Solved

dllhost.exe *32 is using all my memory

Posted on 2014-02-25
1,990 Views
Last Modified: 2014-03-02
I have a PC with Windows 7 Pro 64-bit.  It is running very slowly.  Even though I have disabled all startup items and non-Microsoft services in MSCONFIG, it is still using over 4 GB of its 6 GB of installed memory.  Most of the processes are listed as:
dllhost.exe *32. I counted over 25 of these and the description says "COM Surrogate" for every one.

Does anybody know how I can find out what really is "dllhost.exe *32" "COM Surrogate", why they are using so much memory and, most importantly, how to turn them off?  
Thanks.
Question by:tcexperts77
15 Comments
 
LVL 35

Accepted Solution

by:
Kimputer earned 167 total points
ID: 39888059
25 of those processes don't sound healthy at all. The problem is that that process is called to use another DLL, which means you still can't tell if it's legitimate or not.
The best way now is to download a Live CD with antivirus (for instance AVG Rescue CD http://www.avg.com/eu-en/download.prd-arl) to scan your PC for viruses. Boot your computer with this CD and scan your drives (as this is better than scanning when Windows has started and a possible virus already has the upper hand).
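The point above, that dllhost.exe is only a host and the DLL it loads decides whether it is legitimate, is something you can check directly. The script below is an added example and is not part of the original thread or any of the tools it mentions. It lists every running COM Surrogate, pulls the CLSID from its `/Processid:{...}` command-line argument, resolves that CLSID to the registered in-process DLL (in the 64-bit, WOW6432Node and per-user views of the CLSID key) and reports the DLL's Authenticode status. The function name `Get-ComSurrogateInventory` is my own; it assumes an elevated PowerShell window and uses `Get-WmiObject` so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original thread): inventory the dllhost.exe
# (COM Surrogate) processes and identify the DLL each one is hosting.
# Run from an elevated PowerShell prompt. Read-only; it changes nothing.

function Get-ComSurrogateInventory {
    # Every surrogate is started as "dllhost.exe /Processid:{CLSID}".
    $surrogates = Get-WmiObject -Class Win32_Process -Filter "Name = 'dllhost.exe'"

    foreach ($p in $surrogates) {
        $clsid = $null
        if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f\-]+\})') { $clsid = $matches[1] }

        # A CLSID is registered under HKLM\SOFTWARE\Classes\CLSID; 32-bit servers on a
        # 64-bit OS sit under Wow6432Node, and per-user registrations under HKCU.
        $dll = $null
        if ($clsid) {
            $bases = @('HKLM:\SOFTWARE\Classes\CLSID',
                       'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                       'HKCU:\SOFTWARE\Classes\CLSID')
            foreach ($base in $bases) {
                $key = Join-Path $base "$clsid\InprocServer32"
                if (Test-Path $key) {
                    $dll = (Get-ItemProperty -Path $key).'(default)'
                    if ($dll) { break }
                }
            }
        }

        # Expand %SystemRoot% and friends, then check the DLL's signature.
        # Note: before PowerShell 5.1, Windows' own catalog-signed DLLs report
        # NotSigned here, so treat the column as a hint, not a verdict.
        $sigStatus = 'n/a'
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path $path) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $sigStatus = 'file missing'
            }
        }

        New-Object PSObject -Property @{
            PID          = $p.ProcessId
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            CLSID        = $clsid
            HostedDll    = $dll
            Signature    = $sigStatus
        }
    }
}

# Largest memory consumers first. Many surrogates hosting the same unfamiliar
# CLSID, a DLL outside the Windows directory, or a missing file are the rows to
# investigate; a CLSID with no InprocServer32 key at all is also worth a look.
Get-ComSurrogateInventory | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, CLSID, HostedDll, Signature -AutoSize
```

The output tells you what each surrogate is actually running on behalf of, which is the information the question asks for and which Task Manager's "COM Surrogate" description hides. It does not tell you the DLL is clean; for that the offline scan suggested above, or an engine that knows the file, is still the next step.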
 

Author Comment

by:tcexperts77
ID: 39888075
Good Idea! Thanks.
 
LVL 18

Expert Comment

by:hopeleonie
ID: 39888088
@tcexperts77
A boot CD is not the first choice to remove malware (if you have any...), because most processes are not running when Windows is not started.
 
LVL 19

Assisted Solution

by:helpfinder
helpfinder earned 167 total points
ID: 39888110
As Kimputer said, it seems to be an infection and that's why so many resources are in use (RAM). Make an AV scan or malware scan (Malwarebytes antispyware software, for example), but it is also wise to scan for viruses and infections with the system not booted, as mentioned. Another tool I have good experience with is the Kaspersky rescue disk, which you can use as a bootable CD or USB. You can also remove the HDD, put it into another working machine as a secondary disk and make an AV scan, but in certain circumstances there is a danger that you also infect the host computer.
System Restore could also do the trick (but I am not a big fan of System Restore) if you go back to a date when you were fine and without problems.
If nothing is working well, a clean reinstall will do it (I know this is the last option because a lot of backup has to be done and all SW has to be installed again).
 
LVL 18

Assisted Solution

by:hopeleonie
hopeleonie earned 166 total points
ID: 39888112
Step 1:

First make sure that you have a valid backup of your data and operating system.
Please keep in mind that we are not responsible for any data losses.

Free Backups methods are:
Windows Complete PC Backup, Paragon Backup & Recovery Free Edition etc.

If you need any help, please let me know.
   
Step 2:

Download OTL:
http://oldtimer.geekstogo.com/OTL.exe

And save it to your Desktop

Step 3:

Run it as an Administrator and scan with these settings:

(screenshot of the OTL scan settings)
Note you have to Include 64bit Scans only in 64bit Systems!

Step 4:

OTL will create 2 logs on the Desktop (OTL.Txt & Extras.Txt) . Please upload them (both txt files) to us. Note: Don't copy and post the content here!

Please don't run any other Tools before I ask you to do if you need my help!
 
LVL 18

Expert Comment

by:hopeleonie
ID: 39888128
 

Author Comment

by:tcexperts77
ID: 39889123
The comment by: Kimputer got me thinking....
The comment by: helpfinder brought up some very good points.
I also don't like System Restore - it didn't help in this case.
The comment by: hopeleonie is very thorough & right "on the money".
I have had a lot of good results with Malwarebytes and Combofix.

With all this good info, I have decided to scan my hard drive on another computer and be very careful about what I remove.  It's possible I will put the drive back in the original PC and run Malwarebytes and Combofix, but everything was taking so long when I booted it - even in the safe mode.  It's also possible I may have to do a clean install.   I will post the results of the scan when it completes and ask for your recommendations.
 
LVL 18

Expert Comment

by:hopeleonie
ID: 39889439
SLAVED DRIVE SCANS

When scanning on an inactive drive, the scanner often misses the loading points in the registry, which can cause "error loading" pop-ups when the drive is put back into its original host. Worst case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
 
For example, a particular infection hijacks the value of "Windows" in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
"Windows"="basekwgb32.dll"
 
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
 
Windows File Protection is not used when scanning a non-active drive (as mentioned above), so if a crucial system file like userinit.exe or explorer.exe is infected, the scanner will delete these files (no questions asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to log in. If it is explorer.exe that was deleted, then Explorer won't load, leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.

Source:
http://www.experts-exchange.com/Software/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
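The Session Manager "Windows" value described above is easy to inspect before any tool is allowed to delete files, on the live system or on a slaved drive. The script below is an added example, not part of the original thread or of ComboFix, Malwarebytes or any other tool named here. Normally the value starts with the path to csrss.exe and contains `ServerDll=name,index` entries; on Windows 7 those entries name basesrv and winsrv (sxssrv was added in Windows 8). The script prints the value, lists every ServerDll entry, and flags any whose name is not in the known list or whose DLL is missing from System32, which is exactly the situation where removing the file without restoring the value leaves the machine unbootable. The function name `Test-SubSystemsWindowsValue` and its parameters are my own; the Authenticode column is informational only, since PowerShell before 5.1 reports Windows' catalog-signed DLLs as NotSigned.

```powershell
# Added example (not from the original thread): inspect the Session Manager
# SubSystems "Windows" value for a hijacked ServerDll entry. Read-only.
# Run elevated. Defaults target the live system; see the note below for a
# slaved drive whose SYSTEM hive has been loaded with reg.exe.

function Test-SubSystemsWindowsValue {
    param(
        # Registry key holding the "Windows" value (live system by default).
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems',
        # Windows directory whose System32 folder should contain the ServerDlls.
        [string]$SystemRootPath = $env:SystemRoot,
        # Known-good ServerDll names; sxssrv only exists on Windows 8 and later.
        [string[]]$KnownServerDlls = @('basesrv', 'winsrv', 'sxssrv')
    )

    $value = (Get-ItemProperty -Path $KeyPath).Windows
    Write-Host "Windows = $value`n"

    $findings = @()

    # The first token should be the csrss.exe path; a bare DLL name, as in the
    # example above ("basekwgb32.dll"), is an immediate red flag.
    if ($value -notmatch '^%SystemRoot%\\system32\\csrss\.exe') {
        $findings += 'REVIEW   value does not start with %SystemRoot%\system32\csrss.exe'
    }

    # Entries look like ServerDll=basesrv,1 or ServerDll=winsrv:UserServerDllInitialization,3;
    # the DLL name ends at the first comma or colon.
    $entries = [regex]::Matches($value, 'ServerDll=([^,:\s]+)')
    if ($entries.Count -eq 0) {
        $findings += 'REVIEW   no ServerDll entries found (default value has at least basesrv and winsrv)'
    }

    foreach ($m in $entries) {
        $name   = $m.Groups[1].Value
        $file   = Join-Path $SystemRootPath "System32\$name.dll"
        $known  = $KnownServerDlls -contains $name
        $exists = Test-Path $file
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'missing' }
        $verdict = if ($known -and $exists) { 'OK' } else { 'REVIEW' }
        $findings += ('{0,-8} ServerDll={1,-12} exists={2,-5} signature={3,-10} {4}' -f $verdict, $name, $exists, $sig, $file)
    }

    $findings
}

Test-SubSystemsWindowsValue
```

To check a slaved drive instead of the running system, load its hive first, for example `reg load HKLM\Offline X:\Windows\System32\config\SYSTEM`, then call `Test-SubSystemsWindowsValue -KeyPath 'HKLM:\Offline\ControlSet001\Control\Session Manager\SubSystems' -SystemRootPath 'X:\Windows'` (an offline hive has no CurrentControlSet link, so name the control set explicitly) and `reg unload HKLM\Offline` when done. A REVIEW line means the registry still points at a DLL the scanner may be about to remove; the value has to be repaired together with the file, not instead of it.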
 

Author Comment

by:tcexperts77
ID: 39889790
Thanks for that info.
I have backed up everything today.
If I don't feel 100% about this, I will do a clean install.
Here are the results of the scan with Microsoft Security Essentials:

(screenshot: Microsoft Security Essentials scan results)
 

Author Comment

by:tcexperts77
ID: 39891923
I plan to award the points to the following:
1.  The comment by: Kimputer was the first that indicated it was a virus.
2.  The comment by: helpfinder suggested clean install.
3.  The comment by: hopeleonie indicated my "scan" plan may have serious flaws.

With all this helpful info and since there were no comments about the serious infection found, I have decided to do a clean install.  I am also taking the opportunity to put in a new solid state drive for the Windows 7 OS and plan to keep the old drive for data only.  I am not going to format the infected drive, as I am not 100% sure I backed up everything.  I figure if I have a good antivirus program installed, it will ensure that the infection does not move from the data drive to the new OS drive.
Does anybody see any problems with this?
 
LVL 35

Expert Comment

by:Kimputer
ID: 39892052
No problems with that.
According to your last screenshot, here's a recommendation for the new PC: don't install Java unless you really have to. Also, use only browsers that have the click-to-play (for plugins) function, like Opera 12.16, Chrome and Firefox. This function is NOT enabled by default (which is a shame). That limits a whole lot of incoming viruses already.
 

Author Comment

by:tcexperts77
ID: 39893958
It seems I may have no choice with Java - it's going to be needed somewhere.
I don't understand "only use browsers that have click-to-play (for plugins) functions".
I use Firefox, Internet Explorer, and Chrome.  
Does Internet Explorer have this?
 
LVL 35

Expert Comment

by:Kimputer
ID: 39894095
No, IE does not have it. In IE it's totally off or totally on per plug-in.
If enabled in Firefox or Chrome, any Flash or Java or whatever plug-in is running on a page will show a grey block. If you're sure that's something you want to see, you click on that grey block and the Java applet or YouTube video will run.
On exploited web sites, it limits the danger of automatically running the exploit code, usually visible on the edges of the page or through advertisements. Unless you feel the urge to click all grey boxes on an untrustworthy website, that is.
 

Author Closing Comment

by:tcexperts77
ID: 39899428
Thanks to everyone!