Virus troubles



Erdrick Holmes
11-29-2003, 06:14 PM
C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE Is this file important?

I found this file to be infected with worm/nachi when I ran AVG. The only way to kill the virus is to delete the file; is it safe to delete?

Rainecloud
11-29-2003, 07:01 PM
Surely you can find some sort of Virus Scanning program that can simply clean the file? I would assume that the file you've quoted there is very important (as most DLL files are). CL will probably be along to correct me very shortly, but I seriously wouldn't consider deleting the file just yet.

As I said, there must be some sort of Worm-Remover tool you can use.

Advent Child
11-29-2003, 07:03 PM
I don't know, but it looks pretty important.

You could try to download the file and replace it with a clean one.

crono_logical
11-30-2003, 12:00 AM
It's part of Windows, yes. Assuming you haven't disabled stuff like System Restore etc., I'd guess Windows would restore a clean copy from its own backup or ask you for the CD if you just randomly deleted it.

EDIT: dllhost is in a different location on both my computers to the location you mentioned.

Erdrick Holmes
11-30-2003, 12:04 AM
It's still on my system but I have the worm protection patch from the Microsoft site, and it hasn't done anything yet. Can I download it anywhere?

crono_logical
11-30-2003, 12:21 AM
Your Windows CD, yes :p

Erdrick Holmes
11-30-2003, 12:23 AM
Ok, somebody guide me through the process please.

Rostum
11-30-2003, 01:47 AM
I have that file too. I've checked and my dad's computer doesn't have it, neither do my friends. What it does to me is it keeps signing me out of MSN Messenger and slowing down my Internet Explorer even though I'm only loading one page and not downloading anything. Also when it's in my processes and I open up ZoneAlarm I get heaps and heaps of people being blocked from hacking me.

I don't know how to delete it, I just end the task every time I load my computer and it stops all of the above.

Erdrick Holmes
11-30-2003, 05:19 AM
Ok, now it's getting annoying. I keep getting a virus that is making my computer do everything but be able to go on the internet; seriously, I can't go on the internet unless I format my HD and reinstall Windows. I think it might have something to do with a virus that has the word "Worm" in its name. The second part of its name starts with an 'N', I think it's 'Nicha' or something. Is there a security patch for it?

Erdrick Holmes
11-30-2003, 06:35 AM
Ok full problem in this order.

1. I turn my system off and go to sleep
2. Wake up and turn it on and Adaware starts running all by itself
3. I try to connect to the internet, my modem dials up to my ISP and after it connects no data packets go in or out.
4. I do a system restore but then AVG says that a file in the System Volume Information folder is infected with worm/nachi and because it's in that folder I can't get to it

How exactly do I deal with worm/nachi? I think it might have to do with my connection not accepting packets, and the only way I can deal with it is to wipe out my HD completely.

Rostum
11-30-2003, 07:35 AM
Try this, I don't know if it will work, but I've been having similar troubles.

When you load up your computer, before you dial up to the internet, press CTRL+ALT+DEL to bring up the task manager and end the "DLLHOST" process. It helps me a lot. Otherwise, I don't know.

Erdrick Holmes
11-30-2003, 05:58 PM
This is a new variation of the worm virus, it's pretty deadly too.

http://www.microsoft.com/downloads/details.aspx?FamilyId=9F81E615-3DEC-4A4B-826A-4E0FEAB42323&displaylang=en
everyone go here and get the patch for it if you are running XP. I cannot stress how important this is.

crono_logical
11-30-2003, 07:12 PM
Actually, the Nachi (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559) worm isn't deadly at all, all it does is patch the OS from that rather large exploit recently (which I posted an announcement about here some time ago), then it deletes itself come the new year :p

You can't stress how important the patch on the link you posted is, because that patch is rather out of date, which is even mentioned on the page you linked to, so it's rather not very important at all and you should be looking for later patches :p

Erdrick Holmes
11-30-2003, 08:13 PM
Well, that nachi keeps data packets from going in or out of my computer when I dial up to my ISP, or any of my other ISPs for that matter. So this patch is necessary.

crono_logical
11-30-2003, 08:55 PM
You clearly didn't read the payload for nachi, nor what the patch does then, since they're completely separate from each other. I'd consider your PC has another virus on it then which hasn't been detected, if it's doing other stuff it shouldn't.

Citizen Bleys
11-30-2003, 10:04 PM
dllhost.exe IS a system file, yes, but I can pretty much guarantee that your infected file is NOT dllhost.exe. The virus writer simply got the virus to write itself to a file with the same name as a system file.

Look for dllhost.exe elsewhere on your computer. You will find it, and the filesize will be different from the infected file.

Just trash it.

Why am I so sure? Easy. I know that you run Windows XP. Furthermore, I know you are running Windows XP as a home computer. Therefore you are not using WINS.

The only time a Windows XP computer would have to be a WINS client is if it is a member of a Windows NT domain--even if it's a member of a Windows 2000 domain which has a WINS server in it, there's no need for the XP machine to be a WINS client, since it can use DNS, which must be present in a Windows 2000 domain.

WINS stands for Windows Internet Naming Service, and it acts in a similar manner to DNS, except that instead of resolving DNS names to IP addresses, it resolves NetBIOS names to IP addresses--which is nice if you're using NetBIOS, but totally redundant if you are using TCP/IP. Which you are, otherwise you wouldn't be able to access the internet.

NetBIOS is a deprecated protocol that was used back in the days of MS-DOS LAN Manager and Windows 3.11. It gives each computer a "friendly" name (maximum 15 characters), and when computers need to communicate with each other, it finds a computer's friendly name by broadcasting. (Computers ultimately reach each other by their MAC addresses, and broadcasting resolves NetBIOS names to MAC addresses.)

Think of it as one big street. When you want to find Frank, you go to the end of your driveway and scream "WHERE ARE YOU, FRANK?" at the top of your lungs, and then Frank comes out and screams "I AM FRANK, AND MY PHONE NUMBER IS..." And then you go back into your house and call Frank, since you probably don't want to shout intimate hemorrhoidal details at the top of your lungs for the whole street to hear.

That's fine if there's only a couple of people on your network (street), but what happens when there's hundreds, and you can't communicate at all through all the shouting? That's where WINS comes in. WINS is like Directory Assistance. You contact the WINS server (dial 411) and ask what Frank's IP address is, and the operator (WINS server) tells you. All of your communication is two-way--no shouting.

After Windows 2000, though, TCP/IP became the preferred protocol of communication (No broadcasting! Yay!) and name-to-address resolution is provided by the more robust Domain Name Service (DNS).

Even if you use NetBIOS names on a local workgroup (i.e., a peer-to-peer network within your house), you probably have only two or three computers, not 500, which is how many you'd need before NetBIOS broadcasts slowed your network noticeably.

WINS is useful for centralizing NetBIOS name to IP address mappings (Everybody uses the same WINS server, so if a machine changes its name or IP address, the change only has to be made on the WINS server, not everybody's lmhosts file...not that you have to use an lmhosts file either, if you're on a small network using broadcasting), and it allows down-level clients to locate a domain controller on a Windows 2000 domain, which you don't have.

The obligatory user-education speech done with, I can also simply tell that you are not running the WINS server because Windows XP is not a server operating system. In order to install the WINS service, you must be running Windows 2000 Server, Windows NT Server, or Windows Server 2003. (Linux may be able to act as a WINS server, but I doubt it, since Linux has never used NetBIOS)

crono_logical
11-30-2003, 11:08 PM
His dllhost.exe isn't a system file though, since he told us where it is, and that's the location the nachi "virus" puts its own dllhost.exe (as I found out after I bothered reading what the virus is about, unlike someone in here that should have done :p ) - the real one is in the system32 folder and not a subfolder of it.

As Bleys said, delete it :p (Not the real one, the one you said was detected as a virus :p )
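
The check Bleys and crono_logical describe above (a file carrying a system binary's name but sitting outside the directory the real copy lives in, with a different size) can be scripted. This is an added example, not code from the thread or from any of the tools mentioned; it assumes a hypothetical `EXPECTED_DIRS` table and builds a constructed directory layout in `demo()` so it runs offline, with a stand-in `dllhost.exe` under `system32` and a second one dropped under `system32\wins`, as in the original post.

```python
import hashlib
import os
import tempfile

# Where the legitimate copy of each binary lives, relative to the Windows
# directory. Hypothetical table for this example; extend with other names.
EXPECTED_DIRS = {"dllhost.exe": "system32"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_masquerades(windows_root):
    """Return one finding per file that has a known system-binary name but
    sits outside that binary's expected directory, noting whether its size
    and hash match the legitimate copy found in the expected directory."""
    legit, suspects = {}, []
    for dirpath, _, files in os.walk(windows_root):
        rel_dir = os.path.relpath(dirpath, windows_root).lower()
        for name in files:
            lname = name.lower()
            if lname not in EXPECTED_DIRS:
                continue
            path = os.path.join(dirpath, name)
            if rel_dir == EXPECTED_DIRS[lname]:
                legit[lname] = (os.path.getsize(path), sha256_of(path))
            else:
                suspects.append((lname, path))
    findings = []
    for lname, path in suspects:
        fp = (os.path.getsize(path), sha256_of(path))
        findings.append({"name": lname, "path": path, "size": fp[0],
                         "expected_dir": EXPECTED_DIRS[lname],
                         "same_as_legit": legit.get(lname) == fp})
    return findings

def demo():
    """Constructed layout mirroring the thread: the real dllhost.exe in
    system32 and a differently sized DLLHOST.EXE dropped in system32\\wins."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32", "wins"))
    with open(os.path.join(root, "system32", "dllhost.exe"), "wb") as f:
        f.write(b"MZ stand-in for the legitimate binary " * 40)
    with open(os.path.join(root, "system32", "wins", "DLLHOST.EXE"), "wb") as f:
        f.write(b"MZ stand-in for the dropped copy")
    return find_masquerades(root)
```

Pointed at a real Windows directory, `find_masquerades` reports every same-name copy outside `system32`, and `same_as_legit` being False is the size/hash mismatch Bleys tells the poster to look for.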

Citizen Bleys
11-30-2003, 11:35 PM
Just delete the whole flaming WINS directory. Like I said, you are NOT running WINS.