[ Home  |  FAQ-Related Q&As  |  General Q&As  |  Answered Questions ]


    Search the Q&A Archives


I have a w32.welchia.b.worm in my computer, does anyone know...

<< Back to: [alt.comp.virus] FAQ Part 1/4

Question by Jenster
Submitted on 2/23/2004
Related FAQ: [alt.comp.virus] FAQ Part 1/4
Rating: Rate this question: Vote
I have a w32.welchia.b.worm in my computer, does anyone know how i can get rid of it? i've tried downloading the patch software but it wont come through! thanks.


Answer by VIRUS HUNTER
Submitted on 2/26/2004
Rating:  Rate this answer: Vote
GOTO WWW.NORTON.COM AND GET REMOVAL TOOL.

 

Answer by bebe
Submitted on 2/29/2004
Rating:  Rate this answer: Vote
i have a W32.welchia.B.worm on my computer how do i get rid of it????/

 

Answer by LamerX
Submitted on 3/1/2004
Rating:  Rate this answer: Vote
I run an XP-machine and have the Welchia.B.Worm. I've tried the Norton removal tool as well as "manual" deletion through safe mode Norton scanning to no effect.
Have identified some of the virus locations (temporary internet files\Content.IE5), typically WksPatch[1].exe, WksPatch[2].exe,... WksPatch[4].exe, etc but as I try to put them in quarantine the following merror message shows:

"Error adding file to quarantine. This file may be in use by another process or you may be out of disc space"

Wtf? So is my computer protecting the virus files? What to do?

Note: Strange thing is that though Norton (as well as trendmicro) seems totally blind to the presence of the virus(es) when system scan is made, Symantec Auto-Protect frequently reports on the virus as being identified but "unable to repair" the file.
Norton schizophrenic?

 

Answer by klasse
Submitted on 3/1/2004
Rating: Not yet rated Rate this answer: Vote
Did you turn off system restore, maybe thats why it is still there?

 

Answer by Mandinha
Submitted on 3/2/2004
Rating: Not yet rated Rate this answer: Vote
I also have Welchia in my computer, and as LamerX, I canīt get rid of them!! Yes, I turned off the system restore, passed the tool, I made everything I could do...and my Symantec Auto-Protect continues reporting me the presence of the virus, I see the files WksPatch but I canīt do anything. What can I, better, What can we do? If somebody knows it, please answer.

 

Answer by LindaKay
Submitted on 3/3/2004
Rating:  Rate this answer: Vote
I am having same issue.  Norton will quarantine the files (wkspatch, svchost) and I can delete them or clean with Symantec removal tool but the virus files keeping showing back up.  I have also tried AdWare 6.0 and Spybot. Nothing seems to completely clean the virus.  I have been recommended to rebuild my laptop...yuck!  If someone knows how to clean please let me know.

 

Answer by arggggh
Submitted on 3/3/2004
Rating: Not yet rated Rate this answer: Vote
me too; i am also having the same symptoms (tried to manually remove, turned off system restore, virus keeps coming back) and it is causing quite a bit of system instability. I'm pulling my hair out trying to get it off. please... please someone help

 

Answer by Robbie
Submitted on 3/3/2004
Rating:  Rate this answer: Vote
You must go into your virus protection folder and delete anything being held in quarantine. Then do the system restore stuff and run the removal tool and then There is one thing you must do that is not listed in the removal directions. (It seems long but you just have to open many folders to get to the one with the virus still in it.)Here goes: right click on start button and click on "explore", double click on the "c drive", double click on "windows", double click on "system 32, double click on "config", double click on "system profile", double click on "local settings" (if you don't see it, click on "tools", select "folder options", select "view", and click in the box that says to show all hidden folders), double click on "temp internet files", double click on "content.IE5". You will see 4 folders. You must open each of these folders and delete any file called "wkspatch". Then empty your trash and restart your computer. I was having no luck removing this virus until I did this. It hasn't failed yet.

 

Answer by slimjimmy11
Submitted on 3/3/2004
Rating: Not yet rated Rate this answer: Vote
Hi all,

I'm having the same problem as all of you are having.  Robbie, I tried everything you said to do and found the 4 folders with "wkspatch" files in them.  However, I'm not able to delete the files.  It says the file is being used by another person or program.  Is there a way to get around this?
Thanks.

 

Answer by cannavjj
Submitted on 3/5/2004
Rating:  Rate this answer: Vote
Robbie's answer worked. I deleted all the folders. As for slimjimmy11, try restarting in Safe Mode & then delete.

 

Answer by slimjimmy11
Submitted on 3/6/2004
Rating: Not yet rated Rate this answer: Vote
Hi again,
It's the weirdest thing.  I went into the folders and deleted the wkspatch files.  I went into safe mode and ran the system scan and the welchia removal tool.  They didn't find anything.  So I thought I was in the clear.  But an hour ago, the auto protect popped up again and told me I still have the virus.  WTF?
Is anybody out there experiencing the same thing?

 

Answer by heavn01
Submitted on 3/6/2004
Rating: Not yet rated Rate this answer: Vote
Ya, I clean out all the patch files from my config folder and pass the removal tool and virus scan and when i restart my computer it seems to be okay at first. Then an hour later I get that message from my norton antivirus saying that i have the worm again. It keeps showing up and I can't seem to completely remove it!

