dllhost.exe help

Hello, I'm new here and I have one question.
I'm using Comodo Firewall and the file dllhost.exe is trying to connect on port 80.
I block the connection but I don't set it to remember, because dllhost is a Windows system file.
My operating system is Windows 7 x64 and the file dllhost.exe is located in 4 places:

C:\Windows\SysWOW64
size : 7.00 KB (7,168 bytes)

C:\Windows\System32
size : 9.50 KB (9,728 bytes)

C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d
size : 9.50 KB (9,728 bytes)

C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7
size : 7.00 KB (7,168 bytes)

As you see, the file sizes are different. I've been reading about a virus that copies dllhost.exe and does other things.
Can someone help me get rid of it?

Thanks in advance.

This is the dllhost.exe for 32-bit on a 64-bit OS

C:\Windows\System32 size : 9.50 KB (9,728 bytes)
This is the dllhost.exe for 64-bit on a 64-bit OS
C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d size : 9.50 KB (9,728 bytes)

C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7
size : 7.00 KB (7,168 bytes)

The winsxs (or side by side) folders hold copies of previous versions of applications or system files. For an extensive description of the function of the side by side folders read the following article: http://www.winvistaclub.com/f16.html .

As you see, the file sizes are different.
Different sizes are what we expect in light of the above.
I've been reading about a virus that copies dllhost.exe and does other things. Can someone help me get rid of it?

Thanks in advance.

It has not been established you are infected. We need to take a closer look at this.

What are your CIS settings? What configuration are you using? Look under More → Manage My Configuration and see what configuration is active. Is your Firewall set to Safe Mode or Custom Policy?

To know for sure that dllhost.exe is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done, navigate to the system32 or SysWOW64 folder, look up and select dllhost.exe, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
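Added example, not part of the original thread: the same Sigcheck signature check, scripted over every dllhost.exe copy on disk and every running instance, with anything outside the Windows folders flagged. It assumes an elevated 64-bit PowerShell prompt and Sigcheck unpacked to the folder named above; the function and variable names are illustrative.

```powershell
# Added example (not from the thread): audit every dllhost.exe copy and instance.
# Assumes an elevated 64-bit PowerShell and Sigcheck at the path used in the thread.
$sigcheck = 'C:\Program Files\SysinternalsSuite\sigcheck.exe'

# Directories where Windows itself keeps dllhost.exe (subfolders included).
$expectedDirs = 'System32', 'SysWOW64', 'winsxs' | ForEach-Object { Join-Path $env:windir $_ }

function Test-ExpectedLocation([string]$Path) {
    foreach ($dir in $expectedDirs) {
        if ($Path -like "$dir\*") { return $true }
    }
    return $false
}

# 1. Copies on disk: a stray copy outside the Windows folders deserves a closer look.
$onDisk = Get-ChildItem -Path "$env:SystemDrive\" -Filter dllhost.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }

# 2. Running instances: the command line names the COM AppID the surrogate is hosting.
$running = @(Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'")
foreach ($p in $running) {
    $appName = $null
    if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
        $key = "Registry::HKEY_CLASSES_ROOT\AppID\$($Matches[1])"
        $appName = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    }
    'PID {0}: {1}' -f $p.ProcessId, $p.CommandLine
    '    image: {0}' -f $p.ExecutablePath
    '    AppID name: {0}' -f $appName
}

# 3. Signature check on every distinct path found in steps 1 and 2.
$paths = @($onDisk) + @($running | ForEach-Object { $_.ExecutablePath }) |
    Where-Object { $_ } | Sort-Object -Unique
foreach ($path in $paths) {
    $verdict = if (Test-ExpectedLocation $path) { 'expected location' } else { 'UNEXPECTED LOCATION' }
    "== $path [$verdict]"
    & $sigcheck -accepteula $path
}
```

The AppID name printed in step 2 identifies which COM component a given dllhost.exe instance is hosting, which helps explain why that instance is making connections.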

I have Firewall security “active”, and I set it to “custom policy”, defense+security level on “safe mode” and sandbox “disabled”.

I did check every dllhost.exe signature and they look legit.

I just want to know why the .exe is trying to connect on port 80 every 30 minutes.

By the way thanks for your fast response.

What is the IP address it is trying to connect with? You may also be interested in rundll32.dll active when system idle!!.

application : dllhost.exe
source ip : 200.127.73.108
source port : 50021, 49242, 49467, 49252, 49201, 49200 and many more.
destination ip : 65.55.58.195 and 64.4.11.25
destination port : 80

Those IPs are Microsoft servers. Why is my computer trying to connect there? I have updates disabled.

The traffic may be for Application Experience as described in the linked topic in my previous post.

OK, I disabled that service.
I'll let you know if it is fixed.

After disabling the Application Experience service, dllhost.exe keeps trying to connect.
Will it be safe to block it and make the firewall remember my choice?

I see no obvious reason not to block it if you don’t want traffic going to Microsoft.