W32.Nimda.E@mm Removal Tool 1.0.0

Symantec has provided a tool to remove infections of W32.Nimda.E@mm
This tool is designed to remove infections of W32.Nimda.E@mm. It will not remove infections of W32.Nimda.A@mm. If you need to remove a W32.Nimda.A@mm infection, obtain the W32.Nimda.A@mm Removal Tool.
The W32.Nimda.E@mm Removal tool does the following:
- Terminates all processes associated with the virus.
- Terminates the Explorer.exe process and relaunches it. The virus injects itself into Explorer.exe, which makes this step necessary. Because of this, you may see the desktop flash (this is expected behavior).
- Detects all types of W32.Nimda.E@mm infections. Repairs those files that can be repaired. Deletes .eml, .nws, .doc, and .txt files that have been detected as infected.
NOTE: The tool will not delete .eml files in cases where the extension is not one of the four mentioned above. For example, a file with the double extension .eml.bad will not be deleted. You must manually delete such files.
- Repairs the System.ini file by removing the modifications made to the shell= line.
- Removes the guest account from the Administrator group and disables the guest account in the Guests group.
- Repairs multiple HTML infections.
- Returns shared drives and folders to default security settings.
Command-line switches available in this tool:
- /NOFIXSHARE - Disables share repair (use of this switch is not recommended).
- /NOFIXREG - Disables registry repair (use of this switch is not recommended).
- /SILENT, /S - Enables silent mode.
- /LOG=[PATH NAME] - Creates a log file where [PATH NAME] is the location in which to store the output of the tool.
- /RWPWD=[PASSWORD] - Applies this password to Windows 9x Read/Write Shares
- /ROPWD=[PASSWORD] - Apply this password to Windows 9x Read-Only Shares
- /MAPPED - Scans mapped network drives.
Once a system has been attacked by W32.Nimda.E@mm, it is possible that the computer has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to the system, including but not limited to the following:
- Stealing or changing passwords or password files
- Installing remote-connectivity host software, also known as backdoors
- Installing keystroke-logging software
- Configuring of firewall rules
- Stealing of credit card numbers, banking information, personal data, and so on
- Deletion or modification of files
- Sending of inappropriate or even incriminating material from a customers email account
- Modifying access rights on user accounts or files
- Deleting information from log files to hide such activities
If you need to be certain that your organization is secure, you must reinstall the operating system, and restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.