 

Answer by johan
Submitted on 3/6/2004
Rating: Not yet rated Rate this answer: Vote
is the removaltool the same for the  W32.welchia.B.Worm as for the W32.welchia.Worm ????
if so it seemes impossible to get this out of the system. i'vetried it all!!!

 

Answer by M.
Submitted on 3/7/2004
Rating: Not yet rated Rate this answer: Vote
"It says the file is being used by another person or program."

You need to end the process. Pres cntrl+alt+del, click on the tab that says "process" (depending on your version  of windows, you may have to hit "task manager" first.) Look for a file in there called WksPatch.exe and click 'end process'. Then try deleting the files again.

 

Answer by jill
Submitted on 3/7/2004
Rating: Not yet rated Rate this answer: Vote
ok i am getting really fusterated i can't do anything to get rid of this worm.I reformatt it comes right back up, it dosn'tactually infect anything because norton removes it but i have to restart the computer because programs don't respond.I don't even know why i am getting this.SOMEONE please help

 

Answer by G.L.06
Submitted on 3/8/2004
Rating: Not yet rated Rate this answer: Vote
I'm having the same problem as the rest of you.I'm new with computers and am finding this very discuraging,I can't even hook my new printer up because of it, any help would be greatly appreciated.

 

Answer by YK
Submitted on 3/8/2004
Rating:  Rate this answer: Vote
I was having the same Welchia.B/Nachi.B problem, and I couldn't remove it with any removal tool or by the regular manual way, but I found a way to remove the whole worm from the computer (it's a little long..):
First you have to get and apply the microsoft "vulenerability patches" found here:
1.http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
2.http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Then download the "Avast! Cleaner" from http://www.avast.com/i_idt_171.html
And download & install Ad-Aware 6 with the newest update ("reference file"), if you don't already have it, from http://www.lavasoft.de/default.shtml.en

OK, now turn off system restore, and reboot in Safe Mode. Then delete all the files found in the 4 folders in C:\WINDOWS1\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
Then run the Avast! Cleaner- this should delete the svchost file the worm created.
And do a scan with Ad-Aware and delete the Registry keys of Welchia.B that Ad-Aware found (It may also find other Spyware that you might want to delete).

OK, now reboot your computer, turn on system restore, and... that's it!
(I used this method and it worked, so I hope it works for you too)

 

Answer by robbie
Submitted on 3/8/2004
Rating: Not yet rated Rate this answer: Vote
Jill,be sure to update your virus definitions, run the removal tool and install the patch. Also, get rid of all the wkspatch files on your computer.
The worm just comes through a port. You don't have to do anything to get it - just plug into the internet. I got it when I went online to do a virus update..a little ironic, isn't it?

 

Answer by Scott
Submitted on 3/8/2004
Rating: Not yet rated Rate this answer: Vote
I had the worm as well.  All I did was make sure I had all of the recommended and critical windows update files.  I then followed everything YK said.  I found that having those update files did the trick.

 

Answer by Jill
Submitted on 3/9/2004
Rating: Not yet rated Rate this answer: Vote
thx Robbie, i downloaded the patch a day ago and the worm hasn't come up since :)....i recommend to everyone to download the patch for it, it works

 

Answer by Sang
Submitted on 3/9/2004
Rating:  Rate this answer: Vote
1. delete WksPatch[1].exe in C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SXY3S1IJ\WksPatch[1].exe

2. delete SVCHOST.EXE in
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)

I think things mentioned above will work in most cases.

More information is in this site.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101025

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Good luck! Actually, I spent lot of time to get rid of this worm.

 

Answer by Lola
Submitted on 3/10/2004
Rating: Not yet rated Rate this answer: Vote
i've tried everything here with mo luck. I fustrated and getting pretty upset. what else can i do, when i go to contentIe5 there's nothing in the folders to be deleted when i scan my computer there's nothing found, yet norton still gives me that dreaded notification and whenever i delete it, it just comes back. PLEASE HELP!!

 

Answer by Rob
Submitted on 3/10/2004
Rating: Not yet rated Rate this answer: Vote
Delete the svchost.exe file. This is where the wkspatches are made from. There is a good copy of svchost.exe in your system 32 file. you can't delete this. you have to go into the drivers file in the system 32 folder. then delete svchost.exe. If you are unable to, restart in safe mode and try it. hope it helps.

 

Answer by slimjimmy11
Submitted on 3/10/2004
Rating: Not yet rated Rate this answer: Vote
I tried to delete svchost.exe but it wouldn't let me.  So I tried to go into the drivers file in the system 32 folder, but I can't seen to find svchost.exe in the drivers file.  I have been trying everything that's been suggested to no avail.  Please help.

 

Answer by Lola
Submitted on 3/10/2004
Rating: Not yet rated Rate this answer: Vote
I know what you mean slimjimmy11, i don't have the svchost.exe in my system 32 drives either, Thanks Rob for the advice but its not working as i can't even locate the file.

 

Answer by Lola
Submitted on 3/10/2004
Rating: Not yet rated Rate this answer: Vote
Norton just gave me the notification once again, i'm this <> close to giving up, its been 3 days now. I can't find the svchost file in my system32/drivers but there's the "good" one in system32.

