Welchia worm

Discussion in 'Software' started by poconomike, Feb 26, 2004.

  1. poconomike

    poconomike Private E-2

    My NAV auto protect is popping up saying I have Welchia on my PC. One file it was able to remove, the other says access to the file was denied. Full scans and the Welchia fix tool do not find it. The file log says it's in a temp file. How do I delete all my temp files (both internet and Windows temp)? Would Disk Cleanup do it?
     
  2. Kodo

    Kodo SNATCHSQUATCH

    What OS are you using please?
     
  3. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    do you know the name of the file it's trying to delete

    edit: sorry Kodo, didn't see you there
     
  4. poconomike

    poconomike Private E-2

    I'm using Windows XP.. I'm sorry I do not have the file right here (I'm at work), but it's something like ../temp internet file/wks ptch
     
  5. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    easy enough to clean internet files
    yes, Disk Cleanup would do the job
    or click Tools in the top toolbar, select Internet Options and you will see a tab to delete temporary internet files

    strange how access is denied though, unless you have a running process using that file at the time
     
  6. Kodo

    Kodo SNATCHSQUATCH

    in your browser select TOOLS--> INTERNET OPTIONS

    In the center hit the button that says DELETE FILES, then check the box off in the next prompt to delete all offline files too and hit ok.

    That will delete your internet cache.
     
  7. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    yeah just like that lol :)
     
  8. alanc

    alanc MajorGeek

  9. poconomike

    poconomike Private E-2

    ok guys.. I'm really confused.. I got the message again tonight...
    here is the file NAV could not access
    Source: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WFK4CFNO\WksPatch[1].exe
    Click for more information about this threat : W32.Welchia.B.Worm

    Here is the one it fixed

    Source: C:\WINDOWS\SYSTEM32\drivers\svchost.exe

    what can I do to stop getting this? Remember my auto protect will get it, but full scans or the fix won't see it
     
  10. Kodo

    Kodo SNATCHSQUATCH

    make sure you have the latest XP updates.. there's a patch in it that prevents this virus from reinfecting
     
  11. poconomike

    poconomike Private E-2

    ok... right now I can't get to the update site.. do you know which patch it is? am I deleting the worm by emptying my temp internet folders?
     
  12. Kodo

    Kodo SNATCHSQUATCH

  13. poconomike

    poconomike Private E-2

    confused again.. I installed that patch last week, the first time I got the Welchia.B... it does say there is a more recent patch, but it directs me to Windows Update which I can't get to... frustrating... can anyone tell me what is happening? my auto protect is getting one of them, but not the internet temp file one? is it a site I'm going to?
     
  14. Kodo

    Kodo SNATCHSQUATCH

  15. poconomike

    poconomike Private E-2

    I have this patch, but to see if I need more recent updates, it refers me to the Windows Update link, which isn't working for me at the moment
     
  16. Kodo

    Kodo SNATCHSQUATCH

    Install the patch again, then use the second tool. Disconnect from your network, turn off System Restore and run the tool in the second link I provided.
     
  17. poconomike

    poconomike Private E-2

    ok... I downloaded the patch again... ran the removal tool with System Restore off.. it says Welchia not found on your computer.. this is what happened last week.. the tool doesn't find it, full scan doesn't find it, but every few days my auto protect will delete the one, but not the temp internet folder one... am I getting reinfected or never getting rid of it in the first place? is it harmful? or is it ok if I delete it from temp every time?
     
  18. Kodo

    Kodo SNATCHSQUATCH

  19. alanc

    alanc MajorGeek

    From Kodo's last link:
     
  20. poconomike

    poconomike Private E-2

    virus help please

    If anyone can be of assistance, I'd really appreciate it. My NAV auto protect will periodically give me the following messages: "Welchia.32.B" was found and automatically deleted from /windows/system32/drivers/svchost.exe... I then get two more messages, the first saying welchia.b found and access to the file was denied, the second saying the repair failed... the file for both of those messages is /windows/system32/config/localsettings/temp internet files/ie5/GD3456/wkspatch(1)... well, this file is hidden, so I unhide it and scan that file with Norton.. no threats found.. In fact if I do a full scan or run the Welchia fix, no threats are found.. Any input as to what is happening? Am I infected? It seems like NAV is catching the worm and deleting it from the one file, but can't from the second cause it's hidden. Does this make sense? My PC seems to be running ok.. The only thing is that if I get this auto protect message and then try to go to NAV reports, NAV doesn't respond. I must reboot.. everything else seems to work ok.. My auto protect Bloodhound heuristics is set to the recommended level (the middle one).. What should I do?

    Thanks gang
     
  21. Kodo

    Kodo SNATCHSQUATCH

  22. poconomike

    poconomike Private E-2

    sorry.. Stinger found nothing
     
  23. Kodo

    Kodo SNATCHSQUATCH

    Mike, you say the file is located here
    windows/system32/config/localsettings/temp internet files/ie5/GD3456/

    Find the directory GD3456 and see if you can delete it. Make sure your browser is closed.
     
  24. poconomike

    poconomike Private E-2

    yes, I can delete it and I have.. but sure enough within a few days, I'll get the auto protect warning again.. I've applied all Windows patches listed on the NAV Welchia virus page, but have been unable to do a total update as I can't get the Windows Update patch to cooperate.. it will run and I go through the 0% complete, 33, 66, then 100.. it will sometimes show the critical updates, but when I click on that.. it fails... time of day?... I do have XP Service Pack 1
     
  25. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    ok, looking through this thread and at the link provided by alanc
    this worm creates a running service with a whole variety of possible names so maybe it's something to do with that :confused:
    anyway Norton recommends running the scan in safe mode, have you tried that

    somehow you must be getting reinfected, have you cleaned out all your old e-mail folders, just a thought

    looking on the bright side, according to Symantec this worm is due to self-terminate on the 1st of June 2004, so I suppose you could just wait till then or reset the date on your machine :D
     
  26. poconomike

    poconomike Private E-2

    thanks.. I tried switching my date to June 1.. I started my machine... left Windows running for a couple hours.. turned it off.. the next time I logged on, I switched it back to the current date.. this did not help... do I have to leave it at June 1?
     
  27. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    don't know man, I was just throwing ideas up in the air :D ;)

    but if it works....... LOL
     
  28. alanc

    alanc MajorGeek

    Have you tried deleting the windows\system32\drivers\svchost.exe file in safe mode?

    There is a valid svchost.exe in the system32 directory, but the one in system32\drivers is bogus and safe to delete.
     
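A path-based triage check for the two indicators this thread names: the bogus svchost.exe under system32\drivers that alanc describes, and the WksPatch[1].exe dropper in the IE cache that poconomike reports. This is added example code, not from the thread, Symantec or Microsoft; it assumes C:\WINDOWS\system32 as the legitimate svchost.exe location (taken from the paths quoted above) and runs over a constructed sample listing.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Where the genuine Service Host binary lives on this XP install (assumption
# from the thread's quoted paths). ntpath.normcase lowercases and normalises
# slashes, so the comparison works the same on any OS.
LEGIT_SVCHOST_DIR = ntpath.normcase(r"C:\WINDOWS\system32")

# Welchia.B's dropper was cached by IE as WksPatch.exe; the browser cache
# renames duplicates to WksPatch[1].exe, WksPatch[2].exe, ...
WKSPATCH_RE = re.compile(r"^wkspatch(\[\d+\])?\.exe$")

# Folder that marks the IE cache (Temporary Internet Files\Content.IE5\...).
IE_CACHE_MARKER = ntpath.normcase("Content.IE5")


def classify(path: str) -> Optional[str]:
    """Return an indicator label for a suspicious path, else None.

    Purely path-based: it flags the two locations this thread identifies
    and does not inspect file contents."""
    directory, name = ntpath.split(ntpath.normcase(path))
    if name == "svchost.exe" and directory != LEGIT_SVCHOST_DIR:
        return "svchost.exe outside system32"
    if WKSPATCH_RE.match(name) and IE_CACHE_MARKER in directory.split("\\"):
        return "WksPatch dropper in IE cache"
    return None


def triage(paths: List[str]) -> Dict[str, str]:
    """Map each flagged path in a listing to its indicator label."""
    hits: Dict[str, str] = {}
    for path in paths:
        label = classify(path)
        if label:
            hits[path] = label
    return hits


# Constructed sample listing, modelled on the paths quoted in the thread.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",          # legitimate copy
    r"C:\WINDOWS\SYSTEM32\drivers\svchost.exe",  # bogus copy alanc describes
    r"C:\WINDOWS\system32\config\systemprofile\Local Settings"
    r"\Temporary Internet Files\Content.IE5\WFK4CFNO\WksPatch[1].exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts",    # unrelated file
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS).items():
        print(f"{label}: {path}")
```

Treat a hit as a prompt for further checks (safe-mode scan, file hash), not as proof of infection, since the check only looks at where a file sits.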
