[ Home | FAQ-Related Q&As | General Q&As | Answered Questions ]

Search the Q&A Archives

I have a w32.welchia.b.worm in my computer, does anyone know...

<< Back to: [alt.comp.virus] FAQ Part 1/4

Answer by LamerX
Submitted on 3/1/2004
Rating:	Rate this answer:
I run an XP-machine and have the Welchia.B.Worm. I've tried the Norton removal tool as well as "manual" deletion through safe mode Norton scanning to no effect. Have identified some of the virus locations (temporary internet files\Content.IE5), typically WksPatch[1].exe, WksPatch[2].exe,... WksPatch[4].exe, etc but as I try to put them in quarantine the following merror message shows: "Error adding file to quarantine. This file may be in use by another process or you may be out of disc space" Wtf? So is my computer protecting the virus files? What to do? Note: Strange thing is that though Norton (as well as trendmicro) seems totally blind to the presence of the virus(es) when system scan is made, Symantec Auto-Protect frequently reports on the virus as being identified but "unable to repair" the file. Norton schizophrenic?

Answer by Robbie
Submitted on 3/3/2004
Rating:	Rate this answer:
You must go into your virus protection folder and delete anything being held in quarantine. Then do the system restore stuff and run the removal tool and then There is one thing you must do that is not listed in the removal directions. (It seems long but you just have to open many folders to get to the one with the virus still in it.)Here goes: right click on start button and click on "explore", double click on the "c drive", double click on "windows", double click on "system 32, double click on "config", double click on "system profile", double click on "local settings" (if you don't see it, click on "tools", select "folder options", select "view", and click in the box that says to show all hidden folders), double click on "temp internet files", double click on "content.IE5". You will see 4 folders. You must open each of these folders and delete any file called "wkspatch". Then empty your trash and restart your computer. I was having no luck removing this virus until I did this. It hasn't failed yet.

Answer by YK
Submitted on 3/8/2004
Rating:	Rate this answer:
I was having the same Welchia.B/Nachi.B problem, and I couldn't remove it with any removal tool or by the regular manual way, but I found a way to remove the whole worm from the computer (it's a little long..): First you have to get and apply the microsoft "vulenerability patches" found here: 1.http://www.microsoft.com/technet/security/bulletin/MS03-007.asp 2.http://www.microsoft.com/technet/security/bulletin/MS03-026.asp Then download the "Avast! Cleaner" from http://www.avast.com/i_idt_171.html And download & install Ad-Aware 6 with the newest update ("reference file"), if you don't already have it, from http://www.lavasoft.de/default.shtml.en OK, now turn off system restore, and reboot in Safe Mode. Then delete all the files found in the 4 folders in C:\WINDOWS1\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5 Then run the Avast! Cleaner- this should delete the svchost file the worm created. And do a scan with Ad-Aware and delete the Registry keys of Welchia.B that Ad-Aware found (It may also find other Spyware that you might want to delete). OK, now reboot your computer, turn on system restore, and... that's it! (I used this method and it worked, so I hope it works for you too)

Answer by Lola
Submitted on 3/10/2004
Rating: Not yet rated	Rate this answer:
Norton just gave me the notification once again, i'm this <> close to giving up, its been 3 days now. I can't find the svchost file in my system32/drivers but there's the "good" one in system32. I've started my computer in safe mode, turned off the restore, ran the symantec tool a billion times with the same result...NOTHING FOUND. but yet the notification comes up minutes later, and norton quarentines it, i delete it. check the 4 folders in content IE5, find nothing in all 4 of them. come here and try EVERY suggestion given by you guys, and still the notice comes. I don't know what else to do. I've downloaded the patches but, i don't know if they've installed because the comp freezes. Does anyone else have an suggestions for me? i'm really desperate. but please don't tell me to use the symantec tool again b/c that doesn't work for my system. because i have the welchia.b.worm but it only searches for the welchia.worm. But that's about it. Thanks for reading ):/:)

Answer by mortisha
Submitted on 3/12/2004
Rating:	Rate this answer:
Just Like To say a big thank you to YK for his posting , I followed his advise and it got rid of the NASTY virus first time round.I made sure i downloaded all the links turned off system restore and started in safe mode removed the virus ,ran the virus prog, ran adaware etc .then rebooted and ran norton {updated Definitions} HAY PRESTO no more nasty virus .I think a lot of you are failing to go into safe mode when searching for the virus,which will obviously cause you problems .Make sure your in safe mode and do all of YK's advice in there{F8 at bootup = safemode} Cant Thank YK Enough for the advice .Cheers your a Very Nice Person.To all you virus writers out there why dont you all get together and do something constructive with your computer skills like write a virus proof operating system instead of causing the rest of the population so much hassle ??????

Answer by mebl
Submitted on 3/17/2004
Rating: Not yet rated	Rate this answer:
Well, I finally got rid of the virus. However, I didn't have any wkspatch files. I deleted the all the files and folders in the C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\ folder as suggested by YK and did it in safe mode. Also, I already had the patches installed. If u get the NT/Auth shutdown dialog, just click Start > Run > cmd > Enter key and type shutdown -a to stop the shutdown. After deleting the files I fdisked the drive again and reformatted my partitions. This time I noticed that I was unable to delete the extended partition for some odd reason, but after created the new partitions, everything was fine. One thing I noticed when I first installed XP is that the install was different then the normal install and asked different questions. I think this was due to the virus already being there when the drive had win98se. This virus doesn't do anything on win98se. After getting rid of the virus, the install went normal without the different question screens. People having problems with the Nachi.B virus should follow YK's suggestion. Make sure the patch is installed and u r in safemode with the system restore turned off. Press F8 while booting to get to safemode. r-click My Computer > properties > System Restore Tab > put a check in Turn off Sytem Restore on all drives. (don't forget to turn restore back on after the reboot once the virus is for sure gone.

Answer by YK
Submitted on 3/26/2004
Rating:	Rate this answer:
Hi all, I'm glad my advice worked for alot of you (: snail, to download the patches go to the websites I mentioned, and then under "General Information" click "Patch availability", then choose your operating system, see Dany's answer about whether you have a 32 or 64 bit system, and download the patch. Then run the patches and follow the instructions to apply them. FedUp, you should delete all the files in all of the folders that are in Temporary Internet Files. I'm not sure if they are all related to the worm, but they are all "temporary" internet files that the computer doesn't need, so it would be safer to delete them all, just in case they are related. About the svchost file that's located in the Windows/system32 folder- it's not related to the worm (only the one in Windows\system32\drivers) and it's a process that Windows needs, so it shouldn't be deleted. Hope this helps! YK