>Has anyone been successful in removing
>W32/Nimda@MM from their IIS 4.0 servers?
Microsoft recommends a rebuild. But this post was seen recently and
might be worth a try (remember, though, that not rebuilding might not fix
everything...):
-Scott
---
I have cleaned (I think) one Win2k server. Here are the steps I followed.
Here are some suggestions that I've used successfully (so far at least).
YMMV.
Be sure to check your "Guest" user account. The worm will enable it and
also put it in the local Administrators group.
To fix the web pages:
Open one of them in Notepad or something and look at the last line of the
file. You should see:
I used Search & Replace from www.funduc.com to search for this string in all
*.htm, *.html, and *.asp files and remove it.
Search for readme.eml, .eml, .nws, admin.dll, readme.exe, riched20.dll.
Delete them if the modified date on them is today. Also, mmc.exe. The good
one should be in \winnt\system32 and will be a larger file size. Note that
admin.dll is a valid file for FrontPage and will have a smaller file size
and a different date.
Search for MEP*.TMP.EXE in the \temp directory and delete them.
Look for root.exe in your web directories and remove it.
Remove the drive shares on the root of your drives.
Other files to look for are load.exe and a modified system.ini. I did not
see these on NT.
I also re-applied SP2 and rebooted.
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". You can E-mail
[EMAIL PROTECTED] for assistance. You can visit our web
site at http://www.declude.com .
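The file-based checks from the forwarded post (dropped files, MEP*.TMP.EXE in the temp directory, root.exe under the web root, web pages whose last line has been appended to, and the "only if modified today" rule for admin.dll and mmc.exe) can be turned into one triage scan that runs before anything is deleted. The script below is an added example written for this page; it is not the poster's procedure nor a Microsoft or Declude tool. Two assumptions: the appended line is matched by looking for "readme.eml" in the last non-blank line of *.htm/*.html/*.asp files (the exact string quoted in the post did not survive extraction), and the sample tree it builds is constructed, with an invented stand-in for the appended line and placeholder "MZ" bytes for the executables. The Guest-account and drive-share checks are not file-system indicators and are left to the Windows tools.

```python
"""Read-only triage scan for the Nimda file indicators listed in the post above."""
import fnmatch
import os
import tempfile
import time
import re
from datetime import date
from pathlib import Path

# File names the post says the worm drops. admin.dll and mmc.exe also exist
# legitimately (FrontPage, \winnt\system32), so those two are reported only
# when their modified date is today, as the post advises.
DROPPED_NAMES = {"readme.eml", "readme.exe", "root.exe", "load.exe", "riched20.dll"}
DATE_SENSITIVE_NAMES = {"admin.dll", "mmc.exe"}
DROPPED_SUFFIXES = {".eml", ".nws"}
WEB_SUFFIXES = {".htm", ".html", ".asp"}
TMP_GLOB = "mep*.tmp.exe"  # MEP*.TMP.EXE, compared case-insensitively
# Assumption: the appended line refers to readme.eml. The post's own quoted
# string is missing from the page, so this is the marker searched for.
INJECTED_RE = re.compile(rb"readme\.eml", re.IGNORECASE)


def last_nonblank_line(path: Path) -> bytes:
    """Return the last non-empty line of a file, or b'' if it has none."""
    for line in reversed(path.read_bytes().splitlines()):
        if line.strip():
            return line
    return b""


def scan_tree(root, today=None):
    """Walk `root` and sort suspicious files into 'dropped', 'modified_web', 'temp'.

    Paths are returned relative to `root` in POSIX form, sorted, so results are
    stable. `today` is injectable so the date rule can be tested deterministically.
    """
    today = today or date.today()
    root = Path(root)
    found = {"dropped": [], "modified_web": [], "temp": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            lname, suffix = name.lower(), p.suffix.lower()
            if lname in DROPPED_NAMES or suffix in DROPPED_SUFFIXES:
                found["dropped"].append(p)
            elif lname in DATE_SENSITIVE_NAMES:
                if date.fromtimestamp(p.stat().st_mtime) == today:
                    found["dropped"].append(p)
            elif fnmatch.fnmatch(lname, TMP_GLOB):
                found["temp"].append(p)
            elif suffix in WEB_SUFFIXES and INJECTED_RE.search(last_nonblank_line(p)):
                found["modified_web"].append(p)
    return {k: sorted(x.relative_to(root).as_posix() for x in v) for k, v in found.items()}


def make_sample_tree(base) -> Path:
    """Build a constructed mock of an infected web root (not real worm data)."""
    base = Path(base)
    www = base / "inetpub" / "wwwroot"
    (www / "scripts").mkdir(parents=True)
    (base / "temp").mkdir()
    (base / "frontpage").mkdir()
    # Page with a constructed stand-in for the appended line as its last line.
    (www / "default.htm").write_text(
        "<html><body>Hello</body></html>\n"
        '<html><script>window.open("readme.eml")</script></html>\n')
    (www / "about.html").write_text("<html><body>clean page</body></html>\n")
    (www / "readme.eml").write_bytes(b"MIME-Version: 1.0\n")  # dropped copy
    (www / "scripts" / "root.exe").write_bytes(b"MZ")          # backdoor name from the post
    (base / "temp" / "MEP1234.TMP.EXE").write_bytes(b"MZ")
    (www / "admin.dll").write_bytes(b"MZ")                      # modified today: suspicious
    legit = base / "frontpage" / "admin.dll"                    # old date: FrontPage's own
    legit.write_bytes(b"MZ legit")
    month_ago = time.time() - 30 * 86400
    os.utime(legit, (month_ago, month_ago))
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(make_sample_tree(tmp))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

The scan only reports; deletion is deliberately a separate step so that the legitimate FrontPage admin.dll and the \winnt\system32 mmc.exe can be confirmed by date and size before anything goes. The account and share items from the post are checked with the Windows tools themselves: `net user Guest` shows whether the account is enabled, `net localgroup Administrators` shows whether it was added there, and `net share` lists the root shares to remove.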