TechSpot

dllhost.exe

By LisaLash
Apr 9, 2007
  1. Hello,
    I downloaded some sort of virus (from a file off Limewire), that formed under Startup/dllhost.exe (prevented me from viewing my Task Manager and Registry Editor). Anyway, I've removed it, and completed the following instructions from a previous post:

    http://www.techspot.com/vb/all/windows/t-72494-Any-suggestions-for-the-CTRLALTDELETE-hijack.html

    but I just need to make sure it's completely removed, and so would really appreciate it if anyone could help me in any way.

    I've attached my HijackThis log.
    Plus, I know the file C:\WINDOWS\system32\dllhost.exe is legit, but I've also found C:\I386\dllhost.exe... is this legit too??

    Anyway, I'm a bit concerned that changes have been made to the Registry, although everything looks ok, so I would be incredibly grateful if anyone could help me out on this...
    I'm new here, and I know this isn't anything serious but PLEASE let me know if you have any kind of idea, everyone seems to be ignoring me.

    Thank you so much for your time, these forums are such a great help.
     
  2. howard_hopkinso


    Hello and welcome to Techspot.

    Your HJT log shows signs of infection.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of LisaLash only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. LisaLash


    Thanks Howard!
    So C:\I386\DLLHOST.EXE is a legit file?
    And is there any way I can find out if any changes have been made to my Registry?
    Thanks again
     
  4. howard_hopkinso


    C:\I386\DLLHOST.EXE is not legit as far as I can tell, but I'm not sure.

    Therefore, it's worth checking out.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\I386\DLLHOST.EXE
    * Click Open
    * Please let me know the results, when you post the rest of the requested logfiles.

    Regards Howard :)

     
  5. LisaLash


    Ok, thank you... I've followed all the instructions and downloaded everything.
    I have attached fresh HJT, AVG Antispyware and Combofix logs...
    The AVG Anti-Rootkit found nothing.
    Also, the http://virusscan.jotti.org/ results for the file C:\I386\DLLHOST.EXE found nothing...
    So things look ok... I hope!
    Thanks for all this!
     
  6. howard_hopkinso


    All items in your AVG Antispyware log say "No Action Taken". That's because you didn't tell AVG Antispyware to quarantine the results. See HERE for instructions.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    WSBar

    Close control panel.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {8F59C25C-7775-4108-A7A1-5B6B7B0F0259} - (no file)

    O2 - BHO: (no name) - {A89109C5-B09A-4993-89A5-4AD4FAEFD16E} - C:\WINDOWS\Web\PRINTERS\niettuil.dll (file missing)

    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

    O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF56897E-8B11-4C9A-BF65-DC4258FAB9C2}: NameServer = 195.92.195.94 195.92.195.95 < Only fix this if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\PROGRA~1\Wanadoo\WSBar < Delete the entire folder.

    Reboot your system.

    Post a fresh HJT log as well as another AVG Antispyware log.

    Regards Howard :)

     
  7. LisaLash


    Thank you.
    I did quarantine the results found in the AVG Antispyware search, but I saved the log before I did so, to show you the results. I was going to attach a fresh log but I obviously forgot, sorry... Anyway, I just did another AVG Antispyware search and it found nothing this time (I deleted my cookies before searching).
    Completed the instructions above, thank you, my fresh HJT log is attached.
    I think everything's removed now.
    Thanks for your help :grinthumb
     
  8. howard_hopkinso


    Have HJT fix the following.

    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)

    Other than that your HJT log is clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
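
The HJT fix lists in the replies above single out a few entry kinds: BHO/toolbar entries whose file is gone, the O17 NameServer setting, and a dllhost.exe outside system32. The following is an added example, not part of the original thread or of HijackThis: a Python triage pass over HijackThis-style lines that flags those kinds for manual review. The last two sample lines and the `EXPECTED` table are constructed assumptions.

```python
import re

# Location the thread treats as the genuine copy (assumption for other systems).
EXPECTED = {"dllhost.exe": r"c:\windows\system32\dllhost.exe"}

ENTRY = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll)", re.IGNORECASE)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# First four lines are quoted from the thread; the last two are constructed.
SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A89109C5-B09A-4993-89A5-4AD4FAEFD16E} - C:\WINDOWS\Web\PRINTERS\niettuil.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF56897E-8B11-4C9A-BF65-DC4258FAB9C2}: NameServer = 195.92.195.94 195.92.195.95
O4 - HKCU\..\Run: [dllhost] C:\Documents and Settings\user\Start Menu\Programs\Startup\dllhost.exe
O23 - Service: COM+ System Application - C:\WINDOWS\system32\dllhost.exe
"""

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        # Registry entry survives but the file it points at does not.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, "orphaned entry", body))
        # DNS servers set per interface: confirm they belong to the ISP.
        if section == "O17" and "NameServer" in body:
            ips = IPV4.findall(body.split("NameServer", 1)[1])
            findings.append((section, "check DNS servers with ISP", " ".join(ips)))
        # A Windows binary name running from somewhere other than its usual home.
        for path in PATH.findall(body):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in EXPECTED and path.lower() != EXPECTED[name]:
                findings.append((section, "system file name in unexpected path", path))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE):
        print(f"{section:4} {reason}: {detail}")
```

A flag here is a prompt to check the item, as the replies do with an online scanner and the ISP caveat, not a verdict that the entry is malicious.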
