-
Many DllHost processes- High RAM usage when online
Hello,
Firstly, I'd like to thank y'all in advance for any help. I have posted here quite a few years ago, and the problems were solved rather painlessly.
Yesterday, I noitced my laptop was running at 100% CPU usage, checked task manager and noticed a large amount of dllhost.exe (about 20, COM Surrogate as the description), all running at high memory usage (over 100K). Disconnected from the internet, all dropped down slowly till about 3,500K memory and computer seemed to run normally. Ran a malware bytes scan which found nothing. Reconnected to the internet, again all the dllhost.exe processes jumped back up in memory usage until effectively crashing the machine while I ran another malware bytes scan after updating their virus definitions. Again, it found nothing. I can end the dllhost processes but they reappear instantly. If I open the file location of any of them, it takes me to "C:\Windows\System32". I have also tired disabling all startup programs through msconfig and a reboot, no luck there. I just installed Spybot and ran a system scan, it found 11 tracking cookies which were deleted. I was not able to find a way to get a log file from that.
I can recreate the high memory usage by just connecting to the internet; something is definitely wrong here. Aside from it being some sort of malware, I don't see any reason for this process to be running as much as it is.
I have followed the before you post sticky, and ran ERUNT. Below are the contents from the dds.txt file. attach.txt was zipped up and attached. The MBR.txt contents are pasted below as well.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16686 BrowserJavaVersion: 1.6.0_22
Run by Patrick at 15:28:03 on 2013-11-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4023.1668 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/plugins/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 130.85.1.3 130.85.1.4 130.85.1.5
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639} : NameServer = 8.8.8.8
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639} : DHCPNameServer = 130.85.1.3 130.85.1.4 130.85.1.5
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\55D42434026596379647F627 : NameServer = 8.8.8.8
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\55D42434026596379647F627 : DHCPNameServer = 130.85.1.3 130.85.1.4 130.85.1.5
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\F42716E676563456461627 : NameServer = 8.8.8.8
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\F42716E676563456461627 : DHCPNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\F42716E676563456461627D27657563747 : NameServer = 8.8.8.8
TCP: Interfaces\{8D10E40F-39D7-49E9-878E-7221E17CE639}\F42716E676563456461627D27657563747 : DHCPNameServer = 192.168.33.1 75.75.75.75 75.75.76.76
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\wbamu2pn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Patrick\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Users\Patrick\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Users\Patrick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Patrick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Patrick\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-8 283200]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [2009-3-2 89600]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2010-7-16 30520]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-11-5 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-11-5 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-11-5 171416]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2009-10-12 151040]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-7-20 140712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-1-9 228408]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-2-27 258560]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-7 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-30 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-11-05 20:18:09 21040 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-11-05 20:18:08 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-11-05 20:18:04 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-11-03 20:12:38 -------- d-----w- C:\Program Files (x86)\Audacity
.
==================== Find3M ====================
.
2013-08-10 05:22:18 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-08 01:20:43 3155456 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 15:28:31.18 ===============
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-11-05 15:32:20
-----------------------------
15:32:20.373 OS Version: Windows x64 6.1.7601 Service Pack 1
15:32:20.373 Number of processors: 4 586 0x2502
15:32:20.374 ComputerName: PATRICK-LAPTOP UserName: Patrick
15:32:21.728 Initialize success
15:33:32.638 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:33:32.644 Disk 0 Vendor: Hitachi_ PC4O Size: 476940MB BusType: 3
15:33:32.729 Disk 0 MBR read successfully
15:33:32.733 Disk 0 MBR scan
15:33:32.737 Disk 0 unknown MBR code
15:33:32.754 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
15:33:32.769 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 459474 MB offset 409600
15:33:32.797 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 17162 MB offset 941412352
15:33:32.816 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
15:33:32.857 Disk 0 scanning C:\Windows\system32\drivers
15:33:39.408 Service scanning
15:33:54.435 Service ?etadpug C:\Program Files (x86)\Google\Desktop\Install\{b6deba4e-a8e0-94fb-6532-d70db4eb65a9}\ **HIDDEN**
15:33:54.954 Modules scanning
15:33:54.962 Disk 0 trace - called modules:
15:33:55.321 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys
15:33:55.330 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800586b060]
15:33:55.339 3 CLASSPNP.SYS[fffff88000e4f43f] -> nt!IofCallDriver -> [0xfffffa8005714b10]
15:33:55.344 5 hpdskflt.sys[fffff88001c022bd] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a3b050]
15:33:55.349 Scan finished successfully
15:34:09.728 Disk 0 MBR has been saved successfully to "C:\Users\Patrick\Desktop\MBR.dat"
15:34:09.733 The log file has been saved successfully to "C:\Users\Patrick\Desktop\aswMBR.txt"
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
