Welchia/Nachi virus doubt

Tojo

Hello

A friend of mine got infected with the Welchia/Nachi worm virus in its XP
machine. I ran the Stinger utility and it said it was removed from the
system but I still see 5 svchosts processes in the processes list, the
regedit and NAV processes are stopped seconds after they're started and none
of the Microsoft security patches can be installed. The integrated firewall
is on. Could someone give any directions on this please?

Thanks,
Tojo
 
Michael Solomon (MS-MVP Windows Shell/User)

Assuming they have an actual XP CD as opposed to a recovery CD, try a Repair
install as follows:
NOTE, while a repair install should leave their data files intact, if
something goes wrong during the repair install, they may be forced to start
over and do a clean install of XP. If they don't have their data backed up,
they would lose their data should that eventuality occur.

Boot from the CD. If the system is set to be able to boot from the CD, it
should detect the disk and give a brief message, during the boot up, if you
wish to boot from the CD press any key.

Once they have pressed a key, setup should begin. They will see a reference
asking if they need to load special drivers and another notice that if you
wish to begin the ASR (Automatic Recovery Console) depress F2. Just let
setup run past all of that. It will continue to load files and drivers.

Then it will bring them to a screen. Eventually, they will come to a screen
with the option to (1) setup Windows or (2) Repair Windows Installation
using the Recovery console.

The first option, to setup Windows is the one they want and requires them to
press enter. When asked, press F8 to accept the end user agreement. Setup
will then search for previous versions of Windows. Upon finding their
version, it will ask if they wish to Repair their current installation or
install fresh. Press R, that will run a repair installation. From there
on, follow the screens.

If they only have a recovery CD, their options are quite limited. They can
either purchase a retail version of XP which will allow them to perform the
above among other tools and options it has or they can run their system recovery
routine with the Recovery CD which will likely wipe the drive, deleting all
files but will restore their setup to factory fresh condition.
 
Bruce Chambers

Greetings --

Welchia more than likely brought along a friend or two.

This behavior, which also often applies to MSConfig.exe and
Regedit.exe, is typical behavior of more than one virus/worm, the
three below being the most common:

W32.Klez
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Yaha
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Spybot.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
