tcexperts77
asked on
dllhost.exe *32 is using all my memory
I have a PC with Windows 7 Pro 64-bit. It is running very slowly. Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of it's 6 GB of installed memory. Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.
Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?
Thanks.
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.
Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@tcexperts77
A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.
A boot cd is not the first choice to remove Malware (If you have any...). Because most processes are not running when windows is not started.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@Experts
Dear friends please have a look:
https://www.experts-exchange.com/Software/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
Dear friends please have a look:
https://www.experts-exchange.com/Software/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
ASKER
The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.
With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove. It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode. It's also possible I may have to do a clean install. I will post the results of the scan when it completes and ask for your recommendations.
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.
With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove. It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode. It's also possible I may have to do a clean install. I will post the results of the scan when it completes and ask for your recommendations.
SLAVED DRIVE SCANS
When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\
"Windows"="basekwgb32.dll"
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.
ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.
Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.
Source:
https://www.experts-exchange.com/Software/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
When scanning on an inactive drive, the scanner often misses the loading points in the registry which can cause "error loading" pop-ups when the drive is put back to its original host. Worse case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
For example a particular infection that hijacks the value of "windows' in this key:
HKEY_LOCAL_MACHINE\System\
"Windows"="basekwgb32.dll"
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.
ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
Windows File Protection is not used when scanning a non-active drive (as mentioned above) so if a crucial system file like userinit.exe or explorer.exe are infected the scanner will delete these files (no question asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to login. If it is the explorer.exe that was deleted then explorer won't load leaving the user with no desktop icons/taskbar.
Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.
Source:
https://www.experts-exchange.com/Software/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
ASKER
Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:
Scan Results
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:
Scan Results
ASKER
I plan to award the points to the following:
1. The comment by: Kimputer was the first that indicated it was a virus.
2. The comment by: helpfinder suggested clean install.
3. The comment by: hopeleonie indicated my "scan" plan may have serious flaws.
With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install. I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only. I am not going to format the infected drive, as I am not 100% sure I backed up everything. I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.
Does anybody see any problems with this?
1. The comment by: Kimputer was the first that indicated it was a virus.
2. The comment by: helpfinder suggested clean install.
3. The comment by: hopeleonie indicated my "scan" plan may have serious flaws.
With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install. I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only. I am not going to format the infected drive, as I am not 100% sure I backed up everything. I figure if I have a good antivirus program installed, it will insure that the infection does not move from the data drive to the new OS drive.
Does anybody see any problems with this?
No problems with that.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.
According to your last screenshot, here's a recommandation for the new PC, don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) functions, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.
ASKER
It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.
Does Internet Explorer have this?
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.
Does Internet Explorer have this?
No IE does not have it. In IE it's totally off or totally on per plug in.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.
If enabled in Firefox or chrome, all flash or Java or whatever plug in is running on a page, will show a Grey block.if you're sure that's something you want to see, you click on that Grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploited code, usually visible on the edges of the page, or through advertisements. Unless you feel the urge to click all Grey boxes on an untrustworthy website that is.
ASKER
Thanks to everyone!
ASKER