dllhost.exe *32 is using all my memory

Posted on 2014-02-25
Medium Priority
Last Modified: 2014-03-02
I have a PC with Windows 7 Pro 64-bit.  It is running very slowly.  Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of it's 6 GB of installed memory.  Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.

Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?  
Question by:tcexperts77
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 3
  • +1
LVL 36

Accepted Solution

Kimputer earned 668 total points
ID: 39888059
25 of those processes doesn't sound healthy at all. The problem is that that process is called to use another DLL, which means you still can't tell if it's legitimate or not.
The best way now is to download a Live CD with antivirus (for instance AVG Rescue CD http://www.avg.com/eu-en/download.prd-arl) to scan your PC for viruses. Boot your computer with this CD and scan your drives (as this is better than scanning when Windows has started and a possible virus already has the upper hand).

Author Comment

ID: 39888075
Good Idea! Thanks.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888088
A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 19

Assisted Solution

helpfinder earned 668 total points
ID: 39888110
as Kimputer said, it seems to be an infection and that´s why so much resources are in use (RAM). Make AV scan or Malware scan (Malwarebytes antispyware software for example), but wise is also scan for viruses and infections with not booted system - as mentioned - another tool I have good experience is Kaspersky rescue disk you can use as bootable CD or USB. Also you can remove the HDD and put into another working machine as a secondary disk and make AV scan but in certain circumstances there is a danger you infect also the host computer.
Also System Restore could do a trick (but I am not a big fan of System Restore) if you go back to the date you was fine and without problems.
If nothing is working well, clean reinstall will do it (I know this is the last option because of lot backup has to be done and all SW have to bye installed again)
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 664 total points
ID: 39888112
Step 1:

First make sure that you have a valid Backup of your data and Operating System.
Please keep in mind that we are not responsible for any Data looses.

Free Backups methods are:
Windows Complete PC Backup, Paragon Backup & Recovery Free Edition etc.

If you need any help, please let me know.
Step 2:

Download OTL:

And save it to your Desktop

Step 3:

Run it as an Administrator and scan with these settings:

Note you have to Include 64bit Scans only in 64bit Systems!

Step 4:

OTL will create 2 logs on the Desktop (OTL.Txt & Extras.Txt) . Please upload them (both txt files) to us. Note: Don't copy and post the content here!

Please don't run any other Tools before I ask you to do if you need my help!
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888128

Author Comment

ID: 39889123
The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.

With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove.  It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode.  It's also possible I may have to do a clean install.   I will post the results of the scan when it completes and ask for your recommendations.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39889439

When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.


Author Comment

ID: 39889790
Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:

Scan results Microsoft Security EssentialsScan Results

Author Comment

ID: 39891923
I plan to award the points to the following:
1.  The comment by: Kimputer was the first that indicated it was a virus.
2.  The comment by: helpfinder suggested clean install.
3.  The comment by: hopeleonie indicated my "scan" plan may have serious flaws.

With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install.  I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only.  I am not going to format the infected drive, as I am not 100% sure I backed up everything.  I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.  
Does anybody see any problems with this?
LVL 36

Expert Comment

ID: 39892052
No problems with that.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.

Author Comment

ID: 39893958
It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.  
Does Internet Explorer have this?
LVL 36

Expert Comment

ID: 39894095
No IE does not have it. In IE it's totally off or totally on per plug in.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.

Author Closing Comment

ID: 39899428
Thanks to everyone!

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question