mgross333

asked on

How to get rid of the Welchia virus under XP

Virus symptoms under XP Pro upgraded to SP2, 2.6 GHz Celeron, 512 MB, 96 GB free: 100% of the CPU is in use per Windows Task Manager (WTM). So McAfee won't run at reboot, with an error that it cannot get enough resources to run. System Restore will not run, giving an empty white window. System Information starts but then says it cannot give any statistics. PC operation is generally very slow, but internet access via the IE browser is possible. Results in Safe Mode with Networking are the same, no better.

WTM, process tab, shows svchost.exe is the culprit: one instance of it has about 50% of the CPU and the System Idle process has the other 50%. There are also other instances of svchost.exe that have 0% CPU usage. But these are averages; the CPU usage graph shows big fluctuations. I assume that this lack of CPU resources is what the McAfee error message is referring to and is the reason System Restore and System Information (effectively) will not run. WHY IS THIS IMPORTANT? Because if I could get the CPU back I could system restore to the day before the problem began, which is a known date, and all would be well again. Or I could run a full system virus scan in McAfee or Norton or some other virus remover especially good at removing the Welchia virus.

Why do I think this is the Welchia virus? Go to http://forum.pcvsconsole.com/viewthread.php?tid=8191 and scan down to the 3rd post by Trunks007. A complete match to my symptoms, plus if you read the first few pages of this thread others confirm this. The initial post in this thread is for Windows 2000 Pro, but if you read on you see this post expands quickly to include XP too.

Well, if I have read this non-EE thread, WHY AM I POSTING HERE?

The reason is that the thread consists of: problem, then solution, then "I tried that and it failed", then "no, try my solution", and again (from a new person) "no, I tried that one too and it failed", and so on.

Hence my request here is: provide a STEP BY STEP detailed procedure to get rid of the Welchia virus under XP Pro that WORKS. Don't skip a step because you assume any security expert would know to do that. I am not a security expert. Also be aware that if McAfee won't run (it starts but then we get the error message and the McAfee icon in the lower right taskbar turns from red to black), other programs may not run either. So if you tell me to do a Norton AV full system scan, well, that may or may not run too. I don't know for sure. Also, doing things in Safe Mode does not solve the CPU usage problem here, because svchost.exe is on the short list of processes that are allowed in Safe Mode, so the CPU usage is 100% there too. Very inconvenient, isn't it?

Now for one ray of hope. From the various posts at http://forum.pcvsconsole.com/viewthread.php?tid=8191 , I see some posters think that this whole thing only happens if the PC has internet access. And I'm not 100% sure whether my claims of 100% CPU usage were with Safe Mode vs Safe Mode with Networking. I think I saw that System Restore would not come up in Safe Mode, but it may have been Safe Mode with Networking.

Please note I am NOT asking for information on the Welchia virus or on svchost.exe; I am asking for one thing only: a step by step instruction set for removing it under Windows XP Pro that works. If you cannot provide that, or a link to such a step by step set, then do NOT respond to this question.
imnajam

Hi mgross333,
http://www.symantec.com/avcenter/FixWelch.exe

Download the FixWelch.exe file from: http://www.symantec.com/avcenter/FixWelch.exe.
Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).
To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Close all the running programs before running the tool.
If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.

--------------------------------------------------------------------------------
WARNING: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
--------------------------------------------------------------------------------

Double-click the FixWelch.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

Cheers!
You must have:
- disabled/disconnected the network/internet connection
- disabled Windows XP System Restore

If you still fail to remove Welchia, try running the removal tool in Safe Mode!

How to turn off or turn on Windows XP System Restore
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
or

http://www.iamnotageek.com/a/438-p1.php


GOOD LUCK
Essential Steps for Cleaning and Securing Your Computer - MSBlaster and Welchia worms

http://www.columbia.edu/acis/security/howto/remove/welch.html
mgross333

ASKER

Thanks for all the replies. Regarding turning System Restore off, my post above said I could not get any System Restore window to come up (it comes up as a blank white empty window and remains that way), even in Safe Mode. So that is not so easy.

IS your link above "http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405" an executable? Because if it merely brings up the window where I turn off System Restore, I don't think this will work, per the above; I'll just get an empty white window. Note: this is for someone else's PC, not mine. And I don't want to try the link on my own PC, as it deletes all the previous restore points and I do not want to do that on my PC. So I have to ask you the question rather than clicking the link.

Same question about http://www.iamnotageek.com/a/438-p1.php 

2nd question: if I cannot disable System Restore, how important is that if that infected restore point file is never restored from? I.e., can the Welchia virus do damage even if it is only in the System Restore files?

Regards,
  Mike
SOLUTION
imnajam

This solution is only available to members.
Since the FixWelch tool does not work, I did another search and found some other trojan/worm that might be related to that Welchia worm. If you have time, take a look at this site to see if any of the symptoms/files are the same on the PC you are fixing:

http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.af@mm.html

Also, if you want, run this scan:

Let's use a program to scan for any trojans that may exist. Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything in the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also, if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms; post that here.

If you know what to delete in that log, you may delete it without posting the log here.
To experts greyknight17 and imnajam,

First for greyknight17 ONLY,

Who says the FixWelch tool does not work? How do you know that?
And how sure are you that your fix above will work on a Windows XP Pro PC? Please state your estimated % chance that it will work.

To expert imnajam,
What is the % chance that the links to Symantec in your post above will fix this problem (as described in my question) on an XP Pro PC? Please state a % chance. Also, your claim above that the original page at Symantec seems to be unavailable is incorrect for me. I can see the page.

For both experts,

The summary here is that I have two other non-EE forum threads about svchost.exe taking over the CPU, and the net net is that for some reason no one solution works for everyone, even when on the same OS. Which also means the same symptom may correspond to two or even three different viruses or problems. (One of the forum threads is in the link in my question above, which begins this thread.) Plus System Restore can NOT be turned off on this PC, because svchost.exe has so much of the CPU that System Restore will not run; it will not start and there is no interface to turn System Restore off. But on the other hand, that is no problem. Because if you never restore from the infected restore point there is no problem at all. So I could
(1) Run a fix
(2) Then check if it works (svchost no longer takes over the CPU and McAfee now starts)
(3) Now I immediately go into System Restore, as the CPU is available, and turn System Restore off, thus deleting the infected restore point file.
(4) And then I turn System Restore back on.

The problem is that no one fix works.

TO experts imnajam and greyknight17.

Also, although I do not have time at the moment to provide details, the problem seems to be that the virus-infected svchost constantly accesses the internet, using up the CPU. I have found two people with fixes that worked. One said to go into McAfee Firewall (that apparently comes with the normal McAfee Antivirus SW package) and turn off the ability for svchost to access the internet. The other said to use Start/Run/services.msc and in the RPC line change the settings in a certain way to not allow internet access of a certain sort (I don't have the details available right now). You will note these two solutions that worked for two people did not delete the virus from the PC, yet they got rid of the symptoms by preventing the virus svchost.exe from accessing the internet.

Do you think these are worth trying, or do you think leaving the virus on the PC will eventually lead to svchost taking over the CPU again?
I thought that it didn't work since you didn't say that the Welch tool removed it. If it's the Welchia virus, that tool "should" have removed it, since Symantec made it specifically for this trojan.

Same again. I thought that the tool didn't remove Welchia, so I did a little searching online, and the link I provided might be a related/similar trojan. I just want to see if that might have the same symptoms and perhaps the same files. So I can't give any % chance of success there. If it is Welchia, that FixWelch tool should fix it up for you. If you have other viruses, you might need other tools to fix it up if the antivirus can't find and delete it.

Did you run the TDS-3 and see if that picked anything up?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Rich Rumble
You can try to turn off System Restore with this WMI script: just copy it to a text file, save it, then rename the .txt extension to .vbs and double-click it.
http://www.microsoft.com/technet/scriptcenter/scripts/desktop/restore/dmsrvb03.mspx

After that, you can try the removal tools, and patch your system. McAfee's Stinger should find and remove it after System Restore is off:
http://vil.nai.com/vil/stinger/
-rich
SOLUTION
This solution is only available to members.
THANKS for all your replies. Now to clarify a few things:
(1) This is not my PC, so long-term GOOD advice like "keep your PC updated" is not very relevant. And this particular PC owner is likely to have already done that. For one thing, they have SP2, which very few of my customers have.

(2) I chose the WRONG title for this question, and that (until the last four posts) has confused things for the Experts responding. I do NOT know the problem is the Welchia virus. What happened is I did a Yahoo search on svchost.exe and the 4th post was a forum thread saying that, if svchost.exe is eating up your CPU, it is the Welchia virus. Then I posted here under the "Welchia virus" question because the solutions in the other forum did not fix the problem. Next I read more pages in the other forum thread and in a 3rd forum thread on this same problem and discovered that the Welchia virus is NOT the only cause of svchost.exe using up the CPU.

So my NEW request is what will fix the problem, not what will get rid of the Welchia virus.

Richrumble, thanks for the script to (maybe) turn off System Restore, since the usual approaches do not work on this PC as too much of the CPU is being used. Regarding running McAfee Stinger and the removal tools, McAfee won't run on this PC because so much of the CPU is used up. I'm not sure the removal tools will run either, for the same reason.

Also, no one has responded to my claim that it is 100% unnecessary to turn off System Restore (when it is hard to do that), because the following four steps (copied and pasted from my post 5 above this) will work just as well:
(1) Run a fix
(2) Then check if it works (svchost no longer takes over the CPU and McAfee now starts)
(3) Now I immediately go into System Restore, as the CPU is available, and turn System Restore off, thus deleting the infected restore point file (or files).
(4) And then I turn System Restore back on.

Won't that work just as well? So if it is hard to turn off System Restore, why even try, given the 4 steps above?

Regarding Expert imnajam's suggestion to go to
> PAQ regarding "SVCHOST.EXE EATING UP SYSTEM RESOURCES" if I am not sure what the cause is
this is a bit difficult. I am NOT sure what the cause is, and it may not be the Welchia virus. However, the PAQ you refer me to has an incredible number of links and is not really to the point. I need instructions to do this, then do this, and finally do this. I realize that that is hard to do when we have not defined the problem source yet. But unfortunately there is more than one cause for svchost.exe using up most (or all) of the CPU.

Regards,
  Mike


My latest post should have addressed the System Restore issue...
You can re-enable it after you've cleaned the viruses and spyware off the machine, but each time you get spyware and viruses you'll have to turn it off again :(
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=&docid=2002051411085406&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
If you needed convincing... the above should indicate this is the only way.

Another solution you should try, if you can, is to remove the HD and place it in another PC with AV that is up to date. System Restore will still have to be turned off, as M$ uses a proprietary encryption method for storing data in the restore folder. Once System Restore is off, turn off your PC and remove the HD; place it in another PC as a secondary drive, or if you want you can buy a USB "sled" to put the HD in and then plug the HD into the second PC with the USB, and scan it with AV and even spyware programs. The registry, however, will not be cleaned in this situation, as the registry is not active when the drive is secondary. Again, the top 2 AV providers (in my opinion, McAfee and Symantec) state that System Restore must be turned off, in the two links above.
-rich
I would suggest you search the infected computer for the filename "svchost.exe".

Also try, in Task Manager, sorting by CPU and selecting the "svchost.exe" which is taking the most CPU, then "END PROCESS". It may give you an error, something like access denied or something else, if the file is legit to MS and is a service. You may notice more than 1 process with the name "svchost.exe"; try to end process all of them one by one, and hopefully only one of them will be ended, after which you may have some resources available to you.

Include your search result for svchost.exe when posting back... it should be found in more than 1 location. The locations would help us to identify the problem you are facing.

Good Luck...

P.S.: if richrumble's comments suit you, then try to do that first; hopefully it will solve the problem as well :)
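As an added example, not posted by anyone in this thread, the following VBScript does the check the post above asks for on a Windows XP machine through WMI: it lists every running svchost.exe with its on-disk path and the services each instance hosts, and flags any copy that is not %SystemRoot%\system32\svchost.exe or that hosts no service at all. Run it from an Administrator account with `cscript //nologo` so the output stays in the console window.

```vbscript
' Added example, not from the thread: audit every running svchost.exe on an XP box.
' A legitimate svchost.exe lives in %SystemRoot%\system32 and is started by the
' Service Control Manager to host one or more services; a copy elsewhere, or an
' instance hosting no service, is what the poster above wants reported back.
Option Explicit

Dim objShell, objWMI, strExpected, colProcs, objProc, strPath, strVerdict, colSvcs, objSvc

Set objShell = CreateObject("WScript.Shell")
strExpected = LCase(objShell.ExpandEnvironmentStrings("%SystemRoot%")) & "\system32\svchost.exe"

Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colProcs = objWMI.ExecQuery( _
    "SELECT ProcessId, ExecutablePath FROM Win32_Process WHERE Name = 'svchost.exe'")

For Each objProc In colProcs
    ' ExecutablePath is Null when the caller may not read the process; "" & Null gives "".
    strPath = LCase("" & objProc.ExecutablePath)
    If strPath = strExpected Then
        strVerdict = "ok: expected location"
    ElseIf strPath = "" Then
        strVerdict = "path not readable (run as Administrator)"
    Else
        strVerdict = "*** UNEXPECTED LOCATION, investigate ***"
    End If
    WScript.Echo "PID " & objProc.ProcessId & vbTab & objProc.ExecutablePath & vbTab & strVerdict

    ' Win32_Service.ProcessId ties each running service to the process hosting it.
    Set colSvcs = objWMI.ExecQuery( _
        "SELECT Name, State FROM Win32_Service WHERE ProcessId = " & objProc.ProcessId)
    If colSvcs.Count = 0 Then
        WScript.Echo vbTab & "hosts no services - not normal for svchost.exe"
    Else
        For Each objSvc In colSvcs
            WScript.Echo vbTab & "service: " & objSvc.Name & " (" & objSvc.State & ")"
        Next
    End If
Next
```

The PID in the first column is the same PID Task Manager shows (View > Select Columns > PID), so the instance eating the CPU can be matched to its path and hosted services before anything is ended.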