Author Topic: Attention Essex Boy - Possible Worm Activity  (Read 6758 times)


DonZ63

  • Guest
Attention Essex Boy - Possible Worm Activity
« on: November 03, 2011, 12:01:29 AM »
Win 7 x64 SP1, Avast! Free 6.0.1289

This one has me stumped. I have these two dllhost.exe processes always running. When I open Task Manager, they always disappear after a few seconds. I checked out the registry keys they reference and the data looks legit. Also, sometimes there is a third dllhost.exe process running that rarely shows up in the Task Manager display. I know it is there because when I use Resource Manager, it shows three dllhost.exe processes terminated. Very suspicious activity to me.

I did check out dllhost.exe in the system32 directory and it appears to be OK.

Screen shot attached.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Attention Essex Boy - Possible Worm Activity
« Reply #1 on: November 03, 2011, 07:40:51 AM »
And you have checked any suspicious file(s) at VirusTotal?

DonZ63

  • Guest
Re: Attention Essex Boy - Possible Worm Activity
« Reply #2 on: November 03, 2011, 01:58:55 PM »
I will submit dllhost.exe when I get home from work. I fully expect the file to be clean since I have scanned my PC using various anti-malware scanners and it is always clean.

Appears Win 7 uses dllhost for its device sync capability. However, if that was it, I would assume the dllhost entries would not mysteriously disappear every time some software tried to view overall system activities.

DonZ63

  • Guest
Re: Attention Essex Boy - Possible Worm Activity
« Reply #3 on: November 03, 2011, 09:40:31 PM »
VirusTotal Scan is clean as a whistle.

Complete scanning result of "dllhost.exe", processed in VirusTotal at 11/03/2011
20:58:50 (CET).

[ file data ]
* name..: dllhost.exe
* size..: 7168
* md5...: a63dc5c2ea944e6657203e0c8edeaf61
* sha1..: ace762c51db1908c858c898d7e0f9b36f788d2d9
* peid..: -

[ scan result ]
AhnLab-V3   2011.11.03.00/20111103   found nothing
AntiVir   7.11.17.6/20111103   found nothing
Antiy-AVL   2.0.3.7/20111103   found nothing
Avast   6.0.1289.0/20111103   found nothing
AVG   10.0.0.1190/20111103   found nothing
BitDefender   7.2/20111103   found nothing
ByteHero   1.0.0.1/20110923   found nothing
CAT-QuickHeal   11.00/20111103   found nothing
ClamAV   0.97.3.0/20111103   found nothing
Commtouch   5.3.2.6/20111103   found nothing
Comodo   10654/20111103   found nothing
DrWeb   5.0.2.03300/20111103   found nothing
Emsisoft   5.1.0.11/20111103   found nothing
eSafe   7.0.17.0/20111102   found nothing
eTrust-Vet   36.1.8655/20111103   found nothing
F-Prot   4.6.5.141/20111103   found nothing
F-Secure   9.0.16440.0/20111103   found nothing
Fortinet   4.3.370.0/20111103   found nothing
GData   22/20111103   found nothing
Ikarus   T3.1.1.107.0/20111103   found nothing
Jiangmin   13.0.900/20111103   found nothing
K7AntiVirus   9.116.5386/20111103   found nothing
Kaspersky   9.0.0.837/20111103   found nothing
McAfee   5.400.0.1158/20111103   found nothing
McAfee-GW-Edition   2010.1D/20111103   found nothing
Microsoft   1.7801/20111103   found nothing
NOD32   6599/20111103   found nothing
Norman   6.07.13/20111103   found nothing
nProtect   2011-11-03.01/20111103   found nothing
Panda   10.0.3.5/20111103   found nothing
PCTools   8.0.0.5/20111103   found nothing
Prevx   3.0/20111103   found nothing
Rising   23.82.02.02/20111102   found nothing
Sophos   4.71.0/20111103   found nothing
SUPERAntiSpyware   4.40.0.1006/20111103   found nothing
Symantec   20111.2.0.82/20111103   found nothing
TheHacker   6.7.0.1.337/20111103   found nothing
TrendMicro   9.500.0.1008/20111103   found nothing
TrendMicro-HouseCall   9.500.0.1008/20111103   found nothing
VBA32   3.12.16.4/20111102   found nothing
VIPRE   10955/20111103   found nothing
ViRobot   2011.11.3.4753/20111103   found nothing
VirusBuster   14.1.44.0/20111103   found nothing


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Attention Essex Boy - Possible Worm Activity
« Reply #4 on: November 03, 2011, 09:57:27 PM »
That is a legitimate function... Related to the user profile

Quote
Results for {e10f6c3a-f1ae-4adc-aa9d-2fe65525666e}
Found in Windows Vista registry
Registered class: PSIProfileNotify
Inproc sever: C:\Windows\system32\USERENV.dll (product: Microsoft® Windows® Operating System,version 6.0.6000.16386)
Registered interface: IProfileNotify
Subkey of registry key HKLM\SOFTWARE\Classes\AppID


So it will appear for short periods

Are you experiencing any other problems?
« Last Edit: November 03, 2011, 09:59:56 PM by essexboy »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Attention Essex Boy - Possible Worm Activity
« Reply #5 on: November 03, 2011, 09:58:18 PM »
The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. For example, it loads the .NET runtime. There can be multiple instances of the DLLhost.exe process running. http://www.neuber.com/taskmanager/process/dllhost.exe.html

Note: The dllhost.exe file is located in the folder C:\Windows\System32. In other cases, dllhost.exe is a virus,
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus
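
The checks discussed in this thread (image path, file hash, and the registered AppID behind each dllhost.exe instance), as an added PowerShell example that is not part of any poster's reply. The 30-second sampling window and the output field names are assumptions, and SysWOW64 is included as the location of the 32-bit surrogate on 64-bit Windows.

```powershell
# Added example (not from the thread). Needs PowerShell 4.0+ (Get-FileHash);
# run elevated so CommandLine/ExecutablePath are populated for every session.
$expected = @('System32', 'SysWOW64') | ForEach-Object { Join-Path $env:windir "$_\dllhost.exe" }
$seen     = @{}
$deadline = (Get-Date).AddSeconds(30)   # sampling window, an arbitrary choice

# Poll repeatedly: surrogate instances can start and exit within seconds.
$report = while ((Get-Date) -lt $deadline) {
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        if ($seen.ContainsKey($_.ProcessId)) { return }   # already reported
        $seen[$_.ProcessId] = $true

        # COM surrogates are launched as: dllhost.exe /Processid:{AppID}
        $appId = $null; $appName = $null
        if ($_.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $appId = $Matches[1]
            $key = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\AppID\$appId" -ErrorAction SilentlyContinue
            if ($key) { $appName = $key.GetValue('') }    # default value = registered name
        }

        # Signature status and SHA-1 of the image actually backing the process
        $path = $_.ExecutablePath
        $sig = $null; $sha1 = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        }

        [pscustomobject]@{
            PID          = $_.ProcessId
            ParentPID    = $_.ParentProcessId
            Path         = $path
            PathExpected = $expected -contains $path      # false if path is unreadable
            Signature    = $sig
            SHA1         = $sha1
            AppID        = $appId
            AppIDName    = $appName
        }
    }
    Start-Sleep -Milliseconds 250
}

$report | Sort-Object PathExpected | Format-List
```

An instance running from an unexpected path, or naming an AppID with no matching registry key, is the one that merits a closer look. On older PowerShell versions catalog-signed system files can report NotSigned, so weigh the path and hash first.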

DonZ63

  • Guest
Re: Attention Essex Boy - Possible Worm Activity
« Reply #6 on: November 03, 2011, 10:14:10 PM »
Thanks, Essexboy!

Only other strange thing I have is a rundll32.exe process that wants to dial-out to MS periodically. IP address 65.55.53.156.

Also in the past, I have seen rundll32.exe running for an extended period scanning my HDD. Has not done it recently. Don't think that is defrag related since it uses taskhost.exe.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Attention Essex Boy - Possible Worm Activity
« Reply #7 on: November 03, 2011, 10:18:41 PM »
That address resolves to MS - do you have Windows updates set to auto?

Also, Windows does a defrag in the background if you have it set up, plus the various housekeeping tasks, all done seamlessly without you noticing


DonZ63

  • Guest
Re: Attention Essex Boy - Possible Worm Activity
« Reply #8 on: November 03, 2011, 10:32:09 PM »
Quote
That address resolves to MS - do you have Windows updates set to auto?

I have it set to notify me but do not auto install. BTW - I do think this is win updates periodic checking but just wanted a second opinion.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Attention Essex Boy - Possible Worm Activity
« Reply #9 on: November 03, 2011, 11:03:46 PM »
Aye, it will still check for updates to see if any are available