Virus w32/Nachi.A


Lionel David

My anti virus program flags dllhost.exe file in
directory ../windows/system32/wins as infected with the
above virus. From where can I get a new copy of dllhost.exe
that can replace the existing file? How does deleting this
file affect the functions of the computer?
 
I'd do a search of the hard drive to see if you have more than one instance
of the file. I can't think of a valid reason that a copy of dllhost.exe
would be in the sys32/wins folder. There should be a valid copy in the
system32 folder. If you still need a copy of it then send me an email and
I'll be happy to forward it to you.

Hope this helps,

--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
I had the same. Just delete it. It's not the real dllhost.exe and the wins
folder shouldn't exist.
 
How Does the Welchia Worm Infect My Computer?

1. Copies itself to the Wins directory in the System or System32 folder
in Windows, usually

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32
directory.
http://www.pchell.com/virus/welchia.shtml
 
Lionel said:
My anti virus program flags dllhost.exe file in
directory ../windows/system32/wins as infected with the
above virus. From where can I get a new copy of dllhost.exe
that can replace the existing file? How does deleting this
file affect the functions of the computer?

The particular DLLHOST. host that is infected is only a copy. You can delete
it safely. If you do a Search for this filename you will probably find
multiple copies. The original is 5 or 6 KB, the virus-infested one is much
larger and is in your \Wins folder. Here is more information on the virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
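
The check the replies above describe (search for every copy of dllhost.exe, then judge each by its folder and size), as an added example that is not code from any poster. The 8 KB limit, the verdict names and the demo directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

TARGET = "dllhost.exe"
# Assumption: 8 KB limit from the thread's "5 or 6 KB" plus slack; tune per system.
SIZE_LIMIT = 8 * 1024

def _norm(path):
    return os.path.normpath(path).lower()

def classify(path, size, system_dir):
    """Judge one dllhost.exe copy by the folder it sits in and its size."""
    parent, sysdir = _norm(os.path.dirname(path)), _norm(system_dir)
    if parent == sysdir:
        return "expected" if size <= SIZE_LIMIT else "oversized"
    if parent == os.path.join(sysdir, "wins"):
        return "welchia-location"   # the System32\Wins path named in the thread
    return "review"                 # any other copy needs a manual look

def find_copies(root, system_dir):
    """Walk root; return sorted (verdict, path, size) for every dllhost.exe."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                full = os.path.join(dirpath, name)
                size = os.path.getsize(full)
                found.append((classify(full, size, system_dir), full, size))
    return sorted(found)

def demo():
    """Classify a constructed directory tree (dummy files, not real binaries)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "System32")
        layout = {
            os.path.join(sysdir, "dllhost.exe"): 5 * 1024,
            os.path.join(sysdir, "Wins", "Dllhost.exe"): 10 * 1024,
            os.path.join(root, "Temp", "DLLHOST.EXE"): 5 * 1024,
        }
        for path, size in layout.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
        return [(v, os.path.relpath(p, root), s)
                for v, p, s in find_copies(root, sysdir)]

if __name__ == "__main__":
    for verdict, path, size in demo():
        print(f"{verdict:18} {size:6} {path}")
```

On a real system, call `find_copies` with the drive root and the actual System32 path; a "review" verdict is only a prompt to look, since backup or cache folders can hold genuine copies.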
 
Lionel said:
My anti virus program flags dllhost.exe file in
directory ../windows/system32/wins as infected with the
above virus. From where can I get a new copy of dllhost.exe
that can replace the existing file? How does deleting this
file affect the functions of the computer?

If it's in the sub-folder \wins, it's a fake dllhost file. Get the free,
standalone tool Stinger from http://vil.nai.com/vil/stinger/ to remove the
worm.
 
Hi, Lionel.

I know nothing about that virus or how to recover from it. As for replacing
the dllhost.exe file, though, the System File Checker should do it nicely.
Just type at a Run prompt: sfc /scannow

SFC will compare each of your WinXP operating system files with the "known
good" copies held in your on-disk cache and replace any missing or damaged
ones. Have your WinXP CD-ROM handy; SFC probably will need to see that.

RC
 
Lionel said:
My anti virus program flags dllhost.exe file in
directory ../windows/system32/wins as infected with the
above virus.

That *is* the virus and you do not want a new copy. You need to delete
it and uncheck any line in a run of MSConfig.exe - Startup that is
trying to run it.
 