JohnP725
A very strange thing happened while I was updating my
Windows XP Home system after just having had to reload it.
My machine had a Virus which Commandcom detection had not
caught (the virus changed and commandeered my Internet
Homepage) and I had to clean the disk and reload the
entire system.
I reloaded Windows during the night of 11/11/2003 and
then was using Windows Update to get the system up to
date. I had loaded successfully the
update "f25c5481655b15f5ea6f3e4187bfa64a" (creation time
Tuesday, November 11, 2003, 5:08:46 AM) and started
loading "45975d5efc3ef49c53f2c37479222d16" (creation time
Tuesday, November 11, 2003, 6:34:32 AM). It appears
that, at the start of 45975d5efc3ef49c53f2c37479222d16,
something infected my system again and loaded and
modified a version of DLLHOST.EXE (and perhaps
SVCHOST.EXE) in the WINDOWS\SYSTEM32\WINS\ directory.
Details of the DLLHOST.EXE are:
Description: DLLHOST.EXE (note the uppercase filename)
(Copyright: no information)
Size: 10,240 bytes
Size on disk: 12,288 bytes
Created: Tuesday, November 11, 2003, 6:33:21 AM
Modified: Tuesday, November 11, 2003, 6:33:40 AM
Details of the SVCHOST.EXE are:
Description: TCP/IP Trivial file transfer daemon
Version 5.0.2134.1
Copyright (C) Microsoft Corp. 1981-1999
Size: 19,728 bytes
Size on disk: 24,080 bytes
Created: Tuesday, November 11, 2003, 6:32:12 AM
Modified: Tuesday, November 11, 2003, 6:33:22 AM
There are other versions of dllhost.exe (lowercase
filenames), one in the WINDOWS\SYSTEM32 directory
(Description COM Surrogate Version 5.1.2600, Copyright (C)
Microsoft Corp., Size: 4,608 bytes) and one in the
WINDOWS\OPTIONS\CABS\WIN98_45.CAB Folder.
I mentioned SVCHOST.EXE because it too had an uppercase
filename and, also, it was modified one minute after
having been created - and a millisecond after DLLHOST.EXE
was created - too much of a coincidence.
According to Commandcom (which I didn't reload until
AFTER all this had happened), the DLLHOST.EXE loaded into
the WINDOWS/SYSTEM32/WINS/ directory is infected with
the "W32.NACHI.A" virus, but SVCHOST.EXE is virus free.
Can I do anything to avoid reloading the whole system yet
again?? What other action should I take (apart from
reloading the Virus detection system BEFORE anything else
after the basic Windows XP load!)?
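
Added example, not part of the post above: a small check that flags files named like a Windows system binary but stored outside the expected directory, then groups the hits by creation time to show they arrived together. The `C:` drive letter, the expected-directory table, the System32 copy's timestamp and the five-minute window are assumptions; the other paths and times are taken from the post.

```python
import ntpath
from datetime import datetime, timedelta

# Assumption: expected home directory for each system binary name (lowercase).
EXPECTED_DIR = {
    "dllhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# Constructed inventory. WINS paths and creation times follow the post;
# the C: drive letter and the System32 copy's timestamp are assumptions.
INVENTORY = [
    (r"C:\WINDOWS\SYSTEM32\dllhost.exe", "2003-11-11 05:02:10"),
    (r"C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE", "2003-11-11 06:33:21"),
    (r"C:\WINDOWS\SYSTEM32\WINS\SVCHOST.EXE", "2003-11-11 06:32:12"),
]

def find_misplaced(inventory, expected=EXPECTED_DIR):
    """Return (path, created) for files named like a system binary but stored elsewhere."""
    hits = []
    for path, created in inventory:
        # normpath also converts forward slashes, so both path styles compare equal.
        directory, name = ntpath.split(ntpath.normpath(path))
        home = expected.get(name.lower())
        if home is not None and directory.lower() != home:
            hits.append((path, datetime.strptime(created, "%Y-%m-%d %H:%M:%S")))
    return sorted(hits, key=lambda h: h[1])

def dropped_together(hits, window=timedelta(minutes=5)):
    """Group time-sorted hits created within `window` of the previous hit."""
    groups = []
    for hit in hits:
        if groups and hit[1] - groups[-1][-1][1] <= window:
            groups[-1].append(hit)
        else:
            groups.append([hit])
    return groups

if __name__ == "__main__":
    for group in dropped_together(find_misplaced(INVENTORY)):
        print("Created together outside the expected directory:")
        for path, created in group:
            print(f"  {path}  {created}")
```

The comparison is case-insensitive because Windows file names are; an uppercase name on its own is not treated as a signal here, only the location is.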