Win32/Nachi.B worm

Discussion in 'malware problems & news' started by kando, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. kando

    kando Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    3
    Dear Sir,

    I have a problem virus and NOD32 cannot remove the problem; what can I do?

    Twelve days ago I had a HD failure, I purchased a new HD, partitioned and formatted the drives, installed my Windows XP, Office XP, NOD32 and ZoneAlarm on C:\.
    Then I went to MS Windows Updates and "tried" to update the XP OS!
    Ten days later I contacted the MS technical department here in Australia and requested their help in upgrading the XP OS, I was greatly surprised when they said it was my virus protection software that was causing the problems with the upgrades and patches!
    In the fourteen months I have been using Nod32, it has never interfered with XP upgrades but I bowed to the MS technicians and shutdown NOD32 while upgrading Windows XP!

    It is now the twelfth day since I started upgrading Windows XP and Office XP, and I finally got the 30 meg security service pack 1! I also collected "eleven" various viruses! Thanks to the MS technician instructing me to shut down NOD32!!!
    One of these viruses was spreading over my HD's partitions! (I have two HDs, one 120 Gig and one 20 Gig; the first HD is partitioned into six 20 Gig partitions, C: to H:, and the second HD is I:\.)

    NOD32 removed nine of these viruses but could not remove all of them, and the only way I could get them off my other partitions was to format those partitions. This virus would not permit me to delete its folders; it also tried to disallow formatting of these partitions, and I had to dismount the HDs in DOS before I could format them (the virus had spread to three partitions, C:\, G:\ and I:\). After formatting those HDs I ran NOD32 and did a full scan of all partitions and files on the system. The only virus left was: C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe - Win32/Nachi.B worm
    And NOD32 cannot remove this virus!

    I downloaded and ran Windows-KB833330-ENU, this patch "supposedly" gets rid of this virus but it hasn't removed it from my system.
    NOD32 still reports:

    worm Win32/Nachi.B found in operating memory. NOD32 cannot clean this infiltration.
    No action can be taken on a memory infiltration.

    Do you know of any way I can remove this virus without formatting my C:\?
    After all the hassles I've had with updating Windows XP, I don't fancy going through that again.

    Any helpful advice you can give me on removing this virus would be greatly appreciated.

    Sincerely,

    Bill Whiteside
    Australia. o_O
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    kando,

    Sounds like bad advice you've got here...

    Anyway, BitDefender provides a free cleaner for this one (aka Welchia). You can download it by clicking this link - direct download!

    Keep us posted.

    regards.

    paul
     
  3. kando

    kando Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    3
    Thanks Paul, I'll give it a go right away and keep you informed.

    Bill :)
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Best of luck, Bill ;)

    Make sure to disable system restore btw for the time being, in order to avoid the bugger showing up again.

    regards.

    paul
     
  5. kando

    kando Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    3
    G’day Paul,

    I downloaded the little program, BitDefender Antiwelchia-EN, but all it did was tell me to go to MS Updates, get the patch and update Windows XP.
    Now, although I had already done that, I did it again: went along to MS Windows Updates, downloaded and ran the patch (Windows-KB833330-ENU) and checked for any updates for XP. There were three, all to do with running games; I don’t run games so I didn’t bother downloading those patches.

    Now it’s 6.05am and I’m finally rid of that stubborn little sucker, no thanks to MS!
    After a lot of mucking around I finally got the dirty little sucker where I could delete it!
    It was quite easy, but time consuming! Anyway, both NOD32 and BitDefender have now declared my system to be “VIRUS FREE”!! :D

    I see no reason why my method of dumping a stubborn virus like the “Nachi.B worm” cannot be applied to other viruses that NOD32 cannot remove, i.e. memory resident viruses. So just in case you want to know how I got rid of it, I’ll tell you; it’s time consuming but worth it!
    Okay, let me tell you right up front, I’m no whiz-kid with a computer, and eighteen years ago when I first got the computer bug (I was well into my 40s) I was the greatest at stuffing-up “any” computer! Anything I know about computers I’ve learnt the hard way!
    Anyway, getting back to extracting the bug: I ran NOD32 and found three bugs were residing on my computer, one at:
    C:\WINDOWS\SYSTEM32\DRIVERS\ and its name was svchost.

    The second was in:
    I:\System Volume Information\_restore{58283119-37DF-4A2B-8E2D-3A98A0ECA6E9}\RP22\A0003484.exe - Win32/Nachi.B worm, and the third was in: C:\System Volume Information\_restore{58283119-37DF-4A2B-8E2D-3A98A0ECA6E9}\RP38\A0003917.exe - Win32/Nachi.B worm

    As far as I can tell, the patch from MS actually put the virus into these two “Restore” folders! (I ran the patch twice, once when I downloaded it the first time, yesterday, and again today when BitDefender said I should download and run the patch, so that would account for the two restore folders.)

    Using Windows Explorer I went to C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe and tried to delete the file: no go! I then changed its name from svchost.exe to Bad-Boy-1.
    That let me cut and paste it into C:\Windows\Temp\! From there I tried to delete Bad-Boy-1; again, no go! I then created a folder C:\Windows\Temp_1 and moved the virus, Bad-Boy-1, into the C:\Temp_1 folder.
    I then cut the folder C:\Temp_1 and pasted it into F:\ and again tried to delete the file and/or the whole folder; again, no go!

    As I have nothing on F:\, I then opened the command prompt in Windows XP and went back to the root, C:\, and from there I typed in: FORMAT F: and got the message:
    WARNING, ALL DATA ON NON-REMOVABLE DISK
    DRIVE F: WILL BE LOST!
    Proceed with format <Y/N>? (I type in Y and hit enter!)
    Verifying whatever size your partition is.

    You then get the message:

    Format cannot run because the volume is in use by another process.
    (This little sucker of a virus tries real hard to remain on your system)
    Format may run if this volume is dismounted first.
    ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
    Would you like to force a dismount on this volume? <Y/N>
    Here I type in Y and hit enter and get the message:

    Volume dismounted. All opened handles to this volume are now invalid.

    It then begins the format of F:

    At this point you can do what I did: I went and made a mug of tea and a ham sandwich, and when I returned to the PC it still had over 50% of the partition to format!
    So you see, it’s not fast, but it works!!!

    When the format is finished it asks for a label for the partition; I give it the same label as it had to begin with, Fourth!

    I ran NOD32 and, sure enough, found only two viruses on my system!
    I:\System Volume Information\_restore{58283119-37DF-4A2B-8E2D-3A98A0ECA6E9}\RP22\A0003484.exe - Win32/Nachi.B worm.

    And the second was in: C:\System Volume Information\_restore{58283119-37DF-4A2B-8E2D-3A98A0ECA6E9}\RP38\A0003917.exe - Win32/Nachi.B worm

    I went to these two files with Windows Explorer and renamed them both to Bad-Boy_1 and Bad-Boy_2; once renamed, I moved the two files into a Temp folder on F:\. I again tried to delete the F:\Temp folder and, once again, no go!
    So again I fired up Command Prompt and went through the format F: thing! It works!!!
    When I had finished, NOD32 and BitDefender both stated “No Viruses Anywhere On Any Partition”.

    Thinking about it now, I may have been able to create an A:\Temp folder on a floppy and paste the renamed virus into that, then run the format A: command from Command Prompt! I don’t know if that would work, but I see no reason why it would not!!

    Thanks for your help Paul,

    Cheers mate,

    Virus FREE Bill. ;)
    Australia.
     
  6. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    These were the steps we took on Nachi infections:

    1. D/L Microsoft patch to infected machine. D/L Nachi-specific removal tool from AV site of choice. Install both.
    2. Ensure AV is up to date.
    3. Pull computer off network/internet.
    4. Disable system restore (if applicable)
    5. Reboot and run AV in Safe Mode.
    6. Delete any files id'd as "infected".
    7. Reboot. Run Nachi-specific removal tool for good measure.
    8. If clean--Reboot. Re-enable System Restore.

    HTH
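An added triage script, written for this thread and not posted by any participant, that automates the checks behind Bill's and JimIT's procedures above: find any svchost.exe outside its legitimate %SystemRoot%\System32 location, show whether one is backing a live process (a locked in-memory file is why Explorer and the AV could not delete it), and find restore-point copies under System Volume Information by hash match rather than by name. It assumes an elevated PowerShell prompt on the affected machine; it only reports unless run with -Remediate.

```powershell
# Added example for this thread (not the forum's or any AV vendor's tool).
# Indicator from the thread: C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe; the
# legitimate service host lives in %SystemRoot%\System32\svchost.exe.
# Assumption: run from an elevated PowerShell prompt on the infected machine.
param([switch]$Remediate)   # report-only by default

$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Every svchost.exe on the system drive that is not the real one.
$suspects = @(Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $legit })
if (-not $suspects) { Write-Host 'No svchost.exe outside System32 found.'; return }
$suspects | ForEach-Object { Write-Host "Suspect file: $($_.FullName)" }

# 2. Live processes started from those files. While one is running it holds the
#    file open, which is what made "delete" fail in the thread.
$liveProcs = @(Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($suspects.FullName -contains $_.ExecutablePath) })
$liveProcs | ForEach-Object { Write-Host "Running from suspect path: PID $($_.ProcessId) $($_.ExecutablePath)" }

# 3. Restore-point copies are renamed (A00xxxxx.exe), so match them by SHA256.
$hashes = @($suspects | ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash })
$restoreCopies = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $svi = Join-Path $_.Root 'System Volume Information'
    if (Test-Path -LiteralPath $svi) {
        Get-ChildItem -LiteralPath $svi -Filter '*.exe' -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $hashes -contains (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
    }
})
$restoreCopies | ForEach-Object { Write-Host "Restore-point copy: $($_.FullName)" }

if (-not $Remediate) { return }

# Order matters: stop the process first so the file is no longer locked,
# then remove the file and its restore-point copies.
$liveProcs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
($suspects + $restoreCopies) | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }

# As advised in the thread, keep System Restore off until a clean rescan;
# turn it back on afterwards with Enable-ComputerRestore.
Disable-ComputerRestore -Drive "$env:SystemDrive\"
```

The machine should be off the network and the AV signatures current before the -Remediate pass, as in JimIT's steps, and a full AV rescan afterwards confirms the result.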
     
  7. Dom

    Dom Guest

    I too have the Nachi.B virus. Go to www.nod32.com and read about it there. It is also worth noting that this virus will uninstall itself in June this year! It searches for two other viruses and removes them!
     
  8. angeloj

    angeloj Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    2
    Hi
    I'm replying because I could not find the "start new thread" button on the board index page (maybe I'm blind - more likely it's this :blink: computer): it's had this Nachi.B worm for a while in the System Volume Information\_restore... etc., just like a lot of you. However, the system properties on my computer (Win XP Pro) does not have a System Restore tab or a way of switching System Restore on or off. I've run many anti-viruses (AVG, BitDefender, Symantec etc.) - all failed. Is there any other way of solving this?
    Regards
    angeloj
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Can you get to System Restore through your system tools? I have never seen an XP computer without a restore tab in system properties. See screenshot.
     
  10. SomeSGppl

    SomeSGppl Guest

    I had that problem of a virus found in restore files before; try this: first, create a new System Restore point. Then go to your hard drive properties, select Disk Cleanup, followed by More Options, select System Restore cleanup and apply. This will clean up all infected restore points on your PC and leave you with the last good one that you just created in step 1.
     
  11. someSGppl

    someSGppl Guest

    Try downloading these 2 updates before you run your UPDATED AV program to remove Nachi.B from your system: WindowsXP-KB823980-x86-ENU, Q815021_WXP_SP2_x86_ENU. I think this will help. If you still have the problem, download this to check if you still have the bug in your system: DoomCln-KB836528-v3-ENU. All the above updates can be found on the Windows Update website.
     
  12. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    If you cannot find System Restore on your XP Pro, I would contact Microsoft tech support and find out what their thoughts are about your restore being gone.


    http://support.microsoft.com/
     
  13. araye

    araye Guest

     
  14. jakobas

    jakobas Guest

     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    jakobas,

    Do you have a question/problem to post? If so, by all means do ;). If not, your empty posts will be removed within 24 hours.

    regards.

    paul
     