Replace virus infected files from installation CD

chausan

Hi,

My brother's PC (installed with XP Home) was suspected of being infected by a
virus. After updating Norton AntiVirus and re-scanning the HD, I
found that the files below were reported as infected.

Norton reported to me that those infected files couldn't be repaired.
I would like to isolate them, but I'm afraid that after such action
these files will be unavailable to Windows and some critical
Windows functions will stop working.

I want to overwrite those files with copies from the XP installation CD.
However, I couldn't find them with the find command or the SFC command when I
tried to pick them up from the CD in my Windows 98 notebook.

I would like to ask where XP Home stores those files on the installation CD.
What utility could be used to extract them?

1. File DLLHOST.EXE reported infected by W32.Welchia.WORM

C:\WINDOWS\system32

17/09/2001 21:00 4,608 dllhost.exe
1 file(s) 4,608 bytes

C:\WINDOWS\system32\dllcache

17/09/2001 21:00 4,608 dllhost.exe
1 files(s) 4,608 bytes

C:\WINDOWS\system32\wins

01/09/2003 10:47 10,240 DLLHOST.EXE
1 files(s) 10,240 bytes

2. down.exe infected by W32.HLLW.Raleka

C:\WINDOWS\system32

14/09/2003 18:54 14,091 down.com
1 files(s) 14,091 bytes

3. GLOBALC.DLL infected by BackdoorRtkit

C:\WINDOWS\system32\RtKit

14/09/2003 18:54 122,880 globalc.dll
1 file(s) 122,880 bytes

4. ntcs.dll infected by BackdoorRtkit

C:\WINDOWS\system32\RtKit

14/09/2003 18:54 47,616 ntcs.dll
1 file(s) 47,616 bytes

5. packet.dll infected by BackdoorRtkit

C:\WINDOWS\system32\RtKit

14/09/2003 18:54 40,960 packet.dll
1 file(s) 40,960 bytes

6. rtkit.exe infected by BackdoorRtkit

C:\WINDOWS\system32\RtKit

14/09/2003 18:54 128,000 rtkit.exe
1 file(s) 128,000 bytes

7. SVCHOST.EXE infected by W32.HLLW.Raleka

C:\WINDOWS\system

14/09/2003 18:54 14,368 svchost.exe
1 file(s) 14,368 bytes

C:\WINDOWS\system32

17/09/2001 21:00 12,800 svchost.exe
1 file(s) 12,800 bytes

C:\WINDOWS\system32\dllcache

17/09/2001 21:00 12,800 svchost.exe
1 file(s) 12,800 bytes

C:\WINDOWS\system32\wins

01/09/2003 10:47 19,728 SVCHOST.EXE
1 file(s) 19,728 bytes

8. SVCHOST32.EXE infected by W32.HLLW.Raleka

C:\WINDOWS\system32

14/09/2003 18:54 14,368 svchost32.exe
1 file(s) 14,368 bytes

9. SVCHOST[1].EXE infected by W32.HLLW.Raleka


C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O47L1YUU

14/09/2003 18:54 14,368 svchost[1].exe
1 file(s) 14,368 bytes

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\POKR9HPF

01/09/2003 11:54 14,368 svchost[1].exe
1 file(s) 14,368 bytes

10. ntrootkit.exe infected by BackdoorRtkit

C:\WINDOWS\system32

14/09/2003 18:54 128,000 ntrootkit.exe
1 file(s) 128,000 bytes

11. ntrootkit[1].exe infected by BackdoorRtkit

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0HMJS9QB

14/09/2003 18:54 128,000 ntrootkit[1].exe
1 file(s) 128,000 bytes

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHANKH6F

01/09/2003 11:54 128,000 ntrootkit[1].exe
1 file(s) 128,000 bytes
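
A triage of the listing above, as an added example that is not part of the original post: it compares each reported file against the same-named copy in dllcache (the Windows File Protection cache on XP) by size and timestamp, separating copies that still look like the original OS file from same-named files sitting elsewhere. The entries are a subset transcribed from the post; the `triage` function and its "baseline"/"foreign" labels are assumptions of this example.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "directory date time size name")

# Subset of the directory listing, transcribed from the post above.
LISTING = [
    Entry(r"C:\WINDOWS\system32", "17/09/2001", "21:00", 4608, "dllhost.exe"),
    Entry(r"C:\WINDOWS\system32\dllcache", "17/09/2001", "21:00", 4608, "dllhost.exe"),
    Entry(r"C:\WINDOWS\system32\wins", "01/09/2003", "10:47", 10240, "DLLHOST.EXE"),
    Entry(r"C:\WINDOWS\system", "14/09/2003", "18:54", 14368, "svchost.exe"),
    Entry(r"C:\WINDOWS\system32", "17/09/2001", "21:00", 12800, "svchost.exe"),
    Entry(r"C:\WINDOWS\system32\dllcache", "17/09/2001", "21:00", 12800, "svchost.exe"),
    Entry(r"C:\WINDOWS\system32\wins", "01/09/2003", "10:47", 19728, "SVCHOST.EXE"),
    Entry(r"C:\WINDOWS\system32", "14/09/2003", "18:54", 14368, "svchost32.exe"),
    Entry(r"C:\WINDOWS\system32\RtKit", "14/09/2003", "18:54", 128000, "rtkit.exe"),
]

SYSTEM32 = r"c:\windows\system32"
DLLCACHE = SYSTEM32 + r"\dllcache"  # Windows File Protection cache on XP


def triage(listing):
    """Split entries into 'baseline' (agree with the dllcache copy) and 'foreign'."""
    # Index the cached copies by lower-cased name: (size, date, time).
    cache = {e.name.lower(): (e.size, e.date, e.time)
             for e in listing if e.directory.lower() == DLLCACHE}
    result = {"baseline": [], "foreign": []}
    for e in listing:
        where = e.directory.lower()
        if where == DLLCACHE:
            continue  # the reference copy itself
        same = cache.get(e.name.lower()) == (e.size, e.date, e.time)
        # Only the copy directly in system32 is treated as a candidate OS file;
        # the same name in any other directory is counted as foreign.
        kind = "baseline" if (where == SYSTEM32 and same) else "foreign"
        result[kind].append(e.directory + "\\" + e.name)
    return result


if __name__ == "__main__":
    for kind, paths in triage(LISTING).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

A size and timestamp match is only weak evidence that a file is untouched; comparing it from a clean system against a copy taken from the installation CD is the stronger check.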
 
Martin Van Dyke

Run the installation again as an upgrade. All system files will be replaced.
If you have Service Pack 1, you'll have to update again because the installation
will set it back to the primary package.

Patrick

WXHOEM_EN (XP-HE-CD)

D:\I386\dllhost.ex_

Note the '_' instead of 'E', thus indicating that the file is compressed.

Not sure, but as far as I know the file is to be extracted with the
'extract' command.
Type extract /? at a command prompt for help/parameters for the 'extract'
command.

chausan

Patrick said:
WXHOEM_EN (XP-HE-CD)

D:\I386\dllhost.ex_

Note the '_' instead of 'E', thus indicating that the file is compressed.

Not sure, but as far as I know the file is to be extracted with the
'extract' command.
Type extract /? at a command prompt for help/parameters for the 'extract'
command.

One limitation of the extract command is that it requires the user to specify the
cabinet file where the actual file is stored, but I don't know which
file actually stores the files I require. There are too many files to
search through on the installation CD.
Patrick

chausan said:
One limitation of the extract command is that it requires the user to specify the
cabinet file where the actual file is stored, but I don't know which
file actually stores the files I require. There are too many files to
search through on the installation CD.

I said 'I wasn't sure'; anyway, *expand* is the command required.
'extract' doesn't even exist on XP.
Type expand /? at a command prompt.
