The "normal" DLLHOST.EXE application usually sits in <SYSTEM DRIVE>:\WINNT\System32 and is roughly 6k. The "infected" DLLHOST.EXE from Nachi et al. is in <SYSTEM DRIVE>:\WINNT\System32\Wins\ and is about 10k. DLLHOST.EXE is used to run COM+ components. You may want to check the location and size of your DLLHOST.EXE file to see if you're infected or not.

Chris.

-----Original Message-----
From: Hery [mailto:hery@xxxxxxxxxxxxxx]
Sent: 01 September 2003 09:25
To: [ExchangeList]
Cc: Exchange2000@xxxxxxxxxxxxxxx
Subject: [exchangelist] strange dllhost and email

Hi guys,

I checked my Task Manager and found a DLLHOST.EXE entry under "Processes". Is this infected by Welchia or Sobig.F? I tried to terminate it using some removal tools (in safe mode), but after restarting and running in normal mode, it exists again.

FYI, I'm using Windows 2000 Advanced Server + SP3 and Exchange 2000 + SP3. I have applied the RPC DCOM vulnerability patch.

Sometimes in the queue viewer I can see email to a domain that is not listed at my company, with size 1.002 KB. What's this?

Rgds,
Hery
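
Added example, not part of the original thread: Task Manager shows only the process name, so this PowerShell sketch maps each running dllhost.exe to its image path and file size and classifies it by the locations given in the reply above. It assumes a current Windows host with PowerShell 3.0 or later; the function names are hypothetical, and treating SysWOW64 as an expected directory is an assumption for 64-bit systems that the thread does not mention.

```powershell
# Added example: triage running dllhost.exe processes by image location.
# Function names are hypothetical; location rules follow the reply above.
function Get-DllHostTriage {
    $system32 = Join-Path $env:SystemRoot 'System32'
    # System32 is the normal location per the thread. SysWOW64 is an added
    # assumption: 64-bit Windows ships a second Microsoft copy there.
    $expectedDirs = @($system32, (Join-Path $env:SystemRoot 'SysWOW64'))
    # Directory the thread associates with the Nachi copy.
    $flaggedDir = Join-Path $system32 'Wins'

    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $path    = $_.ExecutablePath
        $size    = $null
        $verdict = 'path unavailable (run from an elevated prompt)'
        if ($path) {
            $dir  = Split-Path -Path $path -Parent
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($file) { $size = $file.Length }
            # PowerShell string comparison is case-insensitive by default.
            if ($dir -eq $flaggedDir) {
                $verdict = 'SUSPICIOUS: running from System32\Wins'
            } elseif ($expectedDirs -contains $dir) {
                $verdict = 'expected location'
            } else {
                $verdict = 'unexpected location, review'
            }
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $path
            SizeBytes = $size      # reported for comparison, not used in the verdict
            Verdict   = $verdict
        }
    }
}

# A copy on disk that is not currently running is still worth noting.
function Test-WinsDllHostOnDisk {
    Test-Path -LiteralPath (Join-Path $env:SystemRoot 'System32\Wins\dllhost.exe')
}

Get-DllHostTriage | Format-Table -AutoSize
"dllhost.exe present in System32\Wins: $(Test-WinsDllHostOnDisk)"
```

The size column is informational only: the 6k and 10k figures in the thread describe Windows 2000 era binaries, so the verdict here rests on location.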