Help needed to fight against viruses W32.Welchia.gen and W32.Gaobot.gen

Dear All,

I am Dominic from Hong Kong.
I have been using WinXP Home for a long time.

For the past 2 weeks, I have been having great trouble with the captioned viruses, i.e. W32.Welchia.gen and W32.HLLW.Gaobot.gen.

I have done the following in order to remove and prevent the captioned viruses, but still failed.

About my configuration: I am using Win XP Home on my notebook with 256M RAM and a 30G HD. My HD has 4 partitions (C, D, E and F drives).

First, I tried to format and re-install WinXP on my C drive (I did not format my other drives D/E/F, as they hold a lot of important data).

Then I reinstalled Norton Anti-Virus and a personal firewall.

After doing all the above, I did a full scan using the latest virus definitions, which said that my computer is virus free.

But every time I am connected to the internet for around 30 to 60 min, my NAV real-time file protector warns me that my computer is infected and that a new file wkspatch[1].exe and C:\Windows\SYstem32\driver\svchost.exe have been infected.

The real-time protector also warned me that Gaobot was found in an exe file in the C:\System Volume Information folder.

I downloaded the Welchia and Gaobot remover tools from Norton and used them; they said that the two viruses were not found on my computer.

Can anyone please kindly tell me how I can remove the viruses and at the same time prevent them from attacking my computer again?

Please contact me at DominicMok@nwtbb.com. Thanks.

I do not want to format all of my partitions, as they contain a lot of useful and valuable data.

Thanks.

Dominic

:-[

Hi,

a) your firewall obviously is not configured properly, but never mind
b) you didn’t read/follow the info on Welchia & GaoBot on Symantec’s website

  1. apply ALL Windows updates, download those mentioned on the Welchia infopage (Symantec) first, and install them OFFLINE (without inet, best in SafeMode=F8-Boot)

  2. disable system restore (see symantec Info on gaobot) and reboot; change ALL your passwords to something more secure, including the sometimes hidden REAL “Administrator”-account

reboot, and rerun tools in safeMode again

:wink: