Starr Duskk asked:
MICROSOFTSHELLHOST.EXE Is this a virus?

I have a web server on which this process is taking up 66% of my processing memory:
MICROSOFTSHELLHOST.EXE

I googled it and came up with these pages that tell you that this is a virus and here is the hard way to remove it, and the easy way is to buy their product. But I've been burned by these non-legit pages before, claiming something else I had was a virus; I bought their product and it didn't fix it either. Got my money back by calling my credit card company since they don't respond to support at all, but I am now aware of these fraudulent practices. (Found out the other thing was due to my PC using a newer version of the software trying to VPN into a server with an older version.)

Google results are cluttered with the above type of pages.

This is on Windows Server 2012 R2.

Anyway, what is this process? And why is it running? I know I didn't open it. thanks!
ASKER CERTIFIED SOLUTION
John
This solution is only available to members.
Alan:
Hi,

As John says, it appears this is a virus.

I would just wipe the machine and start from scratch.

Once a machine has been infected, it can never be trusted again until wiped.  Even if you *think* you've gotten rid of it, you can never truly be sure, and what professional wants to take the risk of having a compromised machine inside their network?


Alan.
Starr Duskk (ASKER):
@Alan, where do you get this "wipe the machine and start from scratch"? Is this just your opinion? Because that is a hardcore solution when you have a server all set up with all the things required to run it, like configuration, users, schedules, databases, IIS, FTPs, attached drives, etc. Did you read it somewhere in regard to this specific problem?
If the game is working fine, then the search that says the shell string above is a virus may just be an opinion.

You now have 2 questions open about this. Slither.to is a game. Is it working properly for you? If so, no need to reinstall Windows.
I don't even have slitherio? Where is this reference to slitherio coming from? John Davidson had his comment about "play slitherio" and I reported it as spam.

I am using a server that has nothing to do with this game.
Sorry, I thought you did have the game.

Did you try the removal link I posted to remove the file(s)?
John:
I did go to that link. I did step 1 and checked all of my Chrome link properties, which wasn't hard because I only had one icon. It did not have it in the target property.

Step 2: I checked the list of installed programs, and there was only the ONE program, which was Google Chrome, installed on 10/1. That is the only browser I used on this system.

Step 3: I had already stopped the process in the Task Manager, and so far it hasn't come back. Ran a search for MICROSOFTSHELLHOST.EXE on system.

Step 4: went to services and it was not there, nor were there any random names.

Step 5: checked the scheduler for any tasks for it. No tasks that I didn't create were there as new ones, and I checked all the MS ones; none were named MICROSOFTSHELLHOST.EXE and they seemed legit.

Step 6: ran regedit and searched the registry for MICROSOFTSHELLHOST. Found nothing.

Step 7: Remove MICROSOFTSHELLHOST.EXE from Google Chrome.
Checked all extensions. Had the typical Chrome Google Docs ones. Nothing else.

Step 8: Remove MICROSOFTSHELLHOST.EXE from Internet Explorer.
Not an issue there either. Only used IE once to download Chrome.

Step 9: Remove MICROSOFTSHELLHOST.EXE from Mozilla Firefox.
Don't have Firefox.

Step 10: And at the end, clear your basket, temporal files, browser's cache.
I checked my browsing history before removing it and noticed one I did not recognize: searchguide.level3.com at 3:16PM Sunday Oct. 15.
I googled this and it looks like this is probably the culprit. I don’t know how that page is in the history. I clicked onto it to see what was there, and it just had an error page. I rechecked everything all over again after going there and found no problems.
Then he says:
>>But if you miss any of these steps and only one part of virus remains – it will come back again immediately or after reboot.
So I did a reboot.
What is weird is, the only indication of it was in the Task Manager, eating up resources. Once we stopped that, we found it nowhere else on the machine. Seems it would be somewhere.

Next message will be results after reboot.
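The manual sweep in the steps above (shortcut targets, installed programs, Task Manager, services, Scheduled Tasks, the registry, browser extensions) can be scripted so it is repeatable after a reboot and leaves a record. The script below is an added example, not code from this thread or from the removal guide it refers to. It is a PowerShell triage script for the server that reports running processes which use a Windows binary name but run from outside the Windows directory, sit in a user-writable location such as ProgramData, have a fake System32 folder in their path, or carry no valid Authenticode signature; searches the Run keys, services and scheduled tasks for anything referencing the name or path; and locates hidden copies on disk with their SHA-256. The process names and the C:\ProgramData\System32\Logs path are the ones reported in this thread; the function names and the choice of folders to treat as user-writable are my own assumptions.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on the
# server BEFORE deleting anything: it only reports, so findings can be recorded.
# Assumed inputs ($Names, $Pattern) come from the thread above; adjust as needed.

# Folders a Windows component should never run from (assumption for this example).
$UserWritableRoots = @($env:ProgramData, "$env:SystemDrive\Users", $env:TEMP)

# Names of genuine executables under the Windows directory, used to catch look-alikes
# running from elsewhere. SystemApps does not exist on 2012 R2; that is fine.
function Get-WindowsBinaryName {
    Get-ChildItem -Path "$env:windir\System32", "$env:windir\SystemApps" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-SuspiciousProcess {
    $known = @(Get-WindowsBinaryName)
    foreach ($p in Get-CimInstance Win32_Process) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }            # kernel/protected processes expose no path
        $reasons = @()
        $inWindows = $path.StartsWith($env:windir, 'OrdinalIgnoreCase')
        if (-not $inWindows -and $known -contains $p.Name.ToLowerInvariant()) {
            $reasons += 'Windows binary name running outside the Windows directory'
        }
        # The only real System32 is under the Windows directory; elsewhere it is a disguise.
        if (-not $inWindows -and $path -match '\\System32\\') { $reasons += 'fake System32 folder in path' }
        foreach ($root in $UserWritableRoots) {
            if ($root -and $path.StartsWith($root, 'OrdinalIgnoreCase')) { $reasons += "runs from user-writable $root"; break }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        if ($reasons.Count -eq 0) { continue }
        $signer = $null
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Pid       = $p.ProcessId
            ParentPid = $p.ParentProcessId
            Name      = $p.Name
            Path      = $path
            Signer    = $signer
            Reasons   = $reasons -join '; '
        }
    }
}

# Autostart locations the manual steps covered (Run keys, services, scheduled tasks),
# searched for a regex so an entry that references the folder but not the name is caught too.
function Get-PersistenceReference {
    param([Parameter(Mandatory)][string]$Pattern)   # regex; -match is case-insensitive
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            # PS* properties are provider metadata (PSPath etc.), not registry values.
            if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match $Pattern) {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ("$($svc.PathName)" -match $Pattern) {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

# Locate copies on disk even when the file or folder is hidden (-Force), and hash them
# so the sample can be identified later (e.g. submitted to your AV vendor).
function Find-HiddenCopy {
    param([string[]]$Names, [string[]]$Roots = @($env:ProgramData, "$env:SystemDrive\Users"))
    foreach ($n in $Names) {
        Get-ChildItem -Path $Roots -Filter $n -Recurse -Force -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime, Attributes,
                @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
    }
}

# Values seen in this thread (assumed inputs for the demonstration).
$Names   = 'MICROSOFTSHELLHOST.EXE', 'ShellExperienceHost.exe'
$Pattern = 'MICROSOFTSHELLHOST|ShellExperienceHost|ProgramData\\System32'

'== Running processes worth a second look =='
Get-SuspiciousProcess | Format-Table -AutoSize
'== Autostart entries referencing the pattern =='
Get-PersistenceReference -Pattern $Pattern | Format-Table -AutoSize
'== Copies on disk (hidden included) =='
Find-HiddenCopy -Names $Names | Format-Table -AutoSize
```

The script reports only; nothing is deleted, so the file can be hashed and kept before removal. Two points it makes concrete: a folder called System32 anywhere outside C:\Windows is a disguise, and Server 2012 R2 has no ShellExperienceHost component at all (the genuine one ships with Windows 10 and Server 2016 under C:\Windows\SystemApps), so a file with that name on this server is foreign regardless of where it sits. It needs PowerShell 4, which ships with 2012 R2, for Get-FileHash and the ScheduledTasks module.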
SOLUTION
This solution is only available to members.
After reboot, it is back, looking all innocuous and innocent:

[screenshot]
But this time I've found the name of the file to look for:
ShellExperienceHost.exe

It says it is here:
C:\ProgramData\System32\Logs

I tried to delete the Logs folder and it says it can't because another file is open in it. So I stopped the task, then it did delete.

Going to reboot again.

But if I go to file location, it is not there, even though I have my view set to show hidden files and extensions.
Try the Process Explorer route I suggested.
There are a lot of URLs for this download. I wanted to post a legit URL for those looking:
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
The link you posted is the correct Microsoft link. I use this myself. Down the left side are other Microsoft tools as well.
yes, I know. I wanted to post it for those who visit this thread to find a legit one.
After I rebooted, and found it in the task manager and viewed the properties to find the location and deleted the directory it was in (because it was hidden even as a hidden file), I rebooted and it is not back.

I installed Process Explorer. I loaded another Windows Server 2012 R2 server that has never had this problem and compared both processes. Everything on both machines is the same, with the second one having more things running. So I believe it's taken care of. Found nothing unusual there. If I do, I'll try Malwarebytes also.

thanks!
Thanks for the update