vmhost.exe

[davefoc]

I had four instances of the process vmhost.exe running. I looked around the web and it sounds like vmhost.exe can be a problem. In my case one of the instances of vmhost.exe was using up 50% of the CPU time. I stopped the process and things got better.

 

Should malwarebytes detect vmhost.exe as a problem?

What exactly is vmhost.exe and is it good for something sometimes?

Should I prevent it from starting up and if so how should I do this?

 

Thanks for any help on this.

 

Dave

 

[Firefox]

Hello and Welcome to Malwarebytes

If you think your infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

[davefoc]

Thanks for the link. Perhaps I should have asked for help, but I have continued to investigate and hopefully fix the problem on my own. This is a rough log of what has gone on.

 

1. As I noted above vmhost.exe is a noxious piece of malware that uses up to 50% of the CPU time on my computer and slows down every piece of software that runs.
2. Stopping the process fixes the problem temporarily
3. Malwarebytes seems to stop some of its badness by blocking access to some websites but it doesn't stop it from running or using up CPU resources
4. When I rename vmhost.exe Malwarebytes can find it and quarantine it if I tell it to.
5. If I don't rename vmhost.exe Marwarebytes can't find it.
6. The service that seems to start and restore vmhost.exe is stisvc
7. I ran a Malwarebytes scan in the safe mode to see if it couldn't eliminate stisvc from the registry. It didn't detect it
8. It isn't possible to stop stisvc using the task manager stop service command
9. I didn't find anything using the msconfig program that was starting stisvc.
10. It isn't possible to delete the reference to stisvc in the registry. You get a message back that the entry can't be deleted.
11. I tried numerous ways to delete the entry, they all might have worked if I had the patience to learn exactly how to get them to do what I wanted but I looked for something simpler
12. I downloaded and installed Registrar Registry Manager 7.60 and searched for stisvc
13. Registrar Registry Manager found about 30 instances of stisvc in the registry. Regedit had only found 3.
14. I delected every instance of stisvc in the registry with Registrar Registry Manager.
15. I have rebooted my computer and so far I haven't seen either the service stisvc or the process vmhost.exe. It is possible that the problem has been fixed.

As an aside there are numerous sites offering a program to get rid of vmhost.exe. I suspect they were safe but I didn't want to take a chance on them so I tried to get rid of the virus without resorting to them.

[davefoc]

Bummer,

vmhost.exe is back

 

This is one serious piece of crap. I'm going to ask for help

[Firefox]

Wow that is some work you have done.... The use of registry tools can be very dangerous and it can even potentially render your computer to be un-bootable. The sort of infection and symptoms you are experiencing point to some sort of a rootkit perhaps, but that's hard to say for sure without looking a log files.

As already mentioned, we have experts that can help you clean up the infection, and even look for leftovers that are left behind from the malware. That being said, we do not work on malware removal in this section of the forum, we have a dedicated section were we do that.

As already mentioned if you want to verify your computer is no longer infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you