Tell me about it.  I still have two nt4.0, sp6a bricks.  About to try
reapplying sp6a, hope that works.  Bummer is one of the boxes is my secured
site, and I don't have a backup of the key, and key manager says access
denied, along with a bunch of other really needed files. If it weren't for
cmd.com and its utils I wouldn't be able to do much of anything. Would be
nice if I still had all the dos utils, got too used to doing it GUI (all the
floppies are probably past shelf life anyway).

Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
David Rolling
Sent: Tuesday, September 18, 2001 8:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [imail] Nimda Virus


Great list, but you forgot about me*.tmp.exe files. These are the base files
for the mep*.tmp.exe files and can be reloaded by the iexplorer .exe, the
mmc.exe and winzip32.exe, MAPI32.DLL, MPR.DLL, system.ini files. This is the
worst virus/worm I have ever seen since being online for 5+ years.


David Rolling
www.infovue.net
President
877-722-2162
========================================================
On the Plains of Hesitation, Bleach the Bones of Countless
Millions Who,
at the Dawn of Victory, Sat Down to Wait and Waiting Died
=========================================================


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scot Desort
Sent: Tuesday, September 18, 2001 9:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [imail] Nimda Virus


I have cleaned (I think) one Win2k server. Here are the steps I followed:

Here's some suggestions that I've used successfully (so far at least).
YMMV.

Be sure and check your "Guest" user account.  The worm will enable it and
also put it in the local administrators group.

To fix the web pages:
Open one of them in notepad or something and look at the last line of the
file.  You should see:
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>

I used Search & Replace from www.funduc.com to search for this string in all
*.htm, *.html, and *.asp files and remove it.

Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
Delete them if the modified date on them is today.  Also, mmc.exe.  The good
one should be in \winnt\system32 and will be a larger file size.  Note
admin.dll is a valid file for Front Page and will have a smaller file size
and different date.

Search for MEP*.TMP.EXE in the \temp directory and delete them.

Look for root.exe in your web directories and remove it.

Remove the drive shares on the root of your drives.

Other files to look for are load.exe and a modified system.ini.  I did not
see these on NT.

I also re-applied SP2 and rebooted.

--
Scot
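
The web-page cleanup and file search described in the message above, scripted as an added example that is not part of the original thread. The function and constant names are hypothetical; the trailer string and file names are the ones quoted in the post, and the script only reports suspect files rather than deleting them.

```python
import fnmatch
import os
import re
import sys

# Trailer as quoted in the post; whitespace between the arguments is matched
# loosely because the e-mail wrapped the line.
TRAILER = re.compile(
    rb'<html><script language="JavaScript">window\.open\("readme\.eml",\s*null,'
    rb'\s*"resizable=no,top=6000,left=6000"\)</script></html>\s*',
    re.IGNORECASE)
PAGE_EXTS = (".htm", ".html", ".asp")
# File names from the post, reported for manual review and never deleted here.
# admin.dll, riched20.dll and mmc.exe are left out because the post notes that
# valid copies exist and must be told apart by size and date.
SUSPECT_NAMES = ("readme.eml", "readme.exe", "root.exe", "load.exe",
                 "*.eml", "*.nws", "mep*.tmp.exe")


def strip_trailer(data: bytes) -> bytes:
    """Return the page bytes with every copy of the appended trailer removed."""
    return TRAILER.sub(b"", data)


def clean_tree(root: str, dry_run: bool = True):
    """Walk root; return (pages carrying the trailer, suspect files to review)."""
    pages, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if any(fnmatch.fnmatchcase(lower, pat) for pat in SUSPECT_NAMES):
                suspects.append(path)
            elif lower.endswith(PAGE_EXTS):
                with open(path, "rb") as fh:
                    data = fh.read()
                cleaned = strip_trailer(data)
                if cleaned != data:
                    pages.append(path)
                    if not dry_run:  # rewrite only when explicitly asked to
                        with open(path, "wb") as fh:
                            fh.write(cleaned)
    return sorted(pages), sorted(suspects)


if __name__ == "__main__":
    # Dry run by default: list what would change under the given web root.
    found, review = clean_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("pages with trailer:", *found, sep="\n  ")
    print("files to review:", *review, sep="\n  ")
```

Run it once as a dry run against a copy of the web root and check the list before calling `clean_tree(root, dry_run=False)`.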


----- Original Message -----
From: "Charles Frolick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 7:25 PM
Subject: RE: [imail] Nimda Virus


> Has anyone actually been able to completely remove the virus from their
> system and return to normal?  I have used several scanners, and manually did
> everything I can find documented and still I have two servers that are
> essentially paper weights since I cannot connect them to the network, and
> they keep losing more and more functionality. (First lost use of
> Explorer.exe to serial crashing, now several programs are saying access
> denied.)
>
> Chuck Frolick
> ArgoNet, Inc.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jasmine
> Sent: Tuesday, September 18, 2001 3:37 PM
> To: [EMAIL PROTECTED]
> Subject: [imail] Nimda Virus
>
>
> Has anyone found a separate virus removal tool that does not rely on
> anti-virus software yet?
>
> Thanks.
> J.
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists