Re: cure for W32.Welchia.Worm virus

From: Jay Nichols (jaynichols99_at_hotmail.com)
Date: 08/31/03


Date: Sun, 31 Aug 2003 08:03:58 -0700


Symantec has a long dissertation on how to deal with this
worm.

Basically you have to bring up the computer in safe mode,
find the file DLLHOST.EXE which should be in your
%system%\wins folder. You have to be in safe mode otherwise the
file cannot be deleted, renamed, etc. Once you find it,
delete it! Then go to your registry
HKey_Local_Machine\System\CurrentControl....\Services and
delete the two keys: RPCPATCH & RPCTFTPD. Before you
delete them, note that they refer to the program
HOSTDLL.EXE in the wins directory. This is proof positive
the worm has infected your machine. Then find SVSHOST.exe
and delete it. Then you are safe if you are sure you have
823980 patch from MS installed on your machine.

I found the worm after setting my entire disk to binary
zeroes, loading W2K server followed by downloading the
various patches, service packs, etc. from MS. Then
running NAV scan I found 6 instances of the worm. Sounds
like the MS download site is infected.

I've talked w/MS this morning and they assure me they will
scan their download sites for the presence of this worm in
their downloads. So, be careful about the MS downloads.
Try to download them in their complete binary form and
load them off-line followed by the virus scan procedure
to be sure you are safe.

>-----Original Message-----
>Since NAVE was able to detect then it's probably able to
>quarantine it too.
>You should tell it to do just that.
>
>"Ajai Singh" <ajaisingh81@yahoo.com> wrote in message
>news:036201c36f0e$4c190800$a001280a@phx.gbl...
>> My computer has been infected with the W32.Welchia.Worm
>> virus. This has been detected by Norton anti virus as
>> being in C:\WINNT\SYSTEM32\TFTP420
>> Domain Name : WORKGROUP
>> System Name : AJAI-FUS9FOF7FK
>> User Name : System
>>
>> The NAV has been unable to repair the virus and I shall be
>> grateful if anyone could help me in clearing the virus and
>> checking for damage done / repairing the same.
>>
>> Thank you.
>
>
>.
>
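
The check the post describes (the two service keys and a DLLHOST.EXE copy in the wins folder), as an added example that is not part of the original post or any vendor tool. The function names, the input format (an exported mapping of service name to image path plus a file listing) and all sample data are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Names taken from the post above; matching is case-insensitive.
SERVICE_NAMES = {"rpcpatch", "rpctftpd"}
WORM_DIR = "wins"          # the post's %system%\wins folder
WORM_FILE = "dllhost.exe"


def in_wins_dir(path):
    """True if the file sits directly in a folder named 'wins'."""
    p = PureWindowsPath(path.strip().strip('"'))
    return p.parent.name.lower() == WORM_DIR


def find_indicators(services, files):
    """services: {service name: image path}; files: iterable of full paths.

    Returns a sorted list of (kind, name, path) findings.
    """
    findings = []
    for name, image in services.items():
        if name.lower() in SERVICE_NAMES:
            findings.append(("service-name", name, image))
        elif in_wins_dir(image):
            # A renamed service that still launches a binary from wins.
            findings.append(("service-path", name, image))
    for f in files:
        p = PureWindowsPath(f)
        # The name alone is not enough: only the copy in wins is flagged.
        if p.name.lower() == WORM_FILE and in_wins_dir(f):
            findings.append(("file", p.name, f))
    return sorted(findings)


# Constructed sample data (hypothetical host, not real output).
SAMPLE_SERVICES = {
    "RpcPatch": r"C:\WINNT\system32\wins\DLLHOST.EXE",
    "RPCTFTPD": r"C:\WINNT\system32\wins\DLLHOST.EXE",
    "Updater": r'"C:\WINNT\system32\wins\DLLHOST.EXE"',
    "RpcSs": r"C:\WINNT\system32\svchost.exe -k rpcss",
}
SAMPLE_FILES = [
    r"C:\WINNT\system32\dllhost.exe",       # normal Windows location
    r"C:\WINNT\system32\wins\DLLHOST.EXE",  # copy in the wins folder
]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_SERVICES, SAMPLE_FILES):
        print(finding)
```

A DLLHOST.EXE directly under system32 is the normal Windows location and is not reported; only the copy inside the wins folder is.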


