
Two Dllhosts? Which one is the real one?


11 replies to this topic

#1 TropiconForHire (Members, 25 posts)

Posted 01 February 2017 - 06:22 PM

Hi

So I've made a post about this before, but this time I have more information.

The reason why last time I posted about this was because the person who wanted to help me asked me to download 5 different programs and run them on my computer. Please tell me how that doesn't seem weird to you.

Anyway, here's my updated post:

So I usually sometimes look through Task Manager to see what's running and such. Usually I have 50% CPU usage and I can't find where it's coming from, but after I check "Show processes from all users" it's something called MsMpEng.exe, which is supposed to be antispyware for Windows Defender. It always passes by and stops taking up all the CPU. However, I looked for more processes while this was happening and I found two dllhost.exe's again. It didn't show up before, at least it didn't anymore. Something I can tell apart from them this time is that one is under the user name "SYSTEM" and the other "human". I read about this a little more, and it said that one of these is possibly a fake.

 

These things never tell me which one is real and how to know. So here's my screenshot (cropped to focus on dllhost.exe's)

 

[screenshot: Task Manager process list, cropped to the dllhost.exe entries]

 

Notice both of them are identical except for "SYSTEM" and "human".

 

(If you need me to send a bigger or a screen shot with more information about my processes, let me know and I will)

 

I also included the double csrss.exe's because it looked pretty weird to me as well, so maybe fill me in on that too.

 

Thank you for viewing. 

 

-Tropicon

 

 

So: Before you ask me to download and run different programs, please let me know if this is normal (which it probably isn't) and which category the real dllhost.exe should be in.


Edited by TropiconForHire, 01 February 2017 - 06:24 PM.



#2 quietman7 (Global Moderator, Bleepin' Janitor, 50,961 posts, Virginia, USA)

Posted 02 February 2017 - 07:38 PM

Dllhost.exe is the Windows DCOM DLL Host Process that manages DLL based applications and executes COM+, a part of Microsoft Component Object Model technology in Windows which enables software components to communicate. COM+ controls processes in the Internet Information Services (IIS), handles programming tasks like resource pooling, disconnected applications, event publication/subscription and distributed transactions. The Dllhost.exe process is utilized by many different applications to include Visual Basic and .NET applications. There can be multiple instances of DLLhost.exe running at the same time. Determining whether DLLhost.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. DLLhost.exe is located in the folder C:\Windows\System32 and C:\Windows\SysWOW64. If located elsewhere, dllhost.exe is malware.


csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, handling the Win32 console, creating and/or deleting threads, some parts of the 16-bit virtual MS-DOS environment and GUI shutdown. This process is important for stable and secure operation of your system and should not be terminated. The legitimate csrss.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware. The csrss process always runs as a SYSTEM user...a csrss.exe process running as a different user is typically indicative of malware.

"SYSTEM" and "human" refer to User Name.

System is a process in NT "kernel mode" that contains most of the system threads and handles various basic system functions. A thread is a single sequence stream within a process...it is a basic unit of CPU utilization consisting of a program counter, a stack, and a set of registers. When Windows loads, the Windows kernel starts and runs in kernel mode to set up paging and virtual memory. It then creates some system processes and allows them to run in "user mode" but restricts their access to critical areas of the operating system. Every process started by Windows, except for the System process, runs in user mode, which is limited in terms of what system resources it has access to. User mode processes must request use of the kernel by means of a system call in order to perform privileged operations on their behalf. Kernel mode has unrestricted access to system resources and controls scheduling, thread prioritization, interrupt handlers, memory management and the interaction with hardware. The System process cannot be terminated.

Is there a user account named "human" on your computer?

How to Generate a List with All the User Accounts Found in Windows
The Net Command Line to List Local Users and Groups

These are tools to investigate running processes, programs that run at startup, services and gather additional information to identify them or resolve problems:

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

 

 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
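The path and owner checks quietman7 describes above can be scripted rather than read off Task Manager one process at a time. The PowerShell below is an added example, not code from this thread or from BleepingComputer. It assumes PowerShell 3.0 or later (for `Get-CimInstance`) run from an elevated prompt; the function and variable names are my own. It applies the two rules from the post, the image must live in System32 or SysWOW64 and csrss.exe must run as SYSTEM, and adds one check the post does not mention, the Authenticode signature on the image file:

```powershell
# Added example: report every dllhost.exe and csrss.exe with its owner, path and
# signature, and flag anything that does not match a legitimate instance.
# Run from an elevated PowerShell prompt (PowerShell 3.0+ for Get-CimInstance).

$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-SystemProcessReport {
    param([string[]]$Names = @('dllhost.exe', 'csrss.exe'))

    # WMI filter for just the process names we care about
    $filter = ($Names | ForEach-Object { "Name='$_'" }) -join ' OR '

    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $proc  = $_
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        $path  = $proc.ExecutablePath      # may be empty for protected processes such as csrss.exe
        $flags = @()

        if ($path) {
            # Check 1: the image must live in System32 or SysWOW64 (rule from the post)
            $dir = Split-Path -Path $path -Parent
            if ($expectedDirs -notcontains $dir) { $flags += "unexpected path: $path" }

            # Check 2: the image must carry a valid Microsoft Authenticode signature
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $flags += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += "unexpected signer: $($sig.SignerCertificate.Subject)"
            }
        }

        # Check 3: csrss.exe always runs as SYSTEM (rule from the post). dllhost.exe
        # legitimately runs as SYSTEM or as the logged-in user, so its owner alone
        # proves nothing either way.
        if ($proc.Name -ieq 'csrss.exe' -and $user -ne 'NT AUTHORITY\SYSTEM') {
            $flags += "csrss.exe not running as SYSTEM ($user)"
        }

        [pscustomobject]@{
            PID     = $proc.ProcessId
            Name    = $proc.Name
            User    = $user
            Path    = $path
            Parent  = $proc.ParentProcessId
            Verdict = if ($flags.Count) { $flags -join '; ' } else { 'matches a legitimate instance' }
        }
    }
}

Get-SystemProcessReport | Format-Table -AutoSize
```

Two dllhost.exe entries with the same path and a valid signature, one owned by SYSTEM and one by the logged-in user, are what a normal COM Surrogate setup looks like, so that pairing by itself is not a finding. An empty Path for csrss.exe is also expected on newer Windows versions, where it is a protected process; the owner check still runs for it. The Parent column is there because the post's path rule does not cover a genuine System32 image started by something that should not be starting it; that is the next thing to look at for any row that is otherwise clean but still suspicious.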

#3 jburd1800 (Members, 565 posts)

Posted 02 February 2017 - 07:54 PM

If you had followed Boopme on your earlier post you would probably be past this issue...


"May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life."


#4 TropiconForHire (Topic Starter, Members, 25 posts)

Posted 02 February 2017 - 09:23 PM

> If you had followed Boopme on your earlier post you would probably be past this issue

I admit it's my fault, but I just don't feel comfortable running all of those programs that I don't know on my pc. I should be more trusting but..



#5 TropiconForHire (Topic Starter, Members, 25 posts)

Posted 02 February 2017 - 09:31 PM

> Dllhost.exe is the Windows DCOM DLL Host Process that manages DLL based applications and executes COM+, a part of Microsoft Component Object Model technology in Windows which enables software components to communicate. COM+ controls processes in the Internet Information Services (IIS), handles programming tasks like resource pooling, disconnected applications, event publication/subscription and distributed transactions. The Dllhost.exe process is utilized by many different applications to include Visual Basic and .NET applications. There can be multiple instances of DLLhost.exe running at the same time. Determining whether DLLhost.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. DLLhost.exe is located in the folder C:\Windows\System32 and C:\Windows\SysWOW64. If located elsewhere, dllhost.exe is malware.
>
> csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, handling the Win32 console, creating and/or deleting threads, some parts of the 16-bit virtual MS-DOS environment and GUI shutdown. This process is important for stable and secure operation of your system and should not be terminated. The legitimate csrss.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware. The csrss process always runs as a SYSTEM user...a csrss.exe process running as a different user is typically indicative of malware.
>
> "SYSTEM" and "human" refer to User Name.
>
> System is a process in NT "kernel mode" that contains most of the system threads and handles various basic system functions. A thread is a single sequence stream within a process...it is a basic unit of CPU utilization consisting of a program counter, a stack, and a set of registers. When Windows loads, the Windows kernel starts and runs in kernel mode to set up paging and virtual memory. It then creates some system processes and allows them to run in "user mode" but restricts their access to critical areas of the operating system. Every process started by Windows, except for the System process, runs in user mode, which is limited in terms of what system resources it has access to. User mode processes must request use of the kernel by means of a system call in order to perform privileged operations on their behalf. Kernel mode has unrestricted access to system resources and controls scheduling, thread prioritization, interrupt handlers, memory management and the interaction with hardware. The System process cannot be terminated.
>
> Is there a user account named "human" on your computer?
>
> How to Generate a List with All the User Accounts Found in Windows
> The Net Command Line to List Local Users and Groups
>
> These are tools to investigate running processes, programs that run at startup, services and gather additional information to identify them or resolve problems:
>
> Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

The list of users was "Administrator" (I am assuming is me), Guest, and human.

I've checked those pages about the malware symptoms; the only one that applies to me is the "slow down". Everything else hasn't happened.


#6 quietman7 (Global Moderator, Bleepin' Janitor, 50,961 posts, Virginia, USA)

Posted 02 February 2017 - 09:31 PM

Every tool our volunteer 1st Responders ask you to run is trustworthy, safe and can easily be removed when clean up is done. However, some folks learn how useful they can be and decide to keep them for future use.

#7 quietman7 (Global Moderator, Bleepin' Janitor, 50,961 posts, Virginia, USA)

Posted 02 February 2017 - 10:19 PM

Someone created the human account since it is not a standard account. If this is your computer, then you most likely are Administrator but there usually is a name associated with it.

There are several ways to see a listing of User Accounts by name.

1. Open Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users.
[screenshot]

2. Right-click on My Computer, select Manage and from within the Computer Management window, double-click on Local Users and Groups to expand, double-click on Users. <- this method also provides a description of the account
[screenshot]

3. Click the Start Orb > Control Panel and double-click the icon for User Accounts.
[screenshot]

4. Press the WINKEY + R keys on your keyboard or Click the Start Orb > Run..., and in the Open dialog box, type: control userpasswords2
Click OK or press Enter. <- this method also provides the account Group
[screenshot]


.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
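The four GUI routes above all end at the same list of names; what they do not show in one place is whether an account is built in, whether it is an administrator, and when it was last used, which is what decides whether an entry like "human" is something to worry about. The following PowerShell is an added example, not from the thread or from BleepingComputer. It assumes Windows 10 / PowerShell 5.1, where the Microsoft.PowerShell.LocalAccounts module (`Get-LocalUser`, `Get-LocalGroupMember`) is available; on Windows 7 the `net user` and `net localgroup Administrators` commands from the "Net Command Line" link in post #2 give the names and group membership without the extra columns. The function name is my own:

```powershell
# Added example: list every local account with the details that help decide
# whether it is built in, created by a Windows feature, or created by a person.
# Requires the LocalAccounts module (Windows 10 / PowerShell 5.1 or later).

function Get-LocalAccountReport {
    # Members of the local Administrators group, reduced to bare account names
    # (Get-LocalGroupMember returns them as COMPUTER\Name)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { $_.Name.Split('\')[-1] }

    Get-LocalUser | ForEach-Object {
        # The relative identifier (RID) is the last component of the account SID.
        # Well-known RIDs: 500 = Administrator, 501 = Guest; other Windows-created
        # accounts also sit below 1000. RIDs of 1000 and up are handed out to
        # accounts created after setup, whether by a person or by a feature.
        $rid = [int]($_.SID.Value.Split('-')[-1])

        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            IsAdmin         = $admins -contains $_.Name
            Origin          = if ($rid -lt 1000) { 'built-in' } else { 'created after setup' }
            RID             = $rid
            Description     = $_.Description
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

Get-LocalAccountReport | Sort-Object Name | Format-Table -AutoSize
```

The Description column is the same text method 2 above exposes, and IsAdmin is the group that method 4 exposes. Accounts that come out as "created after setup" are not automatically suspect: the HomeGroupUser$ account mentioned later in this thread is created by the Windows 7/8 HomeGroup feature and is normal on a PC that has joined a HomeGroup. An enabled administrator account that nobody in the household recognises, with a recent LastLogon, is the combination worth following up on.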

#8 TropiconForHire (Topic Starter, Members, 25 posts)

Posted 03 February 2017 - 02:52 PM

> Someone created the human account since it is not a standard account. If this is your computer, then you most likely are Administrator but there usually is a name associated with it.
>
> There are several ways to see a listing of User Accounts by name.
>
> 1. Open Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users.
>
> 2. Right-click on My Computer, select Manage and from within the Computer Management window, double-click on Local Users and Groups to expand, double-click on Users. <- this method also provides a description of the account
>
> 3. Click the Start Orb > Control Panel and double-click the icon for User Accounts.
>
> 4. Press the WINKEY + R keys on your keyboard or Click the Start Orb > Run..., and in the Open dialog box, type: control userpasswords2
> Click OK or press Enter. <- this method also provides the account Group

I went with options 3 and 4.

For #3 it showed me (administrator) and a guest account. It said the guest account was off.

For #4 it showed the human user, and some other weird user "HomeGroupUser$".

 

What's next?



#9 technonymous (Members, 2,468 posts)

Posted 03 February 2017 - 03:31 PM

Using the program Process Explorer you can get an overview of where it's located and how its process starts up, and kill it. Probably a malicious persistent reverse remote shell. After you get rid of this thing you need to change your passwords, email passwords, everything.



#10 quietman7 (Global Moderator, Bleepin' Janitor, 50,961 posts, Virginia, USA)

Posted 03 February 2017 - 04:29 PM

> What's next?

You can continue to investigate but it sounds like there is an account on your system which you did not create. That alone should be of concern. I would recommend you follow the instructions provided by boopme in your other topic and post the logs for him to check.

#11 TropiconForHire (Topic Starter, Members, 25 posts)

Posted 03 February 2017 - 07:02 PM

> You can continue to investigate but it sounds like there is an account on your system which you did not create. That alone should be of concern. I would recommend you follow the instructions provided by boopme in your other topic and post the logs for him to check.

Okay so this might sound weird but do you have any free time later tonight? Maybe we can Skype or something and we can work this out in real time, because I've never dealt with these things before and I don't want to make any wrong moves! Let alone if I even have anything and I am just paranoid.



#12 quietman7 (Global Moderator, Bleepin' Janitor, 50,961 posts, Virginia, USA)

Posted 03 February 2017 - 09:41 PM

By Bleeping Computer policy all help must be provided in the public forums. Again I suggest you continue in your other topic.