Re: anyone know what dllhost.exe is?

  • From: "Rick Harmon" <rharmon@xxxxxxxxxxxxxxxxxxx>
  • To: <jfw@xxxxxxxxxxxxx>
  • Date: Tue, 26 Jun 2007 23:27:21 -0400

Here is what a google search came up with

It's rather technical, but seems to say this program can slow systems down.

Rick

DLLHOST.EXE - Good Or Bad
Vectors & Interfaces

Even if you do not download any kind of free programs from the Internet, be
suspicious if you see a file like GatorHDPlugin.log in your Windows
directory. Chances are that you have gotten the software through automated
download and installation. This will happen if your Internet options are set
to enable Install On Demand (IE and Others) and third-party browser
extensions.

Having dealt with so many different types of spyware in the course of work,
whenever I press CTRL-ALT-DEL to get to the Task Manager and look at the
processes list and see DLLHOST.EXE as one of the processes, it would get me
suspicious.

A search on the net yields results that say -

"Description:
dllhost.exe is a part of the Microsoft Windows Operating System. The
dllhost.exe file manages DLL based applications. This program is important
for the stable and secure running of your computer and should not be
terminated."

"The COM+ hosting process controls processes in the Internet Information 
Services (IIS) and is used by many programs."

So is it good or bad?

First, my clean installed system with IIS does not have a dllhost.exe
process in the processes list.

Secondly, whenever I encounter DLLHOST.EXE processes in the processes list, 
my system would slow down drastically.

Thus it would seem that anyone who runs IIS without any .NET extension
should not have this process running at all. There are of course other uses
of this process by some programs like antivirus, some mail servers and even
Winfax. Thus it would require checking if there are too many instances of it
running.

To check the list of DLLs that are or have been loaded in your system
before, click on Start, Run and then type CMD at the prompt (command for
WIN95/98/ME). At the DOS prompt, type cd c:\windows or cd c:\winnt (if the
previous command doesn't work) and then press the Enter key. Once you are in
the Windows system directory, type cd downlo~1 to get into the downloaded
program files folder. Type dir to see a list of files that are in that
folder.

Following are some of the files that were installed on my system by a
drive-by download:

HDPlugin1015.dll
HDPlugin1018.dll
HDPlugin1019.dll
winadtoolsx.dll
ISTactivex.dll
WUInst.dll

To uninstall these modules from memory, type regsvr32 /u
%systemroot%\downlo~1\ followed by the DLL file name, e.g.
regsvr32 /u "%systemroot%\downlo~1\HDPlugin1015.dll".
Remember to add the quote marks. Delete the files after uninstall by typing
del followed by the file name, e.g. del hdplugin1015.dll, or rename it to
another extension, e.g. ren bridgex.dll bridgex.bak. Doing so will enable
you to know how often the spyware came back.

You may also wish to run regedit (Start, Run, type regedit at prompt) to
remove any traces of the above or some other suspicious entries in the
following keys. Please be sure you know what you are doing because a wrong
deletion may cause your system to become unstable.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also do a scan using Spybot Search & Destroy or any other spyware removal 
tools and fix any problem that it detects.

Be cautious of some commercial spyware removal tools that claim to be free
but keep prompting you to purchase in order to remove the spyware they
detected on your system. Chances are that they are spyware themselves
(probably written by the same people whose software you are trying to
remove) that is installed to take control of your machine and hard sell you
their wares.

Pest Patrol, commercial anti-spyware/anti-trojan software and some free ones
like Spybot S&D are the real tools for your anti-spyware and anti-trojan
problem. Some sites like 3721.net and programs like eAcceleration installed
as a popup stopper with all their bundled stuff are "worse than the disease
itself" or "bringing in the cat to get rid of the mouse but now the cat
don't want to leave!!"

There may be some new tricks from these hijackers and thus it would be
advisable to constantly scan your system and remove any doubtful DLL files
using the same method above.

Spyware doesn't provide you with very much useful function but causes much
more problems than it is worth. So far, issues that we have encountered
caused in part by spyware include logging in only to be brought back to the
logoff screen, constantly losing Internet connection, losing stored
profiles, etc.

Other spyware DLLs & EXEs found on some clients' machines (Dec 2004):

(In Windows\Downloaded Program Files)
bridgex.dll, ieawsdc.dll, minesweeper.dll, pinstall.dll, popcaploader.dll, 
purzh-sg.dll, v2.dll, retro64_loader.dll, solitaireshowdown.dll, 
toolbar_nieuw14.dll.

(In Windows\system32)
msegcompid.dll

WildTangent has its own folder within Windows known as WT. Also remove all
traces of alg.exe from registry by running regedit or regedt32, edit, find
and delete key. F3 to find next and then repeat.

Registry editing has been disabled by your administrator

Some spyware not only takes control of your PC but also does not want you or
anyone else to have any ability to make changes with administrative tools
like regedit. If you agreed to install the adware, naturally it means that
it is OK that they disallow you to remove them.

TVM.exe (TV Media) stays resident in memory on startup and can only be
removed in safe mode, but part of its entries may be stored in a user-level
profile and cannot be cleaned unless you log in with that user name. But when
you log in with the hijacked user name, you have no access to the regedit
program.

To restore registry editing rights to your own machine, copy the following
text, save it as a file with a .reg extension and then open it up.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Got the following from somewhere but could not locate the source anymore.

To restore control of your Internet Option & Control Panel, copy the 
following text, save as a file with .reg extension and open it.

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"GeneralTab"=dword:00000000
"ProgramsTab"=dword:00000000
"SecurityTab"=dword:00000000
"ContentTab"=dword:00000000
"PrivacyTab"=dword:00000000
"AdvancedTab"=dword:00000000
"ConnectionsTab"=dword:00000000
"HomePage"=dword:00000000
"Accessibility"=dword:00000000
"CertifPers"=dword:00000000
"CertifSite"=dword:00000000
"SecChangeSettings"=dword:00000000
"SecAddSites"=dword:00000000
"FormSuggest"=dword:00000000
"FormSuggest Passwords"=dword:00000000
"Connwiz Admin Lock"=dword:00000000
"Settings"=dword:00000000
"ResetWebSettings"=dword:00000000
"Connection Wizard"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"GeneralTab"=dword:00000000
"ProgramsTab"=dword:00000000
"SecurityTab"=dword:00000000
"ContentTab"=dword:00000000
"PrivacyTab"=dword:00000000
"AdvancedTab"=dword:00000000
"ConnectionsTab"=dword:00000000
"HomePage"=dword:00000000
"Accessibility"=dword:00000000
"CertifPers"=dword:00000000
"CertifSite"=dword:00000000
"SecChangeSettings"=dword:00000000
"SecAddSites"=dword:00000000
"FormSuggest"=dword:00000000
"FormSuggest Passwords"=dword:00000000
"Connwiz Admin Lock"=dword:00000000
"Settings"=dword:00000000
"ResetWebSettings"=dword:00000000
"Connection Wizard"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

Removal of spyware using commercial and non-commercial software

Remember to keep your system updated with the latest service pack, as we
encountered explorer.exe and mshta.exe errors on a Windows 2000 machine
running SP2 after removing some spyware like Gator and CoolWebSearch, and
had to restore all registry entries that Spybot removed, install SP4 & IE
patches and then remove them again in order to get the system working.

Some spyware companies are advertising as spyware remover software & may
cause more problems than they solve. Typical indications of spyware-loaded
removers are that the scan of your PC is free and that it comes with a very
long user agreement which you don't read.

List of so-called anti-spyware software that is spyware itself:

Spy Wiper, AdWare Remover Gold, BPS Spyware Remover, Online PC-Fix
SpyFerret, SpyBan, SpyBlast, SpyGone, SpyHunter, SpyKiller, SpyKiller Pro,
SpywareNuker, TZ Spyware-Adware Remover, xp-AntiSpy, SpyAssault,
InternetAntiSpy, Virtual Bouncer, AdProtector.

If you're interested in getting a commercial anti-spyware program, you can
buy Pest Patrol which is known to be a genuine anti-spyware plus anti-trojan
product. You can buy it through us using the following link;

Otherwise, there are also various non-commercial anti-spyware tools like 
Spybot Search and Destroy and ad-aware which is free for non-commercial use.

Don't go for unknown products and if you must, then do a search for review 
from popular spyware forums like spywarewarrior.com before deciding.
Don't pay the anti-spyware programs to 'remove' what they install into your 
system.

About Us

We are network support specialist serving corporate clients in Singapore.
Our range of services includes :-

System support and maintenance
Network setup and maintenance
Disaster recovery
Internetworking

----- Original Message ----- 
From: "Missy Hoppe" <melissah@xxxxxxxx>
To: <jfw@xxxxxxxxxxxxx>
Sent: Tuesday, June 26, 2007 10:39 PM
Subject: anyone know what dllhost.exe is?


Hello, all. I'm still trying to pinpoint the reason why my new system
becomes sluggish after running for a few hours. I've sent my task list to
someone local, and the only thing he's never heard of is called
dllhost.exe. Does anyone know what this program is? Is it essential to the
functioning of Windows? If not, does anyone have any ideas how I might get
rid of it?
Thanks in advance for any advice any of you might be able to provide in
this matter.
Missy

--
JFW related links:
JFW homepage: http://www.freedomscientific.com/
Scripting mailing list: 
http://lists.the-jdh.com/listinfo.cgi/scriptography-the-jdh.com
JFW List instructions:
To post a message to the list, send it to jfw@xxxxxxxxxxxxx
To unsubscribe from this mailing list, send a message to 
jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
Archives located at: //www.freelists.org/archives/jfw

If you have any concerns about the list, post received from the list, or the 
way the list is being run, do not post them to the list. Rather contact the 
list owner at jfw-admins@xxxxxxxxxxxxxx
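
A read-only way to review the locations the quoted article names before deleting or unregistering anything, as an added PowerShell example that is not part of the original post or the article. The function names are made up for illustration, and it assumes a Windows system with PowerShell available.

```powershell
# Added example (not from the original post): read-only triage; nothing is changed.

# Autorun keys from the article's list.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# Policy values the article's .reg files reset to 0; non-zero means locked out.
$lockouts = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoBrowserOptions' }
)
function Get-PolicyLockout {
    foreach ($p in $lockouts) {
        $value = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($null -ne $value -and $value -ne 0) {
            [pscustomobject]@{ Key = $p.Key; Name = $p.Name; Value = $value }
        }
    }
}

# DLLs in "Downloaded Program Files", with Authenticode status so unsigned
# or invalidly signed files stand out for manual review.
function Get-DownloadedDll {
    $dir = Join-Path $env:SystemRoot 'Downloaded Program Files'
    Get-ChildItem -Path $dir -Filter *.dll -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.Name; Modified = $_.LastWriteTime; Signature = $sig.Status }
    }
}

Get-AutorunEntry  | Format-Table -AutoSize -Wrap
Get-PolicyLockout | Format-Table -AutoSize
Get-DownloadedDll | Format-Table -AutoSize
```

Saving the three tables before and after a cleanup gives a record of what changed and shows whether an entry has come back.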
