Solved

How to get rid of the Welchia virus under XP

Posted on 2005-04-24
559 Views
Last Modified: 2013-12-04
Virus symptoms under XP Pro upgraded to SP2, 2.6 GHz Celeron, 512 MB, 96 GB free: 100% of the CPU is in use per Windows Task Manager (WTM). So McAfee won't run at reboot, with an error that it cannot get enough resources to run. System Restore will not run, giving an empty white window. System Information starts but then says it cannot give any statistics. PC operation is generally very slow, but internet access via the IE browser is possible. Results in Safe Mode with Networking are the same, no better.

WTM, Processes tab, shows svchost.exe is the culprit: one instance of it has about 50% of the CPU and the System Idle Process has the other 50%. There are also other instances of svchost.exe that have 0% CPU usage. But these are averages; the CPU usage graph shows big fluctuations. I assume that this lack of CPU resources is what the McAfee error message is referring to and is the reason System Restore and System Information (effectively) will not run. WHY IS THIS IMPORTANT? Because if I could get the CPU back I could System Restore to the day before the problem began, which is a known date, and all would be well again. Or I could run a full system virus scan in McAfee or Norton or some other virus remover especially good at removing the Welchia virus.

Why do I think this is the Welchia virus? Go to http://forum.pcvsconsole.com/viewthread.php?tid=8191 and scroll down to the 3rd post, by Trunks007. A complete match to my symptoms, plus if you read the first few pages of this thread others confirm this. The initial post in this thread is for Windows 2000 Pro, but if you read on you see the thread expands quickly to include XP too.

Well, if I have read this non-EE thread, WHY AM I POSTING HERE?

The reason is that the thread consists of a problem, then a solution, then "I tried that and it failed", then "no, try my solution", and again (from a new person) "no, I tried that one too and it failed", and so on.

Hence my request here is to provide a STEP BY STEP detailed procedure to get rid of the Welchia virus under XP Pro that WORKS. Don't skip a step because you assume any security expert would know to do that. I am not a security expert. Also be aware that if McAfee won't run (it starts, but then we get the error message and the McAfee icon in the lower right taskbar turns from red to black), other programs may not run too. So if you tell me to do a Norton AV full system scan, well, that may or may not run too. I don't know for sure. Also, doing things in Safe Mode does not solve the CPU usage problem here, because svchost.exe is on the short list of processes that are allowed in Safe Mode, so the CPU usage is 100% there too. Very inconvenient, isn't it?

Now for one ray of hope. From the various posts at http://forum.pcvsconsole.com/viewthread.php?tid=8191 , I see some posters think that this whole thing only happens if the PC has internet access. And I'm not 100% sure whether my claims of 100% CPU usage were with Safe Mode vs Safe Mode with Networking. I think I saw that System Restore would not come up in Safe Mode, but it may have been Safe Mode with Networking.

Please note I am NOT asking for information on the Welchia virus or on svchost.exe; I am asking for one thing only: a step by step instruction set for removing it under Windows XP Pro that works. If you cannot provide that, or a link to such a step by step set, then do NOT respond to this question.
Question by:mgross333
15 Comments
 
LVL 9

Expert Comment

by:imnajam
ID: 13854486
Hi mgross333,
http://www.symantec.com/avcenter/FixWelch.exe

Download the FixWelch.exe file from: http://www.symantec.com/avcenter/FixWelch.exe.
Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).
To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Close all the running programs before running the tool.
If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.


--------------------------------------------------------------------------------
WARNING: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
--------------------------------------------------------------------------------


Double-click the FixWelch.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.



Cheers!
 
LVL 9

Expert Comment

by:imnajam
ID: 13854492
 
LVL 9

Expert Comment

by:imnajam
ID: 13854510
You must have:
- disabled/disconnected the network/internet connection
- disabled Windows XP System Restore

If you still fail to remove Welchia, try running the removal tool in Safe Mode!

How to turn off or turn on Windows XP System Restore
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
or

http://www.iamnotageek.com/a/438-p1.php


GOOD LUCK
 
LVL 9

Expert Comment

by:imnajam
ID: 13854546
Essential Steps for Cleaning and Securing Your Computer - MSBlaster and Welchia worms

http://www.columbia.edu/acis/security/howto/remove/welch.html
 

Author Comment

by:mgross333
ID: 13854948
Thanks for all the replies. Regarding turning System Restore off, my post above said I could not get any System Restore window to come up (it comes up as a blank white empty window and remains that way) even in Safe mode. So that is not so easy.

Is your link above "http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405" an executable? Because if it merely brings up the window where I turn off System Restore, I don't think this will work per the above; I'll just get an empty white window. Note: this is for someone else's PC, not mine. And I don't want to try the link on my own PC, as it deletes all the previous restore points and I do not want to do that on my PC. So I have to ask you the question rather than clicking the link.

Same question about http://www.iamnotageek.com/a/438-p1.php 

2nd question: if I cannot disable System Restore, how important is that if that infected restore point file is never restored from? i.e. can the Welchia virus do damage even if it is only in the System Restore files?

Regards,
  Mike
 
LVL 9

Assisted Solution

by:imnajam
imnajam earned 1200 total points
ID: 13855028
I am not sure what you are asking about the link being executable! Do you mean you can't find/view the above page?

I would suggest you study the links below for in-depth and detailed information.

W32.Welchia.Worm Removal Tool
[ http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html ]

W32.Welchia.Worm <detail about the worm>
[ http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html ]


Now, answers to your questions are:

1- If you mean that you will lose your previous backup if you turn off System Restore, then yes, you will lose all restore points.

Caution When you turn off System Restore, all existing restore points are removed, and you are no longer able to track or undo changes to your computer. To continue to use System Restore to restore your computer to a previous state, do not turn off System Restore.
<<< Snippet from http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405 >>>
If you want to continue having the backup(s), then you would have to create a new one after removing the worm: you can safely turn System Restore back on and create a restore point after you run the removal tool.


2-
<<< Snippet from http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html >>>
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

Hope it helps!
 
LVL 15

Expert Comment

by:greyknight17
ID: 13856303
Since the FixWelch tool does not work, I did another search and found some other trojan/worm that might be related to that Welchia worm. If you have time, take a look at this site to see if any of the symptoms/files are the same on the PC you are fixing:

http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.af@mm.html

Also, if you want, run this scan:

Let's use a program to scan for any trojans that may exist.  Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download.  Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse.  Make sure to update it after you installed it.  You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update.  When you launch the program, it will scan your memory for running processes.  This will take less than 30 seconds.  Next go to 'System Testing' on the menu and choose 'Full System Scan'.  After that's finished, post the log file by selecting everything on the top pane (select from bottom to top).  If any alarms are found, it will be listed in the bottom window.  Please copy and paste that here also if it applies.  If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

If you know what to delete in that log, you may delete it without posting the log here.
 

Author Comment

by:mgross333
ID: 13857556
To experts  greyknight17 and inmajam,

First for greyknight17 ONLY,

Who says the FixWelch tool does not work? How do you know that?
And how sure are you that your fix above will work on a Windows XP Pro PC? Please state your estimated % chance that it will work.

To expert inmajam,
What is the % chance that the links above to Symantec in your post will fix this problem (as described in my question) on an XP Pro PC? Please state a % chance. And also, your claim above that the original page at Symantec seems to be unavailable is incorrect for me. I can see the page.

For both experts,

The summary here is that I have two other non-EE forum threads about svchost.exe taking over the CPU, and the net net is that for some reason no one solution works for everyone, even when on the same OS. Which also means the same symptom may correspond to two or even three different viruses or problems. (One of the forum threads is in the link in my question above which begins this thread.) Plus System Restore can NOT be turned off on this PC, because svchost.exe has so much of the CPU that System Restore will not run; it will not start, and there is no interface to turn System Restore off. But on the other hand, that is no problem. Because if you never restore from the infected restore point there is no problem at all. So I could
(1) Run a fix
(2) Then check if it works (svchost no longer takes over the CPU and McAfee now starts)
(3) Now I immediately go into System Restore, as the CPU is available, and turn System Restore off, thus deleting the infected restore point file.
(4) And then I turn System Restore back on.

The problem is that no one fix works.

TO expert inmajam and greyknight17.

Also, although I do not have time at the moment to provide details, the problem seems to be that the virus-infected svchost constantly accesses the internet, using up the CPU. I have found two people with fixes that worked. One said to go into McAfee Firewall (that apparently comes with the normal McAfee Antivirus SW package) and turn off the ability for svchost to access the internet. The other said to use Start/Run/services.msc and in the RPC line change the settings in a certain way to not allow internet access of a certain sort (I don't have the details available right now). You will note these two solutions that worked for two people did not delete the virus from the PC, yet they got rid of the symptoms by preventing the virus svchost.exe from accessing the internet.
 
 Do you think these are worth trying or do you think leaving the virus on the PC will eventually lead to svchost taking over the CPU again?
 
LVL 15

Expert Comment

by:greyknight17
ID: 13861911
I thought that it didn't work since you didn't say that the Welch tool removed it. If it's the Welchia virus, that tool "should" have removed it, since Symantec made it specifically for this trojan.

Same again. I thought that the tool didn't remove Welchia, so I did a little searching online and the link I provided might be a related/similar trojan. I just want to see if that might have the same symptoms and perhaps the same files. So I can't give any % chance of success there. If it is Welchia, that FixWelch tool should fix it up for you. If you have other viruses, you might need other tools to fix it up if the antivirus can't find and delete it.

Did you run the TDS-3 and see if that picked anything up?
 
LVL 9

Accepted Solution

by:
imnajam earned 1200 total points
ID: 13862110
If you have identified the problem correctly and it's Welchia, then there are both 99% chances and 50% chances:

99% chance if you run the tool after turning off System Restore
50% chance if you run the tool without turning off System Restore (it will remove it), but there would be a chance of getting re-infected sooner or later!

According to your question, my comments are answers for you. Furthermore, if you are not sure whether it's Welchia or something else, then I would recommend you read the PAQ regarding "SVCHOST.EXE EATING UP SYSTEM RESOURCES"
[ http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21021550.html ]

My final words for you would be, "always keep your Windows updated (patches & service packs) via Windows Update [ http://windowsupdate.microsoft.com/ ]".

For recovering a system from such a disaster there are some steps that are considered necessary:
1- remove unnecessary services/software & applications
2- update & run a full system virus scan
3- run Windows Update, download & install the patches available/suitable for your system

You may wish to run the removal tool after step 2 if needed!

GOOD LUCK :) I think you are ready to try now! Hope you will be successful :)
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13862496
You can try to turn off System Restore with this WMI script: just copy it to a text file, save it, then rename the .txt extension to .vbs and double click it
http://www.microsoft.com/technet/scriptcenter/scripts/desktop/restore/dmsrvb03.mspx

After that, you can try the removal tools, and patch your system. McAfee's Stinger should find and remove it after system restore is off
http://vil.nai.com/vil/stinger/
-rich
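The same operation as the TechNet VBScript Rich links, written as an added PowerShell example (not from this thread or from Microsoft's script): it drops every restore point by disabling System Restore through the WMI SystemRestore class, which needs no System Restore window, then re-enables it and creates a clean restore point. It assumes Windows PowerShell is installed on the XP machine (it is not part of XP by default) and an administrator session.

```powershell
# Added example, not from this thread or from the TechNet script linked above.
# Turn System Restore off (this deletes every restore point, infected ones
# included), then turn it back on and create a clean restore point, using the
# WMI SystemRestore class instead of the System Restore window that will not
# open on the affected PC. Assumes Windows PowerShell on XP and admin rights.

$drive = "$env:SystemDrive\"                       # e.g. C:\
$sr    = [wmiclass] 'root\default:SystemRestore'   # static Enable/Disable methods

# Show what exists before anything is deleted.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, Description, CreationTime

$rc = $sr.Disable($drive)
if ($rc.ReturnValue -ne 0) { throw "Disable failed, return code $($rc.ReturnValue)" }
Write-Host "System Restore disabled on $drive; run the removal tool or full scan now."

# ---- run FixWelch / Stinger / a full AV scan here, then continue ----

$rc = $sr.Enable($drive, $true)                    # $true: wait until it is enabled
if ($rc.ReturnValue -ne 0) { throw "Enable failed, return code $($rc.ReturnValue)" }

# 0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE event.
$rc = $sr.CreateRestorePoint('Clean restore point after worm removal', 0, 100)
if ($rc.ReturnValue -ne 0) { throw "CreateRestorePoint failed, return code $($rc.ReturnValue)" }
```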
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 13862530
Also, forget the restore points: if you don't turn off System Restore, you cannot remove the viri entirely; you can thank M$ for that. I never had any success with them, and the corporations I work for all turn it off first thing. You can re-enable it after you've cleaned the viri and spyware off the machine, but each time you get spyware and viri you'll have to turn it off again :(
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=&docid=2002051411085406&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
If you needed convincing.... the above should indicate this is the only way.
-rich
 

Author Comment

by:mgross333
ID: 13875923
THANKS for all your replies. Now to clarify a few things:
(1) This is not my PC, so long term GOOD advice like "keep your PC updated" is not very relevant. And this particular PC owner is likely to have already done that. For one thing, they have SP2, which very few of my customers have.

(2) I chose the WRONG title for this question and that (until the last four posts) has confused things for Experts responding. I do NOT know the problem is the Welchia virus. What happened is I did a Yahoo search on svchost.exe and the 4th post was a forum thread saying that, if svchost.exe is eating up your CPU, it is the Welchia virus. Then I posted here under the "Welchia virus" question because the solutions in the other forum did not fix the problem. Next I read more pages in the other forum thread and in a 3rd forum thread on this same problem and discovered that the Welchia Virus is NOT the only cause of svchost.exe using up the CPU.

So my NEW request is what will fix the problem, not what will get rid of the Welchia virus.

Richrumble, thanks for the script to (maybe) turn off System Restore, since the usual approaches do not work on this PC as too much of the CPU is being used. Regarding running McAfee Stinger and the removal tools, McAfee won't run on this PC because so much of the CPU is used up. I'm not sure the removal tools will run either, for the same reason.

Also, no one has responded to my claim that it is 100% unnecessary to turn off System Restore (when it is hard to do that), because the following four steps (copied and pasted from my post 5 above this) will work just as well:
(1) Run a fix
(2) Then check if it works (svchost no longer takes over the CPU and McAfee now starts)
(3) Now I immediately go into System Restore, as the CPU is available, and turn System Restore off, thus deleting the infected restore point file (or files).
(4) And then I turn System Restore back on.

Won't that work just as well? So if it is hard to turn off System Restore, why even try, given the 4 steps above?

Regarding Expert Inmajam's suggestion to go to
> PAQregarding "SVCHOST.EXE EATING UP SYSTEM RESOURCES" if I am not sure what the cause is
this is a bit difficult. I am NOT sure what the cause is, and it may not be the Welchia virus. However, the PAQ you refer me to has an incredible number of links and is not really to the point. I need instructions to do this, then do this, and finally do this. I realize that that is hard to do when we have not defined the problem source yet. But unfortunately there is more than one cause for svchost.exe using up most (or all) of the CPU.

Regards,
  Mike
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13876039
My latest post should have addressed the System Restore issue...
You can re-enable it after you've cleaned the viri and spy-ware off the machine, but each time you get spy-ware and viri you'll have to turn it off again :(
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=&docid=2002051411085406&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
If you needed convincing.... the above should indicate this is the only way.

Another solution you should try, if you can, is to remove the HD and place it in another PC with AV that is up to date. System Restore will still have to be turned off, as M$ uses a proprietary encryption method for storing data in the restore folder. Once System Restore is off, turn off your PC and remove the HD, place it in another PC as a secondary drive, or if you want you can buy a USB "sled" to put the HD in and then plug the HD into the second PC via USB and scan it with AV, and even spyware programs. The registry, however, will not be cleaned in this situation, as the registry is not active when the drive is secondary. Again, the top 2 AV providers (in my opinion, McAfee and Symantec) state that System Restore must be turned off, in the two links above.
-rich
 
LVL 9

Expert Comment

by:imnajam
ID: 13877870
I would suggest you search the infected computer for the filename "svchost.exe".

Also, in Task Manager sort by CPU and select the "svchost.exe" which is taking most of the CPU, then "End Process". It may give you an error like access denied or something else if the file is legit from MS and is a service. You may notice more than one process with the name "svchost.exe"; try to end them all one by one, and hopefully only one of them will be ended, after which you may have some resources available to you.

Include your search results for svchost.exe when posting back... It should be found in more than one location. The locations would help us identify the problem you are facing.

Good Luck...

P.S.: if richrumble's comments suit you, then try that first; hopefully it will solve the problem as well :)
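imnajam's two checks above (which svchost.exe is eating the CPU, and where copies of svchost.exe live on disk) combined into one added PowerShell example that is not part of this thread; it assumes Windows PowerShell 2.0 or later and an administrator session, and flags an svchost.exe instance that runs from outside System32 or hosts no service.

```powershell
# Added example, not from this thread: list every running svchost.exe with its
# image path and the services it hosts, flag the odd one out, then find every
# file named svchost.exe on the system drive (imnajam's suggestion above).
# Assumes Windows PowerShell 2.0 or later and an administrator session
# (without admin rights WMI may not return ExecutablePath for system processes).

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map each running service to the PID that hosts it.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service -Filter "State = 'Running'") {
    $svcPid = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
    $servicesByPid[$svcPid] += $svc.Name
}

# One row per svchost.exe process. A legitimate instance runs from System32
# and hosts at least one service; anything else is worth a closer look.
$report = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procPid = [int]$_.ProcessId
    $path    = $_.ExecutablePath
    $hosted  = $servicesByPid[$procPid]
    # CPU time consumed so far, in seconds (WMI reports 100 ns units).
    $cpuSec  = [math]::Round(([double]$_.KernelModeTime + [double]$_.UserModeTime) / 1e7, 1)
    $flag    = ($path -eq $null) -or ($path -ne $expected) -or ($hosted -eq $null)
    New-Object PSObject -Property @{
        PID        = $procPid
        Path       = $path
        Services   = ($hosted -join ', ')
        CPUSeconds = $cpuSec
        Suspicious = $flag
    }
}

$report | Sort-Object CPUSeconds -Descending |
    Format-Table PID, CPUSeconds, Suspicious, Path, Services -AutoSize

# Every svchost.exe on the disk. Windows File Protection keeps a backup copy in
# System32\dllcache and a service pack leaves one under ServicePackFiles; a copy
# anywhere else is the one to account for.
Get-ChildItem -Path "$env:SystemDrive\" -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The instance the thread describes, one svchost.exe pinned at the top of the CPU column, sorts to the first row; a real service host there still points at a problem in one of the services it hosts rather than at a rogue binary.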
