dllhost.exe *32 COM Surrogate uses up to 100% CPU Usage and over 1,000,000K memory

Jim1098

New Member
Thread author
May 12, 2015
12
Can you help? My dllhost.exe *32 COM Surrogate as time progresses uses up to 100% CPU Usage and over 1,000,000K memory slowing the computer to almost a stop.
 

Attachments

  • AdwCleaner[S1].txt
    1.1 KB · Views: 19
  • Addition.txt
    37.1 KB · Views: 27
  • FRST.txt
    55.7 KB · Views: 31
  • Search.txt
    238 bytes · Views: 22
  • aswMBR.txt
    2.4 KB · Views: 22

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download
51a5f31352b88-icon_MBAR.png
Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"




FRST.gif
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on
    FRST.gif
    icon and select
    RunAsAdmin.jpg
    Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
 

Jim1098

New Member
Thread author
May 12, 2015
12
Files from running Malwarebytes Anti-Rootkit and Farbar Recovery Scan Tool
 

Attachments

  • mbar-log-2015-05-16 (12-49-05).txt
    2.1 KB · Views: 18
  • system-log.txt
    29.6 KB · Views: 17
  • Anti-Rootkit Screen Shot.jpg
    Anti-Rootkit Screen Shot.jpg
    37.1 KB · Views: 37
  • FRST.txt
    54.6 KB · Views: 30
  • Addition.txt
    36.1 KB · Views: 25

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
MGADiag.png
Scan with MGADiag

Need to check one more thing.
  • Please download MGADiag by Microsoft and save it to your desktop.
  • Double-click on
    MGADiag.png
    icon to start the tool.
  • PressContinuewhen prompted.
  • When it has finished, press Copy.
  • Press the
    WindowsKey.png
    + R on your keyboard at the same time. Type Notepad and click OK.
  • Paste (Ctrl+V) this into notepad and save to your desktop.
Include that report in your reply.
 

Jim1098

New Member
Thread author
May 12, 2015
12
Attached are screen shots of the message that pops up on the desktop when the COM Surrogate stops working just last night on 05-16-15 at 7:00pm. The Task Manager 05-15-15 11am.jpg shows 100% CPU usage. The problem is still with me. Right now as I write this reply the Task Manager 05-17-15 0135AM.jpg is showing 43% CPU and 630,460K memory and this will continue to increase probably by morning until the CPU is 100% and the memory is over 1,000,000K.
 

Attachments

  • COM Surrogate 05-16-15 7pm-1.jpg
    COM Surrogate 05-16-15 7pm-1.jpg
    42.6 KB · Views: 34
  • COM Surrogate 05-16-15 7pm-2.jpg
    COM Surrogate 05-16-15 7pm-2.jpg
    43.7 KB · Views: 34
  • Task Manager 05-16-15 7pm.jpg
    Task Manager 05-16-15 7pm.jpg
    185.2 KB · Views: 35
  • Task Manager 05-15-15 11am.jpg
    Task Manager 05-15-15 11am.jpg
    185.4 KB · Views: 39
  • Task Manager 05-17-15 0135AM.jpg
    Task Manager 05-17-15 0135AM.jpg
    170.3 KB · Views: 33

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
We need to use Task Manager:
  • Press the
    WindowsKey.png
    + R on your keyboard at the same time. Type taskmgr and click OK.
  • Click View --> Select Columns, check PID (Process Identifier) and click OK.
  • Now, return to Task Manager and give me the PID from dllhost.exe

Now we will use Command Prompt:

  • Press the
    WindowsKey.png
    + R on your keyboard at the same time. Type cmd and click OK.
  • Copy this command into Command Prompt
  • Code:
    tasklist /svc /fi "imagename eq dllhost.exe" >%userprofile%\Deskt
    op\results.txt
  • Press Enter
  • You should find results.txt file on your Desktop.
  • Please upload it in your next reply.
 

Jim1098

New Member
Thread author
May 12, 2015
12
I have attached file results1.txt which is the results going from 05/17/15 at 11:33am when in Task Manager I have clicked on "End Process" for all dllhost.exe and dllhost.exe *32 entries. I have included many results going to 05/17/15 at 4:14pm. I am going to reboot my computer now because I am not seeing the dllhost.exe that keeps increasing the CPU usage and memory used. I will forward another results.txt file after gather the addition information after the reboot.
 

