Worm_msblaster.d

Discussion in 'Windows Desktop Systems' started by dadecamp, Sep 7, 2003.

  1. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    My virus scanner, PC-Cillin, has found this in:
    C:\WINDOWS\system32\wins\DLLHOST.EXE

    How do I get rid of it? Virus scanner can't delete it.
     
  2. Enyo

    Enyo Moderator

    Messages:
    1,338
  3. dadecamp

    dadecamp under worked, over paid

    I ran the newest ver. 1.0.6.1 but it didn't detect or clean it. What command line tool do I use?
     
  4. Enyo

    Enyo Moderator

    Edited my post, I spotted the process name ;) Run the commands above and see how you do.
     
  5. dadecamp

    dadecamp under worked, over paid

    I didn't see your edit. Be right back after doing as told.
     
  6. dadecamp

    dadecamp under worked, over paid

    Nothing found:
    W32.Blaster.Worm has not been found on your computer.

    My virus scanner still says it's there.
    What next?
     
  7. Enyo

    Enyo Moderator

    Run "TASKKILL /IM dllhost.exe" (or open the task manager and kill the process) then open up C:\WINDOWS\system32\wins\ and delete the file.

    It's not Blaster, it's Welchia :)
     
  8. dadecamp

    dadecamp under worked, over paid

    It won't let me delete it, says access denied
     
  9. Enyo

    Enyo Moderator

    Open task manager and on the process tab find dllhost.exe, right click and hit end process (that may come back access denied too but try it) then delete it.

    Can't believe PC-Cillin won't remove it for you.
     
  10. dubstar

    dubstar format c:

    Messages:
    1,357
    Location:
    Southern California
    Try using something like "sure delete". That program somehow overrides problems like "can't delete because it's locked". It's just the school bully of deleters, and it's free. Google it, I don't remember the site.
     
  11. dadecamp

    dadecamp under worked, over paid

    How do I open task manager? Me stupid or something!
     
  12. Enyo

    Enyo Moderator

    CTRL+ALT+DELETE will open task manager.
     
  13. dadecamp

    dadecamp under worked, over paid

    Doh...
    After I ended task it just disappeared from C:\WINDOWS\system32\wins\
    Where did it go and do I need to find it and delete it?
     
  14. Enyo

    Enyo Moderator

    Ensure any svchost.exe and dllhost.exe are not in C:\WINDOWS\system32\wins\ and you're done for removing it.

    Full details are on:

    http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    The removal tool will remove the registry entries for you, now the files are gone you should be fine.

    You need to install a firewall on your system asap to prevent further problems. Also you need the security patch from windows update however w32.welchia will probably have already applied this patch for you (it does that, how nice).
     
  15. dadecamp

    dadecamp under worked, over paid

    I do have a svchost.exe in that folder but there are about 8 instances of a file with the same name in task manager. How do I get rid of it or will the removal tool take care of it?

    By the way, thanks for all your help.. It's been invaluable.

    Dave
     
  16. dadecamp

    dadecamp under worked, over paid

    Is the firewall in PC-Cillin any good?
     
  17. Enyo

    Enyo Moderator

    Regarding svchost.exe, now the main process has gone this one should just be deletable, the virus does not run it. Yes the removal tool will take care of it.

    Regarding the firewall in PCC, no it's not that good, very basic. I did not think much of it.

    Check out "Kerio 2.1.5". See the firewall poll and related threads in this section, have a dig around and a read :)
     
  18. dadecamp

    dadecamp under worked, over paid

    Here are the results. Thanks again.

    The service "RpcPatch" is viral. It is deleted.

    The service "RpcTftpd" is viral. It is deleted.

    The file "C:\WINDOWS\System32\wins\svchost.exe" is deleted.

    W32.Welchia.Worm has been successfully removed
    from your computer!

    Here is the report:

    The total number of the scanned files: 110517
    The number of deleted files: 1
    The number of repaired files: 0
    The number of viral processes terminated: 0
    The number of viral services deleted: 2
    The number of registry entries fixed: 0
     
  19. Enyo

    Enyo Moderator

    Good stuff :) Now get patched and firewalled!
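
Added example, not part of the thread or any poster's code: the thread hinges on telling the genuine svchost.exe/dllhost.exe apart from the copies in C:\WINDOWS\system32\wins\, so this check flags those names by full path rather than by name, and matches the two service names from the removal tool report. The function names, PIDs and service list are constructed for illustration, and the expected folder assumes the standard 32-bit System32 layout.

```python
from pathlib import PureWindowsPath

# Standard home of the genuine binaries; the thread's worm copies sat in the
# wins\ subfolder. Assumption: 32-bit layout (64-bit Windows also has SysWOW64).
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
WATCHED_NAMES = {"svchost.exe", "dllhost.exe"}
# Service names the removal tool reported as viral in the thread.
WORM_SERVICES = {"rpcpatch", "rpctftpd"}

def find_masquerading(entries):
    """Return (label, path) entries that use a watched name outside SYSTEM_DIR."""
    hits = []
    for label, path in entries:
        p = PureWindowsPath(path)
        # PureWindowsPath compares case-insensitively, as Windows paths do by default.
        if p.name.lower() in WATCHED_NAMES and p.parent != SYSTEM_DIR:
            hits.append((label, path))
    return hits

def find_worm_services(service_names):
    """Return installed service names that match the worm's services."""
    return sorted(n for n in service_names if n.lower() in WORM_SERVICES)

# Constructed sample data (hypothetical PIDs and service list), not real output.
SAMPLE_ENTRIES = [
    ("pid 612", r"C:\WINDOWS\system32\svchost.exe"),
    ("pid 840", r"C:\WINDOWS\System32\svchost.exe"),
    ("pid 1188", r"C:\WINDOWS\system32\wins\DLLHOST.EXE"),
    ("file on disk", r"C:\WINDOWS\System32\wins\svchost.exe"),
]
SAMPLE_SERVICES = ["Dhcp", "RpcSs", "RpcPatch", "RpcTftpd"]

if __name__ == "__main__":
    for label, path in find_masquerading(SAMPLE_ENTRIES):
        print(f"suspicious: {label}: {path}")
    for name in find_worm_services(SAMPLE_SERVICES):
        print(f"worm service present: {name}")
```

The several svchost.exe instances in Task Manager pass the check because their image path is System32 itself; only the entries under wins\ are reported.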