I've started my computer in safe mode, turned off the restore, ran the symantec tool a billion times with the same result...NOTHING FOUND. but yet the notification comes up minutes later, and norton quarentines it, i delete it. check the 4 folders in content IE5, find nothing in all 4 of them. come here and try EVERY suggestion given by you guys, and still the notice comes. I don't know what else to do. I've downloaded the patches but, i don't know if they've installed because the comp freezes.

Does anyone else have an suggestions for me? i'm really desperate. but please don't tell me to use the symantec tool again b/c that doesn't work for my system. because i have the welchia.b.worm but it only searches for the welchia.worm. But that's about it. Thanks for reading ):/:)


 

Answer by ET
Submitted on 3/11/2004
Rating: Not yet rated Rate this answer: Vote
I'm having the same problems removing the w32.welchia.b worm from my computer running windows xp. I also cannot download anything without getting a notification about this worm and I cannot download windows updates since I've had this virus. Can anyone help?

 

Answer by Dolfy
Submitted on 3/11/2004
Rating: Not yet rated Rate this answer: Vote
I followed the process  that  YK indicated and I think that I got rid of the virus.  At least it does not show up again in any of the scannings.  The problem that originally make me think that I may have a bug was that as soon as I connected with the internet, everything was SO slow…sometimes it would not even connect with my server (phone).  Even though it seems that I got rid of the virus, I am still having the same problem.  Can anybody help me to know what to do next?

PS There was an INDEX file with the folders in “content.IE5” that I did not delete.  Should I have deleted it?  THANKS TO ALL.  Dolfy

 

Answer by jake36
Submitted on 3/11/2004
Rating: Not yet rated Rate this answer: Vote
If you have a compaq or Hp there is a second partition on your hard drive. Check to see if the files are on that drive also, and try running the tool on the second partition too

 

Answer by Dolfy
Submitted on 3/11/2004
Rating: Not yet rated Rate this answer: Vote
PS:  I just realized that I still have the file SVCHOST.exe in my system 32 folder.  I did the whole process all over and I cannot delete it.  I would really appreciate if anybody can tell me how to do it.  Thanks, again.  Dolfy

 

Answer by johan
Submitted on 3/11/2004
Rating: Not yet rated Rate this answer: Vote
I just wonna thank YK soo much for helping me totally getting rid of this problem !!!!

I hope you live a good life !!

ps: i have a question, is it legal to download music from dc++ in the US?

 

Answer by Karin
Submitted on 3/11/2004
Rating:  Rate this answer: Vote
ROBBIE= IN YOUR INSTUCTIONS I FOLLOWED EVERYTHING UP UNTIL SYSTEM PROFILE BUT THEN I DIDNT HAVE A LOCAL SETTINGS.  PLEASE HELP I AM IN SUCH NEED OF HELP.

 

Answer by Rob
Submitted on 3/12/2004
Rating: Not yet rated Rate this answer: Vote
Karin, you can't see the local settings file because it is hidden. You need to click on tools, folder options, view, and then select to view hidden folders. This should let you see the folder. Then go in and do all of the other stuff and delete the wkspatches.

 

Answer by mortisha
Submitted on 3/12/2004
Rating:  Rate this answer: Vote
Just Like To say a big thank you to YK for his posting , I followed his advise and it got rid of the NASTY  virus first time round.I made sure i  downloaded all the links turned off system restore and started in safe mode removed the virus ,ran the virus prog, ran adaware etc .then rebooted and ran norton {updated Definitions} HAY PRESTO no more nasty virus .I think a lot of you are failing to go into safe mode when searching for the virus,which will obviously cause you  problems .Make sure your in safe mode and do all of YK's advice in there{F8 at bootup = safemode} Cant Thank YK Enough for the advice .Cheers your a Very Nice Person.To all you virus writers out there why dont you all get together and do something constructive with your computer skills like write a virus proof operating system instead of causing the rest of the population so much hassle ??????

 

Answer by superluvrgurl
Submitted on 3/12/2004
Rating: Not yet rated Rate this answer: Vote
i also have this stupid worm thingy. I have tried deleting the files but it won't let me! this is really getting aggrivating. I called the support center for my computer and they told me to do a destructive recovery but im gonna loose everything if I do that!
HELP!!!!!!!!!!!!!!

 

Answer by Ozzie
Submitted on 3/12/2004
Rating: Not yet rated Rate this answer: Vote
I ran a full format with fdisk/MBR and i still have that damn thing?????????\go figure

AARRAAAAGHHHHHHHHH!!!!!!!!
I will try the above steps now i guess,never thought it would stil be around AFTER fdisk/mbr.

 

Answer by naz
Submitted on 3/13/2004
Rating: Not yet rated Rate this answer: Vote
plz help me get rid of the welchia worm!

 

Answer by Lola
Submitted on 3/13/2004
Rating: Not yet rated Rate this answer: Vote
jake36 you mentioned something about doing something to the partition on the  hard drive if one owns an HP, i'm working off an Hp but i don't know what you mean by that.

Can you please help me?