Attachments

  • results1.txt
    5.6 KB · Views: 21
  • Task Manager Screen Shot 05-17-15 at 1614.jpg
    Task Manager Screen Shot 05-17-15 at 1614.jpg
    189.7 KB · Views: 28

Jim1098

New Member
Thread author
May 12, 2015
12
This morning when I got up the "COM Surrogate has stopped working" warning was on my desktop. I ran your command prompt to get the results.txt and looked at the "Task Manager" and there are 20 copies of dllhost running when it stopped working. It appears from the Task Manager screen shot that dllhost.exe *32 PID 1696 was the "Run Away" that would have been using lots of CPU Usage (The CPU Usage shows 0% in the Task Manager now because COM Surrogate was stopped) but was eating lots of memory 1,954,912K before it was stopped. When I closed the "COM Surrogate has stopped working" warning on my desktop only dllhost.exe *32 PID 1696 was removed from the Task Manager with the 1,954,912K of memory used and one dllhost.exe *32 PID 6588 was added as the "Run Away", so I still have 20 copies of dllhost.exe running. I hope you have enough information and screen shots to help you identify this problem.
 

Attachments

  • COM Surrogate 05-18-15 1015am-1.jpg
    COM Surrogate 05-18-15 1015am-1.jpg
    43 KB · Views: 26
  • COM Surrogate 05-18-15 1015am-2.jpg
    COM Surrogate 05-18-15 1015am-2.jpg
    43.2 KB · Views: 27
  • Task Manager 05-18-15 1015am.jpg
    Task Manager 05-18-15 1015am.jpg
    186.1 KB · Views: 31
  • Task Manager 05-18-15 1113am.jpg
    Task Manager 05-18-15 1113am.jpg
    382.2 KB · Views: 28
  • results2.txt
    8.5 KB · Views: 15

Jim1098

New Member
Thread author
May 12, 2015
12
dllhost.exe *32 COM Surrogate has 30 copies running and one PID 4832 is using 99% CPU and 1,900,632K memory. I clicked on "End Process" for this entry and immediately dllhost.exe *32 PID 1760 started as the "Run Away" using 20% CPU and 37,736K memory and I expect in a few hours it will be at 100% CPU and 1,900,000K memory usage. Is there anything else I can provide you to help identify and get rid of this problem? Thanks Jim
 

Attachments

  • Task Manager Screen Shot 05-21-15 at 1056am 100pct.jpg
    Task Manager Screen Shot 05-21-15 at 1056am 100pct.jpg
    181.4 KB · Views: 27
  • Task Manager Screen Shot 05-21-15 at 1057am 20pct.jpg
    Task Manager Screen Shot 05-21-15 at 1057am 20pct.jpg
    183.7 KB · Views: 25
  • results3.txt
    2.8 KB · Views: 12

Jim1098

New Member
Thread author
May 12, 2015
12
Yes, When the CPU usage is high for dllhost.exe *32 COM Surrogate my computer is very sluggish and takes excessive time to call up programs and to call up pages from the web with IE. Sometimes I can't even call up my word processor to save my file I am working on because the computer is so slow.
 

Jim1098

New Member
Thread author
May 12, 2015
12
Yes, I removed everything from my Startup folder, I unplugged my Magic Jack phone and disconnected my computer from the internet by pulling the RJ45 LAN cable from the back of the computer and I do not have a wireless connection. I rebooted the computer and immediately after the reboot there were no dllhost.exe in the Task Manager, I came back one hour later and there was a "Run Away" dllhost.exe *32 PID 3116 32% CPU and 383,224K memory.
 

Attachments

  • Task Manager Screen Shot 05-22-15 1hr after reboot.jpg
    Task Manager Screen Shot 05-22-15 1hr after reboot.jpg
    202.9 KB · Views: 23
  • results4.txt
    326 bytes · Views: 14

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
51a5bf3d99e8a-ComboFixlogo16.png
Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on
    51a5bf3d99e8a-ComboFixlogo16.png
    icon and select
    RunAsAdmin.jpg
    Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
icon_idea.gif
If you'll encounter any issues with internet connection after running ComboFix, please visit this link.
icon_idea.gif
If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.
 

Jim1098

New Member
Thread author
May 12, 2015
12
Here is the ComboFix.txt file run on 05-23-15. After 2 hours of "Up Time" there is NO "Run Away" dllhost.exe showing up in the Task Manager. I will reboot and see if it stays gone.
 

Attachments

  • ComboFix.txt
    24.9 KB · Views: 55

Jim1098

New Member
Thread author
May 12, 2015
12
Unfortunately the dllhost.exe *32 "Run Away" is still with me. Task Manager screen shot after 3.5 hours shows dllhost.exe *32 PID 4152 using 31% CPU Usage and 494,508K memory. This will probably continue until it gets to 100% CPU usage and basically making my computer unusable. Did you see anything in the ComboFix.txt file I uploaded in my last reply that could possibly be a problem?
 

Jim1098

New Member
Thread author
May 12, 2015
12
Here is the screen shot of the Task Manager that should have been uploaded with the last reply.
 

Attachments

  • Task Manager 05-23-15 after ComboFix was run.jpg
    Task Manager 05-23-15 after ComboFix was run.jpg
    198.4 KB · Views: 15

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top