
dllhost.exe running on windows XP problem

Discussion in 'The Lounge' started by R72K5, Aug 31, 2003.

  1. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    when i was reinstalling windows XP on my machine there was an error: something about some COM+ component wouldn't install, so i stopped and deleted the partition and created a new one and started reinstalling windows XP again and it still gave me the COM+ component error,
    now some program called dllhost.exe keeps running and i tried to find out about it and all i can find out is that it's tied to ASP and COM somehow, whatever those are. if i try to end the dllhost.exe process tree in task manager then it will just start right back up and put itself somewhere else in the processes list

    what is this COM error when installing the WIN XP system? i've never seen or heard of dllhost before replacing my OS this last time. i take it that i have either a motherboard or HDD issue? isn't COM communications of some sort? but what exactly?




    thanks for anything
     
  2. jakeslim

    jakeslim 1/2 ton status

    Joined:
    Sep 18, 2002
    Posts:
    2,686
    Likes Received:
    0
    Location:
    Napa, CA
    i remember the days of reloading windows..... the secret to avoid crashes is to use a registry cleaner regularly.

    Anyways, try pulling your sound card and modem then try installing.
     
  3. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    COM is component object model, a programming thing.

    dllhost.exe in winXP is part of a recent virus, although I believe it's a valid windows file in earlier versions of windows. Download and run this tool: Welchia Removal. If you have the virus, that'll clean it out. If you don't, it won't hurt. And be sure to take the computer off the network during the install until you're ready to run windows update on it. Many modern viruses can spread simply by finding an unprotected computer on a network, and it's very likely you'll be unprotected during install.
     
  4. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    cool thanks,

    i recently moved my computer from a router-controlled DSL LAN to a non-router-controlled single DSL connection all by itself and that is when troubles began. i have tried and tried to install fresh new XP- even after deleting and creating a new partition 100%- and even after running the GWSCAN test and writing zeros to the HDD and everything- the GWSCAN test says the HDD is fine with no errors at all,

    when i am in setup of the WIN XP system with around 29 minutes left of that- and right after entering the product key- is when a gray error box window pops up saying that 'COM+ event classes cannot be registered' and a bunch of info listed below that. it does this every single time and the frickin dllhost.exe is always running now and will pop back up in the task manager processes list in a new spot in the list when you end its process tree


    what should i do ?
    i guess i'm gonna go ahead and get XP setup and running and see about going with the welchia worm tool and modifying the registry keys that need to be modified per symantec info, and add the DSL router to my setup to use as a firewall like how it was before when the puter was on the DSL LAN


    what do you think ? am i on the right track ?

    thanks
     
  5. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    [ QUOTE ]
    i remember the days of reloading windows..... the secret to avoid crashes is to use a registry cleaner regularly.

    Anyways, try pulling your sound card and modem then try installing.

    [/ QUOTE ]

    i can find info i need in online searches enough to find out what keys are created by worms and trojans and need to be deleted; have never had a problem before. it used to be just gain and gator keys that needed to be found and deleted, but now it's more than that

    don't have a modem, am running DSL, cat5 network card

    is dllhost.exe a legitimate windows xp program? or do i need to delete it and its keys?



    thanks
     
  6. jjlaughner

    jjlaughner 3/4 ton status

    Joined:
    Jan 12, 2001
    Posts:
    7,406
    Likes Received:
    0
    Location:
    Indiana
    [ QUOTE ]
    i remember the days of reloading windows..... the secret to avoid crashes is to use a registry cleaner regularly.

    Anyways, try pulling your sound card and modem then try installing.

    [/ QUOTE ]

    I just worked on a windows 98 machine that had 1899 days on the scan disk clock. I HAVE NEVER SEEN a windows 98 machine run for 6 years without being reloaded! So I cleaned up the registry, ran a couple virus checkers and ad-ware and took it into safe mode and ran scan disk and disk defrag; it's up and running again! Crazy stuff.

    Randy, since you have several machines around you, pull the HD out and stick it in another machine and have that machine format it in the windows environment, then try a fresh/new install of XP with all of the add-ons in your machine.
     
  7. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    what do you mean by in the windows environment? is that possible to do in XP?
    sometimes a HDD out of one machine won't run in another machine, different motherboards sometimes don't mix with others, i.e. windows on a HDD installed using one machine won't boot up in another machine, i.e. another motherboard.
    or do you mean something else?

    thanks
    R
     
  8. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    fixed it, took my HDD out and hooked it up to another machine and formatted it with the win xp cd and then brought it back over here and formatted it again on my system and xp installed with no com+ error

    so far so good,

    now i need to get the router connected so i have a firewall again- like the old days
    anyone know of a good deal on a linksys DSL router anywhere or got an extra one they might sell or trade to me?


    thanks
     
  9. jjlaughner

    jjlaughner 3/4 ton status

    Joined:
    Jan 12, 2001
    Posts:
    7,406
    Likes Received:
    0
    Location:
    Indiana
    Well, what I meant was shut down both machines, install your hard drive as a slave in the other machine. Boot it back up and that computer will see the drive as a secondary hard drive. Go to Administrative Tools > Computer Management > Disk Management, click on your hard drive and then click format. It will format the drive totally blank with no boot sector (since it thinks it's going to be a slave drive). When you put it back in your computer and boot from the xp disk to reinstall the OS it creates everything new. Only hard part is swapping the jumpers around for slave and master settings on the hard drive.
     
  10. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    oh

    gotcha now

    hmm ill remember that
    i like that one

    i had it fixed after what i did but well the damn worm found its way right back onto my HDD before i could even get MS patches d/l'd and installed,


    cant win either way.....


    i highly recommend that no one reinstall their OS currently for a while til this worm is taken care of- the welchia and blaster worms that is....

    i'm currently still downloading and installing patches and such from the MS update site, and then when i get all that done i gotta restart in safe mode and delete the DLLHOST and SVCHOST in the C:\WINDOWS\system32\wins folder and find the registry keys dropped by the worms:

    What is the Welchia worm aka MSBlast.D, LoveSan.D or Nachi?
    The Welchia (MSBLAST.D) worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. Similar to the original MSBlast worm, it exploits a known windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC Vulnerability. It uses TFTP (Trivial File Transfer Protocol) to download its files into a system. It also exploits one more vulnerability known as the WebDAV exploit to travel from system to system.

    Ironically, this worm attempts to patch the RPC DCOM Buffer Overflow. It first checks for the running Windows version and then downloads a patch from Microsoft. In essence this worm patches your computer against the MSBlast.A worm. When the current system year is 2004, the worm removes itself from the system.

    Download the Windows patches for these vulnerabilities by clicking on the links below:

    Windows XP: DCOM/RPC Exploit patch

    Windows 2000: DCOM/RPC Exploit patch

    Windows XP: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)

    Windows 2000: WebDAV Exploit patch (IIS Remote Exploit from ntdll.dll)

    What are the DCOM Vulnerability and WebDAV Exploits?

    The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

    The WebDAV exploit is a security issue identified in Microsoft® Windows XP, 2000, and NT running IIS 5.0 that could allow an attacker to take control of your computer. This issue is most likely to affect computers used as Web servers.

    How Does the Welchia Worm Infect My Computer?

    Copies itself to the Wins directory in the System or System32 folder in Windows, usually:

    C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
    C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

    There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

    Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

    C:\Windows\System32\Wins\svchost.exe for Windows XP or
    C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

    NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

    Creates the following services:

    Service Name: RpcTftpd
    Display Name: Network Connections Sharing
    File: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Display Name: WINS Client
    File: %System%\wins\dllhost.exe

    This service will be set to start automatically.


    Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A. First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
    Some of the patches it downloads into the system are as follows:

    The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

    Before downloading or installing the patch on the system, this worm first checks if the system has been previously patched by checking for specific registry keys to make sure the patch hasn't been installed.

    The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm will use a ping to determine if the active machine is on a network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDAV vulnerability.

    Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

    Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.


    How Can I Remove the Welchia or MSBLAST.D worm?

    Follow these steps in removing the Welchia or MSBLAST.D worm.

    1) Disconnect your computer from the local area network or Internet

    2) Terminate the running program

    Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
    At the command prompt, type the following:
    NET STOP "Network Connections Sharing"
    Press the Enter key. A message should indicate that the service has been stopped successfully.
    Do the same to stop the following service:
    NET STOP "WINS Client"
    Close the command prompt window.
    3) Remove the Registry Entries

    Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
    In the left panel, delete the subkeys:
    RpcPatch
    RpcTftpd
    Close Registry Editor.
    4) Install the patches for the DCOM RPC Exploit or WebDAV exploit; you can download the patches from the links below before disconnecting

    thanks
     
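An added example (mine, not from this thread or from the vendor write-up it quotes): a Python checker that scans a host snapshot for the indicators the quoted write-up lists, telling the legitimate System32\dllhost.exe apart from the worm's copy under System32\wins. The Snapshot class and SAMPLE data are constructed stand-ins for dir, sc query and netstat output, not a Windows API.

```python
from dataclasses import dataclass
import ntpath

# Indicators from the quoted write-up: two files under %System%\wins\, two services, shell on TCP 666-765.
WORM_FILES = ("dllhost.exe", "svchost.exe")
WORM_SERVICES = {"rpctftpd": "Network Connections Sharing", "rpcpatch": "WINS Client"}
SHELL_PORTS = range(666, 766)

@dataclass
class Snapshot:
    system_dir: str      # e.g. C:\Windows\System32
    files: list          # full paths present on disk
    services: dict       # service name -> (display name, binary path)
    connections: list    # (remote_ip, remote_port, state)

def check_files(snap):
    """The legitimate dllhost.exe and svchost.exe live directly in %System%;
    copies in the wins subdirectory are the worm's."""
    wins_dir = ntpath.join(snap.system_dir, "wins").lower()
    return sorted(p for p in snap.files
                  if ntpath.dirname(p).lower() == wins_dir
                  and ntpath.basename(p).lower() in WORM_FILES)

def check_services(snap):
    """Flag the worm's services by name, or any service whose binary sits in wins."""
    return sorted(name for name, (_display, binary) in snap.services.items()
                  if name.lower() in WORM_SERVICES
                  or ntpath.dirname(binary).lower().endswith("\\wins"))

def check_connections(snap):
    """Flag sockets in the port range the worm uses for its remote shell."""
    return sorted((ip, port) for ip, port, _state in snap.connections if port in SHELL_PORTS)

def assess(snap):
    # Files or services are conclusive; a connection in the range alone is only a hint.
    findings = {"files": check_files(snap), "services": check_services(snap),
                "connections": check_connections(snap)}
    findings["infected"] = bool(findings["files"] or findings["services"])
    return findings

# Constructed sample: infected XP host that still has its legitimate System32\dllhost.exe.
SAMPLE = Snapshot(
    system_dir=r"C:\Windows\System32",
    files=[r"C:\Windows\System32\dllhost.exe", r"C:\Windows\System32\wins\dllhost.exe",
           r"C:\Windows\System32\wins\svchost.exe"],
    services={"RpcPatch": ("WINS Client", r"C:\Windows\System32\wins\dllhost.exe"),
              "RpcTftpd": ("Network Connections Sharing", r"C:\Windows\System32\wins\svchost.exe"),
              "Dnscache": ("DNS Client", r"C:\Windows\System32\svchost.exe")},
    connections=[("192.0.2.10", 707, "ESTABLISHED"), ("192.0.2.20", 80, "ESTABLISHED")])
```

Running `assess(SAMPLE)` reports both dropped files and both services while leaving the legitimate dllhost.exe and svchost.exe unflagged.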