
Nimba Virus Recovery

By chinahope
How can you restore a 98 Second Edition machine from an attack of the Nimba virus?


format

by Pills In reply to Nimba Virus Recovery

I had the same problem with one of my PCs. I tried to remove the virus, but it was too far gone; in the end I had to format the PC by putting a Win98 startup disk in the floppy drive and running the format utility from it. Once I got the PC up and running again, I found some software on the net to check for any backdoors the virus may have left. Hope this helps.


by CJMPE In reply to Nimba Virus Recovery

If your workstation isn't too far gone, you can carry out the following procedure:

Disconnect system from the network.

Scan all files on all local hard drives and disinfect/delete with your favorite anti virus package.

Open "system.ini" in Notepad. Locate the following line:

"shell=explorer.exe load.exe -dontrunold"

and delete "load.exe -dontrunold". Save the file when complete.

Open "wininit.ini" in Notepad. Look for strings that contain the following information (where XXXX represents four hexadecimal digits):

[rename]
NUL=C:\WINDOWS\TEMP\MEPXXXX.TMP.exe

Delete these lines if found and save the edited file.


Search the system for the "riched20.dll" file. If the file is located, scan it with your anti-virus package. If it is infected, replace it from the original Windows media. The file will be located in a CAB file on your CD and can be extracted using WinZIP. I don't remember which CAB file contains "riched20.dll", but the files are archived in the CAB files in alphabetical order, so start around file #25 or 30.

Reboot the system.

Perform another full scan from the GUI with action set to "Disinfect".

*While scanning the drive, if your software finds JS/Nimda.A@mm in any *.HTML, *.ASP, or *.HTM files, as well as files that contain the words "DEFAULT", "INDEX", "MAIN" or "README" in the filename, edit the appropriate file and remove the JavaScript code that the virus adds referring to the README.EML file, or restore the affected files from a backup. The virus appends the JavaScript code.

Finally, review the permissions of your shared folders. The virus may alter the permissions of the existing shares and/or add new ones.

I know this sounds tedious, but it should take no more than about 1 hour, and afterward you will know if a complete system rebuild is in order.
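A defender-side helper, added here as an example and not part of either reply, that applies the system.ini, wininit.ini and web-file checks described above to file contents. The regular expressions, the filename filter and the sample inputs are constructed for this example from the strings the post quotes.

```python
import re
from pathlib import PureWindowsPath

# Traces the post tells you to look for; patterns constructed for this example.
SHELL_TRACE = re.compile(r"\s*load\.exe\s+-dontrunold\b", re.IGNORECASE)
RENAME_TRACE = re.compile(r"^NUL=.*\\MEP[0-9A-F]{4}\.TMP\.exe\s*$", re.IGNORECASE)
SCRIPT_TRACE = re.compile(r"<script\b[^>]*>[^<]*readme\.eml[^<]*</script>", re.IGNORECASE)
WEB_SUFFIXES = {".html", ".htm", ".asp"}
WEB_NAMES = ("DEFAULT", "INDEX", "MAIN", "README")


def clean_system_ini(text):
    """Strip the 'load.exe -dontrunold' argument from the shell= line."""
    return SHELL_TRACE.subn("", text)


def clean_wininit_ini(text):
    """Drop NUL=...MEPXXXX.TMP.exe entries, and a [rename] header left empty by that."""
    lines = text.splitlines()
    kept = [line for line in lines if not RENAME_TRACE.match(line.strip())]
    out = []
    for i, line in enumerate(kept):
        nxt = kept[i + 1].strip() if i + 1 < len(kept) else ""
        if line.strip().lower() == "[rename]" and (not nxt or nxt.startswith("[")):
            continue  # section has no entries left, remove the header too
        out.append(line)
    return "\n".join(out), len(lines) - len(kept)


def clean_web_file(text):
    """Remove an appended <script> block that refers to README.EML."""
    return SCRIPT_TRACE.subn("", text)


def is_web_target(name):
    """Files the post says to check: web pages plus DEFAULT/INDEX/MAIN/README names."""
    p = PureWindowsPath(name)
    return p.suffix.lower() in WEB_SUFFIXES or any(w in p.stem.upper() for w in WEB_NAMES)


if __name__ == "__main__":
    # Constructed samples resembling the modified lines the post describes.
    sys_ini = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
    win_ini = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEP1A2B.TMP.exe\n"
    page = "<html><body>hi</body></html>\n<script>window.open(\"readme.eml\")</script>"
    for label, fn, data in (("system.ini", clean_system_ini, sys_ini),
                            ("wininit.ini", clean_wininit_ini, win_ini),
                            ("default.htm", clean_web_file, page)):
        cleaned, n = fn(data)
        print(f"{label}: removed {n} trace(s) -> {cleaned!r}")
```

Run the cleaners on copies of the files and diff before overwriting; a hit in riched20.dll or in shares still needs the manual steps above.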
