
dllhost.exe using lots of CPU


8 replies to this topic

#1 wings515

wings515

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 04 September 2014 - 02:39 PM

I have been on this problem for about 2 weeks.  Ran almost every antivirus app I could find.  Even went so far as to format the C: drive and re-install 7 from a known good CD.  The install went fine until after the second round of MS updates.  Using the Task Manager and enabling All Users, the dllhost.exe*32 starts out with about 7M of RAM use and then climbs to over 500M.  At the same time the CPU % utilization climbs to close to 90%. Below is a copy of the Process Monitor.

 

 

Process CPU Private Bytes Working Set PID Description Company Name
System Idle Process 98.49 0 K 24 K 0  
System 0.08 164 K 992 K 4  
 Interrupts 0.22 0 K 0 K n/a Hardware Interrupts and DPCs 
 smss.exe  368 K 1,032 K 248 Windows Session Manager Microsoft Corporation
csrss.exe < 0.01 1,788 K 4,492 K 336 Client Server Runtime Process Microsoft Corporation
wininit.exe  1,324 K 4,260 K 372 Windows Start-Up Application Microsoft Corporation
 services.exe 0.01 3,192 K 6,544 K 424 Services and Controller app Microsoft Corporation
  svchost.exe  3,224 K 8,536 K 592 Host Process for Windows Services Microsoft Corporation
   dllhost.exe 0.01 9,512 K 12,044 K 1532 COM Surrogate Microsoft Corporation
   WmiPrvSE.exe  2,476 K 6,524 K 2396 WMI Provider Host Microsoft Corporation
  svchost.exe < 0.01 3,076 K 7,008 K 668 Host Process for Windows Services Microsoft Corporation
  svchost.exe < 0.01 8,484 K 11,888 K 752 Host Process for Windows Services Microsoft Corporation
  svchost.exe  13,220 K 22,352 K 804 Host Process for Windows Services Microsoft Corporation
   dllhost.exe 0.01 17,044 K 31,796 K 2952 COM Surrogate Microsoft Corporation
    ctfmon.exe  1,568 K 3,432 K 2288 CTF Loader Microsoft Corporation
  svchost.exe  3,244 K 7,572 K 880 Host Process for Windows Services Microsoft Corporation
  svchost.exe 0.01 11,104 K 14,572 K 920 Host Process for Windows Services Microsoft Corporation
  svchost.exe  6,964 K 14,496 K 960 Host Process for Windows Services Microsoft Corporation
  svchost.exe  7,612 K 13,060 K 232 Host Process for Windows Services Microsoft Corporation
  svchost.exe  39,596 K 20,832 K 364 Host Process for Windows Services Microsoft Corporation
 lsass.exe  4,256 K 11,040 K 484 Local Security Authority Process Microsoft Corporation
 lsm.exe  2,132 K 3,920 K 492 Local Session Manager Service Microsoft Corporation
csrss.exe 0.15 1,756 K 5,344 K 384 Client Server Runtime Process Microsoft Corporation
winlogon.exe  1,500 K 4,948 K 456 Windows Logon Application Microsoft Corporation
 taskmgr.exe 0.14 2,348 K 7,824 K 1052 Windows Task Manager Microsoft Corporation
explorer.exe 0.09 40,240 K 47,648 K 1108 Windows Explorer Microsoft Corporation
 ctfmon.exe  1,628 K 3,320 K 1252 CTF Loader Microsoft Corporation
 ProcExp.exe  2,512 K 6,560 K 3052 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
  ProcExp64.exe 0.63 21,020 K 37,484 K 3068 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
iexplore.exe 0.01 13,616 K 31,772 K 852 Internet Explorer Microsoft Corporation
 iexplore.exe 0.15 45,380 K 70,796 K 1208 Internet Explorer Microsoft Corporation

 

The Bold Underlined file is the culprit.

I have run CCleaner, Malwarebytes, ComboFix, AdwCleaner.  Changed the permissions and deleted the file, restored the file from another PC, all with the same result.  I would like to fix this for my own education.

 

Thanks,

Regards,

Wings515

 




 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,415 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:08 PM

Posted 04 September 2014 - 02:41 PM

Please download MiniToolBox, save it to your desktop and run it.
 
Checkmark the following checkboxes:
  List last 10 Event Viewer log
  List Installed Programs
  List Users, Partitions and Memory size.
 
Click Go and paste the content into your next post.
 
Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.
 
Louis



#3 wings515

wings515
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 05 September 2014 - 11:29 AM

Looking at another post I ran FRST. Attached are the two files.   Mod Edit:  Deleted FRST, not requested...not used in this forum - Hamluis.

I'll run the Toolbox and re-post 

 

Thanks


Edited by hamluis, 05 September 2014 - 01:06 PM.


#4 wings515

wings515
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 05 September 2014 - 11:34 AM

Here are the results from Minitoolbox.

 

MiniToolBox by Farbar  Version: 21-07-2014
Ran by William (administrator) on 05-09-2014 at 12:30:26
Running from "C:\Users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BXJEWQ47"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

 

========================= Event log errors: ===============================

 

Application errors:
==================
Error: (09/05/2014 00:03:51 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/05/2014 11:21:46 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/05/2014 11:16:26 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:53:37 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:21:08 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:  The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:  The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:  The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:  The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:  Element not found.  (HRESULT : 0x80070490) (0x80070490)

System errors:
=============
Error: (09/05/2014 11:49:40 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Windows 7 for x64-based Systems (KB2515325).

 

Error: (09/05/2014 11:49:38 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Windows 7 for x64-based Systems (KB2913152).

 

Error: (09/05/2014 11:36:37 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2912390).

 

Error: (09/05/2014 11:36:37 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Windows 7 for x64-based Systems (KB982018).

 

Error: (09/05/2014 11:36:37 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2976627).

 

Error: (09/05/2014 11:18:40 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

 

Error: (09/05/2014 11:18:40 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

 

Error: (09/05/2014 11:18:40 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

 

Error: (09/05/2014 11:18:28 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

 

Error: (09/05/2014 11:18:28 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Microsoft Office Sessions:
=========================
Error: (09/05/2014 00:03:51 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/05/2014 11:21:46 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/05/2014 11:16:26 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:53:37 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:21:08 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service)(User: )
Description:
Details:   The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
The catalog is corrupt

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service)(User: )
Description:
Details:  The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:   The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:   The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

Error: (09/04/2014 09:20:43 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:  Element not found.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer

 

=========================== Installed Programs ============================
avast! Free Antivirus (HKLM-x32\...\Avast) (Version: 9.0.2021 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.17 - Piriform)
ContentExplorer (HKLM-x32\...\ContentExplorer) (Version: 8.4 - ContentExplorer.net)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Severe Weather Alerts (HKCU\...\Severe Weather Alerts) (Version: 1.26.0.0 - Weather Notifications, LLC)

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 68%
Total physical RAM: 1978.92 MB
Available physical RAM: 623.79 MB
Total Pagefile: 3957.84 MB
Available Pagefile: 2370.36 MB
Total Virtual: 4095.88 MB
Available Virtual: 3992.59 MB

 

========================= Partitions: =====================================

1 Drive c: (New Volume) (Fixed) (Total:232.79 GB) (Free:209.11 GB) NTFS

 

========================= Users: ========================================

User accounts for \\WILLIAM-PC

Administrator            Guest                    William                 

 

========================= Minidump Files ==================================

No minidump file found

 

========================= Restore Points ==================================

31-08-2014 14:28:15 Windows Update
31-08-2014 14:34:38 avast! antivirus system restore point
31-08-2014 14:40:53 Windows Update
31-08-2014 15:30:49 Windows Update
31-08-2014 18:19:37 Windows Update
31-08-2014 23:53:43 Windows Update
04-09-2014 13:20:42 avast! antivirus system restore point
04-09-2014 13:27:38 Windows Update
05-09-2014 15:24:22 Windows Update
05-09-2014 15:52:44 Windows Update

 

**** End of log ****



Edited by hamluis, 05 September 2014 - 01:22 PM.


#5 wings515

wings515
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 05 September 2014 - 12:36 PM

And the last request.

http://speccy.piriform.com/results/UxpOQQ3D1RpvznqeNeL7lyP



#6 hamluis

hamluis

    Moderator


  • Moderator
  • 56,415 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:08 PM

Posted 05 September 2014 - 01:08 PM

Please...I'd appreciate if you follow directions and do not submit data which is not requested.  The files you submitted on your own are not allowed/used in this forum.

 

Thanks :).

 

Please allow me a few minutes to review the data which I requested...and you submitted :).

 

Louis

 

Looking at the data submitted...I don't see "the problem" that you see.  I see (on my system) at least 6 different processes that are employing more resources than the one you chose to highlight...and there's nothing wrong with my system.

 

You assert that all these excess usages occur...but your submittal from Process Monitor...doesn't reflect a problem, IMO.

 

Neither do your Event Viewer errors...the errors reflected are what I consider "common" and just administrative errors that can be easily corrected, if that's what we want to do.

 

I suggest that you run the chkdsk /r command...followed by running the sfc /scannow command...to try to eliminate the nuisance errors.

 

Chkdsk From Command Prompt, Win 7 - http://www.bleepingcomputer.com/forums/t/496613/contextmenu-is-causing-explorerexe-to-crash/?p=3067880

 

SFC -SCANNOW Run in Command Prompt at Boot - Windows 7 Forums - http://www.sevenforums.com/tutorials/139810-sfc-scannow-run-command-prompt-boot.html

 

FWIW:  Often...members look at someone else's topic for clues to their own problems.  That would be fine...if the problems were the same (note that I said "problems", not "symptoms").  If you read up on just about any file which seems to be a problem...you will see that there are multiple causes for what might appear to be similar effects.  Things go wrong with Windows every day...it's not always malware :).


Edited by hamluis, 05 September 2014 - 01:58 PM.


#7 wings515

wings515
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 05 September 2014 - 01:29 PM

So sorry, I got confused as to which person was requesting what app to run.  I will be more attentive to the individual post.

Regards.

BTW I have removed all instances of Severe Weather.

 

Thanks,

wings515



#8 wings515

wings515
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:08 PM

Posted 05 September 2014 - 03:06 PM

Thank you for the reply.  During the past hour, while using the 'infected' laptop, I got a Crash Dump. I shut it down and I am using another machine.

The file or process that I suspect is in C:/Windows/sysWOW64.  The task manager, all users show dllhost.exe*32 using at one point 330 MB of RAM.

I know I am very light on understanding the internals of the OS but this just seems odd.

The first indication of a problem was when Avast picked it up as malware. It was trying to open 75.126.131.230.

This notification from Avast repeatedly popped up. Overall the PC just runs very slow while the dllhost.exe is using lots of CPU.

I will run the two suggestions again since I ran them once before and things have changed.

Thanks again
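
An added example, not part of the thread: a read-only PowerShell check for seeing what each dllhost.exe (COM Surrogate) instance like the one described above is actually hosting, by reading the /Processid:{AppID} argument on its command line and resolving it in the registry. It assumes a 64-bit, elevated PowerShell session; the helper names Get-RegDefault and Get-Sha256 are made up for this example.

```powershell
# Added example, not from the thread. Read-only: lists each dllhost.exe
# (COM Surrogate) instance and what it is hosting. Get-WmiObject is used so
# it also runs on the PowerShell 2.0 shipped with Windows 7 SP1.
# Run elevated so ExecutablePath/CommandLine are filled in for all users.

$expected = @(
    (Join-Path $env:windir 'System32\dllhost.exe'),
    (Join-Path $env:windir 'SysWOW64\dllhost.exe')   # 32-bit copy, shown as *32
)

function Get-RegDefault([string]$Key) {
    # Default value of a registry key, or $null if the key does not exist.
    if (Test-Path -LiteralPath $Key) {
        (Get-ItemProperty -LiteralPath $Key).'(default)'
    }
}

function Get-Sha256([string]$File) {
    # SHA-256 via .NET, because Get-FileHash is not available on PowerShell 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $p      = $_
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # A COM Surrogate is started as: dllhost.exe /Processid:{AppID GUID}
    $appId = $null
    if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $appId = $Matches[1] }

    $appName = $null; $dll = $null
    if ($appId) {
        # Check the native and the 32-bit (Wow6432Node) registry views.
        foreach ($root in 'Registry::HKEY_CLASSES_ROOT',
                          'Registry::HKEY_CLASSES_ROOT\Wow6432Node') {
            if (-not $appName) { $appName = Get-RegDefault "$root\AppID\$appId" }
            # Resolves only when the class reuses its AppID GUID as its CLSID.
            if (-not $dll) { $dll = Get-RegDefault "$root\CLSID\$appId\InprocServer32" }
        }
    }

    New-Object PSObject -Property @{
        ProcessId      = $p.ProcessId
        Parent         = if ($parent) { $parent.Name } else { '(exited)' }
        Path           = $p.ExecutablePath
        PathIsExpected = $expected -contains $p.ExecutablePath
        Sha256         = if ($p.ExecutablePath) { Get-Sha256 $p.ExecutablePath }
        WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
        AppId          = $appId
        AppIdName      = $appName
        HostedDll      = $dll
    }
} | Select-Object ProcessId, Parent, Path, PathIsExpected, Sha256,
                  WorkingSetMB, AppId, AppIdName, HostedDll | Format-List
```

A dllhost.exe running from outside the two expected locations, or with no /Processid: argument on its command line, is the instance to look at first. The hash can be compared with the same file on a known-good machine at the same patch level.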



#9 hamluis

hamluis

    Moderator


  • Moderator
  • 56,415 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:08 PM

Posted 05 September 2014 - 04:41 PM

Please explain "Avast picked it up as malware".

 

Did Avast remove it?  Quarantine it?  Please post the exact Avast message/alert.

 

There's no need to rerun anything...as I said...just post the requested information.

 

Louis





