dllhost.exe *32 is using all my memory

Posted on 2014-02-25
Last Modified: 2014-03-02
I have a PC with Windows 7 Pro 64-bit.  It is running very slowly.  Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of it's 6 GB of installed memory.  Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.

Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?  
Question by:tcexperts77
  • 6
  • 4
  • 3
  • +1
LVL 35

Accepted Solution

Kimputer earned 167 total points
ID: 39888059
25 of those processes doesn't sound healthy at all. The problem is that that process is called to use another DLL, which means you still can't tell if it's legitimate or not.
The best way now is to download a Live CD with antivirus (for instance AVG Rescue CD to scan your PC for viruses. Boot your computer with this CD and scan your drives (as this is better than scanning when Windows has started and a possible virus already has the upper hand).

Author Comment

ID: 39888075
Good Idea! Thanks.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888088
A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.
LVL 19

Assisted Solution

helpfinder earned 167 total points
ID: 39888110
as Kimputer said, it seems to be an infection and that´s why so much resources are in use (RAM). Make AV scan or Malware scan (Malwarebytes antispyware software for example), but wise is also scan for viruses and infections with not booted system - as mentioned - another tool I have good experience is Kaspersky rescue disk you can use as bootable CD or USB. Also you can remove the HDD and put into another working machine as a secondary disk and make AV scan but in certain circumstances there is a danger you infect also the host computer.
Also System Restore could do a trick (but I am not a big fan of System Restore) if you go back to the date you was fine and without problems.
If nothing is working well, clean reinstall will do it (I know this is the last option because of lot backup has to be done and all SW have to bye installed again)
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 166 total points
ID: 39888112
Step 1:

First make sure that you have a valid Backup of your data and Operating System.
Please keep in mind that we are not responsible for any Data looses.

Free Backups methods are:
Windows Complete PC Backup, Paragon Backup & Recovery Free Edition etc.

If you need any help, please let me know.
Step 2:

Download OTL:

And save it to your Desktop

Step 3:

Run it as an Administrator and scan with these settings:

Note you have to Include 64bit Scans only in 64bit Systems!

Step 4:

OTL will create 2 logs on the Desktop (OTL.Txt & Extras.Txt) . Please upload them (both txt files) to us. Note: Don't copy and post the content here!

Please don't run any other Tools before I ask you to do if you need my help!
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39888128

Author Comment

ID: 39889123
The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.

With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove.  It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode.  It's also possible I may have to do a clean install.   I will post the results of the scan when it completes and ask for your recommendations.
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 39889439

When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.


Author Comment

ID: 39889790
Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:

Scan results Microsoft Security EssentialsScan Results

Author Comment

ID: 39891923
I plan to award the points to the following:
1.  The comment by: Kimputer was the first that indicated it was a virus.
2.  The comment by: helpfinder suggested clean install.
3.  The comment by: hopeleonie indicated my "scan" plan may have serious flaws.

With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install.  I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only.  I am not going to format the infected drive, as I am not 100% sure I backed up everything.  I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.  
Does anybody see any problems with this?
LVL 35

Expert Comment

ID: 39892052
No problems with that.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.

Author Comment

ID: 39893958
It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.  
Does Internet Explorer have this?
LVL 35

Expert Comment

ID: 39894095
No IE does not have it. In IE it's totally off or totally on per plug in.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.

Author Closing Comment

ID: 39899428
Thanks to everyone!

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now