dllhost and svchost malware?


  • Administrators

Do you mean that ESET detected malware injected in the mentioned processes? If so, does updating the signature database to the most current version and running a disk scan cleans the malware from the disk? Is the malware detected in memory even after a computer restart?


ESET doesn't detect any malware. I have updated and scanned all disks. svchost.exe grows to several hundred MB. Once it reached 9 GB before I deleted it in task manager.


What OS do you use? Do you have the latest service pack as well as all hotfixes installed?

Win7. SP1. I've installed all updates. Sometimes other files grow. Once ekm.exe grew to 200 MG. I have to watch task manager and delete svchost.exe or dllhost.exe when they start getting too big. When ekm.exe bloated I had to reboot.


  • 3 weeks later...

I've found that sometimes, to find something bad, you have to know what is good, or normal, in order to confirm whether malware is on a machine or not. I believe in the industry they call this looking for "anomalous characteristics."

So I'd break out ProcExplorer and check things out. You know that svchost.exe is a generic "host" process for running service DLLs, so that in and of itself is not an indication that there is an infection. What else do we know? That it is consuming gross amounts of resources. That is somewhere to start, but for now, I'd check to see that the svchost.exe process in question is running from C:\Windows\System32, and that it has services.msc as its parent process.

From there, confirm that it is in fact hosting DLL services. One thing I know for certain is that on default installations of Windows 7, all service DLLs are signed by Microsoft. ProcExplorer will help you confirm these things. If the DLLs hosted in the svchost process taking all your resources are not signed, you know there's a problem. If the process itself is not running from C:\Windows\system32, there is a problem. If its parent is not services.msc, you have a problem.

If these things are all as they should be, it could just be something non-malicious that has to be repaired. I've found that running chkdsk /f or sfc /scannow is often helpful for these sorts of non-malware related issues.

If it is malicious, you could use the service script feature of SysInspector to put a stop to it, or HijackThis. Or by hand, using ProcExplorer, you could dig down to where the bastard is running from.

Anyway, that's my two cents' worth.

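The three checks from the post above (image path, parent process, signatures of the hosted DLLs) can be scripted so every svchost.exe on the box is triaged at once. This is an added example, not code from the thread or from ESET; it assumes Windows PowerShell 2.0 to 5.1 run from an elevated 64-bit prompt, uses services.exe (the Service Control Manager, the process the post's "services.msc" refers to) as the expected parent, and the 500 MB memory threshold is a constructed value.

```powershell
# Added example (not from the original thread): triage every svchost.exe
# using the post's three checks plus the memory growth the thread describes.
$sys32      = Join-Path $env:SystemRoot 'System32'
$expected   = Join-Path $sys32 'svchost.exe'
$memLimitMB = 500   # constructed threshold; the thread saw hundreds of MB up to 9 GB

foreach ($p in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
    $issues = @()

    # Check 1: the image must be the real %SystemRoot%\System32\svchost.exe
    # (-ne is case-insensitive, so 'system32' vs 'System32' does not matter)
    if ($p.ExecutablePath -ne $expected) {
        $issues += "image path is '$($p.ExecutablePath)'"
    }

    # Check 2: the parent must be services.exe, the Service Control Manager
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if ($null -eq $parent -or $parent.Name -ne 'services.exe') {
        $pname = if ($parent) { $parent.Name } else { 'exited' }
        $issues += "parent is '$pname' (pid $($p.ParentProcessId))"
    }

    # Check 3: it must actually host registered services, and every module
    # loaded into it must carry a valid signature from Microsoft
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
            Select-Object -ExpandProperty Name
    if (-not $svcs) { $issues += 'hosts no registered service' }
    $mods = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).Modules
    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $issues += "unsigned/non-Microsoft module $($m.FileName) [$($sig.Status)]"
        }
    }

    # Extra: flag the runaway working set the original poster reported
    $ws = [math]::Round($p.WorkingSetSize / 1MB)
    if ($ws -gt $memLimitMB) { $issues += "working set ${ws} MB" }

    $status = if ($issues.Count) { 'SUSPECT' } else { 'ok' }
    "{0,-7} pid {1,-6} {2,5} MB  services: {3}" -f $status, $p.ProcessId, $ws, ($svcs -join ',')
    foreach ($i in $issues) { "        - $i" }
}
```

A "SUSPECT" line is a starting point for a closer look in Process Explorer, not a verdict: a legitimately unsigned third-party service DLL or a 32-bit shell inspecting 64-bit processes will also trip the checks.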

  • 1 year later...

Malwarebytes has detected the virus and removed it, but it keeps coming back, especially after restarting, and my ESET Pharmacy CPU usage reaches 100% again. I don't know why people are happy about anti-virus/malware stuff; I think they're all useless. I suffered from an iexplorer.exe virus once and tried all popular anti-virus software, but the virus kicked their ###### and I was able to remove it manually after lots of attempts. My advice is stay away from any suspicious sites or downloads and you will not need any anti-sh*t.

Edited by vahost

No one is "happy" about it, and everyone would rather use the system resources the products use for other tasks. Though people need to understand the bottom line, which is that no product has a guarantee of detecting 100% for obvious reasons; no serious vendor claims that their product does. But the most effective "thing" we can use to counter malware and/or privacy threats is actually what we have inside our head, our brain, and it comes with a bonus that it does not require updates. But AV/AM is one thing; one can also use them together with other stuff like HIPS, sandbox, policy restrictions, etc. Some products like ESET have features like that built in. But most importantly, make backups, so even if ransomware (or something else) hits you or your drive crashes, you can restore the data from the backup.

Staying away from suspicious/unknown websites and not downloading everything without a second thought is quite easy, but knowing if one of all the serious websites one may visit daily or weekly has been booby-trapped before you load them in a browser is another matter.

Edited by SweX