
CPU being maxed out, dllhost.exe and internet explorer


  • This topic is locked
10 replies to this topic

#1 btsquared

btsquared

  • Members
  • 6 posts

Posted 15 October 2014 - 10:02 PM

Sometime after starting my computer it becomes extremely slow and the CPU maxes out and stays there until I restart the computer. The task manager shows multiple instances of Internet Explorer running but none are visible in the task bar and I did not open any IE windows. These instances of IE are connected to dllhost.exe because when I end a dllhost.exe one of the IE instances will end. However, dllhost.exe keeps restarting and can not be removed permanently. I have looked through other instances of this and have attached the TDSSKiller and FRST reports. I am running Vista Home Premium 64bit. Thank you in advance for your help.

Attached Files
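
The symptom reported in the post above (hidden iexplore.exe instances that exit when a particular dllhost.exe is ended) is a parent/child relationship that can be checked from a process listing. The following is an added example, not part of the original thread or of any tool used in it: it runs over a constructed snapshot and flags dllhost.exe processes that parent iexplore.exe, run from outside the system directories, or lack the /Processid:{GUID} argument that COM surrogate instances are normally started with; the snapshot values and the names triage and image_name are assumptions.

```python
import ntpath  # Windows path rules on any OS

# Constructed snapshot: (pid, parent pid, image path, command line).
# Illustrative values only; not taken from the poster's machine.
SNAPSHOT = [
    (612, 500, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    (2040, 612, r"C:\Windows\System32\dllhost.exe",
     "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"),
    (3100, 1900, r"C:\Windows\System32\dllhost.exe", "dllhost.exe"),
    (3188, 3100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    (3244, 3100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    (4012, 1500, r"C:\Program Files\Internet Explorer\iexplore.exe",
     "iexplore.exe http://example.com/"),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def image_name(path):
    return ntpath.basename(path).lower()

def triage(snapshot):
    """Map each suspicious dllhost.exe pid to its reasons and iexplore.exe children."""
    procs = {pid: (ppid, path, cmd) for pid, ppid, path, cmd in snapshot}
    findings = {}
    for pid, (_, path, cmd) in procs.items():
        if image_name(path) != "dllhost.exe":
            continue
        reasons = []
        if ntpath.dirname(path).lower() not in SYSTEM_DIRS:
            reasons.append("image outside system directory")
        # Heuristic: COM surrogate instances normally carry /Processid:{GUID}.
        if "/processid:{" not in cmd.lower():
            reasons.append("no /Processid:{GUID} argument")
        children = sorted(child for child, (ppid, cpath, _) in procs.items()
                          if ppid == pid and image_name(cpath) == "iexplore.exe")
        if children:
            reasons.append("parent of %d iexplore.exe process(es)" % len(children))
        if reasons:
            findings[pid] = {"reasons": reasons, "children": children}
    return findings

if __name__ == "__main__":
    for pid, info in triage(SNAPSHOT).items():
        print(pid, "; ".join(info["reasons"]), info["children"])
```
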





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 October 2014 - 09:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

() C:\Windows\System32\RunFDS.exe
HKU\S-1-5-21-3090190035-4030179846-3314137925-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [3080704 2008-10-28] (Microsoft Corporation) <==== ATTENTION
FF SearchPlugin: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\7esrjq5x.default\searchplugins\yahoo_ff.xml
FF Extension: XULRunner - C:\Users\Brian\AppData\Local\{0A7222E7-7196-46CE-A6C6-DD18322412A1} [2011-05-12]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\Windows\System32\RunFDS.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

#3 btsquared

btsquared
  • Topic Starter

  • Members
  • 6 posts

Posted 20 October 2014 - 07:36 PM

Thank you for your help.
 
I have attached the files from running FRST and Security Check.
 
After running the programs there are still many instances of dllhost.exe running and now they use ten times (10x) more memory than before. (40,000kb vs 4000kb)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-10-2014 01
Ran by Brian at 2014-10-20 16:54:23 Run:1
Running from C:\Users\Brian\Pictures\backgrounds
Loaded Profile: Brian (Available profiles: Brian)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

() C:\Windows\System32\RunFDS.exe
HKU\S-1-5-21-3090190035-4030179846-3314137925-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [3080704 2008-10-28] (Microsoft Corporation) <==== ATTENTION
FF SearchPlugin: C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\7esrjq5x.default\searchplugins\yahoo_ff.xml
FF Extension: XULRunner - C:\Users\Brian\AppData\Local\{0A7222E7-7196-46CE-A6C6-DD18322412A1} [2011-05-12]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\Windows\System32\RunFDS.exe

End
*****************

[1328] C:\Windows\System32\RunFDS.exe => Process closed successfully.
HKU\S-1-5-21-3090190035-4030179846-3314137925-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\7esrjq5x.default\searchplugins\yahoo_ff.xml => Moved successfully.
C:\Users\Brian\AppData\Local\{0A7222E7-7196-46CE-A6C6-DD18322412A1} => Moved successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
C:\Windows\System32\RunFDS.exe => Moved successfully.

==== End of Fixlog ====

Attached Files


Edited by nasdaq, 21 October 2014 - 09:31 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 October 2014 - 09:32 AM

Run this tool and fix everything that is found.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

#5 btsquared

btsquared
  • Topic Starter

  • Members
  • 6 posts

Posted 21 October 2014 - 09:02 PM

Rogue Killer seems to have worked. While running the scan, Microsoft Security Essentials detected other threats and required me to restart. Upon restarting, dllhost.exe no longer launches and the memory and CPU usage seem to have returned to normal.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 October 2014 - 10:08 AM

Please run the Farbar tool normally and post a fresh FRST log for my review.

===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

#7 btsquared

btsquared
  • Topic Starter

  • Members
  • 6 posts

Posted 22 October 2014 - 09:27 PM

Ran the requested scans and the resulting files are attached.

Results of screen317's Security Check version 0.99.89
Windows Vista Service Pack 1 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner (remove only)
Java 7 Update 60
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (3.6.6) Firefox out of Date!
Google Chrome 37.0.2062.120
Google Chrome 37.0.2062.124
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
IObit IObit Malware Fighter IMFsrv.exe
IObit IObit Malware Fighter IMF.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 9 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Attached Files


Edited by nasdaq, 23 October 2014 - 09:46 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 October 2014 - 09:54 AM

Clean your Temporary files/Folders.

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.

===

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
    start
    
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-11-04]
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-06-08]
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-25]
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-02]
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-21]
    FF HKCU\...\Firefox\Extensions: [{0A7222E7-7196-46CE-A6C6-DD18322412A1}] - C:\Users\Brian\AppData\Local\{0A7222E7-7196-46CE-A6C6-DD18322412A1}
    FF Extension: No Name - C:\Users\Brian\AppData\Local\{0A7222E7-7196-46CE-A6C6-DD18322412A1} [Not Found]
    Task: {5F363A51-20F1-42D4-AD27-144636800B09} - \Security Center Update - 2619349716 No Task File <==== ATTENTION
    
    End
    
    Save the file as fixlist.txt into the same folder as FRST.

    Run FRST and click Fix only once and wait.

    Restart the computer normally to reset the registry.

    The tool will create a log (Fixlog.txt); please post it in your reply.
    ===

    Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
    Latest version is Java JRE 7u67.

    You can manually check your present version and update as recommended.
    https://www.java.com/en/download/installed.jsp

    Be careful not to install malware posing as Java update!
    Important: read this blog.
    http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

    Quoted from the page.
    "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    How to disable Java in your browsers
    http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


    If present remove the old version(s) of Java using the Add/Remove Programs applet.

    Java 7 Update 60

    ===

    Get the latest version of the Adobe Reader.
    http://get.adobe.com/reader/
    Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

    When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
    <<<>>>

    Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

    Flash test site:
    http://www.adobe.com/software/flash/about/
    Install the new version or if you have the latest close the windows.

    Flash Player Help / Find version
    http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
    ===

    After a restart of the computer and if all is well I suggest you install the Vista SP2.
    Follow the instructions on this page.
    http://windows.microsoft.com/en-ca/windows-vista/learn-how-to-install-windows-vista-service-pack-2-sp2


#9 btsquared

btsquared
  • Topic Starter

  • Members
  • 6 posts

Posted 26 October 2014 - 12:27 AM

Thank you for your help. All updates to programs were made as suggested. I have attached the fix report as well. Everything seems to be running as normal.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 October 2014 - 07:56 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 November 2014 - 09:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



