Tuesday 28 November 2017

windows - How to determine what is running in DLLHOST.EXE that's missing /ProcessID switch?


I have multiple dllhost.exe processes running on my Windows 7 computer: enter image description here


Every one of these image's command line is missing (what I am thinking is) the requisite /ProcessID:{000000000-0000-0000-0000-0000000000000} command line option: enter image description here


Question: How can I determine what's actually running in this process?


It's my belief that if I can identify the actual application doing the work inside these dllhost.exe processes I'll be able to determine if my system is infected or not (see below).




Why I'm Asking/What I've Tried:


These DLLHOST.EXE instances look suspicious to me. For example, several of them have a lot of open TCP/IP connections:


enter image description here


Process Monitor shows and absurd amount of activity. Just one of these processes generated 124,390 events in under 3 minutes. To make matters worse, several of these dllhost.exe processes are writing approximately 280 MB of data per minute to the user's TEMP and Temporary Internet Files folders in the form of folders and files with random four character names. Some of these are in use and cannot be deleted. Here's a filtered sample:


enter image description here


I know this is probably malicious. Unfortunately, blasting the system from orbit must only be done after exhausting all other options. To that point, I've done:



  1. Malwarebytes full scan

  2. Microsoft Security Essentials full scan

  3. Thoroughly reviewed Autoruns and submitted files I don't recognize to VirusTotal.com

  4. Thoroughly reviewed HijackThis

  5. TDSSKiller scan

  6. Reviewed this SuperUser question

  7. Followed these instructions: How To Determine Which Application Is Running Within a COM+ or Transaction Server Package

  8. For each of the DLLHOST.EXE processes, I've reviewed the DLLs and Handles view in Process Explorer for any .exe, .dll or other application-type files for anything suspicious. Everything checked out though.

  9. Ran ESET Online scanner

  10. Ran Microsoft Safety Scanner

  11. Booted to Safe Mode. The command switch-less dllhost.exe instance is still running.


And aside from a few minor adware detections, nothing malicious is popping up!




Update 1
<>


Update 2
Results of SFC /SCANNOW: enter image description here



Answer



I see on my computer dllhost.exe running from C:\Windows\System32, while yours is running from C:\Windows\SysWOW64, which looks somewhat suspicious. But the problem can still be caused by some 32-bit product installed on your computer.
Check also the Event Viewer and post here any suspicious messages.


My guess is that you are infected or that Windows has become very unstable.


The first step is to see whether the problem arrives when booting into Safe mode. If it doesn't arrive there, then the problem is (maybe) with some installed product.


If the problem does arrive in Safe mode, then the problem is with Windows. Try running sfc /scannow to verify system integrity.


If no problems are found, scan using :



If nothing helps, try a boot-time antivirus such as :



To avoid burning real CDs, use Windows 7 USB DVD Download Tool to install the ISOs one-by-one on a USB key to boot from.


If all fails and you do suspect an infection, the safest solution is to format the disk and reinstall Windows, but try all other possibilities first.


No comments:

Post a Comment

Where does Skype save my contact&#39;s avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...