dllhost.exe virus
Anyone know what this virus is all about? If I try to delete it, it says access denied. It's located in windows/system32/wins/dllhost.exe (Win XP OS). It always uses 9-15 kB/s of upload speed; even when I blocked it with the firewall, it still uses upload speed.
Anyone know how to get rid of it? Thanks..
It's NOT a virus!
Before you jump to conclusions, why don't you open up Google and paste the file name into a search? Here's a result from the second-from-top Google result http://www.iea-software.com/lists/00...p/00000064.htm Quote:
Why the hell does it use 10 kB/s of upload speed, and why does Norton Antivirus say it's a virus?
That file has most likely been hit by the WELCHIA virus, as I have heard of it doing that lately..
Do a search for dllhost.exe and you will probably find a few other versions of it as well. Chances are you also have an infected svchost.exe.
Look for a folder called wins, or read this:

When W32.Welchia.Worm is executed, it performs the following actions:

Copies itself to: %System%\Wins\Dllhost.exe
NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Makes a copy of %System%\Dllcache\Tftpd.exe as %System%\Wins\svchost.exe.
NOTE: Tftpd is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.

Adds the subkeys RpcPatch and RpcTftpd to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Creates the following services:
Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe
This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe
This service will be set to start automatically.

Ends the process Msblast and deletes the file %System%\msblast.exe, which is dropped by the worm W32.Blaster.Worm.

The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks; for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.

The worm will send an ICMP echo request, or PING, to check if the IP address constructed is an active machine on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.

Checks the computer's operating system version, Service Pack number, and System Locale, and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch. Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.

Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.
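As an added example (not code from the thread or from Symantec), the indicators in the write-up above can be turned into a simple check: the %System%\wins file paths and the RpcPatch/RpcTftpd service names on the host side, and the ping-sweep-then-TCP-135/80 pattern on the network side. The host inventory, flow-record format and all addresses below are constructed.

```python
"""Added example (not from the thread): matching the W32.Welchia indicators
described above against a constructed host inventory and constructed flow records."""
from collections import defaultdict

# Indicators quoted in the post; file paths are relative to %System%
WELCHIA_FILES = {r"wins\dllhost.exe", r"wins\svchost.exe"}
WELCHIA_SERVICES = {"RpcPatch": "WINS Client",
                    "RpcTftpd": "Network Connections Sharing"}


def host_indicators(system_dir, files, services):
    """files: full paths present on the host; services: name -> (display, binary).
    Returns a list of findings (empty list means nothing matched)."""
    sysdir = system_dir.rstrip("\\").lower()
    present = {f.lower() for f in files}
    findings = []
    for rel in sorted(WELCHIA_FILES):
        if f"{sysdir}\\{rel}" in present:
            findings.append(f"file present: %System%\\{rel}")
    for name, display in WELCHIA_SERVICES.items():
        if name in services:
            findings.append(f"service {name} ({display}) -> {services[name][1]}")
    return findings


def scan_sources(flows, min_targets=50):
    """flows: 'src dst proto dport' lines (constructed format). Flags a source that
    pings many distinct hosts and then connects to TCP 135 or 80 on one of them,
    the sweep-then-exploit sequence the write-up describes."""
    pinged, hit = defaultdict(set), defaultdict(set)
    for line in flows:
        src, dst, proto, dport = line.split()
        if proto == "icmp":
            pinged[src].add(dst)
        elif proto == "tcp" and dport in ("135", "80"):
            hit[src].add(dst)
    return sorted(s for s in pinged
                  if len(pinged[s]) >= min_targets and hit[s] & pinged[s])


# Constructed sample data: one infected XP host (10.1.0.9) and one clean host (10.1.0.5)
SYSTEM_DIR = r"C:\Windows\System32"
FILES = [r"C:\Windows\System32\wins\dllhost.exe", r"C:\Windows\System32\wins\svchost.exe"]
SERVICES = {"RpcPatch": ("WINS Client", r"C:\Windows\System32\wins\dllhost.exe"),
            "RpcTftpd": ("Network Connections Sharing", r"C:\Windows\System32\wins\svchost.exe")}
FLOWS = [f"10.1.0.9 10.1.{i // 256}.{i % 256} icmp 0" for i in range(60)]
FLOWS += ["10.1.0.9 10.1.0.17 tcp 135", "10.1.0.5 10.1.0.1 icmp 0", "10.1.0.5 10.1.0.2 tcp 80"]

if __name__ == "__main__":
    print(host_indicators(SYSTEM_DIR, FILES, SERVICES))
    print(scan_sources(FLOWS))
```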