
W32/Nachi-B and W32/Bobax-C


Mike Lewis

Programmer
Jan 10, 2003
17,516
Scotland
I recently became infected with W32/Nachi-B and W32/Bobax-C. As far as I know, I have successfully removed both these viruses. But, as I was doing so, I noticed a strange change to my system.

I can no longer bring up MSCONFIG or REGEDIT. When I try, the program appears on the screen for about one second, and then vanishes. The same thing happens if I hit Ctrl-Alt-Del to bring up Task Manager.

Is this a known side-effect of either of the above viruses? Or of any other virus? I can't find any information on my AV vendor's website about this.

My system is Windows XP Pro SP1 on an IBM Thinkpad. As far as I can see, none of my other programs or utilities are affected in this way.

Any advice would be appreciated.

Mike


Mike Lewis
Edinburgh, Scotland

My Visual Foxpro web site: My Crystal Reports web site:
 
Ouch! Although I don't have a specific answer, this sure does sound like trojan/adware/worm behavior. Try these:

Spybot Search and Destroy (good for tracking cookies)
Ad-Aware (finds adware including CoolWebSearch code)
HijackThis (lists out all running services, but you may need help to identify suspicious entries)
CWShredder (hard to download the latest since sites hosting it often get DoS attacks)
PestPatrol (online scanner)
a multitude of other online AV scanners

These programs are constantly being updated. download.com has most of them, but you can do a web search to see if there is anything newer than what it has.

dbMark
 
dbMark,

Many thanks for those leads. I know about some of them. I'll check out the others.

Since posting my message, I did some more research and have become convinced this is a virus. My existing AV software (Sophos) didn't pick it up, but I haven't got the very latest update yet.

For the benefit of others, I did find a way round the particular problem I mentioned -- the inability to run MSCONFIG, REGEDIT, etc. (also the DOS command prompt). It seems that many viruses will clobber these and other low-level utilities (including AV programs), presumably to prevent savvy users from detecting the virus.

My solution was to create a new folder, copy the relevant EXE files to it (MSCONFIG.EXE, REGEDIT.EXE, TASKMGR.EXE and also CMD.EXE), change their names, and run the utilities by double-clicking on them. This works fine, apart from the minor inconvenience of not being able to bring up the task manager via Ctrl-Alt-Del.

Mike




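The rename-and-run workaround from the post above, as an added example in PowerShell (not code from the thread or from any of the posters). It copies the four tools under random names into a fresh folder, launches one copy and reports whether it survives its first seconds. It also checks the two policy values (DisableTaskMgr, DisableRegistryTools) that make the tools refuse to start outright, which is a different symptom from the "appears for a second and vanishes" one, where something is killing the process by name. Assumptions of mine: a current Windows with PowerShell 5 or later and the tools under %SystemRoot%\System32 (on XP msconfig.exe lives elsewhere); the folder and file names are generated on the fly.

```powershell
# Added example: reproduce the "copy the tools under a new name" workaround
# and check for policy values that would block the tools instead.
# Assumed locations (modern Windows); adjust if a tool lives elsewhere.
$tools = @(
    "$env:SystemRoot\regedit.exe",
    "$env:SystemRoot\System32\msconfig.exe",
    "$env:SystemRoot\System32\taskmgr.exe",
    "$env:SystemRoot\System32\cmd.exe"
)

# 1. Policy check. A value of 1 here makes Task Manager / Registry Editor
#    refuse to start with an "disabled by your administrator" message, which
#    is not the same thing as a process that starts and is then killed.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) { Write-Warning "$name is set to 1 under $policyKey" }
}

# 2. Copy each tool under a random file name into a fresh folder.
$stage = Join-Path $env:TEMP ('tools-' + [guid]::NewGuid().ToString('N').Substring(0, 8))
New-Item -ItemType Directory -Path $stage | Out-Null
$uiCulture = (Get-UICulture).Name   # e.g. en-US, for the optional .mui resource
$copies = @{}
foreach ($src in $tools) {
    if (-not (Test-Path $src)) { Write-Warning "missing: $src"; continue }
    $leaf = Split-Path $src -Leaf
    $dst  = Join-Path $stage ([IO.Path]::GetRandomFileName().Replace('.', '') + '.exe')
    Copy-Item -Path $src -Destination $dst
    # MUI-based Windows versions keep the tool's strings in <name>.exe.mui under a
    # culture subfolder; copy it under the new name so menus are not blank.
    $muiSrc = Join-Path (Split-Path $src -Parent) "$uiCulture\$leaf.mui"
    if (Test-Path $muiSrc) {
        $muiDir = Join-Path $stage $uiCulture
        New-Item -ItemType Directory -Path $muiDir -Force | Out-Null
        Copy-Item -Path $muiSrc -Destination (Join-Path $muiDir ((Split-Path $dst -Leaf) + '.mui'))
    }
    $copies[$leaf] = $dst
}

# 3. Launch one renamed copy and see whether it is still alive after 5 s.
#    A killer that matches on the original image name will leave it alone;
#    one that matches on the window title ("Registry Editor") will not, so a
#    copy that still dies tells you which kind you are dealing with.
$probe = $copies['regedit.exe']
$p = Start-Process -FilePath $probe -PassThru
Start-Sleep -Seconds 5
if ($p.HasExited) {
    "renamed copy $probe was terminated within 5 s (exit code $($p.ExitCode))"
} else {
    "renamed copy $probe is still running as PID $($p.Id)"
}
```

Run it from an elevated prompt, since regedit.exe asks for elevation on current Windows and a declined prompt makes Start-Process fail. The renamed copies are the ones to use for the cleanup; Ctrl-Alt-Del will still open the original taskmgr.exe, exactly as the post notes.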
 
For AV protection I use F-Prot by Frisk Software, which has been quite reliable for years. It has inexpensive versions for Windows, Linux and others. The DOS version runs from the DOS/command prompt and is FREE on the download page. You can get a free trial version at Their commercial licensing fees are remarkably inexpensive. They used to update their definition files weekly in the good old days, but recently it's been more often, and I've seen some days where two updates came out on the same day, so they're on top of what's happening.
 
dbMark,

Thanks. I'll make F-PROT the next thing to try.

I just downloaded the free demo version of the Trend Micro AV (which I think is also known as PC-cillin or something). It failed to detect the virus, but I noticed the signature file is a couple of weeks out of date, and you're not allowed to update it during the free trial period.

I'll probably fork out for the full version, but I'll try F-PROT first.

Mike

 
MikeLewis,

Both of the viruses you mentioned depend on various Microsoft vulnerabilities. If you haven't already done so, you will want to go to windowsupdate.com and update your system asap.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

Trent the Uncatchable in The Long Run by Daniel Keys Moran
 
JBracket,

Thanks for that. I was aware of the updates, and I wish I had installed them. The dangers of complacency ....

I'll now make sure the system is up to date. But, of course, that won't help get rid of the present intruder.

Mike


 
Present intruder? I thought you had gotten rid of it already. Apologies if I misunderstood. If you are still infected, you can download McAfee's Stinger tool at It will take care of Nachi for you. Then try Trend's HouseCall for Bobax.

 
Jbracket,

Present intruder? I thought you had gotten rid of it already.

I successfully got rid of Nachi and Bobax. I now seem to have another bugger, which I haven't managed to eradicate. This new nasty is the thing that seems to stop me going into RegEdit, etc. It also seems to constantly want to dial up my Internet connection and start sending and receiving data.

For that reason, I am reluctant to use the infected machine with the modem connected. So I can't do any on-line checks or automatic updates directly from that machine. I have to do them via my Windows 98 system.

But I'll keep trying.

Mike


 
If you haven't used HijackThis or something similar to look at your processes, you ought to give that a shot too. You should be able to spot the dialer processes with that and get rid of them, so you can be more comfortable having that machine online to finish its cleanup.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
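The kind of look at processes and autostart entries that the last reply recommends, as an added PowerShell example (mine, not code from the thread or from HijackThis). It lists the classic Run/RunOnce autostart keys and the Winlogon Shell/Userinit values, the running processes whose image lives outside the Windows or Program Files trees, and which process owns each established TCP connection, which is where a dialer-style component that keeps sending and receiving data shows up. Assumptions of mine: Windows 8 or later for Get-NetTCPConnection, and the "trusted roots" list is a triage heuristic, not a rule; anything it flags still needs a human to judge.

```powershell
# Added example: a small HijackThis-style triage pass. Flags ([!]) mean
# "look at this", not "malicious"; legitimate software installs outside
# these roots too.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-TrustedPath([string]$Path) {
    if (-not $Path) { return $false }
    $p = $Path.ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root + '\')) { return $true } }
    return $false
}

# 1. Autostart registry entries (HijackThis lists these as O4 items) and the
#    Winlogon Shell/Userinit values that malware edits to relaunch itself.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Autostart entries =="
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        # Pull the executable out of a quoted or unquoted command line.
        $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $flag = if (Test-TrustedPath $exe) { '   ' } else { '[!]' }
        "$flag $key\$name = $cmd"
    }
}
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
"Winlogon Shell    = $($winlogon.Shell)"      # normally explorer.exe
"Winlogon Userinit = $($winlogon.Userinit)"   # normally ...\system32\userinit.exe,

# 2. Running processes whose image is outside the trusted roots. Path is
#    null for protected processes we are not allowed to open; those are skipped.
"== Processes outside trusted roots =="
Get-Process | ForEach-Object {
    $path = $_.Path
    if ($path -and -not (Test-TrustedPath $path)) {
        "[!] PID {0,-6} {1}" -f $_.Id, $path
    }
}

# 3. Established TCP connections mapped to the owning process. A component
#    that keeps the line busy shows up here with an unfamiliar process name.
"== Established TCP connections =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    "PID {0,-6} {1,-20} -> {2}:{3}" -f $_.OwningProcess, $proc.ProcessName, $_.RemoteAddress, $_.RemotePort
}
```

Run it elevated so that process paths and connection owners are readable for other users' and system processes. On a machine where the utilities are being killed by name, save this as a script under a random name too, and run it before the modem is reconnected so the connection table reflects only what starts on its own.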
 