I've had one server infected. Other than the description below, I used
NAI's removal-tool with no problems. It can be found at
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 (may be wrapped)
under the heading "Stand-alone removal tool".
The server was booted in between each step; the whole operation took a
little over 1 hour and it is so far behaving nicely.
Søren A
> I'm in the middle of an all-nighter killing this thing; I'll tell you
> what is working for me (you need to be at the console):
> Delete Admin.dll and all TFTP* files from %driveletter%\Inetpub\scripts
> Stop and disable the server service
> Reboot
> Apply IIS cumulative patch
> Reboot
> Apply hotfixes for either IE 5.01 SP1 or IE 5.5 SP1 (MIME header vulns)
> Reboot
> I am running NetShield, so I apply DAT 4161 and then scan and clean.
>
> Kludgy, I know, we are working on scripting this. That is what we have
> so far. I'll update unless someone else does before then. Back to
> work....
>
> -----Original Message-----
> From: Matthew Western [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 8:59 PM
> To: NT System Admin Issues
> Subject: How to remove Nimda from NT Server without a reload
>
>
> Any links on how to remove Nimda from NT without a reload? When I run the
> removal tool from this list it crashes... Any idea what services it
> overwrites and runs as? I've heard cmd.exe and mmc.exe. We've got mmc.exe
> running, but when I try to kill it with Task Manager it says access
> denied...
> Ideas?
> Matthew
>
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm