dllhost.exe *32 is using all my memory

Posted on 2014-02-25
Last Modified: 2014-03-02
I have a PC with Windows 7 Pro 64-bit.  It is running very slowly.  Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of it's 6 GB of installed memory.  Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.

Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?  
Question by:tcexperts77
  • 6
  • 4
  • 3
  • +1
LVL 35

Accepted Solution

Kimputer earned 167 total points
ID: 39888059
25 of those processes doesn't sound healthy at all. The problem is that that process is called to use another DLL, which means you still can't tell if it's legitimate or not.
The best way now is to download a Live CD with antivirus (for instance AVG Rescue CD to scan your PC for viruses. Boot your computer with this CD and scan your drives (as this is better than scanning when Windows has started and a possible virus already has the upper hand).

Author Comment

ID: 39888075
Good Idea! Thanks.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888088
A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

LVL 19

Assisted Solution

helpfinder earned 167 total points
ID: 39888110
as Kimputer said, it seems to be an infection and that´s why so much resources are in use (RAM). Make AV scan or Malware scan (Malwarebytes antispyware software for example), but wise is also scan for viruses and infections with not booted system - as mentioned - another tool I have good experience is Kaspersky rescue disk you can use as bootable CD or USB. Also you can remove the HDD and put into another working machine as a secondary disk and make AV scan but in certain circumstances there is a danger you infect also the host computer.
Also System Restore could do a trick (but I am not a big fan of System Restore) if you go back to the date you was fine and without problems.
If nothing is working well, clean reinstall will do it (I know this is the last option because of lot backup has to be done and all SW have to bye installed again)
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 166 total points
ID: 39888112
Step 1:

First make sure that you have a valid Backup of your data and Operating System.
Please keep in mind that we are not responsible for any Data looses.

Free Backups methods are:
Windows Complete PC Backup, Paragon Backup & Recovery Free Edition etc.

If you need any help, please let me know.
Step 2:

Download OTL:

And save it to your Desktop

Step 3:

Run it as an Administrator and scan with these settings:

Note you have to Include 64bit Scans only in 64bit Systems!

Step 4:

OTL will create 2 logs on the Desktop (OTL.Txt & Extras.Txt) . Please upload them (both txt files) to us. Note: Don't copy and post the content here!

Please don't run any other Tools before I ask you to do if you need my help!
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888128

Author Comment

ID: 39889123
The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.

With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove.  It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode.  It's also possible I may have to do a clean install.   I will post the results of the scan when it completes and ask for your recommendations.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39889439

When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.


Author Comment

ID: 39889790
Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:

Scan results Microsoft Security EssentialsScan Results

Author Comment

ID: 39891923
I plan to award the points to the following:
1.  The comment by: Kimputer was the first that indicated it was a virus.
2.  The comment by: helpfinder suggested clean install.
3.  The comment by: hopeleonie indicated my "scan" plan may have serious flaws.

With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install.  I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only.  I am not going to format the infected drive, as I am not 100% sure I backed up everything.  I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.  
Does anybody see any problems with this?
LVL 35

Expert Comment

ID: 39892052
No problems with that.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.

Author Comment

ID: 39893958
It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.  
Does Internet Explorer have this?
LVL 35

Expert Comment

ID: 39894095
No IE does not have it. In IE it's totally off or totally on per plug in.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.

Author Closing Comment

ID: 39899428
Thanks to everyone!

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Delete Temp on all PCs 7 43
Problem Loading Chrome 6 34
SBS 2011 server backup failing. 27 39
Citrix App 7 25
This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question