re-enable it.

    right click on "my computer" icon
    right click on "properties"
    click on "file system"
    click on "troubleshooting"
    put a check in "disable system restore"

    close and run your anti-virus programs.

    Take your time Ryan....write down the instructions if need be......and if you are nervous...follow the instruction a few times first...then disable system restore.........and hey if this helps to clean the virus great..if not you won't have lost anything.

    snowman
     
  4. snowman

    snowman Guest

    Ryan

    sorry....forgot to mention that after you follow the above instruction and disable system restore....shut down your computer.....then re-start and then run your anti-virus programs

    snowman
     
  5. FanJ

    FanJ Guest

    Hi Ryan,

    You could try the Panda Quick Remover.
    You can find it here:
    http://www.wilders.org/downloads.htm
    The name is: pqremove.com
    Download it.
    Run it (temporarily disable your resident anti-virus and anti-Trojan program).
    Reboot.
    Run it again.

    Please let us know if that helps.
     
  6. Old_Sixteen

    Old_Sixteen Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    17
    Here is a snippet from the write up at NAI on Nimda:
    ~~~~~~~~~~~~~~~~~
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Res
    ~~~~~~~~~~~~~~~~~~~~~~~
    To see the entire page:
    http://vil.nai.com/vil/content/v_99209.htm

    There are quite a few stand-alone removal tools for this beastie, you have to close network shares if you have any, and you have to be able to replace files which it has renamed or written over.  This is nasty and does corrupt a lot of needed files, you may want to just reformat (sorry, but it may be easier).

    Be sure to check out the security updates from MS noted in the article, there was a hole in IE which let this malicious script run, you may have missed downloading the patch for it?

    Here is yet another removal tool:
    http://www.symantec.com/avcenter/tools.list.html

    The best of luck to you, hope any of this helps.
     
  7. Ryan A

    Ryan A Guest

    Thank you so much for the quick replies, I'm very grateful for any help you guys are willing to give, I really appreciate this...well I did what you all told me (except for reformatting, gonna hold off on that as a last resort :0   )

    well I had turned off my system resource prior before trying any fixes, it said it cleaned it out, ran the scans again on NOD, Trojan Hunter, the fix tools etc and they said they can't find the virus anywhere....well I think that may be true in a sense, but those lil "envelope" things are still there, and my Outlook Express still comes up and tries to forward that README thing.  Now I had an idea that maybe these are just "ghost" files left behind, they may be clean but have program portal calls in them that make them refresh their previous action, these files by the way are things like "iq04t_new.eml", "smile.eml", "easterflyer.eml", "carter_baptist.eml", "iq06t_new.eml" etc etc, the list goes on, I ran a search for all *.eml files and found THOUSANDS, many that are EXACTLY the same like "smile.eml and smile.eml".  Now I had a question, could I just search for every EML file on my computer and just delete them??  or will that screw up my system, since every virus scan etc says my system is clean etc etc, I just want to get rid of these two problems,

    1.  Seeing those stupid ".Eml" files all over my hard drive  (there is only 1 per folder in my system including one in my system tray)

    2.  My Outlook Express coming up at startup says "new message, send cancel etc"  which is the README attachment on it with no subject line.....(I also still have the pop up come up and say "do you want Outlook Express to be your default e-mail blah blah"  lol
    also I dont know if that BKDR_ACEBO.A   was cleaned, since no tool etc told me so......

    again thank you so much for all the help you guys, I really appreciate it!! if worse comes to worst I guess I will have to re-format

    -Ryan A
     
  8. Ryan A

    Ryan A Guest

    *please note left last*  oh I forgot to mention I right clicked one of these smile.eml files and checked properties, they say they are "Outlook Express E-mail Messages" so does that mean they are safe to delete?  also, I should also mention I have NEVER NEVER ever used Outlook Express to send any information or anything, never have opened it before and only once has it ever asked to be my default e-mail client, now it's doing it all the time because of this virus thing, so I don't know if that matters but wanted to give out all info about what I've touched etc, so yeah it says E-mail messages, and I don't remember seeing those EVER before on my hard drive, so is it safe to delete these THOUSANDS of EML files?  haha anyways thanks again!

    -Ryan
     
  9. Ryan A

    Ryan A Guest

    well, it looks like I've come to the conclusion to re-format my drive....DAMN YOU NIMDA, you win this round....but be fair warned you won't get me again...

    well guys thanx so much  for your help and advice, I was hoping I could ask you all another question though,
    I have on here some MP3's AVI's and word perfect documents I would love to backup still since some are for school...

    Will this VIRUS latch itself onto a DATA burn of these formats?  and if so, then if I made those Mp3's (obviously not all of them)  into an Audio CD, would the virus still attach itself and then infect a computer that I put my CD into, to listen to music at a later time?? (i mean I would make an audio Disk of some mp3's i have on here not the MP3 format itself if it would attach a virus)  I was really hoping I could back up the AVI movie formats and the Mp3 and Word Perfect documents onto  a CD with no way the VIRUS could get on that burn, since some stuff I wont ever be able to get back again, would anyone know if that will be okay??

    well thank you all again for your advice and everything! thanx and take care, I'll wait for a response before I re-format

    -Ryan A  
     
  10. FanJ

    FanJ Guest

    Ryan,

    As I understood from you, the Panda Quick remover didn't help; am I right?

    You could download/install a trial version of KAV which is capable of scanning in your .eml archives.
    Make sure you update it with the latest definitions and let it do a full system scan as deep as possible (of course you have to temporarily disable your other AV/AT programs while doing the scan).

    After that, you could do the same thing with a trial version of TDS-3.

    I hope it helps.....
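Both Ryan's question (are the thousands of .eml copies safe to delete?) and FanJ's advice to scan inside the .eml files come down to knowing what those messages actually contain. The script below is an added example, not from this thread and not part of any tool named in it. It walks a folder tree, groups byte-identical .eml files by SHA-256 so thousands of copies collapse into a handful of distinct messages, parses one representative of each with Python's standard email module, and flags attachments whose extension Windows would execute, especially where the declared Content-Type claims something harmless such as audio. The sample messages, folder names, the EXECUTABLE_EXTS set and the flag names are constructed for the demo and are not real Nimda mail.

```python
# Added example (not from the original thread): inventory .eml files under a
# directory, group byte-identical copies, and flag executable attachments.
# The sample messages below are constructed for the demo, not real Nimda mail.
import email
import hashlib
import os
import tempfile
from collections import defaultdict
from email import policy

# Attachment extensions Windows would run directly when opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample: empty subject, executable attachment declared as audio.
SUSPICIOUS_EML = (
    b"From: someone@example.invalid\r\n"
    b"To: you@example.invalid\r\n"
    b"Subject: \r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="README.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="README.EXE"\r\n'
    b"\r\n"
    b"bm90IGEgcmVhbCBwcm9ncmFt\r\n"   # base64 of "not a real program"
    b"--b1--\r\n"
)

# Constructed sample: ordinary plain-text message, no attachment.
BENIGN_EML = (
    b"From: friend@example.invalid\r\n"
    b"Subject: homework notes\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See you in class.\r\n"
)

def find_eml_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".eml"):
                yield os.path.join(dirpath, name)

def classify_attachment(filename, content_type):
    """Flag executable attachments, and ones whose declared type hides that."""
    flags = []
    if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS:
        flags.append("executable-attachment")
        if not content_type.startswith("application/"):
            flags.append("content-type-disguised")
    return flags

def inspect_message(path):
    """Parse one .eml; return (subject, [(filename, content_type, flags)])."""
    with open(path, "rb") as f:
        msg = email.message_from_binary_file(f, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        attachments.append((name, ctype, classify_attachment(name, ctype)))
    return subject, attachments

def triage(root):
    """Group .eml files by SHA-256 of content; inspect one file per group."""
    groups = defaultdict(list)
    for path in find_eml_files(root):
        with open(path, "rb") as f:
            groups[hashlib.sha256(f.read()).hexdigest()].append(path)
    report = {}
    for digest, paths in groups.items():
        subject, attachments = inspect_message(paths[0])
        report[digest] = {"paths": sorted(paths), "subject": subject,
                          "attachments": attachments}
    return report

def suspicious_entries(report):
    """Only the groups where some attachment raised a flag."""
    return {d: e for d, e in report.items()
            if any(flags for _, _, flags in e["attachments"])}

def build_demo_tree():
    """Write the constructed samples: one message copied into three folders."""
    root = tempfile.mkdtemp(prefix="eml_triage_")
    for sub in ("Documents", os.path.join("Documents", "school"), "Music"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "smile.eml"), "wb") as f:
            f.write(SUSPICIOUS_EML)
    with open(os.path.join(root, "Documents", "notes.eml"), "wb") as f:
        f.write(BENIGN_EML)
    return root

if __name__ == "__main__":
    for entry in suspicious_entries(triage(build_demo_tree())).values():
        print(f"{len(entry['paths'])} copies, subject={entry['subject']!r}")
        for name, ctype, flags in entry["attachments"]:
            print(f"  {name} declared as {ctype}: {', '.join(flags)}")
```

Run as-is it reports on the constructed tree; point triage() at a real drive root to inventory your own files. It only reads and hashes, never opens attachments or deletes anything, so it is a safe first step before deciding which copies to remove and which to keep for a scanner such as the ones FanJ mentions.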
     