 

Answer by Simon
Submitted on 3/14/2004
Rating: Not yet rated Rate this answer: Vote
Download and install WindowsXP-KB824146-x86-ENU.exe and follow YK instructions

 

Answer by OldTack
Submitted on 3/15/2004
Rating: Not yet rated Rate this answer: Vote
Just like to say thx to YK, was having a complete nightmare with this on, formatted my hdd 3 times(was doing it anyway) but kept getting the worm everytime i logged on the net to update norton, followed your advise to the tee and all seems well(apart from my brain which spent far too long on this one)
thx again
Tack

 

Answer by Titan
Submitted on 3/15/2004
Rating: Not yet rated Rate this answer: Vote
Oh God! Everything i see here were tried but still not helping at all! What am i supposed to do??? Sigh.... *CURSE THE CREATOR*

 

Answer by mebl
Submitted on 3/16/2004
Rating: Not yet rated Rate this answer: Vote
This virus must place something in the mbr or boot sector because I have repartitioned the drive several times and even ran western digital's utility to zero fill, but the virus still comes back after the install. I know the installation disk doesn't have the virus cause I used it on another computer and that computer doesn't have this virus.

I enabled the bios virus protection but it has not alerted once during the partioning or the complete winxp install.

The only thing I can try next is to fix the mbr. I hope someone out there comes up with a fix soon cause this virus is really irritating!

 

Answer by donna
Submitted on 3/16/2004
Rating: Not yet rated Rate this answer: Vote
find svchost.exe using computer search. Enter '.exe' for file name, 'svchost' in 'words containing etc'..it doesn't show up otherwise.

I've just deleted it sucessfully..if it comes back again I'll do what yk said

 

Answer by ET
Submitted on 3/16/2004
Rating: Not yet rated Rate this answer: Vote
I would like to try everything suggested by YK except that since I got this virus I have not been able to download any patches. Everytime i access the internet a box pops up in the corner that tells me the computer has the w32.welchia.b worm again and I am not able to download anything. Is there any other way to get the patches besides downloading them.

 

Answer by OldTack
Submitted on 3/17/2004
Rating: Not yet rated Rate this answer: Vote
ET, if you are unable to download the windows critical updates that YK suggests, you will have to download them from another system and burn to cd, this is what i did however i used my flash drive. I then booted my infected system, ran the removal tools, then installed the updates from microsoft,only then did i go online and update virus software, voila worm gone. If you have a problem using another system to download the patches and burn to cd, you could always contact microsoft and request the free critical update cd. Good luck with it
Tack

 

Answer by mebl
Submitted on 3/17/2004
Rating: Not yet rated Rate this answer: Vote
Well, I finally got rid of the virus. However, I didn't have any wkspatch files. I deleted the all the files and folders in the C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\ folder as suggested by YK and did it in safe mode.

Also, I already had the patches installed. If u get the NT/Auth shutdown dialog, just click Start > Run > cmd > Enter key and type shutdown -a to stop the shutdown.

After deleting the files I fdisked the drive again and reformatted my partitions. This time I noticed that I was unable to delete the extended partition for some odd reason, but after created the new partitions, everything was fine.

One thing I noticed when I first installed XP is that the install was different then the normal install and asked different questions. I think this was due to the virus already being there when the drive had win98se. This virus doesn't do anything on win98se.

After getting rid of the virus, the install went normal without the different question screens.

People having problems with the Nachi.B virus should follow YK's suggestion. Make sure the patch is installed and u r in safemode with the system restore turned off.

Press F8 while booting to get to safemode.
r-click My Computer > properties > System Restore Tab > put a check in Turn off Sytem Restore on all drives. (don't forget to turn restore back on after the reboot once the virus is for sure gone.

 

Answer by mebl
Submitted on 3/17/2004
Rating: Not yet rated Rate this answer: Vote
I just got the virus on my other computer, even with the MS patches, after I turned off the microsoft firewall. Robbie is right that this must be a port virus.

Solution is to turn on the microsoft built-in firewall in XP after removing the files listed by YK or install something like zone alarm.

 

Answer by BG
Submitted on 3/21/2004
Rating: Not yet rated Rate this answer: Vote
I had the W32.Welchia.B Worm and followed Robbie's advice above - it worked perfectly - Thanks Robbie.

Remember to empty the wase bin and then get the Microsoft Patches to stop it happening again.


 

Answer by pablo
Submitted on 3/21/2004
Rating: Not yet rated Rate this answer: Vote
hey. I am just wondering how to get rid of the svchost file in the system32 file.
I can't delete it even in safe mode. I am desperate. I have followed most of the instructions posted here, the only thing left is the svchost file.

Any suggestions? God bless you!!

 

Answer by Toriyama
Submitted on 3/22/2004
Rating: Not yet rated Rate this answer: Vote
For all those who have had problems deleting the files till now: Nortan AntiVirus has a buildin del tool ("Whipe out", under additional tools) which can delete the files without any problems.

 

Answer by Tom
Submitted on 3/22/2004
Rating: Not yet rated Rate this answer: Vote
I have a dell computer running xp..I need help in destroying this worm.W32.welchia.b.worm.  Can someone walk me through the process.

Where did this worm orginate from.   Also if I remember correctly there was a notice telling me that this worm would automatically remove itself maybe in June 2004. Does this sound familiar?  

Thank you.

 

Answer by Titan
Submitted on 3/22/2004
Rating:  Rate this answer: Vote
About the microsoft patches, i see that there are patches for Win XP 32-bit and 64-bit. How do i check if my own system is 32 or 64 bit?

 

Answer by Dany
Submitted on 3/23/2004
Rating: Not yet rated Rate this answer: Vote
Finally i kill the virus!
Thank's to all for the help!
I do so: i follow step by step the YK answer, but the virus come back, so i went to "Tools" - "Windows Update" on the explorer bar and i made ALL the important upgrade listed here.
Than...it's a week that the virus don't pop up!!!
P.S
For Titan, if you have an Intel processor you have the 32 bit system. The 64 bit is only in some AMD processor.

