dllhost.exe + Norton antivirus

nifsmith

I have just bought and installed Norton Internet Security and the NAV
that comes with it has found a virus in the
C:\Windows\System32\wins\dllhost.exe file. I find this surprising as I
carried out a complete re-install before putting it on my machine.

Install as follows.
XP
MSI drivers
LG monitor drivers
IIS
Vis studio.net 2003
MSDE
NIS
Downloaded updated virus definitions and registered NIS
Full System Scan

These are all OEM disks, how the hell can I have got this virus or can
this be a spurious call on behalf of NAV? NAV deleted this file and I
can't get IIS to display or VS to create a web project.

What is dllhost and what program would install it?

Any help appreciated.

Cheers

Hawklord451
 
Rick "Nutcase" Rogers

Hi,

Dllhost.exe in that folder is the Welchia worm, not the WinXP file that
should be under %windir%\system32. Norton was correct, the file needs to be
removed, see this link:

http://www.pchell.com/virus/welchia.shtml

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Bruce Chambers

Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Alex Nichol

nifsmith said:
These are all OEM disks, how the hell can I have got this virus or can
this be a spurious call on behalf of NAV? NAV deleted this file and I
can't get IIS to display or VS to create a web project.

What is dllhost and what program would install it?


A malevolent file gets installed under a different folder from the
standard one, by IIRC the Welchia worm. So you need to clean house,
then you should be left (on a search) with a 'good' copy in
windows\system32\dllcache. You will need to have Folder Options - View
set to show Hidden files, and *not* Hide Protected mode ones to see them
all. There ought also to be one of the same size - only 5K - in
Windows\system32 - any that is larger (usually 14K) should be deleted.

If the one in System32 is the wrong size, rename it with a different
extension (e.g. .dlx). A fresh clean copy will be almost instantly
restored from the dllcache, and will come into use on a reboot, when you
can delete the 'bad one'.
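
The check described in the reply above, written as a script. This is an added example, not something posted by anyone in the thread; the function names and the demo folder tree are assumptions, the files are constructed filler, and the hash comparison goes one step beyond the size check the reply describes.

```python
import hashlib
import tempfile
from pathlib import Path

TARGET = "dllhost.exe"
# Folders, relative to the Windows directory, where the thread expects a copy.
EXPECTED_DIRS = {"system32", "system32/dllcache"}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(windir):
    """Map each folder holding dllhost.exe to a verdict."""
    windir = Path(windir)
    found = {}
    for p in windir.rglob("*"):
        if p.is_file() and p.name.lower() == TARGET:
            found[p.parent.relative_to(windir).as_posix().lower()] = p
    # Assumption from the reply: the dllcache copy is the known-good baseline.
    baseline = found.get("system32/dllcache")
    ref = sha256(baseline) if baseline else None
    report = {}
    for folder, p in sorted(found.items()):
        if folder not in EXPECTED_DIRS:
            report[folder] = "unexpected location"
        elif ref is None:
            report[folder] = "no dllcache baseline"
        elif p.stat().st_size != baseline.stat().st_size:
            report[folder] = "size differs from dllcache copy"
        elif sha256(p) != ref:
            report[folder] = "same size, different hash"
        else:
            report[folder] = "matches dllcache copy"
    return report

def build_demo_tree(root):
    """Constructed stand-in files: filler bytes, not real binaries."""
    good, bad = b"G" * 5 * 1024, b"B" * 14 * 1024
    layout = (("system32", good), ("system32/dllcache", good), ("system32/wins", bad))
    for folder, data in layout:
        d = Path(root, folder)
        d.mkdir(parents=True, exist_ok=True)
        (d / TARGET).write_bytes(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, verdict in triage(build_demo_tree(tmp)).items():
            print(f"{folder:20} {verdict}")
```

A "matches dllcache copy" verdict is only as trustworthy as the dllcache copy itself, so a known-good hash from installation media is the stronger reference where one is available.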
 
