
DLLs, MUIs & DISMHOST.EXE re-appearing in temp folder


4 replies to this topic

#1 Jones9800

Jones9800

  • Members
  • 2 posts

Posted 06 February 2016 - 02:56 AM

I have folders and files appearing randomly in my Win10 x64 temp folder, but Malwarebytes and Windows Defender detect nothing suspicious. DISMHOST.EXE is related to scheduling/maintenance, like Windows Defender schedules, however.

 

folder: 9BBB87E8-CFF4-44B2-89CB-05DB5D98EBF0/ <- GUID name changes

 

AppxProvider.dll
AssocProvider.dll
CbsProvider.dll
CompatProvider.dll
DismCore.dll
DismCorePS.dll
DismProv.dll
DmiProvider.dll
FfuProvider.dll
FolderProvider.dll
GenericProvider.dll
IBSProvider.dll
ImagingProvider.dll

 

DismHost.exe <- the culprit

 

folder: 9BBB87E8-CFF4-44B2-89CB-05DB5D98EBF0/en-US/

 

AppxProvider.dll.mui
AssocProvider.dll.mui
CbsProvider.dll.mui
CompatProvider.dll.mui
DismCore.dll.mui
DismProv.dll.mui
DmiProvider.dll.mui
FfuProvider.dll.mui
FolderProvider.dll.mui
GenericProvider.dll.mui
IBSProvider.dll.mui
ImagingProvider.dll.mui
IntlProvider.dll.mui
LogProvider.dll.mui
MsiProvider.dll.mui
OfflineSetupProvider.dll.mui
OSProvider.dll.mui
ProvProvider.dll.mui
SmiProvider.dll.mui
TransmogProvider.dll.mui
UnattendProvider.dll.mui
VhdProvider.dll.mui
WimProvider.dll.mui

 

The DLLs and EXE are signed by Microsoft.  I doubt the files themselves are viral but something may be trying to block a Defender maintenance schedule.  There is this article, but it's unresolved. I would like to know what is triggering these files and where they are emanating from, if anyone knows.

 

TY in advance.


Edited by hamluis, 06 February 2016 - 09:13 AM.
Moved from Win 10 Support to Am I Infected - Hamluis.




#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts

Posted 06 February 2016 - 03:39 PM

Hello Jones9800, and welcome to Bleeping Computer!

My name is bloopie and I'll be helping you as best I can!
 
==========
 

Quote: "There is this article, but it's unresolved."

Have you tried the SFC scan that was suggested in that thread? If there were any detections, then let me know and we'll get that log posted as well!

 

Just FYI: Please copy and paste all logs directly into your replies unless otherwise instructed to do so! :)
 
====================
 
None of those files you listed above are malicious, and most of these services use the temp directory for any number of things. The DismHost.exe file is the Deployment Image Servicing and Management Host...and usually gets created in the temp folder whenever Windows Defender fails to run a scheduled maintenance scan.

What antivirus program are you using right now? It's possible that Windows Defender got disabled by another program...

In any case, those files are all safe to leave on the system, but I'd still like to see if there is anything else that may be causing this. In addition to the above questions, are you experiencing any other problems or performance issues with your computer at this time that you'd like me to know about?

==========

We should probably get a couple of logs to see where we stand at the moment, so please follow the below steps to get those logs posted :) :

Step 1

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure all checkboxes are checked!
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.

==========

Step 2

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

==========

And finally, have you ever used MalwareBytes Antimalware before? If not, please simply post back and let me know.

If you have, and have it installed...please update it, run a Hyper Scan (or Threat Scan depending on the version installed) removing anything it finds, and post the resultant log for my review.

 

bloopie
 



#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts

Posted 08 February 2016 - 07:01 PM

Hello again,

This is a topic bump! Do you still wish to receive assistance with this issue? If so, please follow the instructions in my previous post!

bloopie

#4 Jones9800

Jones9800
  • Topic Starter

  • Members
  • 2 posts

Posted 09 February 2016 - 04:06 AM

Hello, Bloopie, and thank you for the instructions.

 

I do use Malwarebytes (free), and it showed no issues.

 

SFC scan showed no integrity violations.

 

However, I ran the Farbar service scanner, and it showed the Windows update service as not running.

 

In services, Windows update was set to 'Automatic (Delayed Start)'.

 

Windows scheduling may have been attempting to check for Windows updates, while the service itself was not starting per 'Delayed Start'.

 

I changed the Windows update service to 'Automatic', and the issue seems to have subsided for the last 24hrs.  I will post again if the issue returns.

 

Thank you.


Edited by Jones9800, 09 February 2016 - 04:06 AM.
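
The two checks discussed in this thread (whether the DISM files in the temp folder really carry a valid Microsoft signature, and how the Windows Update service is configured) can be scripted. This is an added example, not part of any post above; the function names are hypothetical, and it assumes the Windows Update service has the service name `wuauserv`.

```powershell
# Added example: inspect GUID-named folders in %TEMP% that contain DismHost.exe.
# Function names are hypothetical; nothing is deleted or changed by this script.
$guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

function Get-DismTempFolderReport {
    param([string]$TempPath = $env:TEMP)

    Get-ChildItem -LiteralPath $TempPath -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match $guidPattern -and
            (Test-Path -LiteralPath (Join-Path $_.FullName 'DismHost.exe'))
        } |
        ForEach-Object {
            $folder = $_
            Get-ChildItem -LiteralPath $folder.FullName -File |
                Where-Object { $_.Extension -in '.exe', '.dll' } |
                ForEach-Object {
                    # Status is 'Valid' only if the signature verifies and chains to a trusted root.
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    [pscustomobject]@{
                        Folder  = $folder.Name
                        Created = $folder.CreationTime   # compare with scheduled-task run times
                        File    = $_.Name
                        Status  = $sig.Status
                        Signer  = $sig.SignerCertificate.Subject
                        Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
}

function Get-WindowsUpdateServiceState {
    # Assumption: 'wuauserv' is the Windows Update service on this machine.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" |
        Select-Object Name, State, StartMode, DelayedAutoStart
}

$report = Get-DismTempFolderReport
$report | Format-Table Folder, Created, File, Status -AutoSize

# Anything listed here is NOT validly signed by Microsoft and deserves a closer look.
$report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
} | Format-List

Get-WindowsUpdateServiceState
```

An empty second listing means every EXE and DLL in those folders verified as Microsoft-signed; the folder creation times can then be matched against scheduled maintenance runs to see what triggers them.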


#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts

Posted 09 February 2016 - 04:18 PM

Hello again,

It's my pleasure!

I'm glad the issue seems to be resolved!

If that is not the case and you post back in a few days, please be sure to include the logs from all tools...the logs are extremely important for us to assist you. :)

Thanks and best regards,

bloopie