 

Answer by pablo
Submitted on 3/23/2004
Rating: Not yet rated Rate this answer: Vote
hey!
The virus is gone!
Thank you to all for your advice, I hope you guys all have luck deleting this thing.
If you read carefully the messages posted here, you will find the answer to how delete this thing.

Take care

 

Answer by robbie
Submitted on 3/23/2004
Rating: Not yet rated Rate this answer: Vote
Sorry, Karin, I've been off skiing for 10 days (without computer).
When you go to system profile, if the "local settings" folder is not showing, click on Tools, select "folder options", select "view" and click on the option to show all hidden folders. Then, you should see the local settings folder.

 

Answer by snail
Submitted on 3/24/2004
Rating: Not yet rated Rate this answer: Vote
dear yk
please give me a step to step instruction of how to apply the microsoft vulnerability patch on the 2 websites that you mentioned.
I have tried to go to the website but do not know how to apply the patch.  I am fedup with this welchia worm as I cannot seem to rid of it.   Thanks.

 

Answer by FedUp
Submitted on 3/24/2004
Rating: Not yet rated Rate this answer: Vote
Hello.. just a quick question for YK or any of those that tried YK's method.. i have downloaded the patches etc. the only thing is when i go to C:\WINDOWS1\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5, should i delete all the files? or just the ones that are called WksPatch[1].exe, WksPatch[2].exe,... WksPatch[4].exe, etc?  Also, i dont have only 4 folders sitting there.. i have more than 4.. around 6.. hmm.. please help someone! ill be forever grateful..

 

Answer by Caudeceus
Submitted on 3/26/2004
Rating: Not yet rated Rate this answer: Vote
I am having trouble with the worm. I have applied the patches YK mentioned, did all the virus scans YK suggested, deleted all the WksPatch files and the virus keeps coming back! I already used Norton's virus scanner, and its Welchia fix program. Nothing works. I cannot find the svchost file in the system32/drivers folder. Does it exist in somewhere else other than in system32? I tried to make my computer search for it and it can only find the one in system32. I did all this in safe mode with system restore turned off. Is there anything I'm missing? I really want to get rid of this nasty virus.

 

Answer by YK
Submitted on 3/26/2004
Rating:  Rate this answer: Vote
Hi all, I'm glad my advice worked for alot of you (:

snail, to download the patches go to the websites I mentioned, and then under "General Information" click "Patch availability", then choose your operating system, see Dany's answer about whether you have a 32 or 64 bit system, and download the patch. Then run the patches and follow the instructions to apply them.

FedUp, you should delete all the files in all of the folders that are in Temporary Internet Files. I'm not sure if they are all related to the worm, but they are all "temporary" internet files that the computer doesn't need, so it would be safer to delete them all, just in case they are related.

About the svchost file that's located in the Windows/system32 folder- it's not related to the worm (only the one in Windows\system32\drivers) and it's a process that Windows needs, so it shouldn't be deleted.

Hope this helps!

YK

 

Answer by Caudeceus
Submitted on 3/26/2004
Rating: Not yet rated Rate this answer: Vote
What if I have the worm, but it doesn't exist in the windows/system32/drivers folder? Does it exist somewhere else?

 

Answer by FedUp
Submitted on 3/26/2004
Rating: Not yet rated Rate this answer: Vote
I have finally done it! Again thanks a million to YK.. to the rest of u follow closely what YK has said and other than that make sure that u download all the patches that symantec tells u to on this website http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html
also, those of u that cant seem to delete the svchost.exe Bad file, thats prly cuz Norton has already deleted it for u.. just make sure that u clean up all the Norton quarantine folders and backup folders in which the worm is identified.  Hope u follow.. Good luck and dont worry its not impossible!

 

Answer by snail
Submitted on 3/28/2004
Rating: Not yet rated Rate this answer: Vote
YK
I tried everything you say so many times but the worm keep on popping up.  It has been more than a month already and I am really getting fedup of this worm.  My system has become very unsteady as a result.
Is it safe in this case to make a purchase on internet?
Even as I type this the worm keeps popping up.  Await your further advice

 

Answer by YK
Submitted on 3/28/2004
Rating:  Rate this answer: Vote
snail, make sure you have all the critical windows updates- in internet explorer go to "Tools", "Windows Update", and install all the updates.
Then turn system restore off, restart in safe mode, (make sure that you're not connected to the internet) and do  everything that follows- Avast!Cleaner, etc.

I'm not sure if it's safe to make a purchase, I think it is..


Good luck, hope you get rid of it,

YK

 

Answer by cranker
Submitted on 3/28/2004
Rating: Not yet rated Rate this answer: Vote
My norton internet security detects a "Welchia_ICMP_Scan" intrusion.  I don't think it is getting in but it keeps popping up constantly.  How can I stop this.

 

Answer by Alice
Submitted on 3/28/2004
Rating: Not yet rated Rate this answer: Vote
I have the same question,and what shall I do?thank you for your help!

