I've had this virus for quite a while DLLHOST.exe when i had it stuffed my antivirus programs and wouldn't let me reinstall it. I checked my registry it can't be found. But it kept blocking my in internet. So I reinstalled Windows xp and deleted my old windows folder (I don't wan't to format over my files). After install I get on the internet and my computer restarts for no reason, checked nothing in the registry still but I checked Windows Task Manager and DLLHOST.exe is in the process. Odd I have a clean windows install but the virus is still there. Why?

Try downloading a patch to get rid of it. I don't think you needed to do a clean install of Windows. I just got rid of this worm a couple days ago. I downloaded the removal tool Symantec provides and I got rid of it perfectly. I provided a link for more information about this worm. There is a link to the removal tool download somewere on that page, just try looking for it.

http://securityresponse.symantec.com/avcen...lchia.worm.html (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

This might help (http://www.pchell.com/virus/welchia.shtml)

Hello all

I too am trying to remove the same virus from my system. I did the search and found the files to be removed but i also discovered that there r 4 links for ControlSet. Should there be that many ControlSets in my registry?

+ControlSet001
+ControlSet002
+ControlSet003
+ControlSet(without any numbers)

the question is do I remove "rpcpatch & tft pd" from 001 -003 as well or will it be removed automatically when done from ControlSet (without the numbers)

- sorry still cannot copy the screen to give a better explanation
Is this time for me to format my HDDm or is there an option before doing so

Lanni

Originally posted by KILskOOL@20 October 2003 - 18:52
I've had this virus for quite a while DLLHOST.exe when i had it stuffed my antivirus programs and wouldn't let me reinstall it. I checked my registry it can't be found. But it kept blocking my in internet. So I reinstalled Windows xp and deleted my old windows folder (I don't wan't to format over my files). After install I get on the internet and my computer restarts for no reason, checked nothing in the registry still but I checked Windows Task Manager and DLLHOST.exe is in the process. Odd I have a clean windows install but the virus is still there. Why?
Virus is in there because you didnt do a clean install.

You did a dirty install. :P

Originally posted by lanni@21 October 2003 - 02:42
Hello all

I too am trying to remove the same virus from my system. I did the search and found the files to be removed but i also discovered that there r 4 links for ControlSet. Should there be that many ControlSets in my registry?

+ControlSet001
+ControlSet002
+ControlSet003
+ControlSet(without any numbers)

the question is do I remove "rpcpatch & tft pd" from 001 -003 as well or will it be removed automatically when done from ControlSet (without the numbers)

- sorry still cannot copy the screen to give a better explanation
Is this time for me to format my HDDm or is there an option before doing so

Lanni
If you really do have the same virus it can only be detected by this tool:-

http://www.symantec.com/avcenter/FixWelch.exe

checking again right now - any thoughts on Controlset001-003

lanni

Using that fix tool it deleted 2 viral services files

Just backup your files on CD or something, and reformat.
's what I'd do.

If you read the page I gave everyone before, you wouldn't have to ask anymore questions.

http://securityresponse.symantec.com/avcen...lchia.worm.html (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

It was supposed to delete 2 viral services files.



Creates the following services:

Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe

This service will be set to start automatically.

The worm creates these who services.