
multiple dllhost.exe running in windows 7


6 replies to this topic

#1 nomadsam


Posted 17 February 2014 - 02:38 PM

I am not especially tech savvy so please keep answers simple.   :)

 

I have already used Kaspersky (ran from flash drive...took HOURS) and it caught some things.  I also have run a few things over the last few days, but not sure where to go now as the computer is running at 100% CPU Usage unless I go in and "stop" some of them, but that is clearly time consuming.

 

Currently backing up files just in case (I have an Iomega that doesn't like Windows 7 restore and backup program manually, so I am having to back up documents, etc manually.  Of course this is taking forever with multiple dllhost running).  Currently using a secondary computer to post as I cannot do anything without EXTREMELY slow processing.

 

Please help? I am not sure what to do now!!

 

Thanks in advance!

 

ETA:  I opened file location on a few of the dllhost.exe files that are running and all of them seem to be in the folder "SysWOW64".  Not sure if that makes a difference.


Edited by nomadsam, 17 February 2014 - 02:43 PM.




#2 jomill


Posted 17 February 2014 - 04:03 PM

Boot to safe mode.

C:\Users\{name}\APPDATA\Local\Temp\(RandomName)\(RandomName)\wow.dll

It's a hidden, system file. Take ownership and delete it. Refresh and make sure it didn't come back.  If it did, you have to be quick. Make a dummy text file called wow.dll and copy it immediately after you delete the file.  The excessive running processes actually work to your advantage here, slowing the system long enough for you to swap the file.

 

If dllhost.exe builds up, launch an admin control panel and use:

 

Taskkill /im dllhost.exe /f

 

I'm battling a new variant of this one now.  It comes back very fast, no evident malware processes (probably assumed a Windows service name).  If I find a solution for the new variant, I'll update this.



#3 nomadsam


Posted 17 February 2014 - 04:57 PM

Sorry...I am not sure I understand.  

So restart computer in safe mode...I know how to do that part....I think.

 

But not sure how to do the other things you listed? I am guessing that {name} would be whatever my computer user name is (where the file is located), but "random name"...not sure what that means.

 

This won't delete anything I need?

 

Thank you for the quick reply



#4 jomill


Posted 17 February 2014 - 05:22 PM

Yes, name is the Windows User Name.

The RandomName indicates that the folder will be named some random set of letters and numbers (not consistent between two different machines).  You really need to know what belongs in that folder to know what stands out as malicious.

 

Go to folder options in control panel.  Turn on "Show Hidden Files" and uncheck "Hide System Files". That is the only way you will be able to see the file.



#5 nomadsam


Posted 17 February 2014 - 05:31 PM

That is already checked in my folder options. I can see the files fine.  I just am trying to understand what you mean by needing to know what belongs in the folder.  I can see the items in the folder, I can go into task manager and right click on the process when it runs and go right to the folder it's located.  

 

So I am still not sure what you are telling me to do?  Sorry if I am missing something simple.  



#6 jomill


Posted 17 February 2014 - 05:50 PM

Go to c:\Users\YourName\Appdata\Local\Temp\

In there you will see a hidden, system folder with a random name. Ex: sjtwrakl

In the folder properties change the permissions so you have full access to it, or ownership of the folder.

Then simply delete the folder.

Give it a few seconds and refresh the window.  If the folder doesn't come back, you're all good!

If it does come back, something else is installing it. That part I'm still working on. 



#7 nomadsam


Posted 17 February 2014 - 06:33 PM

I guess that is the problem....most of the files have "random" names....I have no way of knowing which one is to be deleted.  
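
Added example (not part of any post in this thread): a read-only PowerShell check for the two things the replies above ask the reader to find by hand, namely the running dllhost.exe instances and the Temp folders that carry both the Hidden and System attributes, along with any wow.dll inside them. It changes nothing on disk. The function names are made up for this example, and the `/Processid:{GUID}` argument check is a general assumption about how a normal COM Surrogate is launched, not something stated in the thread.

```powershell
# Read-only triage for the symptoms described in this thread (added example).
# Uses only cmdlets available in PowerShell 2.0, the version shipped with Windows 7.

# 1. Every running dllhost.exe with its image path, parent PID and command line.
#    Assumption: a normal COM Surrogate instance is started as
#    "dllhost.exe /Processid:{GUID}"; instances without that argument deserve a closer look.
function Get-DllhostInstances {
    Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'" |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine,
            @{ Name = 'HasProcessIdArg'
               Expression = { $_.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}' } }
}

# 2. Folders directly under the user's Temp directory that are BOTH Hidden and System,
#    plus any wow.dll found inside them (the layout given in posts #2 and #6).
function Get-HiddenSystemTempFolders {
    param([string]$TempRoot = (Join-Path $env:LOCALAPPDATA 'Temp'))

    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -Path $TempRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (($_.Attributes -band $mask) -eq $mask) } |
        ForEach-Object {
            # -Force is needed again here because the DLL itself is hidden
            $dlls = @(Get-ChildItem -Path $_.FullName -Recurse -Force -Filter 'wow.dll' `
                          -ErrorAction SilentlyContinue)
            New-Object PSObject -Property @{
                Folder  = $_.FullName
                Created = $_.CreationTime
                WowDll  = ($dlls | ForEach-Object { $_.FullName }) -join '; '
            }
        }
}

Get-DllhostInstances        | Format-List
Get-HiddenSystemTempFolders | Format-List Folder, Created, WowDll
```

Ordinary Temp folders are not marked Hidden and System, so the second list is normally short or empty; a folder that appears there with a non-empty WowDll column matches the description given in the replies.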