 

Answer by jpc165
Submitted on 3/30/2004
Rating: Not yet rated Rate this answer: Vote
Last night I successfully deleted the w32.welchia.b.worm on my friends machine.  He did not have an up to date virus protector or a firewall(very very bad).  I installed zonealarm, ran windows update, then installed norton and updated all the definitions.  Once norton located the worm it would not let me delete it.  So I brought up the task manager and killed all versions of svchost.exe.  The computer attempted to shutdown itself (another symptom of this worm according to microsoft).  Before it was able to shutdown I went back to norton and was able to successfully  delete the worm.  Norton won't be able to delete this worm while its executing.  :)

 

Answer by konfuzd
Submitted on 3/30/2004
Rating: Not yet rated Rate this answer: Vote
Hey guys,
I have also struggled with this worm for about a month now, tried everything above to no avail..
Finally I got frustrated and un-installed Norton, because I was getting sick of all the pop-ups. I then ran the fix tool, and it removed the worm, and I've been free since...

I hope this works for you guys.... and I hope they find the SOB that created this worm and hang him by his testicles!!!
I hope this works for some of you

 

Answer by chz939
Submitted on 3/31/2004
Rating: Not yet rated Rate this answer: Vote
Hello there,

I was struck by this worm yesterday and I followed what YK mentioned. But I can still find the folders in content.IE5. And my Norton doesn't work well.It is always closed automatically. It is the same with the registration table. It always shut down automatically.
Anybody meet with such situation? Any suggestions?
By the way, what is fix tool?
Thanks!

 

Answer by Jarad
Submitted on 4/2/2004
Rating: Not yet rated Rate this answer: Vote
Thank you all so much, I'm trying all of this advice... I just have once question, is anyone having the problem of not being able to open task manager? I press ctrl alt del and the little sign of it shows up in the task bar, but it won't pop up and i click on it and do everything, when i right click, my comp just sits there, im wondering if this is a sign of the worm, or another virus.(i hope not)

 

Answer by TooSi
Submitted on 4/2/2004
Rating: Not yet rated Rate this answer: Vote
When the virus is executing it won't leave you open the TaskManager...

 

Answer by fiorde
Submitted on 4/3/2004
Rating: Not yet rated Rate this answer: Vote
Iīl do everything that YK said but norton send the message that there are that virus in my computer.

I don't know how to do!!!

Please held me.

I have al the things that the other people said.

 

Answer by SG
Submitted on 4/5/2004
Rating: Not yet rated Rate this answer: Vote
Thank you, All of you.
How can I turn off system restore?

 

Answer by Jackofalltrades
Submitted on 4/6/2004
Rating: Not yet rated Rate this answer: Vote
Does anyone know how to do a system restore on
Windows Professional 2000. I have the w32 worm and many others. I am trying to do a system restore so I can run a virus scan in safe mode.
Any suggestgions

 

Answer by delmon01
Submitted on 4/6/2004
Rating: Not yet rated Rate this answer: Vote
Hi, I've tried everything you advised on this site but I still have the virus. Even after I run in safe mode and delete all the files in Temp Internet File, the Avant Cleaner does not find anything and the same for Ad Aware.
Any other good advise? As well I can not locate the svchost.exe, but after I open the computer Norton will advise me about the virus.
HELP!!! Thanks

 

Answer by someone
Submitted on 4/7/2004
Rating: Not yet rated Rate this answer: Vote
delmon u have to get the vulnerability patches YK sed....found here

1.http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
2.http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

 

Answer by snail
Submitted on 4/8/2004
Rating: Not yet rated Rate this answer: Vote
YK,  I have tried everything you instructed and finally, after more than one month,  whoopee.........I have been without the stupid worm for a week already..........Thanks you very much.

 

Answer by mahsa
Submitted on 4/10/2004
Rating: Not yet rated Rate this answer: Vote
Trust me, it will work. just go to this    

wehttp://216.239.39.104/translate_c?hl=en&sl=fr&u=http://www.membres.lycos.fr/securizer/def/welchia.b.htm&prev=/search%3Fq%3Dw32.welchia.B.worm%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DGbpage

which I gave you. choose: disinfection: click here(Tools for symantec repair : Fixwelch) download it and it will kill the worm by itself. I couldn't delete svchost even in a safe mode. it deleted it for me! it will just take 5 min.

 

Answer by static
Submitted on 4/10/2004
Rating: Not yet rated Rate this answer: Vote
Thank you everybody. I deleted the worm in safe mode.. just make sure you clean up the windows startup, coz it will pop again, and download all updates from microsoft... helped for me + symantec FixWelch.exe (in safe mode)

 

Answer by JR
Submitted on 4/12/2004
Rating: Not yet rated Rate this answer: Vote
I have had the same problem but am more worried by the fact that I cannot access any of the anti-virus site such as Symantec or Trend. Is this also a symptom and if so what is the cure.

Thanks

 

Answer by Hughie
Submitted on 4/13/2004
Rating: Not yet rated Rate this answer: Vote
I tried everything here, without success, two patches from Microsoft, Avant Cleaner, Ad Aware 6, Norton, all done in safe Mode, spent hours and still it reappeared, (normally about 3 mins on line) I heard it was date sensitive (expires 4th June) so I have put my clock forward two months, to date no reoccurence. Any boffs out there tell me if this will work, 2 hours on line. !!

 

Answer by manhar
Submitted on 4/13/2004
Rating: Not yet rated Rate this answer: Vote
I use a virus scanner called Solo.
It found the virus and deleted it pronto!
Double checked afterwards with an Online HouseCall virus scan and am clear. Try Solo it seems to do the job easily.

