When you cleaned all machines, were they still physically connected to the network? Did you shut them down totally (remove power lead) after cleaning and leave off network until all machines were cleaned? Did you rescan them before putting them back on the network? I thought that was overkill until a client got Nimda last year and it took me 30 hours to clean from two servers & 15 workstations. Then when all was apparently clean, I tested a backup. Fortunately I was on the phone chatting in front of the server watching the backup (yeah I know - more productive watching paint dry!) but I saw a bunch of disk activity when files that had been archived were backed up. Stopped backup & scanned & there was Nimda again! Took 90 secs to reinfect all machines on the network. Another 26 hour cleanup, using a different tool and removal of the entire offending folder! Lesson that I learnt - don't trust any antivirus product that does not strip suspect files from e-mails. Have been using eScan since, without a single infection. www.mwti.com <http://www.mwti.com/> . Also they have a good cleaning tool here ftp://ftp.microworldsystems.com/download/tools/mwav.exe Stephen Hartley -----Original Message----- From: Syed Muqeemuddin [mailto:smuqeem@xxxxxxxxxxx] Sent: Tuesday, July 01, 2003 2:17 AM To: [ExchangeList] Subject: [exchangelist] RE: Nofer.c Virus on exchange http://www.MSExchange.org/ Yeah, that's right. All machines cleaned, every single workstation scanned and cleaned .. all registries removed. But still the same behaviour... all mails stop for a while... and then suddenly everything comes back. -----Original Message----- From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Monday, June 30, 2003 6:19 PM To: [ExchangeList] Subject: [exchangelist] RE: Nofer.c Virus on exchange http://www.MSExchange.org/ I take it you mean that the virus was removed and all the registry entries mentioned, were removed, on every mail enabled workstation in your organization. Steve _____ From: Syed Muqeemuddin Sent: Mon 6/30/2003 3:40 PM To: [ExchangeList] Subject: [exchangelist] Nofer.c Virus on exchange http://www.MSExchange.org/ Hi All, We have been struck by the Nofer.c virus, it gets detected by Norton, but nothing happens beyond that. RAV antivirus detects it and we can delete it.. but after a few hours there are a lot of mails beoing replicated again. My collegue removed the registry entries as mentioned by trend and RAv and Sophos .. but still nothing.. it keeps coming back... is there some way I can get rid of it without having to re-install the server. Regards ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: steve@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: smuqeem@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: exchlist@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') _____ This E-Mail is confidential. It is not intended to be read, copied, disclosed or used by any person other than the recipient named above. Unauthorised use, disclosure, or copying is strictly prohibited and may be unlawful. Optimum IT Solutions disclaims any liability for any action taken in connection of this E-Mail. The comments or statements expressed in this E-Mail are not necessarily those of Optimum IT Solutions or its subsidiaries or affiliates. <mailto:administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx> administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx _____