
dllhost.exe virus welcha worm


chaim79

I have a Win2k server box that is infected with the Welchia worm. I don't know how I got infected, but this virus is sending out pings to every possible IP address (sequentially, even). The only way I've been able to temporarily stop this virus is to install "Tiny Personal Firewall" and have it block all ICMP packets to and from that box. I have Norton AntiVirus Corporate Edition running and updated, but it can't get at the virus for some reason. It will detect the virus in DLLHOST.EXE, but even when I'm logged in as administrator it doesn't have the privileges to remove the virus. Right now I'm up a creek. The only option that I can see that will actually work is to format and reinstall the server, but I really don't want to do that (too lazy). I have IIS running and serving web pages, and I've heard that is done through DLLHOST.EXE. Is there any way that the virus could be hidden in one of those files?

If anyone has ideas on how to get rid of the "Welchia worm" without killing the system, please let me know! PLEASE!!!

Erik of Ekedahl
 
Try to scan for your virus in Safe Mode, because no file is in use there.

It should be fine when you scan in Safe Mode.
 
Norton has a specific tool for the removal of that particular virus. Do a search for it on their website and put the tool on a floppy. It does a nice job. I've used it in the past.
 
Thanks guys! The virus is gone! WOOT! That virus had been giving me a pain for a couple of months. :)

BTW, shouldn't there be a "hard-to-kill virus" sticky? Just a simple thread that is just for how to get rid of viruses that need special attention to kill (so there isn't anyone like me posting "how do I" all the time).

Thanks again.
 