dllhost.exe *32 is using all my memory

tcexperts77 used Ask the Experts™
I have a PC with Windows 7 Pro 64-bit.  It is running very slowly.  Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of it's 6 GB of installed memory.  Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.

Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?  
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
25 of those processes doesn't sound healthy at all. The problem is that that process is called to use another DLL, which means you still can't tell if it's legitimate or not.
The best way now is to download a Live CD with antivirus (for instance AVG Rescue CD http://www.avg.com/eu-en/download.prd-arl) to scan your PC for viruses. Boot your computer with this CD and scan your drives (as this is better than scanning when Windows has started and a possible virus already has the upper hand).


Good Idea! Thanks.
*** Hopeleonie ***IT Manager

A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

helpfinderIT Consultant
as Kimputer said, it seems to be an infection and that´s why so much resources are in use (RAM). Make AV scan or Malware scan (Malwarebytes antispyware software for example), but wise is also scan for viruses and infections with not booted system - as mentioned - another tool I have good experience is Kaspersky rescue disk you can use as bootable CD or USB. Also you can remove the HDD and put into another working machine as a secondary disk and make AV scan but in certain circumstances there is a danger you infect also the host computer.
Also System Restore could do a trick (but I am not a big fan of System Restore) if you go back to the date you was fine and without problems.
If nothing is working well, clean reinstall will do it (I know this is the last option because of lot backup has to be done and all SW have to bye installed again)
*** Hopeleonie ***IT Manager
Step 1:

First make sure that you have a valid Backup of your data and Operating System.
Please keep in mind that we are not responsible for any Data looses.

Free Backups methods are:
Windows Complete PC Backup, Paragon Backup & Recovery Free Edition etc.

If you need any help, please let me know.
Step 2:

Download OTL:

And save it to your Desktop

Step 3:

Run it as an Administrator and scan with these settings:

Note you have to Include 64bit Scans only in 64bit Systems!

Step 4:

OTL will create 2 logs on the Desktop (OTL.Txt & Extras.Txt) . Please upload them (both txt files) to us. Note: Don't copy and post the content here!

Please don't run any other Tools before I ask you to do if you need my help!


The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.

With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove.  It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode.  It's also possible I may have to do a clean install.   I will post the results of the scan when it completes and ask for your recommendations.
*** Hopeleonie ***IT Manager


When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.



Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:

Scan results Microsoft Security EssentialsScan Results


I plan to award the points to the following:
1.  The comment by: Kimputer was the first that indicated it was a virus.
2.  The comment by: helpfinder suggested clean install.
3.  The comment by: hopeleonie indicated my "scan" plan may have serious flaws.

With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install.  I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only.  I am not going to format the infected drive, as I am not 100% sure I backed up everything.  I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.  
Does anybody see any problems with this?

No problems with that.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.


It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.  
Does Internet Explorer have this?

No IE does not have it. In IE it's totally off or totally on per plug in.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.


Thanks to everyone!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial