Powerful & Persistent Intruder

  1. #1
    gitano is offline Newbie

    Powerful & Persistent Intruder

    Without using some antivirus/antispyware, a few seconds after each Internet connection (dial-up standalone home PC using W2K), some pest takes control of the traffic. It quickly increases the sent information, making it many times the size of the received information with a rapidly accelerating difference (even when nothing is open except a download from Windows Update or Download.com).

    When using Norton Internet Security, it frequently asks for confirmation to block something like "Welchia..."; when using Avast antivirus, it tells of "DCOM" being stopped by its Networkshield.

    Spybot, Ad-Aware,... and now Microsoft Antispyware fail to detect, let alone eliminate, the pest. Tried Microsoft's and others' (Welchia, DCOM, DSO, Scvchost.exe,...) patches/programs but to no avail. Finally, even reinitializing the entire hard disk many times, varying the number and sizes of the partitions, and reinstalling Windows (2K Pro) didn't catch the pest.

    I have been facing this problem for many months now, which has made me as curious to know the causes as interested in getting the cure.

    All replies will be appreciated.


  2. #2
    owen is offline D-A-L Team Member (UK)
    First of all, here's a description of the Welchia Worm. Welchia tries to spread through a network you may be connected to (your Internet Connection counts), usually hitting people with the same IP range as you, so people with the same ISP. This explains the outgoing amount of data.

    Your alert from Avast about DCOM is alerting you that Welchia is exploiting a vulnerability. DCOM is part of Windows and had quite a few vulnerabilities a while ago which Worms exploited. You obviously haven't applied the patches needed, so this let Welchia in. Welchia will keep returning until its way in is patched up. Wiping your system will do nothing because you're just reinstalling Windows, and although the Worm is not there when you reinstall, it still has the way in because you have the vulnerabilities in your system.

    What you need to do is get to http://windowsupdate.microsoft.com and download ALL Critical Updates and Service Packs. This is a lot to ask when you're on Dial Up. Could you possibly go to Start > Run, type winver, and tell me what Service Pack you are on? It should say Windows 2000 Service Pack # or just Windows 2000 with no service packs. That way I know where you are with updates. So give me that information and install the specific patches for Welchia:

    The specific patches for the vulnerabilities Welchia exploits (for Windows 2000) are:
    KB823980
    KB824146
    KB815021

    After you've applied those patches, go to this page and follow the instructions to remove Welchia using the Removal Tool.

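The outgoing traffic discussed in this thread has a recognizable shape in connection logs: one host contacting many distinct neighbours on the DCOM/RPC port in a short time. The following is an added example, not part of either post, that flags that pattern; the log format, addresses, thresholds and function names are assumptions made for illustration, and TCP 135 is the RPC endpoint mapper port that DCOM uses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DCOM_RPC_PORT = 135  # TCP port of the RPC endpoint mapper that DCOM relies on
# Hypothetical log format: "<date> <time> OUT TCP <src> -> <dst>:<port>"
LINE = re.compile(r"(\S+ \S+) OUT TCP (\S+) -> (\S+):(\d+)$")

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # skip lines that are not outbound TCP records
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_scanners(lines, window=timedelta(seconds=60), min_targets=5, prefix=16):
    """Flag sources that contact many distinct hosts on TCP 135 within `window`.

    Lines must be in time order. Returns {src: (targets, share_in_own_range)}
    for the window in which the source reached the most distinct targets.
    """
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in filter(None, map(parse, lines)):
        if port != DCOM_RPC_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets and len(targets) > flagged.get(src, (0, 0))[0]:
            own = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            near = sum(ipaddress.ip_address(d) in own for d in targets)
            flagged[src] = (len(targets), near / len(targets))
    return flagged

# Constructed sample: 10.1.2.3 sweeps eight neighbours, 10.1.2.9 makes one RPC call.
SAMPLE = [f"2004-01-10 12:00:{i:02d} OUT TCP 10.1.2.3 -> 10.1.{i}.{i + 10}:135"
          for i in range(8)]
SAMPLE += ["2004-01-10 12:00:09 OUT TCP 10.1.2.3 -> 192.0.2.80:80",
           "2004-01-10 12:00:10 OUT TCP 10.1.2.9 -> 10.1.2.1:135"]

if __name__ == "__main__":
    for src, (count, share) in find_scanners(SAMPLE).items():
        print(f"{src}: {count} hosts on TCP 135 in 60s, {share:.0%} in its own /16")
```

A host that is flagged again shortly after a clean reinstall points to the situation described in post #2: the way in is still unpatched.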