Hi Hery, I am almost certain you have w32.blaster.d check in c:\windows\system32\wins\ as suggested by chris, although you can't be sure of which varient of blaster it is so can't be sure where it puts it - could try searching whole c: for dllhost.exe. Also check the usual run/runonce key in the registry (/HKLM/software/microsoft/current version/run). This variant was released only a couple (maybe 3) days ago, update your virus defs again or try trend housecall to be sure there is no virus there. Jamie. -----Original Message----- From: Hery [mailto:hery@xxxxxxxxxxxxxx] Sent: Tuesday, 2 September 2003 11:30 AM To: [ExchangeList] Subject: [exchangelist] RE: strange dllhost and email http://www.MSExchange.org/ hi Chris, the file is located at \winnt\system32. and the size is 5.76 KB. i've scan for the virus, but found nothing. so if this dllhost.exe is really windows program, i think it safe to run. nothing to worried. i also have patch the rpc dcom. many thank's for your help. rgds, hery ----- Original Message ----- From: Chris Adams <mailto:Chris.Adams@xxxxxxxxxxxxxxxx> To: [ExchangeList] <mailto:exchangelist@xxxxxxxxxxxxx> Sent: Monday, September 01, 2003 21:20 PM Subject: [exchangelist] RE: strange dllhost and email http://www.MSExchange.org/ The "normal" DLLHOST.EXE application usually sits in <SYSTEM DRIVE>:\WINNT\System32 and is roughly 6k. The "Infected" DLLHOST.EXE from Nachi et al. is in <SYSTEM DRIVE>:\WINNT\System32\Wins\ and is about 10k. DLLHOST.EXE is used to run COM+ components. You may want to check the location and size of your DLLHOST.EXE file to see if you're infected or not. Chris. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: jabyrnes@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')