I just got Security Task Manager and it found some different things over Process Hacker, such as “Multi-User Windows USER API Client DLL”, found in “C:\Users\Silent\AppData\Local\Temp\ZMN1125.tmp”. I can’t find the file anymore, and actually it seems that Security Task Manager has frozen up, in effect allowing me to retain its report on the DLL. HOLD ON-- it still says that name, now it's gone, it changed back to ISW_RESTRICTED_GROUP(SILENT_ISW_RESTRICTED_GROUP_), it flashed the numbers when I closed the properties and reopened it.
The first time I checked the properties, there was a user with a question mark and the name was a bunch of numbers listed with the other users/groups. Now it Also, when I first clicked the details tab, it took about 10 seconds to load it, and it says the file is 0 bytes… but it says 1,126,912 bytes under the General tab.
When I clicked the Advanced button to change permissions my HIPS found C:\Windows\SysWOW64\DllHost.exe trying to access File Path: \srvsvc
Any help would be nice tracking this DLL down, as it's gone and I want to poke it with sticks and stuff… thanks
The ‘Multi-User Windows USER API Client DLL’ is the long name for a file called User32.dll, which on a 64-bit version of Windows can usually be found in:
C:\Windows\System32
and
C:\Windows\SysWOW64\
Quite what it’s doing in 'C:\Users\Silent\AppData\Local\Temp' is a mystery and may warrant further investigation.
If I remember correctly the ‘ISW_RESTRICTED_GROUP’ is something to do with ZoneAlarm, but I forget what exactly.
If you want to find the file under Process Hacker, select the System process and look at modules.
Dllhost.exe is another normal file found on most Windows systems and is part of the Component Object Model (COM) system. The srvsvc process is the Windows Server Service. Are you running IIS?
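Added example, not part of the original posts: a PowerShell check for the situation described above, where a file in Temp carries the version information of a system DLL such as User32.dll. It looks up the copy in System32 or SysWOW64 that the temp file claims to be and compares hash and signature; matching on the OriginalFilename/InternalName version fields and the function name Get-SystemCandidate are choices made for this example.

```powershell
# Added example: find files in the user's Temp folder whose version resource
# names a Windows system binary, and compare each one to the real copy.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-SystemCandidate {
    param([System.Diagnostics.FileVersionInfo]$Info)
    # The version fields may read "user32", "user32.dll" or "user32.dll.mui".
    foreach ($raw in @($Info.OriginalFilename, $Info.InternalName)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $name = $raw.Trim() -replace '\.mui$', ''
        # Accept plain file names only, so the value cannot point elsewhere.
        if ($name -notmatch '^[\w.\-]+$') { continue }
        if (-not [IO.Path]::HasExtension($name)) { $name = "$name.dll" }
        foreach ($dir in $systemDirs) {
            $candidate = Join-Path $dir $name
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
        }
    }
}

$report = Get-ChildItem -LiteralPath $env:TEMP -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $candidates = @(Get-SystemCandidate $file.VersionInfo | Sort-Object -Unique)
        if (-not $candidates) { return }   # not claiming to be a system file

        # A locked or vanished file leaves the hash empty instead of stopping the scan.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        $same = $candidates | Where-Object {
            (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $hash
        } | Select-Object -First 1

        [pscustomobject]@{
            TempFile         = $file.FullName
            Description      = $file.VersionInfo.FileDescription
            Length           = $file.Length
            Sha256           = $hash
            Signature        = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            ClaimsToBe       = $candidates -join '; '
            SameAsSystemCopy = [bool]$same
        }
    }

$report | Format-List
```

A row with SameAsSystemCopy set to True is a byte-identical copy of the system file; a different hash together with a Signature value other than Valid is the case worth a closer look.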
Sorry for the late reply. No, I am not running IIS and have never heard of it. From Googling it I see that it is web server software, which is the last thing I need in my journey to privacy… What did you see that indicated IIS being active?
I have uninstalled Zone Alarm and regularly clear my temp folder, so I doubt this is still up for investigation… I just wanted to answer your question.
Only that there’s quite a close relationship between IIS hosted processes and dllhost. However, dllhost pops up all over the place.
Unfortunately, security suites are notoriously difficult things to remove completely, hence the plethora of dedicated removal tools available.