 

Answer by Bec
Submitted on 4/18/2004
Rating: Not yet rated Rate this answer: Vote
I'm having the same problem with not being able to access any anti-virus websites. Also, when I try running Norton again, it can't find the worm. I've downloaded the worm removal tool from another website, and it hasn't picked it up. I don't know what to do!

 

Answer by Boro
Submitted on 4/19/2004
Rating: Not yet rated Rate this answer: Vote
Thanks to YK for the tips, i followed them to the letter with some minor tweeks and i seem to have removed the virus!

I used the following program called stinger to delete the two virus files.

http://vil.nai.com/vil/stinger/

Then i downloaded but didnt run the two patches from microsoft. Then i disconnected from the internet and ran the stinger program again just to make sure it hadnt crept back in while i was downloading.

Rebooted in Safe Mode and ran the two patches without a problem.

Then found the four files YK mentioned and use a File Shredder type program to delete them.

Then rebooted and turned on system restore.

Job done!

 

Answer by Sandy
Submitted on 4/19/2004
Rating: Not yet rated Rate this answer: Vote
Can someone also help me, I have this worm.nachi.b thing as well and i can't get rid of it.  Is there any definite way of deleting it? I've tried various steps from what you all have posted but none of them have worked. Help!

 

Answer by Danny
Submitted on 4/19/2004
Rating: Not yet rated Rate this answer: Vote
I see everybody says to delete the infected svchost...Isn`t that an important file that`s being used by windows? Is it safe to delete it?

 

Answer by Bec
Submitted on 4/20/2004
Rating: Not yet rated Rate this answer: Vote
Ok guys, I don't know what I did wrong. I followed everyone's suggestions about patches, rebooting in safe mode, shutting off system restore, deleting the wkspatch[1] file. I even installed Avast etc. Nothing worked. Eventually, I used task manager to end the processes of all the svchost's that kept popping up, then managed to delete it. Now my computer is deceased. It will start up in normal mode, but you can't run any programs. I tried to restore svchost from the recycle bin, but it won't let me. It won't even let me cut and paste it from the recycle bin, or even a floppy disk. I'm out of ideas. Is there anything I can do to get my computer running again without having to reinstall windowns???

 

Answer by danny
Submitted on 4/20/2004
Rating: Not yet rated Rate this answer: Vote
svchost is an important file ....without it windows cannot run properly!

http://ask-leo.com/archives/000105.html


 

Answer by Casual
Submitted on 4/21/2004
Rating: Not yet rated Rate this answer: Vote
I also get this worm in my PC.  Now I cannot access www.symantec.com and websites of other major anti-virus solution provider.  Is this an effect of this worm?

 

Answer by chris
Submitted on 4/27/2004
Rating: Not yet rated Rate this answer: Vote
i was reading some of the entreis

The way you turn off system restore ( or the way i did) is that you go to hhelp and enter turn off system restore and it wil give you a list of things to do in cluding turning off the system restore

 

Answer by km
Submitted on 4/28/2004
Rating: Not yet rated Rate this answer: Vote
Do window update regularly will solve the problem.

 

Answer by worm free
Submitted on 4/29/2004
Rating: Not yet rated Rate this answer: Vote
I found the worm on April 21, came here follwed all of YK and Robbie's suggestions. (Read postings listed above, start at the beginning and read to the end!!!!!!!!) It worked the first time  I tried.  When you try to open the four folders -(YK mentioned) if you click on the folders they open but nothing is listed.  When I tried  right clicking and then clicking on open the folders opened and I found the wksptch  files Robbie mentioned.  Read YK and Robbie's postings!!!  THEY WORK!!!! Thanks to all!!!!!!!!

 

Answer by chris
Submitted on 5/2/2004
Rating: Not yet rated Rate this answer: Vote
I need help

I dicovered the worm a while ago now and i tried everything to get rid of it. I have Norton, Spy bot search and destroy, ad aware 6 and Avast cleaner and none of them have found and removed the worm.

I followed Jk's advice and Robbies also, i delested the files in the temp. interent folder and emptied my quartine, i thought it was over... it wasnt. Norton popped up the next day saying that i had the worm again but was unable to delete the files. This happened twice in a row, after the second alert Norton again popped up and said that Norton has deleted the worm from your computer, im think that is weird.... This happens every time i tunr my computer on.

Can some one plze help me?

 

Answer by Nathan Houle
Submitted on 5/4/2004
Rating: Not yet rated Rate this answer: Vote
This Virus is infecting our school network we need help getting rid of it... e-mail me at nathanhoule@hotmail.com

asap

 

Answer by Casual
Submitted on 5/6/2004
Rating: Not yet rated Rate this answer: Vote
Download stinger from http://vil.nai.com/vil/stinger
It works.  It can also kill other recent virus.

 

Answer by JR
Submitted on 5/9/2004
Rating: Not yet rated Rate this answer: Vote
With reference to the problem I had with not being able to access the anti-virus I found that it was caused by the Qhosts.apd trojan. Download stinger from http://vil.nai.com/vil/stinger and use to clear the problem.

