  #1  
Old 17th Nov 2007, 00:37
New Member Group
 
How do I remove it? Is DLLhost an important file? I have Eset Nod32 2.7.
  #2  
Old 17th Nov 2007, 00:43
Moderator Group
 
Welcome to TCF.

Let's have a closer look.

Download HijackThis to your desktop.
Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file or .log
Do NOT attach MS-Word .DOC files, they will NOT be looked at!
In your post, add the log as an Attachment.
* Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
** Don't use the Analyse This button. Its findings are dangerous if misinterpreted.

Guide for attaching logs to a post
__________________

  #3  
Old 17th Nov 2007, 00:51
New Member Group
 
Is it safe to post this file? I will if you say it is. =] Thanks for the help, I just need to save it all. =]
  #4  
Old 17th Nov 2007, 00:55
Moderator Group
 
There is no personal information in any log I will ask for. We have to be able to see what all is running on the PC to know the right steps to remove it.

Also what program reported the infection?
__________________

  #5  
Old 17th Nov 2007, 00:57
New Member Group
 
When I booted up the computer, Ashampoo Firewall said that a filter thing hadn't worked or something.
Nod 32 2.7 said I had the virus.
Attached Files
File Type: txt hijackthis.txt (8.0 KB, 13 views)
  #6  
Old 17th Nov 2007, 01:09
Moderator Group
 
Open HijackThis and select "Do a system scan only"

Place a check mark next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - S-1-5-21-299502267-839522115-854245398-1003 Startup: PowerReg Scheduler.exe (User '?')
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Windows Display Driver - Unknown owner - C:\Program Files\Common Files\Dllhost.exe
O24 - Desktop Component 1: (no name) - http://en.wikipedia.org/


Close all windows and click "Fix checked"

==========

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter at the prompt)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall.
__________________
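
Added example (not part of the thread and not code from HijackThis or any poster): the O23 entry listed in post #6 runs Dllhost.exe from C:\Program Files\Common Files, while the genuine Windows dllhost.exe lives in System32. This sketch parses O23 service lines from a HijackThis log and flags services whose image carries a system binary's name but sits outside System32; the list of binary names, the function names and the third sample line are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries that normally run from System32 (illustrative, not exhaustive).
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = {("windows", "system32"), ("winnt", "system32")}

# Constructed sample: the first two lines are quoted from post #6,
# the third is made up to show a service that passes the check.
SAMPLE_LOG = r"""
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Windows Display Driver - Unknown owner - C:\Program Files\Common Files\Dllhost.exe
O23 - Service: Example Service - Example Corp - C:\WINDOWS\system32\svchost.exe -k example
"""


def parse_o23(line):
    """Return (service name, owner, image path) for an O23 line, else None."""
    m = re.match(r"O23 - Service: (.+)$", line.strip())
    if not m:
        return None
    fields = m.group(1).rsplit(" - ", 2)  # the service name itself may contain " - "
    if len(fields) != 3:
        return None
    name, owner, command = (f.strip() for f in fields)
    exe = re.match(r'"?(.+?\.exe)', command, re.IGNORECASE)  # drop quotes and arguments
    return name, owner, exe.group(1) if exe else command


def masquerading_services(log_text):
    """List O23 services whose image has a system binary's name but sits outside System32."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, owner, path = parsed
        p = PureWindowsPath(path.lower())
        if p.name in SYSTEM_BINARIES and p.parts[1:-1] not in SYSTEM_DIRS:
            findings.append({"service": name, "owner": owner, "path": path})
    return findings


if __name__ == "__main__":
    for hit in masquerading_services(SAMPLE_LOG):
        print(f"{hit['service']} ({hit['owner']}): {hit['path']}")
```

A hit is a lead for review rather than a verdict; the owner field and the file itself still need checking before anything is removed.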

  #7  
Old 17th Nov 2007, 01:36
New Member Group
 
Just to let you know, I hate the program, I don't trust it xD. It kinda deleted sys32, which I thought you kinda needed. I probably hate it because it's not GUI, which I trust xD.
Attached Files
File Type: txt log.txt (14.3 KB, 5 views)
  #8  
Old 17th Nov 2007, 01:56
New Member Group
 
Hello? I am desperate...
  #9  
Old 17th Nov 2007, 01:58
Moderator Group
 
Takes a minute to look through the logs mate...

Run HijackThis and post a fresh log please.
__________________

  #10  
Old 17th Nov 2007, 02:06
New Member Group
 
Ah, sorry. ^^;
What my dad's telling me to do is just scan nod, if it isn't in the system32 folder, which I thought that combofix deleted, I'll delete it, he said. But, we think it's gone.
Attached Files
File Type: txt hijackthis.txt (7.6 KB, 10 views)