NAV2003 keeps finding Welchia worm!

PHiLiP

Just reinstalled XP from scratch, but very soon after I go online to go
to WindowsUpdate to patch it with SP1 and other updates NAV gives me a
Welchia and Blaster warning.

I used Symantec's Blaster removal tool and it found nothing.

I used Symantec's removal tool as per their instructions (including
disabling System Restore), but it keeps coming back every time I go
online, I get the warning from NAV about finding the worm.

I have only managed to update with SP1 so far. Should I finish
updating with all the critical patches first before trying the removal
tool again? Thanks.
 
Jon

Where is NAV finding Blaster/Welchia? Location and file name. Make sure
you have both patches applied to protect against it: MS03-007 and MS03-039.

If Symantec's tool says you are clean, but the program says you are not, I
would contact Symantec support to see if they can figure out the discrepancy.

Jon
 
Rick "Nutcase" Rogers

Hi Philip,

Enable the XP firewall; this will protect you long enough to get the updates.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
PHiLiP

The NAV message gives a different name each time, but it's always
pointing to the SYSTEM32 folder, e.g., "C:\Windows\System32\TFT9253".

The removal tool keeps finding a file called svchost.exe in this folder:

C:\Windows\System32\Wins\

which is the same as being described by Symantec.


Is it possible the worm is being "pushed" to the computer because I
haven't installed the patches yet?



 
Chris Catt

Hi, I have a PC workstation that has exactly the same problem. A fresh
install, and as soon as I went to the Update site McAfee picked up the very
same virus in svchost. As this PC is on a domain, if I enable the firewall it
has problems connecting...
Chris
 
Michael Stevens

PHiLiP said:
The NAV message gives a different name each time, but it's always
pointing to the SYSTEM32 folder, e.g., "C:\Windows\System32\TFT9253".

The removal tool keeps finding a file called svchost.exe in this
folder:

C:\Windows\System32\Wins\

which is the same as being described by Symantec.


Is it possible the worm is being "pushed" to the computer because I
haven't installed the patches yet?

Yes, you have to enable the firewall before going on line. Even for
activation.
You can download the updates and burn them to CD so you can apply before
connecting to the internet.

--

Michael Stevens MS-MVP XP
(e-mail address removed)
http://michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://michaelstevenstech.com/outlookexpressnewreader.htm
 
Rick "Nutcase" Rogers

Hi Chris,

Then your domain administrator has a big problem on his/her hands.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Chris Catt

Hi Rick, can you elaborate please, I'm not talking firewall on the server
but on the w/station....
Chris
 
Bruce Chambers

Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and/or before
installing the KB824146 Hotfix, you're very likely to get infected
from any of the thousands of PCs on the Internet that are constantly
broadcasting the Blaster and/or Welchia worms. It only takes a few
seconds of exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Rick "Nutcase" Rogers

Hi Chris,

Either the worm is inside the internal network, or the network's firewall is
not configured correctly. Either way, the problem should be on the shoulders
of the network admin.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Dwight Stewart

Bruce Chambers said:
To stay on-line long enough to get the necessary
updates, patches, and removal tools, click Start >
Run, and enter "shutdown -a" when the next RPC
countdown begins. This will abort the shut down.
Also, make sure you've enabled a firewall before
starting, to preclude any more intrusions while
getting the updates/patches/tools.


And don't forget to turn off "System Restore" in the "My Computer"
properties before running any repair tool. Otherwise, System Restore will
reinstall the virus, starting the entire process all over again.


Dwight Stewart (W5NET)

http://www.qsl.net/w5net/
 
