Not a chance. It can't be cleaned up. Our one server had practically every
.exe program infected. NAV can detect now just can't clean :(
Neil
----- Original Message -----
From: "Scot Desort" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 9:30 PM
Subject: Re: [imail] Nimda Virus
> I have cleaned (I think) one Win2k server. Here are the steps I followed:
>
> Here's some suggestions that I've used successfully (so far at least).
> YMMV.
>
> Be sure and check your "Guest" user account. The worm will enable it and
> also put it in the local administrators group.
>
> To fix the web pages:
> Open one of them in notepad or something and look at the last line of the
> file. You should see:
> <html><script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script></html>
>
> I used Search & Replace from www.funduc.com to search for this string in
> all *.htm, *.html, and *.asp files and remove it.
>
> Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
> Delete them if the modified date on them is today. Also, mmc.exe. The
> good one should be in \winnt\system32 and will be a larger file size. Note
> admin.dll is a valid file for Front Page and will have a smaller file size
> and different date.
>
> Search for MEP*.TMP.EXE in the \temp directory and delete them.
>
> Look for root.exe in your web directories and remove it.
>
> Remove the drive shares on the root of your drives.
>
> Other files to look for are load.exe and a modified system.ini. I did not
> see these on NT.
>
> I also re-applied SP2 and rebooted.
>
> --
> Scot
>
>
> ----- Original Message -----
> From: "Charles Frolick" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 7:25 PM
> Subject: RE: [imail] Nimda Virus
>
>
> > Has anyone actually been able to completely remove the virus from their
> > system and return to normal? I have used several scanners, and manually
> > did everything I can find documented and still I have two servers that
> > are essentially paperweights since I cannot connect them to the network,
> > and they keep losing more and more functionality. (First lost use of
> > Explorer.exe to serial crashing, now several programs are saying access
> > denied.)
> >
> > Chuck Frolick
> > ArgoNet, Inc.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jasmine
> > Sent: Tuesday, September 18, 2001 3:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: [imail] Nimda Virus
> >
> >
> > Has anyone found a separate virus removal tool that does not rely on
> > anti-virus software yet?
> >
> > Thanks.
> > J.
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
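
The web-page cleanup and file search described in Scot's quoted reply, as an added example that is not part of the original thread: a Python sketch that finds the appended `window.open("readme.eml", ...)` trailer in *.htm, *.html and *.asp files, optionally strips it while keeping a backup, and reports the dropped file names listed above. The function names and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# The trailer quoted in the thread. Whitespace is matched loosely because the
# e-mail wraps the line after "null," and the exact spacing is not recoverable.
TRAILER = re.compile(
    rb'<html>\s*<script language="JavaScript">\s*window\.open\(\s*"readme\.eml"\s*,'
    rb'\s*null\s*,\s*"resizable=no,top=6000,left=6000"\s*\)\s*</script>\s*</html>\s*',
    re.IGNORECASE)
PAGE_GLOBS = ("*.htm", "*.html", "*.asp")
# Names from the thread. admin.dll, riched20.dll and mmc.exe are omitted:
# legitimate copies exist, so they need the size/date comparison by hand.
DROPPED_GLOBS = ("*.eml", "*.nws", "root.exe", "readme.exe", "load.exe", "mep*.tmp.exe")

def strip_trailer(data):
    """Return (cleaned bytes, number of trailers removed)."""
    return TRAILER.subn(b"", data)

def scan_tree(root, fix=False):
    """Return (pages carrying the trailer, files with suspicious names)."""
    pages, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if any(fnmatch.fnmatchcase(low, g) for g in DROPPED_GLOBS):
                dropped.append(path)  # report only; deleting stays a manual call
            elif any(fnmatch.fnmatchcase(low, g) for g in PAGE_GLOBS):
                with open(path, "rb") as fh:
                    data = fh.read()
                cleaned, hits = strip_trailer(data)
                if hits:
                    pages.append(path)
                if hits and fix:
                    os.replace(path, path + ".bak")  # keep the tampered original
                    with open(path, "wb") as fh:
                        fh.write(cleaned)
    return sorted(pages), sorted(dropped)

def build_sample_tree():
    """Constructed test data: one tampered page, one clean page, one dropped file."""
    root = tempfile.mkdtemp()
    body = b"<html><body>home</body></html>\r\n"
    trailer = (b'<html><script language="JavaScript">window.open("readme.eml", null, '
               b'"resizable=no,top=6000,left=6000")</script></html>')
    for name, data in (("index.html", body + trailer), ("ok.asp", body), ("readme.eml", b"x")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_tree(root)` first to review the report, then `scan_tree(root, fix=True)` once the list of pages looks right; the `.bak` copies still contain the trailer and should be removed after verification.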