w32.welchia.worm question

[John Galt]

I'm helping a friend who has this on her PC. Norton AV has cleaned up
everything except it says it can't fix or delete dllhost.exe, which I
believe is a system file. I can delete the file, but I'm not sure how to
replace it (I assume it has to be replaced...). It's running XP -- can I
just copy dllhost.exe from another XP machine?

 

[graham]

Did U run The Norton AV cleanup in 'Safe Mode' I had to do
this recently as Norton was unable to clean all files in
normal mode
Graham

 

[Rick]

i had the same problem just go to www.norton.com and get
the removal tool for this worm works great.

 

[John Galt]

thanks for the quick, helpful answers

 

[Alex Nichol]

I'm helping a friend who has this on her PC. Norton AV has cleaned up
everything except it says it can't fix or delete dllhost.exe, which I
believe is a system file. I can delete the file, but I'm not sure how to
replace it (I assume it has to be replaced...). It's running XP -- can I
just copy dllhost.exe from another XP machine?

The welchia worm adds an extra copy, in a different folder. The safest
thing is to do a search, and rename any copies you find with a different
extension (say dlx), *except* for the backup one in
Windows\system32\dllcache,

Then reboot. The rename will result in the proper one in system32
(which is only 5K in size, as a check) being replaced almost immediately
by the one from dllcache, and will come into use after the reboot; you
can then delete the renamed versions