Anti-Spyware Forums



Re: How to Get Rid of DLLHOST.EXE (Welchia)

 
 
taff
Guest
Posts: n/a

 
      23-01-2004, 02:56 AM
On Thu, 22 Jan 2004 21:48:23 -0800, Steve Sr. <(E-Mail Removed)>
wrote:

>This is a new box and I managed to catch both Blaster and Welchia
>before I could get the system updates and AV installed and updated.
>
>I used the Symantec tool to remove both worms but the tool left
>behind the infected DLLHOST.EXE. Kaspersky now complains about this
>file every time the scanner runs.
>
>How can I get rid of the infected file and put the original
>DLLHOST.EXE back where it belongs? Since it resides in a system
>directory I am assuming that Windows won't allow manual access.
>
>Thanks,
>
>Steve


Where is the file dllhost.exe? If it is in
C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000
then that is the file that is dropped by the virus.
There is a legitimate file called Dllhost.exe (about 5-6K) in the
System32 directory.

Taff..............



www.sounds-pa.com | www.thecomputerworkshop.com
 
 
 
 
 
taff
Guest
Posts: n/a

 
      23-01-2004, 06:30 PM
On Fri, 23 Jan 2004 10:04:13 -0800, Steve Sr. <(E-Mail Removed)>
wrote:

>On Fri, 23 Jan 2004 02:56:01 +0000, taff <(E-Mail Removed)> wrote:
>
>>On Thu, 22 Jan 2004 21:48:23 -0800, Steve Sr. <(E-Mail Removed)>
>>wrote:
>>
>>>This is a new box and I managed to catch both Blaster and Welchia
>>>before I could get the system updates and AV installed and updated.
>>>
>>>I used the Symantec tool to remove both worms but the tool left
>>>behind the infected DLLHOST.EXE. Kaspersky now complains about this
>>>file every time the scanner runs.
>>>
>>>How can I get rid of the infected file and put the original
>>>DLLHOST.EXE back where it belongs? Since it resides in a system
>>>directory I am assuming that Windows won't allow manual access.
>>>
>>>Thanks,
>>>
>>>Steve

>>
>>Where is the file dllhost.exe? If it is in
>>C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
>>C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000
>>then that is the file that is dropped by the virus.
>>There is a legitimate file called Dllhost.exe (about 5-6K) in the
>>System32 directory.
>>
>>Taff..............
>>

>Taff,
>
>You got it. The infected one is in the Wins directory (about 10K) and
>the uninfected one is in System32. So how do I get rid of (or) replace
>the infected one?
>
>Steve
>

Restart in safe mode ( F8 on startup ) and you should be able to
delete the virus file, possibly with your AV, if not just delete the
infected file.
When you have finished you need a good firewall, that is why your
machine was infected.
When you do a fresh install, ALWAYS install and enable a firewall
before plugging your modem in. It takes only 1 or 2 seconds for the
Blaster and Welchia worms to get in.

Taff.............



www.sounds-pa.com | www.thecomputerworkshop.com
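
The location check described in the posts above, as an added example that is not part of the original thread: it tags a watched file name directly in System32 as expected, a copy in System32\Wins as the drop location taff names, and goes beyond the thread by marking copies found anywhere else for manual review. The `WATCHED` set, the verdict names and the sample listing (sizes included) are assumptions made for this illustration.

```python
from pathlib import PureWindowsPath

# File names discussed in the thread. Assumption of this example: the
# genuine copy of each sits directly in <SystemRoot>\System32.
WATCHED = {"dllhost.exe", "svchost.exe"}
SYSTEM_ROOTS = {"windows", "winnt"}   # XP vs. NT/2000, as in the thread


def classify(path):
    """Classify one path as 'ignored', 'expected', 'wins-drop' or 'review'."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    if not parts or parts[-1] not in WATCHED:
        return "ignored"
    # parts[0] is the drive anchor ("c:\\"); the rest are directory names.
    under_sys32 = (len(parts) >= 4 and parts[1] in SYSTEM_ROOTS
                   and parts[2] == "system32")
    if under_sys32 and len(parts) == 4:
        return "expected"
    if under_sys32 and parts[3:-1] == ["wins"]:
        return "wins-drop"        # the location named in the thread
    return "review"               # any other copy: check it by hand


def triage(listing):
    """Return (verdict, path, size) for every watched file not in place."""
    findings = []
    for path, size in listing:
        verdict = classify(path)
        if verdict in ("wins-drop", "review"):
            findings.append((verdict, path, size))
    # Stable sort: 'wins-drop' findings first, input order kept otherwise.
    return sorted(findings, key=lambda f: f[0] != "wins-drop")


# Constructed sample listing (path, size in bytes); not from a real host.
SAMPLE = [
    (r"C:\WINDOWS\system32\dllhost.exe", 5120),
    (r"C:\Windows\System32\Wins\Dllhost.exe", 10240),
    (r"C:\WinNT\System32\Wins\svchost.exe", 19728),
    (r"C:\Windows\Temp\DLLHOST.EXE", 10240),
    (r"C:\Windows\System32\notepad.exe", 66048),
]

if __name__ == "__main__":
    for verdict, path, size in triage(SAMPLE):
        print(f"{verdict:10} {size:>7}  {path}")
```

A `review` result is not a verdict: backup or cache copies of system files kept by Windows will also land there, so check those by hand before removing anything.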
 
 
 
 
 
David H. Lipman
Guest
Posts: n/a

 
      24-01-2004, 12:01 AM
Taff:

He should use the AV software to remove the worm because it should also correct the
Registry. Just deleting the file does not correct the Registry.

Dave





 
 
Snowsquall
Guest
Posts: n/a

 
      24-01-2004, 12:41 AM

"taff" wrote:
>
> >>... <(E-Mail Removed)> wrote:
> >>
> >>>This is a new box and I managed to catch both Blaster and Welchia
> >>>before I could get the system updates and AV installed and updated.


Someone was trying to sell me a laptop and had it reinstalled fresh and
gave it to me to try out. Since I am on dial-up, I figured I did not need XP's
built-in firewall. Big mistake!! While installing Norton, the machine
rebooted (suspected Blaster) and sure enough it was BlasterF that paid me a
visit. Got rid of it with a removal tool from Symantec, then a full system
scan turned up Welchia in the form of DLLHOST.EXE. (But this time no
entries in the registry.)

> >>>
> >>>I used the Symantec tool to remove both worms but the tool left
> >>>behind the infected DLLHOST.EXE. Kaspersky now complains about this
> >>>file every time the scanner runs.
> >>>
> >>>How can I get rid of the infected file and put the original
> >>>DLLHOST.EXE back where it belongs? Since it resides in a system
> >>>directory I am assuming that Windows won't allow manual access.
> >>>
> >>>Thanks,
> >>>
> >>>Steve
> >>



How I knew which DLLHOST.EXE, and for that matter which svshost file, to get
rid of: I went into file search --that one with the puppy dog --he's so
cute! -- and checked the properties of the files. The files with the
latest date stamps were the files that got in with Blaster.


I might be lucky because the person that had tried to sell it to me will
just simply reformat it again --no big deal---
But for someone with a lot of files, emails, pictures etc., it would be a big
deal. See below:

> >>Where is the file dllhost.exe? If it is in
> >>C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
> >>C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000
> >>then that is the file that is dropped by the virus.
> >>There is a legitimate file called Dllhost.exe (about 5-6K) in the
> >>System32 directory.
> >>
> >>Taff..............
> >>

> >Taff,
> >
> >You got it. The infected one is in the Wins directory (about 10K) and
> >the uninfected one is in System32. So how do I get rid of (or) replace
> >the infected one?
> >
> >Steve
> >

> Restart in safe mode ( F8 on startup ) and you should be able to
> delete the virus file, possibly with your AV, if not just delete the
> infected file.
> When you have finished you need a good firewall, that is why your
> machine was infected.
> When you do a fresh install, ALWAYS install and enable a firewall
> before plugging your modem in.



I will tell my friend that the next person, or she herself if she is to use it,
should make sure the firewall is enabled at least until all the patches and
antivirus are installed.


> It takes only 1 or 2 seconds for the
> Blaster and Welchia worms to get in.



It seems that the Blaster and Welchia worms are roaming the ether world and
now will always be there to pounce on unprotected XP / 2000 computers.



 