I am having trouble deleting dllhost.exe!?

I connected to the Internet through the MetroFi-Free wireless network (Cupertino, CA), and, according to the Windows timestamp, dllhost.exe was created on my computer just a few minutes later, or maybe even instantly. I found it in the list of processes in the Windows Task Manager after noticing some programs started closing 1-3 seconds after I opened them (including the NTVDM DOS emulator).

These programs were placed on my PC (Windows 2000) without my knowledge of them:

(The "Modified" dates are the same as the "Created Dates")



(If you cannot see the full image above with the file sizes and times, it is here:
http://www.geocities.com/tzmne/restricted/badprogs.gif)


I found http://www.pchell.com/virus/welchia.shtml, which correctly identified the dllhost.exe I have. I was able to stop dllhost.exe as mentioned in Step 2, but I cannot do Step 3. Every time I open REGEDIT, it closes almost instantly. I think this is because of dllhost.exe.
So, I think I will have to do more than simply delete these NEW programs. How can I continue without being able to run REGEDIT?
Thank You.

I believe if you do find a way to turn those services off you will no longer have access to the internet...they are being used for your connection.

patio.   8-)

I have to delete them. They cause the DOS emulator to crash every 1-3 seconds, and that is one of the main things I do on my computer. I was just trying MetroFi-Free for a day, but now that I am home, I do not need or want anything to do with it. Obviously my current WIFI connection does not need these things (which were defined as worms) because they were just created yesterday. I just want my laptop to be fully functioning again!

Are you certain they cause your emulator to crash?

Quote

  Recommendation for dllhost.exe:
Should not be disabled, required for essential applications to work properly.

Source

Do you have any spyware removal tools installed on your computer?  Which ones?  Have you run them since this problem started?  Ever use CCleaner?  If not, might be a good idea to get it.  Be sure to run the Issues scan.  When prompted to back up your registry before making the changes recommended by the scan, do so.

By the way, your avatar is 69,384 bytes.  By comparison, the ones used by the other three posters so far in this thread, including me, are less than 2,000 bytes.  Here's one for you that's less than 2Kbytes:



Use it, if you like, but please move it to your own image hosting location.

The version of dllhost.exe I have is a worm of the same name as a legitimate program. That's what it says at the link in my first post.

I don't have any spyware/virus removers. I could try that, but can I fix this without getting any other programs?
If that works, it would remove all the new evil programs, and then I could run "the patches for the DCOM RPC Exploit or WebDAV exploit" (link in my first post)?

I changed my avatar so it's work 30K now. The full size version of my previous avatar was 8,000 * 8,000 pixels (64MP)! The PSD was 160MB! If 30K is still too big, I can just remove my picture.

The problem with trying to get rid of it manually is some are sophisticated enough to replicate themselves over and over....this is why tools are needed.

I would try the following in no particular order. They are free dloads.

Stinger
Ewido
aswclnr

Run them in safe mode with system restore turned off.

patio.   8-)

Use AVG Free and Adaware SE.

Quote
I don't have any spyware/virus removers. I could try that, but can I fix this without getting any other programs?

Yes, unless your OS has been damaged due to the virus.

I would do as patio suggested in reply #6 and then see whether you can run regedit.

Your avatar file size now is not too bad for an animated image.  If you decide to go back to your former image, just grab the one I posted.  If you're using Internet Explorer, right click on the image and select Save Picture As.

ewido might help too

Quote
I would try the following in no particular order. They are free dloads.
 
Stinger
Ewido
aswclnr

You don't think one is enough? I'll try them. But is safe mode necessary?

BTW, here is a list of the processes running now. I have Opera and Explorer open, and have stopped dllhost.exe:


Quote
If you're using Internet Explorer...
Ha ha

Yes more than one may be necessary...
Yes safemode is necessary or I wouldn't have mentioned it once and asked about it another time...
Yes you should turn off system restore prior to this...

Let us know,

patio.   8-)

Quote
Yes you should turn off system restore prior to this.
FYI, that is for XP and ME, not Windows 2000.

Stinger worked!! Everything works well now.

Code:

McAfee AVERT Stinger Version 2.6.0. built on Apr  5 2006

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus DATA file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.



Scan initiated on Wed Sep 20 21:55:38 2006

C:\WINNT\system32\cool.exe

     Found the W32/Sdbot.worm.gen.j virus !!!

C:\WINNT\system32\cool.exe has been deleted.

C:\WINNT\system32\f.exe

     Found the W32/Sdbot.worm.gen.j virus !!!

C:\WINNT\system32\f.exe has been deleted.

C:\WINNT\system32\i

     Found the W32/Sdbot.worm!ftp virus !!!

C:\WINNT\system32\i has been deleted.

C:\WINNT\system32\libsys32.exe

     Found the W32/Sdbot.worm.gen.j virus !!!

C:\WINNT\system32\libsys32.exe has been deleted.

C:\WINNT\system32\msconfg.exe

     Found the W32/Sdbot.worm.gen.i virus !!!

C:\WINNT\system32\msconfg.exe has been deleted.

C:\WINNT\system32\wins\DLLHOST.EXE

     Found the W32/Nachi.worm.a virus !!!

C:\WINNT\system32\wins\DLLHOST.EXE has been deleted.

C:\WINNT\system32\wins\SVCHOST.EXE

     Found the W32/Nachi!tftpd virus !!!

C:\WINNT\system32\wins\SVCHOST.EXE has been deleted.

  Number of clean files: 284466

  Number of infected files: 7

  Number of files deleted: 7


All of these things it deleted are new, I am sure. I suppose they all were installed by the same thing. But one thing I do not see is the registry entries these programs were supposed to leave. I looked for them before running Stinger.

The link in my first post (http://www.pchell.com/virus/welchia.shtml) says to install patches. Is this to fix my computer, or prevent future worms?


I installed Ewido (which wouldn't run in Safe Mode, BTW), and it is scanning now.


Thanks, guys. It's good that I know about Safe Mode and my registry now. Also, Ewido is finding many tracking cookies that I don't want.

Quote
ewido might help too


Was already listed...

Kristopher, glad to hear you got it solved...BTW for future reference Stinger is updated daily so I usually DLoad a new one when it is needed...

patio.   8-)

Quote
Quote
ewido might help too


Was already listed...

patio.   8-)


my bad
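
An added example, not part of the original thread: the Stinger log above shows worm copies named DLLHOST.EXE and SVCHOST.EXE sitting in C:\WINNT\system32\wins, while the genuine Windows files of those names live in C:\WINNT\system32. This Python sketch parses an excerpt of that log and flags detections that borrow a system file name from the wrong directory; the function names and the expected-location table are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, normcase

# Excerpt of the Stinger log posted in the thread (blank lines removed).
SAMPLE_LOG = r"""
C:\WINNT\system32\cool.exe
     Found the W32/Sdbot.worm.gen.j virus !!!
C:\WINNT\system32\cool.exe has been deleted.
C:\WINNT\system32\wins\DLLHOST.EXE
     Found the W32/Nachi.worm.a virus !!!
C:\WINNT\system32\wins\DLLHOST.EXE has been deleted.
C:\WINNT\system32\wins\SVCHOST.EXE
     Found the W32/Nachi!tftpd virus !!!
C:\WINNT\system32\wins\SVCHOST.EXE has been deleted.
"""

# Assumption: where the genuine binaries live on this Windows 2000 install.
EXPECTED_DIR = {
    "dllhost.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
}

FOUND_RE = re.compile(r"^\s+Found the (\S+) virus !!!\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.*$")

def parse_detections(log):
    """Return (path, detection_name) pairs from a Stinger-style log."""
    results, last_path = [], None
    for line in log.splitlines():
        found = FOUND_RE.match(line)
        if found and last_path:
            results.append((last_path, found.group(1)))
            last_path = None
        elif PATH_RE.match(line) and not line.endswith("has been deleted."):
            last_path = line.strip()
    return results

def masquerading(detections):
    """Keep detections named like a system binary but stored elsewhere."""
    flagged = []
    for path, name in detections:
        expected = EXPECTED_DIR.get(basename(path).lower())
        if expected and normcase(dirname(path)) != expected:
            flagged.append((path, name))
    return flagged

if __name__ == "__main__":
    for path, name in masquerading(parse_detections(SAMPLE_LOG)):
        print(f"{path}: {name} (system file name, unexpected directory)")
```
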

