What's going on??

Discussion in 'NOD32 version 2 Forum' started by XxWyldRoguexX, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. XxWyldRoguexX

    XxWyldRoguexX Registered Member

    Joined:
    Sep 16, 2002
    Posts:
    5
    Just bought a bare bone system, installed XP Pro as the OS, installed NOD32 as soon as I could...

    Now I'm getting popups saying my svchost.exe is infected with the Nachi.B worm yet the comp isn't even connected to the internet.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    A link for you.

    http://www.nod32.com/scriptless/msgs/nachib.htm
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sounds like you have loaded infected data.

    Make sure you install a firewall such as ZoneAlarm, update Windows with all Critical Updates and Service Packs, don't share the main "C" drive, and install Spyware Blaster, Spyware Guard and Spybot Search and Destroy.

    Hope this helps...

    Cheers :D
     
  4. XxWyldRoguexX

    XxWyldRoguexX Registered Member

    Joined:
    Sep 16, 2002
    Posts:
    5
    I am a bit pissed off with Nod32 :mad:

    It detected the infestation yet did not do anything to help, i.e. clean/quarantine.

    I wound up getting a removal tool elsewhere to remove the worm.

    And that poses a problem as to why the best AV on the market cannot clean or quarantine files even though it's directed to do so?

    Seems kinda expensive to only have an AV tell you that you have a virus & not clean or quarantine.

    Don't get me wrong, I love Nod32... like I stated earlier, it's the best AV on the market. I am just deeply disappointed that it did not do anything to rid the comp of the Nachi.B worm.

    I wonder what the explanation will be on this (if someone will even give an explanation).
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I am not certain as to why Nod could not clean the worm; more information would be required. Our experience at ground level has been that Nod is brilliant at stopping infections getting in; however, once one is in, it is not 100% good at getting rid of it... Thus, for removal of infections from clients' computers, we run a second scan (just to be sure) with an alternative anti-virus program.

    Without knowing how your system is set up and what software you have installed, I can only suggest the following:

    A firewall is absolutely essential these days; some worms continually reinfect straight off the internet, and if you don't have a firewall you are prone to reinfection.

    I have used the free-for-personal-use ZoneAlarm (www.zonelabs.com) for over 10 years now; it is a very simple program to use and also very effective. It is also visual, so you can see what is going on...

    I would also check that Windows is actually up-to-date, there have been several critical updates released in the last week or so; while on the internet, go to Tools\Windows Update, when asked click on the "Green" scan for updates button. Make sure you install any “Critical Updates and Service Packs” that are available.

    You should also have Spyware Blaster, Spyware Guard and Spybot Search and Destroy installed and up-to-date, all available from this website.

    This will set your system up like a fortress.

    Hope this helps...

    Cheers :D
     
  6. XxWyldRoguexX

    XxWyldRoguexX Registered Member

    Joined:
    Sep 16, 2002
    Posts:
    5
    I installed Xp Pro on a bare bone comp, then installed Nod32.

    Transferred a few files via a CD made from another comp protected by Nod32.

    Installed 7Zip (my favorite archiver)...

    Hooked up the comp to my LAN (all workstations have Nod32 installed & updated regularly) so I could run updates on Nod32 as well as Windows Update to get everything current.

    Somehow, in between updating Nod & getting my patches from Windows Update, the comp caught the Nachi.B, which I find totally humorous considering that Windows Update was the ONLY website I went to.

    After Nod detected the Nachi, I directed it to quarantine because the clean option was unavailable to select & it didn't even quarantine the 2 main files of Nachi: svchost.exe & Wkspatch or whatever the name was.

    This is disappointing. A brand new bare bone comp with a fresh install of XP Pro & Nod32 yet it got infected??

    Not only that but Nod could not clean the infection??

    Now do you see why I am bothered?
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sure, I appreciate why you are bothered. Is your network firewalled? We have found in the past that we had to install a firewall before connecting to the internet, as without one, every single time the computer(s) in question were continually reinfected directly from the net.

    Once firewalled, we were then able to update Nod, scan and clean the system.

    Cheers :D
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    More info here http://www.colorado.edu/its/news/nachi.html and here http://www3.ca.com/virusinfo/virus.aspx?ID=38258. Basically you were infected because you didn't have a firewall and your Windows was not patched... you were infected through open ports (80, 135 and 445).

    Cheers :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    NOD or any other antivirus cannot CLEAN Nachi or any other worm; all they can do, & should do if you tell them to, is delete the whole infected file.

    Anti-viruses can only clean a file that is infected, not a file that IS the infection.

    99% if not 100% of worms come into the second category: the infected file in its entirety is the infection, rather than an infection having got into the file, as happens with some viruses, which ARE cleanable.

    I have received today umpteen copies of the latest Netsky.B worm, which NOD says clearly cannot be cleaned, but if you press the delete button it does remove it, which is what it is supposed to do.
     
  11. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Hi Rogue,

    Don't feel like NOD "let you down". That worm WILL infect any machine that isn't patched, no matter what AV you are using. ;) NOD did its job--it let you know there was a virus on your computer. FWIW, other AVs fared no better against it.

    You MUST patch your computer against the RPC exploit BEFORE connecting it to the internet, or you WILL become infected with Nachi/Welchia within literally seconds. ;)

    Best o' luck!
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Also, NOD quarantine works in a different way to other antiviruses.

    When you put a file into quarantine with NOD, it doesn't automatically delete it from the system. The quarantine function seems to be a place to store copies of the file in an encrypted form that cannot run, in case it is needed later to send to NOD for analysis.

    NOD works very differently to other antiviruses in this respect and I suggest you read the help files on it. I found it quite a steep learning curve after being used to AVG and other set & forget antiviruses, which use the quarantine folder for all deleted or uncleaned viruses.
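A toy model, added here and not code from ESET or from anyone in this thread, of the two points dvk01 makes above: in post 10, that a worm file IS the infection and can only be deleted, whereas a file infector leaves a host program that can be recovered; and in post 12, that NOD-style quarantine keeps an unrunnable copy and does not by itself remove the original. The signatures, the infected-file layout and the XOR obfuscation standing in for real encryption are all constructed assumptions for illustration.

```python
"""Constructed model of 'cleanable file infector' vs 'delete-only worm',
plus a quarantine that stores an unrunnable copy without touching the
original. Nothing here is real malware or real AV code."""
from pathlib import Path
from typing import Optional

INFECTOR_TAG = b"TOY-INFECTOR"   # hypothetical signature of a prepended stub
WORM_TAG = b"TOY-WORM"           # hypothetical signature of a standalone worm
QUAR_KEY = 0x5A                  # XOR byte; stands in for real encryption

def verdict(data: bytes) -> str:
    """'clean', 'infected' (stub + original host) or 'worm' (all malicious)."""
    if data.startswith(WORM_TAG):
        return "worm"
    if data.startswith(INFECTOR_TAG):
        return "infected"
    return "clean"

def clean(data: bytes) -> Optional[bytes]:
    """Recover the host from an infected file; None when nothing is recoverable.
    Constructed layout: TAG | 4-byte big-endian stub length | stub | host."""
    kind = verdict(data)
    if kind == "clean":
        return data
    if kind == "worm":
        return None                      # nothing to clean: the file is the worm
    start = len(INFECTOR_TAG)
    stub_len = int.from_bytes(data[start:start + 4], "big")
    return data[start + 4 + stub_len:]

def quarantine(path: Path, store: Path) -> Path:
    """Keep an XOR-obfuscated copy so it cannot run; the original stays put."""
    store.mkdir(parents=True, exist_ok=True)
    copy = store / (path.name + ".quar")
    copy.write_bytes(bytes(b ^ QUAR_KEY for b in path.read_bytes()))
    return copy

def remediate(path: Path, store: Path) -> str:
    """Quarantine a copy, then clean in place or delete; return the action."""
    data = path.read_bytes()
    if verdict(data) == "clean":
        return "clean"
    quarantine(path, store)              # copy first, so a sample is kept
    recovered = clean(data)
    if recovered is None:
        path.unlink()                    # worm: delete is the only remedy
        return "deleted"
    path.write_bytes(recovered)          # file infector: host restored
    return "cleaned"
```

Note that `quarantine()` alone leaves the infected file in place, which is the behaviour the original poster ran into; only `remediate()` removes or repairs it.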
     
  13. mezz

    mezz Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    5
    OK, so I've set up my firewall and updated Windows. I looked for Spyware Blaster, Spyware Guard and Spybot Search and Destroy but don't know where to find them on the site. Help? It'd be much appreciated.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Mezz

    Spyware Guard and Spyware Blaster are by Javacool and available on this site here http://www.wilderssecurity.com/index.php?board=34

    Spybot Search and Destroy can be downloaded here http://beam.to/spybotsd

    All the best...

    Cheers :D
     
  15. mezz

    mezz Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    5
    Ta muchly. I'll give 'em a go.
     