Winavi has loaded dinput.dll into explorer.exe using global hook

I’m totally new to Comodo & this Forum:
I have a very simple question that I can’t find an answer to on My own.
I have a FIC AM-35 AMD Athlon™ XP 1700+ (1457 MHz) 640 MB DDR
nVidias GeForce 3 Ti 200(256mb)(latest driver)
I run ESET’s Nod32 Ver:2.70.39(latest update)
AVG’s Antispyware 7.5(latest update)
Comodo ver: 2.4.18.184
On Microsoft Windows XP Ver: 5.1.2600 Service Pack 2 Platform(fully updated)

I’ve seen an Alert from Comodo like 4 times in the last 4 hours that states:
Winavi has loaded dinput.dll into the parent application explorer.exe using a global hook, which could be used by keyloggers to steal private information. Winavi may be using explorer.exe to conceal its behaviour in an attempt to connect with the internet with IEXPLORE.EXE


I don’t know if I should allow it or not? so I’ve temporarily Blocked it until someone here can help Me understand why this dll would do what it’s doing & if it’s ok to Allow it?

I’ve Googled the dinput.dll & it’s supposed to be a M$ file that is used along side DVD Burning Software or with a Joystick but the file sizes listed here: http://mightychicken.com/mc/dll-library/DINPUT.DLL_4.04.00.0068.html
are totally different! Here are some screenshots of My dll’s properties:

PS: As for DVDBurning Software I have Winavi & DVDDecrypter & DVDShrink but none of these are running when the Alert pops up!

Yeah I know, it’s strange, I got the same problem, I sometimes get messages about stuff after I uninstalled them and open Firefox, or after I’ve run a program.

Ragwing

Erm… I’m not sure what you guys have been looking at but dinput.dll is Microsoft DirectInput (part of DirectX). It deals with things like joysticks & other such input devices. It’s often used by games. If you’re worried about your particular version then take it for wizz at http://virusscan.jotti.org/.

Thanx for the quick reply Ragwing! & Yes there are some strange alerts like the one that says explorer.exe isn’t running! when I know darn well it is otherwise I wouldn’t be on My desktop !
Erm… kail as for what I’m looking at.
I guess that would be the part of the Alert that says
global hook / keyloggers / stealing private info
It kinda makes a Guy jump up & look wouldn’t you say Ragwing?

kail you make it sound as though I’m trippin for no good reason & that I’m not aware of what the dinput.dll is used for. I’m aware of what it’s for, like I stated in My post it’s for DVDBurning & Joysticx
But what I didn’t know is that it was to be used by Winavi to connect to the internet via IEXPLORE.EXE Are you hearing that part?
What I’m trippin on is why Comodo is making it look like it’s hiding behind another program & all while I’m doing nothing other than surfing the Net.
I have no Joystick installed & I’ve not any DVD software running when this Alert arrives. If it’s no big deal & “I kinda think it’s not”
Then Maybe there should be a Stickie/Thread that lists these Not to Worry Alerts in a place that’s easy for Newbs to the Software & Forum to find.

PS: I use the word Newb lightly as I’m only a Newb to this software & Forum Not to Computing in general.
Thanx for the Jotti link as it’s been awhile since I’ve had to go there!
http://www.virusbtn.com/vb100/index

Sorry, I only meant to be informative… nothing else. I didn’t see the term Newb in your first post. I only saw that you said you were new to Comodo & these forums.

I doubt that anything has used DINPUT.DLL to access the Net, since DINPUT.DLL does not do that… assuming it has not been replaced or patched. As far as burning CDs/DVDs is concerned… the only reason for DINPUT.DLL to get involved would be if the CD/DVD burning application used a pseudo multimedia device that fell within DINPUT.DLL’s control.

On CFP’s alert… the thing to note is that it says “could be”, not “is”. In the alert you posted CFP is warning you that WinAVI meddled with explorer.exe (apps do this to add context menus, claim file associations, etc…) and that explorer.exe is the parent process of MSIE. This is the exact same method that many firewall leaktests try to exploit. This is why CFP warned you, because it is a risk/threat. You’ll need to authorise all such explorer.exe to MSIE relationships where another application does something to explorer.exe.

BTW It doesn’t matter if WinAVI was running at the time of alert or not… what it did to explorer.exe remains in effect until the system or the shell is restarted.

I need to both thank You for Your second reply & apologize for My offensive reaction to Your first!

DINPUT.DLL does not do that.. assuming it has not been replaced
"I too felt that the dinput.dll should not be doing that" So I chose to have Comodo block the dll & then I hit the books (Google) in an attempt to find out what it all meant, however because I couldn't find anything to explain-away the dll's characteristics on My own, I decided to ask for Help/Direction here at Comodo's Home-Forum hoping that there was a "Known Issue" or a post that would help Me decide if I'm to allow or block this activity. But in all honesty I think I've gotten more confused, but please let Me word to You what I think You've told Me.

Just because the alert says
Winavi has loaded dinput.dll into the parent application explorer.exe using a global hook doesn’t mean that the prog Winavi nor the dinput.dll are actually doing something bad, it just means that Winavi is using the same method of loading/injecting the dll that Malware & Viruses use to
put in work! Did I get it right?

Look kail
I’m sorry about My being so hang-on-ish, but I’m just looking for an explanation as to why it’s happening & if it’s ok for it to be happening & Comodo made it real easy for Me to interpret the Alert as MAL Conceal /Global Hook /Keyloggers /Stealing Private Info
Along with very small 1 worded exemptions/explanations like may.
PS: Thanx for the informative reply kail !!!

Hey TioTek,

Just to follow up on kails advice about the DLL injection remaining active until the PC is rebooted or the shell restarted, if you are concerned about a DLL injection, you can try the following;

  1. do the M$ 3 finger salute (CTRL-ALT-DEL)
  2. click on the PROCESSES tab and end EXPLORER.EXE
    2a. this will end the shell and your desktop will be empty
  3. click the APPLICATION tab and click the NEW TASK button and enter EXPLORER.EXE as the new task name
    3a. This will restart the shell and your desktop will be returned to normal.

Following this method, any DLL injections that were in place prior to the process being ended will be gone.

hope this helps,
Ewen

Ride On Panic
Thanx for the tip & that’s exactly what I do when I want to delete a file that won’t delete, I just open up SysInternals(M$) Process Explorer & kill explorer.exe then run new task & browse to explorer.exe & the file deletes fine after that, so Yeah I follow what You’re saying.
Good Lookin Out !

Hey Kail when You said

You'll need to authorise all such explorer.exe to MSIE relationships where another application does something to explorer.exe.
I'll take that as a Yes & that I'll need to unblock the dinput.dll & allow it?

Hi Tiotek & no problem, I completely understand.

Yes.

Yes, assuming that DINPUT.DLL itself checks out OK, then it should be allowed remembered.
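
One way to check that the DLL "checks out OK" locally, and to see whether it is still mapped into the shell after the explorer.exe restart described earlier in the thread (added example, not part of the original posts). It assumes a current Windows system with Windows PowerShell 5.1 or later, run in the same bitness as explorer.exe; the function name Get-LoadedModuleReport is made up for this example.

```powershell
# Added example: report on a DLL mapped into a running process.
# Defaults use the process and DLL names from this thread.
function Get-LoadedModuleReport {
    param(
        [string]$ProcessName = 'explorer',
        [string]$ModuleName  = 'dinput.dll'
    )
    # Expected home of the genuine DirectInput DLL
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Module enumeration can fail for processes owned by other users
        $mods = try { $proc.Modules } catch { @() }
        $hits = @($mods | Where-Object { $_.ModuleName -ieq $ModuleName })

        if ($hits.Count -eq 0) {
            # Not mapped into this instance (e.g. after the shell was restarted)
            [pscustomobject]@{ ProcessId = $proc.Id; Loaded = $false; Path = $null }
            continue
        }
        foreach ($m in $hits) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessId       = $proc.Id
                Loaded          = $true
                Path            = $m.FileName
                # A copy loaded from anywhere else deserves a closer look
                InSystem32      = ((Split-Path $m.FileName -Parent) -ieq $system32)
                Company         = $m.FileVersionInfo.CompanyName
                FileVersion     = $m.FileVersionInfo.FileVersion
                # 'Valid' means the file matches its publisher's signature
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                # Hash to compare against a known-good copy or a scanner result
                Sha256          = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            }
        }
    }
}

Get-LoadedModuleReport | Format-List
```

Run it once while the alert condition is present and again after restarting the shell to compare the Loaded field. A file outside System32, or a SignatureStatus other than Valid, is the "replaced or patched" case mentioned above and is a reason to keep the block in place.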

Hey Kail
I ran the dinput.dll by Jotti & it came back as Ok!
So I’ll go ahead and allow it

Thanx for Your advice & I’m sure I’ll need it again.