DLLHOST.EXE


10 replies to this topic

#1 hazhiq

Posted 19 December 2017 - 09:16 AM

Hello, yesterday when I opened Task Manager I found 3 dllhost.exe. 1 has the username "user" and the 2 others are "system". The 2 with the username "system" disappear about 5 seconds after I open Task Manager. The thing is, today I was still curious about that dllhost and opened Task Manager. None with the username "user" was shown and the other 2 are still acting like yesterday. Is this caused by a virus?


Edited by hazhiq, 19 December 2017 - 09:18 AM.


#2 dc3

Posted 19 December 2017 - 09:38 AM

The dllhost.exe files are part of the Windows operating system.  You should leave these alone as they are normal.

 

Dynamic Link Library (DLL) files are executable files used to allocate resources for performing software tasks. In other words, DLL files help programs work properly in Windows. The program dllhost.exe is used in conjunction with many DLL files to passively manage and access DLL files. Without a functioning DLL host file, your computer's operating system could become unstable.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 hazhiq

Posted 19 December 2017 - 09:42 AM

Welp, thanks a lot, because I'm a bit paranoid about my PC. And that sure was a fast response. But may I ask about the one with the username "user" that was not shown at all in Task Manager today, since it's different from yesterday? I forgot to mention, but yesterday when I opened MSE and looked at the history it showed a Poweliks.A quarantined on 14 Dec. I searched Google and most of the results say that Poweliks.A is commonly involved with dllhost.exe, but I removed it via MSE.


Edited by hazhiq, 19 December 2017 - 09:58 AM.


#4 dc3

Posted 19 December 2017 - 10:54 AM

What you are implying here is that this computer is infected with poweliks.  In order to address this I will have to request that this topic be moved to the Am I Infected, What Do I Do forum.  The scan you need to run for this is not allowed in the Windows forums.

 

Please download Powelikscleaner (by ESET) and save it to your Desktop.

1.  Double-click on ESETPoweliksCleaner.exe to start the tool.

2.  Read the terms of the End-user license agreement and click Agree.

3.  The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

4.  If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

The tool will produce a log in the same directory the tool was run from.

Please copy and paste the log in your next reply.



 

 

 

 


#5 hazhiq

Posted 19 December 2017 - 11:16 AM

1. Should I send the Notepad file of the log or copy and paste it, because it says the reply is too long?

2. It says I'm not infected.

3. Thanks a lot. I sure made the correct decision to ask on this website.


Edited by hazhiq, 19 December 2017 - 11:18 AM.


#6 dc3

Posted 19 December 2017 - 11:33 AM

I had been rather curious about the Poweliks; I haven't seen this type of infection posted in quite a while.

 

Are there any other problems aside from the dllhost.exe?


Edited by dc3, 19 December 2017 - 11:36 AM.


 

 

 

 


#7 hazhiq

Posted 19 December 2017 - 11:48 AM

Well, that is all. I already deleted that Poweliks.A via MSE yesterday. The symptoms talked about on Google are not shown on my computer, and that ESET tool says I'm not infected. But can you list the symptoms of Poweliks.A so I can watch over my computer?



#8 MalwareDefense

Posted 19 December 2017 - 06:02 PM

Well, that is all. I already deleted that Poweliks.A via MSE yesterday. The symptoms talked about on Google are not shown on my computer, and that ESET tool says I'm not infected. But can you list the symptoms of Poweliks.A so I can watch over my computer?

Poweliks doesn't use a run-time mutex, so it's usual to encounter numerous instances of dllhost.exe in your Task Manager, since its execution is triggered by a commonly used COM Object. A COM Object is a utility used to uniquely identify certain features of the Windows OS. The OS uses these identities to execute components which help operate other Windows features. However, an attacker can abuse this and replace the DLL that is loaded by the given COM Object in your registry hive with a malicious DLL or execution sequence.

You should use a registry editor that uses Nt/Zw APIs to query the registry and check for Software\Microsoft\Windows\CurrentVersion\Run keys that are hidden. This is usually a key that contains a '\0' (NULL byte) at the beginning of its KeyName or KeyData value, which leads normal WinAPI wrappers that aren't from the Nt/Zw family to tell you the key is unavailable or cannot be viewed.

Use a registry editor such as Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) or RegDelNull (https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull) to view/remove these entries. In the case of Poweliks, it abuses rundll32.exe to run a Windows Shell Script (WSH) which downloads PowerShell and injects a remote DLL into dllhost.exe. You can remove these run keys, or use the ESET Nod32 Registry Scanner on the COM Object hive to remove malicious entries.
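As an added example (not code from this thread, nor from ESET or Sysinternals), the following Python script models the mechanism MalwareDefense describes: a Run-key value whose name or data begins with a NUL byte is intact in the counted-length strings the Nt/Zw registry APIs return, but collapses to an empty string in the NUL-terminated wrappers most tools use, so regedit reports it as unavailable. The registry snapshot, key paths, value names and data are constructed sample input; the `as_c_string` helper stands in for a wcslen-style Win32 string view instead of calling the real API, so the script runs offline on any platform.

```python
"""Added example (not from the BleepingComputer thread or any tool named in it).

Models two views of the same registry value: the counted-length view the
Nt/Zw APIs give (a UNICODE_STRING carries an explicit length) and the
NUL-terminated view Win32 wrappers give (they stop at the first NUL).
All key paths, value names and data below are constructed sample input.
"""
from dataclasses import dataclass

# Autorun locations the post tells the reader to check (suffixes of the full path).
AUTORUN_KEY_SUFFIXES = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


@dataclass(frozen=True)
class RegValue:
    """One registry value as a counted-length (UNICODE_STRING-style) record."""
    key_path: str   # full path of the containing key
    name: str       # value name; may contain NUL characters
    data: str       # value data rendered as text; may contain NUL characters


def as_c_string(s: str) -> str:
    """What a NUL-terminated (wcslen-style) string view yields for `s`.

    Stand-in for the Win32 behaviour: reading stops at the first NUL, so a
    name such as "\\0hidden" collapses to the empty string.
    """
    return s.split("\0", 1)[0]


def is_nul_hidden(s: str) -> bool:
    """True when the counted string has content that a C-string view would drop."""
    return as_c_string(s) != s


def in_autorun_key(key_path: str) -> bool:
    """True when key_path is one of the Run/RunOnce keys, under any hive."""
    p = key_path.lower()
    return any(p.endswith(suffix.lower()) for suffix in AUTORUN_KEY_SUFFIXES)


def find_hidden_autoruns(values):
    """Return the autorun values whose name or data is truncated by a NUL byte."""
    return [v for v in values
            if in_autorun_key(v.key_path)
            and (is_nul_hidden(v.name) or is_nul_hidden(v.data))]


def describe(v: RegValue) -> str:
    """Human-readable line showing the counted name next to the Win32 view."""
    return (f"{v.key_path}: counted name {v.name!r} "
            f"(Win32 view {as_c_string(v.name)!r}), data {v.data!r}")


# Constructed snapshot, shaped like what an Nt/Zw-based enumerator hands back.
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_VALUES = [
    # Ordinary, fully visible entry (constructed path).
    RegValue(HKCU_RUN, "OneDrive",
             r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    # Hidden entry: the name starts with NUL, so regedit shows an empty, unreadable value.
    RegValue(HKCU_RUN, "\0a", "rundll32.exe example-placeholder.dll,Start"),
    # NUL only in the data; still flagged, the name is not the only hiding spot.
    RegValue(HKLM_RUN, "Updater", "\0C:\\ProgramData\\placeholder\\updater.exe"),
    # NUL-prefixed name outside an autorun key: out of scope for this check.
    RegValue(r"HKEY_CURRENT_USER\Software\Example", "\0note", "benign"),
]


if __name__ == "__main__":
    for v in find_hidden_autoruns(SAMPLE_VALUES):
        print("HIDDEN AUTORUN:", describe(v))
```

Running it prints the two flagged autorun values with both views side by side. On a live system the same `find_hidden_autoruns` check would be fed records collected with an Nt/Zw-based enumerator, which is the post's point about why Autoruns and RegDelNull see these entries while regedit does not.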



#9 hazhiq

Posted 19 December 2017 - 07:28 PM

 

Well, that is all. I already deleted that Poweliks.A via MSE yesterday. The symptoms talked about on Google are not shown on my computer, and that ESET tool says I'm not infected. But can you list the symptoms of Poweliks.A so I can watch over my computer?

Poweliks doesn't use a run-time mutex, so it's usual to encounter numerous instances of dllhost.exe in your Task Manager, since its execution is triggered by a commonly used COM Object. A COM Object is a utility used to uniquely identify certain features of the Windows OS. The OS uses these identities to execute components which help operate other Windows features. However, an attacker can abuse this and replace the DLL that is loaded by the given COM Object in your registry hive with a malicious DLL or execution sequence.

You should use a registry editor that uses Nt/Zw APIs to query the registry and check for Software\Microsoft\Windows\CurrentVersion\Run keys that are hidden. This is usually a key that contains a '\0' (NULL byte) at the beginning of its KeyName or KeyData value, which leads normal WinAPI wrappers that aren't from the Nt/Zw family to tell you the key is unavailable or cannot be viewed.

Use a registry editor such as Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) or RegDelNull (https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull) to view/remove these entries. In the case of Poweliks, it abuses rundll32.exe to run a Windows Shell Script (WSH) which downloads PowerShell and injects a remote DLL into dllhost.exe. You can remove these run keys, or use the ESET Nod32 Registry Scanner on the COM Object hive to remove malicious entries.

How do I make the KeyName or KeyData shown? Sorry, I'm still an amateur at this.



#10 dc3

Posted 20 December 2017 - 08:31 AM

@MalwareDefense

 

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Why you should not use Registry Cleaners and Optimization Tools

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product.

Credit for this goes to Quietman7, one of our Global Moderators.



 

 

 

 


#11 hazhiq

Posted 21 December 2017 - 12:59 AM

Thank you. By the way, can you recommend what software I can use?


Edited by hazhiq, 21 December 2017 - 01:02 AM.




