winkiller



stratcat250
09-13-2002, 04:55 PM
Hello, While searching for information on another file (DLLHost.exe) I came across links to a virus called winkiller. I ran a search for winkiller in "C" files and found a folder in C\windows\Temporary Internet Files\content.ie5\erptug2r. I ran McAfee on the folder and found no corrupted files. Is this a concern?

Bob

gangsta
09-13-2002, 05:06 PM
I think DLL Host is part of IE6 SP1 normal operation but I can't be sure. I didn't have it with IE 6.2600 but now with 6.2800 it is running all the time

stratcat250
09-13-2002, 05:25 PM
Thanks gangsta, It's good to hear that others are experiencing the same thing. I've never seen DLLHost run all the time. I actually have a post on DLLHost in Windows Operating systems-95,98,Me. Take a look.

Mocha
09-13-2002, 10:31 PM
Did you check for removal instructions, or how is it you came up with that file? If in doubt, run a scan at Trend Micro Housecall.

http://www.pchell.com/virus/winkiller.shtml

http://www.housecall.antivirus.com

TonyKlein
09-14-2002, 12:55 AM
Dllhost.exe is a DCOM file, which is included in a complete IE install.

Many bona fide applications need it.

And probably also some not so bona fide..

TonyKlein
09-14-2002, 12:57 AM
Here is some info about *a* WinKiller trojan: http://www.pchell.com/virus/winkiller.shtml

http://www.lurkhere.com/~nicefiles/index.html

Double-click it, and it will generate a text file that will list all running processes, and all applications that are loaded automatically when you start Windows.

Go to Edit > Select All, copy it and please post the contents here.

stratcat250
09-14-2002, 07:42 AM
Thanks for looking Tony, I actually already made a startup list. I don't totally understand what it is I'm looking at. Here it is;

StartupList report, 9/13/02, 8:10:26 PM
Detected: Windows 98 SE (Win9x 4.10.2222A)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
A:\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VsStatEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
ScanRegistry = c:\windows\scanregw.exe /autorun
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
SystemTray = SysTray.Exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
USBMMKBD = usbmmkbd.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

McAfeeVirusScanService = C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean]
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs]
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[>IEPerUser]
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Shell key & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:

[rename]
C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\SCAN.DAT=C:\WINDOWS\TEMP\SCAN.DAT
C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\CLEAN.DAT=C:\WINDOWS\TEMP\CLEAN.DAT
C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\NAMES.DAT=C:\WINDOWS\TEMP\NAMES.DAT

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@echo off
path C:\WINDOWS;C:\WINDOWS\COMMAND
@REM SetPower.exe will initialize the USB Keyboard.
@c:\windows\system\setpower.exe

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off
set path=c:\windows\command
mscdex.exe /d:IDECD000 /L:M
SET PROMPT=$p$g
SET TEMP=C:\windows\TEMP
SET TMP=C:\windows\TEMP
call c:\dosboot\mousie.bat
c:\windows\smartdrv /q
cd \windows

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------
End of report, 6732 bytes

StartupList version: 1.23.500
Started from: A:\STARTUPLIST.EXE

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

TonyKlein
09-14-2002, 08:20 AM
Well, we're looking for signs of any malware, but I'm happy to say there's none visible.

No trojan or anything else of a dubious nature in startup, which is a good thing.

If McAfee pronounced you clean, you can therefore assume you are.

No need for concern!
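
As an added example (not code from this thread, from TonyKlein, or from the StartupList tool itself), here is a small Python review of a report in the format stratcat250 posted above. It mechanizes what Tony checked by eye: that the .EXE/.COM/.BAT/.PIF/.SCR handlers still carry their default values, that the Shell= line in SYSTEM.INI still points at Explorer.exe, that no extra Explorer.exe copy is present, and, picking up Tony's remark that dllhost.exe is also used by "not so bona fide" software, that known system binaries in the process list run from the directory they belong in. The report text, the expected-value tables and the three deliberately altered entries are constructed assumptions for the demonstration.

```python
"""Review a StartupList-style report for the deviations a malware check looks for.

Added example, not part of the original thread or of StartupList.  The
SAMPLE_REPORT is a constructed excerpt in StartupList's layout with three
tampered entries: a second dllhost.exe running from C:\\WINDOWS\\TEMP, a
wrapped .SCR handler, and an extra Explorer.exe copy in C:\\.
"""
import re

# Default handler values as StartupList prints them on a clean Win9x box (assumption).
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
    ".PIF": '"%1" %*', ".SCR": '"%1" /S',
}

# Where these system binaries are expected to live on Win9x (assumption, upper-cased).
SYSTEM_BINARIES = {
    "DLLHOST.EXE": {r"C:\WINDOWS\SYSTEM"},
    "KERNEL32.DLL": {r"C:\WINDOWS\SYSTEM"},
    "EXPLORER.EXE": {r"C:\WINDOWS"},
}

# Constructed sample report (see module docstring for the tampered entries).
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\WINDOWS\TEMP\DLLHOST.EXE

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = C:\WINDOWS\TEMP\WRAP.EXE "%1" /S

--------------------------------------------------

Shell key & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: PRESENT!
C:\WINDOWS\System\Explorer.exe: not present
"""

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)


def split_sections(report):
    """Split on the dashed rule lines; yield (header line, remaining lines)."""
    sections = []
    for chunk in SEPARATOR.split(report):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if lines:
            sections.append((lines[0], lines[1:]))
    return sections


def review(report):
    """Return a list of human-readable findings; an empty list means nothing deviated."""
    findings = []
    for header, body in split_sections(report):
        if header.startswith("Running processes"):
            for path in body:
                directory, _, name = path.rpartition("\\")
                expected = SYSTEM_BINARIES.get(name.upper())
                if expected and directory.upper() not in expected:
                    findings.append(f"process {name} running from unexpected directory {directory}")
        elif header.startswith("File association entry for"):
            ext = header.split()[-1].rstrip(":").upper()
            for line in body:
                if line.startswith("(Default) ="):
                    value = line.split("=", 1)[1].strip()
                    expected = EXPECTED_ASSOC.get(ext)
                    if expected is not None and value != expected:
                        findings.append(f"{ext} handler is {value!r}, expected {expected!r}")
        elif header.startswith("Shell key"):
            for line in body:
                if line.upper().startswith("SHELL="):
                    shell = line.split("=", 1)[1].strip()
                    if shell.lower() != "explorer.exe":
                        findings.append(f"SYSTEM.INI shell is {shell!r}, expected Explorer.exe")
        elif header.startswith("Checking for EXPLORER.EXE instances"):
            present = [ln.rsplit(":", 1)[0] for ln in body if ln.endswith("PRESENT!")]
            for path in present:  # only the copy in C:\WINDOWS is the real shell
                if path.upper() != r"C:\WINDOWS\EXPLORER.EXE":
                    findings.append(f"extra Explorer.exe copy at {path}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_REPORT) or ["no deviations found"]:
        print(finding)
```

Run against stratcat250's own report, the checks come back empty, which is the conclusion Tony reached; against the constructed sample they report the three tampered entries. Extending the tables is the whole job: every "expected" value is a baseline, and the script only tells you where a report differs from that baseline.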

stratcat250
09-14-2002, 12:45 PM
Thank you, I always appreciate your help. Can the folders in Temp Int Files\content.ie5 be deleted or are these necessary files?

TonyKlein
09-14-2002, 02:10 PM
Usually you clean out your temporary internet files by going to Internet Options > Delete Files:

How to Delete the Contents of the Temporary Internet Files Folder: http://support.microsoft.com/default.aspx?scid=kb;NL;q260897

These odd-named folders are just Windows' little way of organizing things.
However, no matter which folder you look at you're presented with the same bunch of files.
Basically, you have to detach yourself from thinking of files and folders in the normal sense, and think of it as Explorer's best attempt to display the cache. You don't have duplicates littering your drive - there is only one copy of every file you see.

Every so often you could clean them up really well by rebooting into MS-DOS, and successively running the following commands from the C:\ prompt, every line followed by pressing 'enter':

cd windows
smartdrv
deltree tempor~1
exit (or win)(in order to return to Windows)

Your entire TIF folder will be recreated on reboot, and it will be slimmed down a lot.

There's also a great number of utilities available allowing you to clean your tifs and other temporary stuff.

I don't use them myself, but a lot of people really seem to enjoy them...

Good luck, Tony

stratcat250
09-14-2002, 03:45 PM
Tony, the content.ie5 isn't in the TIF folder so it doesn't clean with the conventional methods. It's in a drop file under TIF if you use Explorer. I tried to find it in My Computer C\windows\TIF and can't locate it there.

Mocha
09-15-2002, 12:39 AM
Tony,

I know, and I remember I had to download that in order to install a Wsock2 update. I wasn't speaking of that file, though.

I was wondering how he managed to locate that folder searching for Winkiller.

Anyway....later,
Carol