
Author Topic: Trouble with dllhost.exe process  (Read 2048 times)

Offline BFM_Fuzzy

  • Major
  • *
  • Posts: 2104
Trouble with dllhost.exe process
« on: November 20, 2013, 12:35:18 AM »
Yesterday morning I realized I no longer had sound on my computer. I went to volume control (Start>All Programs>Accessories>Entertainment>Volume control) and found the Wave volume slider all the way down. I'd raise it up only to have it fall again and again, typically in 1-2 minutes.

A scan was performed with MS Security Essentials, a scan with a Kaspersky rootkit finder, and a few other programs (brother handled most of it, so can't remember all program names). Each one turned up nothing. Found a process called dllhost.exe that, according to my brother, has some suspicious components. Suspended it, and now the volume stays where it is supposed to. We have to suspend it, because we terminated it only to see it come back from the dead a moment later. :zombie:

Wondering what this process is, and why none of the scans found it, and what should be done. Any thoughts? :interesting:

Running Windows XP, service pack 3 I believe.

Edit (Feb-18-14): After Mxy sent me the message he referenced in the final post in this thread, we handled the rest through PM. Since that is obviously not publicly viewable, I'll lay out what was done to solve the issue.

We did a number of scans and used different anti-virus tools to try and remove the infection. Even after using Trend Micro, MS Security Essentials, Kaspersky TDSS Killer, and I think one or two other things, the infection remained. A number of things were removed by running these scans, but still dllhost.exe remained, and a viewing of Process Monitor revealed that it was pinging bad sites. So, it was determined to reformat the drive and start anew. This was done by booting up the computer through an Ubuntu disk and reformatting with GParted, a drive partitioning utility. Having done that, Windows was reinstalled and the computer was scanned (with MS Security Essentials & Kaspersky TDSS Killer) and monitored (with Process Monitor Portable & Process Hacker Portable) for months afterwards*. To this day there are no indications that the infection survived the reformat. If by chance you are having any trouble with dllhost.exe, please send me a PM. :)


* The reason all this scanning and monitoring was done was because, as Mxy told me, these infections can sometimes bury themselves so deeply that even a reformat won't remove them and a much longer process is in order to cleanse the drive(s) infected.

« Last Edit: February 18, 2014, 04:53:13 PM by BFM_Fuzzy »

Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward, always forward!
    • My 5th Dimensional Homepage
Re: Trouble with dllhost.exe process
« Reply #1 on: November 22, 2013, 05:59:17 PM »


There's a real-life, MS-created process called "dllhost.exe," but that doesn't mean it's the real one as opposed to one of those by the same name that are nasty viruses....

If you've tried getting rid of it via:

1: Start "Task Manager"
2: Select the "CPU" tab so that numbers are showing instead of zeros
3: "dllhost.exe" should be at or near the top.
    (This does NOT indicate which kind of "dllhost.exe" this is, FYI....)
4: <Right-click> on it, then <left-click> "End Process".
5: Wait a few minutes, then see if it's back.  If it is, it MAY be one of the versions of the virus by that name.  ::)  (This is especially likely if the term "COM Surrogate" has popped up anywhere in your "Image Name" list as well.)

I suggest that you try a different kind of virus scan as follows:

Go here and load/use TrendMicro's "Housecall." (Hmmm, this USED to do all its work via the web, installing nothing on your machine, but I see that now it's a download.... So download, install and run it....)

If it finds nothing, it's likely NOT a virus, just the MS dllhost.exe going bonkers. If that's the case, post again and we'll go into dealing with THAT....

GL!

Mr. Mxy's current Word Corner word is catachresis    
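
Added example, not part of the thread: Task Manager's image name alone cannot separate the Microsoft dllhost.exe from a look-alike, so this sketch checks three things about each dllhost.exe in a process snapshot: where the image lives, whether it was started with the usual `/Processid:{CLSID}` argument, and whether its parent is svchost.exe. The record layout, the function name `triage_dllhost` and the sample data are assumptions made for illustration; the checks are heuristics, not a verdict.

```python
import ntpath
import re

# Usual launch form of the COM Surrogate host: dllhost.exe /Processid:{CLSID}
PROCESSID_ARG = re.compile(
    r"/processid:\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

def triage_dllhost(processes, system_root=r"C:\WINDOWS"):
    """Return {pid: [reasons]} for dllhost.exe entries worth a closer look."""
    good = {ntpath.normcase(ntpath.join(system_root, d, "dllhost.exe"))
            for d in ("system32", "syswow64")}
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        if p["name"].lower() != "dllhost.exe":
            continue
        reasons = []
        path = p.get("path") or ""
        if not path:
            reasons.append("image path unavailable")
        elif ntpath.normcase(ntpath.normpath(path)) not in good:
            reasons.append("image outside system directory: " + path)
        if not PROCESSID_ARG.search(p.get("cmdline") or ""):
            reasons.append("no /Processid:{CLSID} argument")
        parent = by_pid.get(p.get("ppid"))
        if parent is None or parent["name"].lower() != "svchost.exe":
            reasons.append("parent is not svchost.exe")
        if reasons:
            findings[p["pid"]] = reasons
    return findings

# Constructed snapshot for illustration; PIDs, paths and the CLSID are made up.
SAMPLE = [
    {"pid": 880, "ppid": 700, "name": "svchost.exe",
     "path": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch"},
    {"pid": 2140, "ppid": 880, "name": "dllhost.exe",
     "path": r"C:\WINDOWS\system32\dllhost.exe",
     "cmdline": r"C:\WINDOWS\system32\dllhost.exe "
                r"/Processid:{11111111-2222-3333-4444-555555555555}"},
    {"pid": 3400, "ppid": 1500, "name": "dllhost.exe",
     "path": r"C:\Documents and Settings\user\Application Data\dllhost.exe",
     "cmdline": "dllhost.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage_dllhost(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

An empty result only means the image location and launch pattern look normal; it says nothing about the DLL the surrogate is hosting, which still has to be checked separately.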

Offline BFM_Fuzzy

Re: Trouble with dllhost.exe process
« Reply #2 on: November 26, 2013, 11:52:02 AM »
Sorry for the delay. Had to scan multiple times, each one taking, when fully completed, probably ~11 hours.

I scanned once, and at the end of the scan there was an error message saying that HouseCall had asked C++ Runtime to terminate in an unusual manner. Then I got an error message from HouseCall, and it closed without letting me deal with the threats it found. Without detailing all the times I scanned and everything, I ended up stopping the scan part way through on two occasions, and removing the threats that way. I finished scanning it just a bit ago, and it found no threats this time, but still had the same error trouble as the first time.  :interesting:

If you want the error info, I copied down most of it.

The threats found had the following names:

-Eicar test file
-Hidden file (it said this was a rootkit, though apparently it was downloaded as part of a webpage, and was undeletable in the past)
-HKTL Bypass (it said this was spyware)


Regarding dllhost.exe, when I terminate it, it instantly starts up again. I use a program from Portable Apps called Process Hacker, and in the description it says "COM Surrogate." Don't know if it matters, but I noticed that its priority is set to "below normal" in task manager. Also, a few days ago, after I had suspended the process, I noticed the sound was gone and upon looking I found two dllhost.exe's. I suspended the second one as well, and no further ones started up.

Edit: After the scans were all done, dllhost.exe was not there. So I restarted, logged into the regular account I use, and played some Halo online. In about 5 minutes dllhost was back.
« Last Edit: November 26, 2013, 02:42:41 PM by BFM_Fuzzy »

Offline MrMxyzptlk

Re: Trouble with dllhost.exe process
« Reply #3 on: November 27, 2013, 10:37:08 PM »

Sorry, I should've warned you about the long time for those scans.  I also should've warned you to do a clean boot with nothing (other than auto-started stuff) running. My bad....  At least you finally got a "clean" scan in the end, which is good.

The returning "dllhost.exe" might very well be the Microsoft one, so don't panic: Recent jabber indicates that it's a problem (an old one rearing its ugly head anew...), a problem that is caused by a recent (May 2013, "KB2670838 update") IE10 MS Update, to boot.  :doh:

It has to do with the use of thumbnails and/or MP4 files/trailers causing continuous re-runs of "dllhost.exe", BTW.

Unfortunately the "possible" fix seems to be ill-defined/experimental, and requires permanent disabling of UAC and other Security systems just to even TRY to see if the complicated "fix" might work.  Hence I do NOT advise its use.

If you really want to look into it I've PMd you a link to the discussion thread about it. (Hint/Mxy advice: Always start at the END of the existing thread to read about such things, and go backwards from there if you need more info.  Doing this will help you get the "best" existing "fix"/"workaround." Hence I've PMd you the link to one of the latter posts in the thread about this.)
