Win32/VB.NHZ worm

Discussion in 'NOD32 version 2 Forum' started by luvinum, Feb 18, 2007.

Thread Status:
Not open for further replies.
  1. luvinum

    luvinum Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    4
    This virus was found by NOD32, but it couldn't delete it. I've looked at several virus databases including NOD32's, Symantec's and McAfee's, and I can't find any information on the virus.

    The log of the threats is as follows:

    file G:\EXPLORER.EXE Win32/VB.NHZ worm deleted ADAM\Adam Event occurred at an attempt to access the file by the application: C:\WINDOWS\EXPLORER.EXE.
    file C:\WINDOWS\system32\explorer.exe Win32/VB.NHZ worm Alert was generated during the system startup file check.
    file C:\WINDOWS\system32\EXPLORER.EXE Win32/VB.NHZ worm ADAM\Adam Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
    file C:\WINDOWS\system32\EXPLORER.EXE Win32/VB.NHZ worm NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    file C:\WINDOWS\system32\explorer.exe Win32/VB.NHZ worm Alert was generated during the system startup file check.
    file C:\WINDOWS\system32\EXPLORER.EXE Win32/VB.NHZ worm NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Programmi\Windows Defender\MsMpEng.exe.
    file C:\WINDOWS\system32\EXPLORER.EXE Win32/VB.NHZ worm NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.

    The first of the viruses were deleted, and the result of this is that my flash drive now can't be opened by simply double-clicking it; you have to right-click and press AutoPlay, and then tell it to open in a folder. I think that the virus must have done the same thing to my C drive as well, because it won't open without right-clicking and saying open.

    Any help would be much appreciated!
     
  2. ASpace

    ASpace Guest

    Hello. A definition against that worm (W32/VB.NHZ) was added in signature version 1882 (20061124).

    Make sure your definitions are up-to-date by pressing Control Center -> Update -> Update now.

    Read NOD32's tutorial and make sure your settings are the same as here.

    Boot in Safe Mode, open NOD32's on-demand scanner (from Start->Programs->ESET->NOD32), make sure your NOD32 uses the Control Center profile and then perform a full scan over your hard drives. More about Safe boots can be found here. NOD32 will take care of these threats :)
    Now restart your machine as you normally do. Open Control Center->AMON->Setup->"Actions" tab and choose Prohibit access and show alert windows...
    Confirm with OK and hide the Control Center.

    If you don't see alerts any more, the malware is completely gone! :thumb:

    You can also use Ewido Micro for a second opinion.

    After you remove the malware you can use sfc.exe to verify critical system files are where they should be; information here.
    Good luck ;)
     
  3. luvinum

    luvinum Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    4
    Thanks a lot, I think the worm has gone, but do you have any idea how I could fix the problems it's caused? Now the annoying sound you get when a warning message comes up is going off randomly all the time, I can't open C or my flash drive without right-clicking and opening, and when I look at the properties of my flash drive the whole box is full of "+" and "-"'s. These seem quite small but I don't know what other problems it might have caused which I can't see....

    Thanks again
     
  4. ASpace

    ASpace Guest

    Since you don't report any infected files in your system restore points (C:\System Volume Information), they should be clean. You can try to perform System Restore to a previous state before you got infected so that you fix any possible damage from the worm.
    Start->Programs->Accessories->System Tools->System Restore

    Follow the instructions to restore to a state some days before you got infected. After you reboot, things should be OK. Perform a full scan with NOD32 again to ensure the worm will not be there :thumb:

    I am not sure the above will 100% help, but you can try it.
     
  5. luvinum

    luvinum Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    4
    Well actually, when I put the computer into safe mode and scanned, it found and deleted a virus in my system volume restore folder... Do you still recommend I system restore? And when I system restore, does that mean that all the changes, including programs I installed and files I made since the time I restore to, will go too?

    Thanks
     
  6. ASpace

    ASpace Guest

    Yes, try System Restore but restore to an older date, before you noticed the worm. The worst thing that can happen is to restore the worm, but you can clean it again. Try to see if this helps :thumb:
     
  7. luvinum

    luvinum Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    4
    OK, I tried system restore to two days ago when there was no beeping noise, but it hasn't helped. There is still this constant beeping noise and it's driving me insane :p Is there any other way I can restore system files (other than reinstalling XP)?

    Thanks for your time!
     
  8. ASpace

    ASpace Guest

    Have no idea. Contact ESET Tech Support here, describe your problem well and add a link to this thread. Please let us know how you go :thumb:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It sounds like a hardware issue. Is your system overheating, or is a key stuck on your keyboard?

    Cheers :D
     
  10. nikinikiniki

    nikinikiniki Registered Member

    Joined:
    May 21, 2007
    Posts:
    1
    Just got the solution for how to fix the damage after Win32/VB.NHZ

    I've also caught this Win32/VB.NHZ from a flash drive (it looks like the virus activates when Windows XP scans the inserted drive to display the AutoPlay window). NOD32 cleaned the virus, but this virus also damaged my system in the same way as :
    Googling to find the solution for this problem didn't help (I didn't want to use System Restore), so I found the solution by myself (I used Regmon and FAR Manager to see what registry keys are read when clicking the right mouse button on the flash drive).

    Open registry editor and go to
    rename MountPoints2 to MountPoints2_bad and see if your problem with flash drives is gone.
    It looks like this key is dynamically updated when the user clicks with the right mouse button on drives, so renaming it will not harm anything.

    In my case bad data was situated in
    Hope this will help
    Regards ...
    and sorry for horrible English ...
     
    Last edited: May 21, 2007
  11. prad_pro_mac

    prad_pro_mac Registered Member

    Joined:
    Sep 24, 2007
    Posts:
    1
    I have the same problem with my external USB hard disk drive.

    I followed these steps:
    1. Clean all the drive with NOD32 version 2545.
    2. It cannot clean the virus, simply delete it.
    3. From the My Computer window, open Tools menu > Folder Options.
    4. Click the View tab > activate hidden files and folders, and also check off 'Hide Protected Operating System files'.
    5. Now open your external drive. You will see an Autorun.inf file. Simply delete it; also, for safety, delete all the folders in System Volume Information.
    6. You can now right-click and open your flash drive.

    Best of LUCK :thumb:
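
The Autorun.inf file mentioned in the steps above can be inspected before it is deleted. The following is an added example, not part of the thread: it parses an autorun.inf and lists the entries that run a program or override the drive's default (double-click) action. The sample file content and the function names are constructed for illustration.

```python
import re

# Keys in the [autorun] section that launch a program (per Microsoft's
# Autorun.inf documentation): open, shellexecute, shell\<verb>\command.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List entries that explain hijacked double-click/AutoPlay behaviour."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if EXEC_KEY.match(key):
            findings.append(("runs-program", key, value))
    # "shell=<verb>" makes <verb> the drive's default shortcut-menu command.
    default_verb = entries.get("shell")
    if default_verb:
        target = entries.get("shell\\%s\\command" % default_verb.lower())
        findings.append(("default-verb-overridden", "shell", target or default_verb))
    return findings

# Constructed sample, not taken from the thread or from a real infected drive.
SAMPLE = """\
; constructed example
[AutoRun]
Open=EXPLORER.EXE
shell\\Open\\Command=EXPLORER.EXE
Shell=Open
Label=Removable Disk
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print(finding)
```

If the default verb still points at an executable that the scanner has already removed, the drive's default action has nothing to launch, which is consistent with the double-click symptom described in the first post.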
     