 

Answer by Karin
Submitted on 5/10/2004
Rating: Not yet rated Rate this answer: Vote
I have a W32. Blaster worm.  Has anyone had any luck removing this?  My computer isn't able to stay online long enough to download anything so I am using another computer to search for help.  Please help if anyone has any luck.  THANK YOU

 

Answer by Alex P.
Submitted on 5/17/2004
Rating: Not yet rated Rate this answer: Vote
I had the Worm and I removed it using the solution by YK further up this page. It removed the worm. Now I have another problem. somehow Adware and or spyware got on my computer and I cannot remove either of them. Every time I click on Internet Explorer Icon, my CD and DVD doors open automatically and a screen opens up on my monitor telling me to purchase a program to remove both of these popup programs. Does anyone have a solution to this????

 

Answer by Gemz
Submitted on 12/10/2004
Rating: Not yet rated Rate this answer: Vote
i have loads of viruses on my computer plz help me how du i reboot my computa my internet and computer is running VEYR slow plz plz plz sumbody help me!!!!

 

Answer by asherman_23
Submitted on 1/2/2005
Rating: Not yet rated Rate this answer: Vote
you ave to turn off automatic restore then carry on with the removall procedure

 

Answer by marwa
Submitted on 1/20/2005
Rating: Not yet rated Rate this answer: Vote
my nortron on my computer showed this message:(w32.hllw.gaobot) and it can not repair it

 

Answer by stef
Submitted on 6/28/2005
Rating: Not yet rated Rate this answer: Vote
First of all you need to find the virus on your computer and right click it. Then click scan with nortons anti virus ( or whatever antivirus system you have). Then if it still doesnt go, go into add remove programs and remove internet optimizer, if it allows you, chances are it won't. Finally go into internet explorer click on tools, options, privacy, advanced and BLOCK cookies from both parties.

 

Answer by Paintballking@yahoo.com
Submitted on 1/4/2006
Rating: Not yet rated Rate this answer: Vote
I think you can go to www.Windows.com and look up articles serial number and call and tell the phone person that you want them to send you that fix for that article.  I believe their is a Svchost.exe fix there...

 

Answer by dave
Submitted on 8/29/2006
Rating: Not yet rated Rate this answer: Vote
hey all, i have an error that comes up saying svchost error the memory at 0*007894a is not referenced at 0*0000000, when i click ok a rfc shutdown screen appears and gives me 60 seconds to save work and shuts down, (i can get rid of this by typing shutdown -a in the run window. i have tried downloading loads of programs to get rid of the worm but i cant seem to find any that work-if i try and do a windows update it wont allow me access their site it just blocks me. i think that the virus has come in through the f-secure software i was using as anytime i try and access it it says its unavailable, so i tried to unistall it but it wont allow me, this has been going on for a week now and i cant find  and fix- would any of ye have experienced this problem before and if so how would i fix it.. cheers dave

 

Answer by MeKL
Submitted on 10/10/2006
Rating: Not yet rated Rate this answer: Vote
hi as soon as i turn my computer on,all them browser windows keep poping up + every sec the security alert on my pc is going nuts telling me that i have a worm, my programs starting on there own, i have to turn them off all the time witch make it nearly imposible to look 4 HELP.Just find this web site that give me some hope after 2 day pulling my hair,i tried many removal software for everythings that i can t even install(they are all corupt so my computer say).WHAT IS GOING ON !!? don t know what to try next can sombody help me?

 

Answer by Kristjan ( janucrio@yahoo.co.uk )
Submitted on 11/21/2006
Rating: Not yet rated Rate this answer: Vote
i had this worm coming yesterday, my AD-Aware SE had found it thi skind of worm donīt remember itīs proper name. there wre two files and they were removed after that i also used my newly updated Spybot Search and Destroy as well it found nothing.

but the worst is

1: The ask manager doesnīt show up if i press CTRL-ALT-DEL
2: Iīve also tried to right click on the taskbar and choose Task Manager but nothing happens
3: Iīve downlaoded a removal tool from Symantec homepage but it didnīt work

I know it  outh there have tried all advices iīve read here but nohting works when i try to find the mentioned file in the C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SXY3S1IJ\WksPatch[1].exe adress But itīs empty in all corners, but i know itīs out there.

Iīve only had this since the summer, am an 19 year old boy attending at a middle school am am using this Compag Presario V5000 for schoolwork and have many programs but my dad says that the only thing that he vould do is to completely re-install the Win-XP system but i donīt want that to happen. So if anybody can help me then please respond

 

Your answer will be published for anyone to see and rate.  Your answer will not be displayed immediately.  If you'd like to get expert points and benefit from positive ratings, please create a new account or login into an existing account below.


Your name or nickname:
If you'd like to create a new account or access your existing account, put in your password here:
Your answer:

FAQS.ORG reserves the right to edit your answer as to improve its clarity.  By submitting your answer you authorize FAQS.ORG to publish your answer on the WWW without any restrictions. You agree to hold harmless and indemnify FAQS.ORG against any claims, costs, or damages resulting from publishing your answer.

 

FAQS.ORG makes no guarantees as to the accuracy of the posts. Each post is the personal opinion of the poster. These posts are not intended to substitute for medical, tax, legal, investment, accounting, or other professional advice. FAQS.ORG does not endorse any opinion or any product or service mentioned mentioned in these posts.

 

<< Back to: [alt.comp.virus] FAQ Part 1/4


[ Home  |  FAQ-Related Q&As  |  General Q&As  |  Answered Questions ]

© 2008 FAQS.ORG. All rights reserved.