General discussion

  • #2124071

    Nimda Virus Recovery

    by chinahope ·

    How can you restore a 98 Second Edition machine from an attack by the Nimda virus?

All Comments

  • #3555374

      format

      by pills ·

      In reply to Nimda Virus Recovery

      I had the same problem with one of my PCs. I tried to remove the virus, but it was too far gone. In the end I had to format the PC by putting a Win98 startup disk in the floppy drive and running the format utility from it. Once I got the PC up and running again, I found some software from the net to check for any backdoors the virus may have left. Hope this helps.

    • #3564713

      Reply To: Nimda Virus Recovery

      by cjmpe ·

      In reply to Nimda Virus Recovery

      If your workstation isn’t too far gone, you can carry out the following procedure:

      Disconnect system from the network.

      Scan all files on all local hard drives and disinfect/delete with your favorite antivirus package.

      Open “system.ini” in Notepad. Locate the following line:

      “shell=explorer.exe load.exe -dontrunold”

      and delete “load.exe -dontrunold”. Save the file when complete.

      Open “wininit.ini” in Notepad. Look for strings that contain the following information (where XXXX represents four hexadecimal digits):

      [rename]
      NUL=C:\WINDOWS\TEMP\MEPXXXX.TMP.exe

      Delete these lines if found and save the edited file.

      Search the system for the “riched20.dll” file. If the file is located, scan it with your antivirus package. If it is infected, replace it with the original from the Windows media. The file will be located in a CAB file on your CDs and can be extracted using WinZIP. I don’t remember which CAB file contains “riched20.dll”, but the files are archived in the CAB files in alphabetical order, so start around file #25 or 30.

      Reboot the system.

      Perform another full scan from the GUI with action set to “Disinfect”.

      *While scanning the drive, if your software finds JS/Nimda.A@mm in any *.HTML, *.ASP, or *.HTM files, as well as files that contain the words “DEFAULT”, “INDEX”, “MAIN” or “README” in the filename, edit the appropriate file and remove the JavaScript code that the virus adds referring to the README.EML file, or restore the affected files from a backup. The virus appends the JavaScript code.

      Finally, review the permissions of your shared folders. The virus may alter the permissions of the existing shares and/or add new ones.

      I know this sounds tedious, but it should take no more than about 1 hour, and afterward you will know if a complete system rebuild is in order.
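The three file edits in the reply above (the system.ini shell line, the wininit.ini [rename] entry, and the JavaScript appended to web pages referring to README.EML) can be checked and cleaned mechanically. The script below is an added example, not code from the thread; the sample file contents are constructed from the indicators the reply lists, and the function names are my own.

```python
import re

# Constructed samples modelled on the indicators named in the reply above.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
SAMPLE_WININIT_INI = ("[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEP1A2F.TMP.exe\n"
                      "NUL=C:\\WINDOWS\\TEMP\\legit.tmp\n")
SAMPLE_HTML = ('<html><body>Hello</body>'
               '<script language="JavaScript">window.open("readme.eml")</script></html>')

# shell= line with the extra "load.exe -dontrunold" the reply says to delete
_LOAD_RE = re.compile(r"^(shell=explorer\.exe)\s+load\.exe\s+-dontrunold[ \t]*$", re.I | re.M)
# [rename] entry: NUL=...\MEPXXXX.TMP.exe, XXXX being four hex digits
_MEP_RE = re.compile(r"^NUL=.*\\MEP[0-9A-F]{4}\.TMP\.exe[ \t]*$", re.I | re.M)
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def clean_system_ini(text):
    """Strip the 'load.exe -dontrunold' tail from the shell= line; return (cleaned, changed)."""
    cleaned, n = _LOAD_RE.subn(r"\1", text)
    return cleaned, n > 0


def find_wininit_renames(text):
    """Return the NUL=...\\MEPxxxx.TMP.exe lines that should be deleted from wininit.ini."""
    return _MEP_RE.findall(text)


def strip_readme_eml_scripts(html):
    """Remove every <script> block that references README.EML; return (cleaned, removed_count)."""
    removed = []

    def _drop(m):
        if "readme.eml" in m.group(0).lower():
            removed.append(m.group(0))
            return ""
        return m.group(0)

    return _SCRIPT_RE.sub(_drop, html), len(removed)


def triage_files(system_ini, wininit_ini, html_files):
    """Summarise the three checks for in-memory file contents (html_files: name -> body)."""
    return {
        "system_ini_modified": clean_system_ini(system_ini)[1],
        "wininit_rename_entries": find_wininit_renames(wininit_ini),
        "html_with_readme_eml": [name for name, body in html_files.items()
                                 if strip_readme_eml_scripts(body)[1] > 0],
    }


if __name__ == "__main__":
    print(triage_files(SAMPLE_SYSTEM_INI, SAMPLE_WININIT_INI, {"index.html": SAMPLE_HTML}))
```

Run it against copies of the real files taken from the disconnected machine; treat a positive result as confirmation of the infection, not as proof that nothing else was changed.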
