Unexpected dllhost.exe process running


7 replies to this topic

#1 Muas

Muas

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 25 March 2012 - 10:52 AM

Hello everybody.

It's the first time I post here, and I took a look at the Welcome Guide and some sticky posts about what one should do as a first-time user.
I also searched these forums for the problem I'm trying to solve.

I'm a bit conscious of what's going on on my PC when it's running, so I usually take a look at Task Manager to check whether there is anything "abnormal".

Recently I found this dllhost.exe running (I'm on XP Home, SP3), which I hadn't seen before, and tried to find out what it is and what it is doing.

Let's put it simple:

I usually have about 34 processes running.
I don't feel any performance hit when running the machine.
I checked my 7 svchost.exe's running and they all seem "harmless".
This dllhost.exe always runs at system start and never stops, unless I stop the DCOM process first.
This is not a problem with the process itself, as dllhost.exe seems to be where it is meant to be (..\Windows\System32\).
The problem is what dllhost.exe is doing, and what makes it run on Windows startup.
I found no related startup calls in the registry.
I found there is a file named DLLHOST.EXE-5353C76C.pf, located in ..\Windows\Prefetch\, and this is the one that keeps dllhost.exe running.
I tried to delete DLLHOST.EXE-5353C76C.pf, and it comes back to life again.

Of course I'm sure this isn't a good thing, and as I searched the internet I found this might be virus related, but I couldn't solve it.

I have my system updated, and I have MS Security Essentials running.

Now, can anyone please help me sort the problem out?
I'd appreciate it, thanks.

Edited by Muas, 25 March 2012 - 10:52 AM.
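The prefetch file named in the post is worth looking at directly. A .pf file is a trace the Windows prefetcher writes after a program has run, so that the next launch can pre-read the same pages; it records the executable name, a hash of its full path, a run counter and the last run time. It does not launch anything, which is why deleting it only results in a fresh copy after the next start. The following PowerShell script is an added example for this thread, not code from the original post; it reads those header fields from a Windows XP prefetch file (format version 17, with Vista/7 version 23 offsets included) and checks that the hash stored in the file matches the suffix in the file name, as it does for a genuine prefetch file. The default path is an assumption taken from the post; PowerShell 2.0 can be installed on XP SP3.

```powershell
# Added example; not code from the thread. Reads the header of a Windows
# prefetch file (XP/2003 version 17, Vista/7 version 23) and shows what it
# really contains: executable name, path hash, run count, last run time.
# Assumption: the default path is the file named in the post.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'Prefetch\DLLHOST.EXE-5353C76C.pf')
)

function Read-PrefetchHeader {
    param([string]$PfPath)
    $b = [System.IO.File]::ReadAllBytes($PfPath)
    $version = [BitConverter]::ToUInt32($b, 0)
    $sig = [System.Text.Encoding]::ASCII.GetString($b, 4, 4)
    if ($sig -ne 'SCCA') { throw "Not a prefetch file: signature '$sig'" }

    # Field offsets differ per format version
    switch ($version) {
        17 { $lastRunOffset = 0x78; $runCountOffset = 0x90 }   # XP / Server 2003
        23 { $lastRunOffset = 0x80; $runCountOffset = 0x98 }   # Vista / 7
        default { throw "Prefetch version $version not handled here (Windows 8+ layouts differ; Windows 10 files are compressed)" }
    }

    # Executable name: NUL-terminated UTF-16 in a 60-byte field at 0x10
    $exeName = [System.Text.Encoding]::Unicode.GetString($b, 0x10, 60).Split([char]0)[0]

    # Hash of the executable's full path at 0x4C; the same value is the
    # hex suffix of the .pf file name (DLLHOST.EXE-5353C76C.pf)
    $storedHash = '{0:X8}' -f [BitConverter]::ToUInt32($b, 0x4C)
    $nameHash = [System.IO.Path]::GetFileNameWithoutExtension($PfPath).Split('-')[-1]

    New-Object PSObject -Property @{
        File        = $PfPath
        Version     = $version
        Executable  = $exeName
        PathHash    = $storedHash
        HashMatches = ($storedHash -eq $nameHash.ToUpper())
        LastRunUtc  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($b, $lastRunOffset))
        RunCount    = [BitConverter]::ToUInt32($b, $runCountOffset)
    }
}

Read-PrefetchHeader $Path | Format-List File, Version, Executable, PathHash, HashMatches, LastRunUtc, RunCount
```

A rising RunCount across reboots together with a LastRunUtc close to each boot time is consistent with a surrogate started at logon by DCOM; the file itself is evidence of execution, not the cause of it. To find what starts the process, look at the command line and parent of the running dllhost.exe rather than at the Prefetch folder.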



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 25 March 2012 - 12:11 PM

Hello. The dllhost.exe file is located in the folder C:\Windows\System32. In other cases, dllhost.exe is a virus, spyware, trojan or worm!

Oddly, DLLHOST.EXE-5353C76C.pf looks like a clean file.

DCOM DLL host process
The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. For example, it loads the .NET runtime. There can be multiple instances of the DLLhost.exe process running.

You should install this patch Windows XP: DCOM/RPC Exploit patch


As there is some conflicting info on the file's validity, let's scan.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [checkbox image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]

NOTE: In some instances if no malware is found there will be no log produced.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
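The reply above describes dllhost.exe as the DCOM DLL host, and that is the angle from which the question "what is it doing?" can actually be answered: a surrogate instance is started by DCOM with a command line of the form dllhost.exe /Processid:{AppID}, and that AppID maps through HKCR\AppID and HKCR\CLSID to the COM DLL it is hosting. The PowerShell script below is an added example for this thread, not code from the post or from Microsoft. For every running dllhost.exe it reports the image path, parent process, user and command line, resolves the AppID to the registered classes and their DLLs, and compares the binary against the protected copy in System32\dllcache. The dllcache comparison is there because XP system files are catalog-signed, so Get-AuthenticodeSignature reports the genuine file as NotSigned and cannot be used as a test. It assumes PowerShell 2.0 on XP SP3 and an administrator account (needed to read dllcache and other users' processes); the expected path and dllcache location are the standard XP ones.

```powershell
# Added example; not code from the thread or from Microsoft.
# Inspects every running dllhost.exe: where it runs from, who started it,
# which AppID it was given, which COM classes live under that AppID, and
# whether the binary matches the copy Windows File Protection keeps in dllcache.
# Assumptions: PowerShell 2.0 on Windows XP SP3, run as an administrator.
$expectedPath = Join-Path $env:SystemRoot 'System32\dllhost.exe'
$dllcachePath = Join-Path $env:SystemRoot 'System32\dllcache\dllhost.exe'

function Get-Sha256 {
    # Get-FileHash does not exist in PowerShell 2.0, so hash via .NET
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($File)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

function Get-AppIdClasses {
    # Walks HKCR\CLSID and returns the classes whose AppID value equals $AppId,
    # with the in-process DLL each one is served from. Takes a few seconds.
    param([string]$AppId)
    $result = @()
    foreach ($k in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        if ($p.AppID -eq $AppId) {
            $dll = $null
            $srv = Join-Path $k.PSPath 'InprocServer32'
            if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)' }
            $result += New-Object PSObject -Property @{
                Clsid = $k.PSChildName
                Name  = $p.'(default)'
                Dll   = $dll
            }
        }
    }
    $result
}

foreach ($proc in Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'") {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
    $owner  = $proc.GetOwner()
    Write-Host "PID $($proc.ProcessId)  image: $($proc.ExecutablePath)"
    Write-Host "  parent: $($parent.Name) (PID $($proc.ParentProcessId))  user: $($owner.Domain)\$($owner.User)"
    Write-Host "  cmdline: $($proc.CommandLine)"

    # A surrogate outside System32 is not the Windows binary, whatever its name
    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ne $expectedPath)) {
        Write-Warning "PID $($proc.ProcessId): dllhost.exe running from an unexpected location"
    }

    # DCOM starts surrogates as: dllhost.exe /Processid:{AppID}
    if ($proc.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
        $appId  = $Matches[1]
        $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
        if (Test-Path $appKey) {
            $ap = Get-ItemProperty $appKey
            Write-Host "  AppID $appId = '$($ap.'(default)')'  DllSurrogate = '$($ap.DllSurrogate)'"
            Get-AppIdClasses $appId | ForEach-Object {
                Write-Host "    hosts $($_.Clsid) '$($_.Name)' from $($_.Dll)"
            }
        } else {
            Write-Warning "PID $($proc.ProcessId): AppID $appId is not registered under HKCR\AppID"
        }
    }
}

# Windows File Protection keeps a reference copy; a mismatch means the
# System32 binary has been replaced (or dllcache has been tampered with too).
if (Test-Path $dllcachePath) {
    $live  = Get-Sha256 $expectedPath
    $cache = Get-Sha256 $dllcachePath
    if ($live -eq $cache) { Write-Host "dllhost.exe matches the dllcache copy (SHA-256 $live)" }
    else { Write-Warning "dllhost.exe differs from the dllcache copy: $live vs $cache" }
}
```

For a legitimate surrogate the parent is the svchost.exe instance hosting the DCOM Server Process Launcher (DcomLaunch), the AppID exists with an empty DllSurrogate value (meaning the default surrogate, dllhost.exe), and the DLLs listed under "hosts" are the thing to identify: their path and vendor tell you what the process is doing. The usual red flags are a dllhost.exe image outside System32, a command line without /Processid, an AppID that is not registered at all, or a hosted DLL sitting in a user-writable directory.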

#3 Muas

Muas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 27 March 2012 - 01:36 PM

Thank you for your answer.

1) Windows XP: DCOM/RPC Exploit patch

I'm on Win XP SP3; this patch is only applicable to SP1 (and SP2?), so I believe my system is already patched against this exploit, as it doesn't accept this install.

2) Here is the Malware Bytes log

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.27.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
João :: AGUDELA [administrator]

27-03-2012 10:33:15
mbam-log-2012-03-27 (10-33-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 418101
Time elapsed: 10 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

3) ESET OnlineScan

I tried to run this scan, but the system crashed during the process. There were 5 threats detected, but I believe they were not cleaned.
I'll try to run it again tonight, and I'll include it in the next post, if I manage to get it to run without crashing.

Cheers.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 27 March 2012 - 02:21 PM

OK, the patch is OK. You can try this also for ESET:
Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Or an alternative:
Please run the F-Secure Online Scanner
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report in your next reply.

#5 Muas

Muas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 28 March 2012 - 06:29 AM

Here's the ESET safe mode scan result:

G:\Pessoal\conteudo.exe	a variant of Win32/Packed.ExeScript.D trojan	cleaned by deleting - quarantined
G:\System Volume Information\_restore{1DAF4B4C-18F8-4C05-8364-FB27F7ABE46F}\RP474\A0295286.exe	a variant of Win32/SoftonicDownloader.A application	cleaned by deleting - quarantined
G:\System Volume Information\_restore{1DAF4B4C-18F8-4C05-8364-FB27F7ABE46F}\RP474\A0295287.exe	a variant of Win32/Keygen.AD application	cleaned by deleting - quarantined
G:\System Volume Information\_restore{1DAF4B4C-18F8-4C05-8364-FB27F7ABE46F}\RP474\A0295288.exe	a variant of Win32/Packed.ExeScript.D trojan	cleaned by deleting - quarantined
G:\System Volume Information\_restore{1DAF4B4C-18F8-4C05-8364-FB27F7ABE46F}\RP474\A0296329.exe	Win32/Hoax.ArchSMS.KC application	deleted - quarantined
G:\System Volume Information\_restore{1DAF4B4C-18F8-4C05-8364-FB27F7ABE46F}\RP474\A0296330.exe	a variant of Win32/Packed.ExeScript.D trojan	cleaned by deleting - quarantined

dllhost.exe is still there, running.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 28 March 2012 - 02:49 PM

How much CPU is it using?..

Those ESET items are in the restore points. You should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#7 Muas

Muas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 29 March 2012 - 09:53 AM

> How much CPU is it using?..

Percentage of CPU usage is very low, barely 0%-1%, 6,276K memory.

I'll clean my system restore files then.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 29 March 2012 - 10:09 AM

I think you are OK. The process will kick up every time you use images, like thumbnails and pictures.