This one has me stumped. I have these two dllhost.exe processes always running. When I open Task Manager, they always disappear after a few seconds. I checked out the registry keys they reference and the data looks legit. Also sometimes there is a third dllhost.exe process running that rarely shows up in the Task Manager display. I know it is there because when I use Resource Manager, it shows three dllhost.exe processes terminated. Very suspicious activity to me.
I did check out dllhost.exe in the system32 directory and it appears to be OK.
I will submit dllhost.exe when I get home from work. I fully expect the file to be clean since I have scanned my PC using various anti-malware scanners and it is always clean.
Appears Win 7 uses dllhost for its device sync capability. However if that was it, I would assume the dllhost entries would not mysteriously disappear every time some software tried to view overall system activities.
Complete scanning result of “dllhost.exe”, processed in VirusTotal at 11/03/2011 20:58:50 (CET).
[ file data ]
name…: dllhost.exe
size…: 7168
md5…: a63dc5c2ea944e6657203e0c8edeaf61
sha1…: ace762c51db1908c858c898d7e0f9b36f788d2d9
peid…: -
[ scan result ]
AhnLab-V3 2011.11.03.00/20111103 found nothing
AntiVir 7.11.17.6/20111103 found nothing
Antiy-AVL 2.0.3.7/20111103 found nothing
Avast 6.0.1289.0/20111103 found nothing
AVG 10.0.0.1190/20111103 found nothing
BitDefender 7.2/20111103 found nothing
ByteHero 1.0.0.1/20110923 found nothing
CAT-QuickHeal 11.00/20111103 found nothing
ClamAV 0.97.3.0/20111103 found nothing
Commtouch 5.3.2.6/20111103 found nothing
Comodo 10654/20111103 found nothing
DrWeb 5.0.2.03300/20111103 found nothing
Emsisoft 5.1.0.11/20111103 found nothing
eSafe 7.0.17.0/20111102 found nothing
eTrust-Vet 36.1.8655/20111103 found nothing
F-Prot 4.6.5.141/20111103 found nothing
F-Secure 9.0.16440.0/20111103 found nothing
Fortinet 4.3.370.0/20111103 found nothing
GData 22/20111103 found nothing
Ikarus T3.1.1.107.0/20111103 found nothing
Jiangmin 13.0.900/20111103 found nothing
K7AntiVirus 9.116.5386/20111103 found nothing
Kaspersky 9.0.0.837/20111103 found nothing
McAfee 5.400.0.1158/20111103 found nothing
McAfee-GW-Edition 2010.1D/20111103 found nothing
Microsoft 1.7801/20111103 found nothing
NOD32 6599/20111103 found nothing
Norman 6.07.13/20111103 found nothing
nProtect 2011-11-03.01/20111103 found nothing
Panda 10.0.3.5/20111103 found nothing
PCTools 8.0.0.5/20111103 found nothing
Prevx 3.0/20111103 found nothing
Rising 23.82.02.02/20111102 found nothing
Sophos 4.71.0/20111103 found nothing
SUPERAntiSpyware 4.40.0.1006/20111103 found nothing
Symantec 20111.2.0.82/20111103 found nothing
TheHacker 6.7.0.1.337/20111103 found nothing
TrendMicro 9.500.0.1008/20111103 found nothing
TrendMicro-HouseCall 9.500.0.1008/20111103 found nothing
VBA32 3.12.16.4/20111102 found nothing
VIPRE 10955/20111103 found nothing
ViRobot 2011.11.3.4753/20111103 found nothing
VirusBuster 14.1.44.0/20111103 found nothing
That is a legitimate function… Related to the user profile
Results for {e10f6c3a-f1ae-4adc-aa9d-2fe65525666e}
Found in Windows Vista registry
Registered class: PSIProfileNotify
Inproc sever: C:\Windows\system32\USERENV.dll (product: Microsoft® Windows® Operating System,version 6.0.6000.16386)
Registered interface: IProfileNotify
Subkey of registry key HKLM\SOFTWARE\Classes\AppID
The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. For example, it loads the .NET runtime. There can be multiple instances of the DLLhost.exe process running. http://www.neuber.com/taskmanager/process/dllhost.exe.html
Note: The dllhost.exe file is located in the folder C:\Windows\System32. In other cases, dllhost.exe is a virus,
Only other strange thing I have is a rundll32.exe process that wants to dial-out to MS periodically. IP address 65.55.53.156.
Also in the past, I have seen rundll32.exe running for an extended period scanning my HDD. Has not done it recently. Don’t think that is defrag related since it uses taskhost.exe.
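The check discussed in this thread, mapping each running dllhost.exe instance to the COM AppID it hosts and confirming the binary's location, can be scripted. The following is an added example, not part of the original posts; it assumes an elevated PowerShell 3.0 or later session, and the column names are this example's own.

```powershell
# Added example: triage snapshot of running dllhost.exe (COM surrogate) instances.
# Assumption: run elevated, otherwise ExecutablePath/CommandLine may come back empty.

# The only locations where the genuine binary is expected to live.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $proc = $_

    # COM surrogates are started as: dllhost.exe /Processid:{AppID-GUID}
    $appId = $null
    if ($proc.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') {
        $appId = $Matches[1]
    }

    # Resolve the GUID to its registered name under HKLM\SOFTWARE\Classes\AppID.
    $appName = $null
    if ($appId) {
        $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$appId"
        if (Test-Path -LiteralPath $key) {
            $appName = (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }

    # Signature status of the image on disk. On older systems catalog-signed
    # Windows files can report NotSigned here, so treat this column as a hint.
    $sig = 'Unknown'
    if ($proc.ExecutablePath) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $proc.ExecutablePath).Status
    }

    [pscustomobject]@{
        PID       = $proc.ProcessId
        ParentPID = $proc.ParentProcessId
        Path      = $proc.ExecutablePath
        PathOK    = ($proc.ExecutablePath -in $expected)   # case-insensitive match
        AppID     = $appId
        AppName   = $appName
        Signature = $sig
    }
} | Format-Table -AutoSize
```

A snapshot like this only sees instances that are alive at the moment it runs, so an instance that exits within seconds may not appear in the output.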