COM Surrogate using 50% CPU, non-stop

Discussion in 'Windows 7' started by Hannibal Lecter, Oct 4, 2012.

  1. Hannibal Lecter

    Hannibal Lecter MDL Senior Member

    May 12, 2010
    (Using Win 7 ulti with DAZ)

    When I open my task manager it shows that a dllhost.exe process is running, the COM Surrogate…

    But (even without having anything else open) this one uses 50% of CPU…. continuously.
    And what is called Memory (Private Working Set) is steadily increasing…

    What is going on there?

  2. mictlan

    mictlan MDL Member

    Nov 9, 2009
    wormz / viruz
  3. Hannibal Lecter

    Hannibal Lecter MDL Senior Member

    May 12, 2010
  4. Hannibal Lecter

    Hannibal Lecter MDL Senior Member

    May 12, 2010
  5. Hannibal Lecter

    Hannibal Lecter MDL Senior Member

    May 12, 2010

    While everything works again without a problem now, I wanted to run sfc/scannow to be on the safe side and went to command prompt. I type sfc/scannow and get the answer, "You must be an administrator...."

    Puzzled, I went to user accounts and the only account there is my "T...." and it clearly says Administrator underneath. Yet back at command prompt, there is the usual line C:\Users\T.....>
    but, after typing sfc/scannow, I again get the answer, "You must be an administrator...."

    Any ideas?

  6. portlandbear

    portlandbear MDL Novice

    May 21, 2011
    Hi Hannibal,

    You need to right-click on the shortcut to Command Prompt and select "Run as Administrator", then you will be able to run sfc/scannow
  7. Hannibal Lecter

    Hannibal Lecter MDL Senior Member

    May 12, 2010
    Thanks, I had forgotten.... found nothing as usual.....
  8. solarstone2149

    solarstone2149 MDL Member

    Dec 11, 2009
    question is, does this happen every time you turn on PC
    or only after watching specific movie

    if it's the 2nd, then just kill it in task manager
  9. idsk

    idsk MDL Junior Member

    Aug 25, 2009
    that's it
    it happened to me too, i used procmon to see what happened
    it seems like windows explorer uses the associated codec to decode the file to show the thumbnail (when activated in folder options)
    i had a corrupted file, so each time i was browsing the file location, the codec was bugging and made dllhost overload the cpu
    that bug is not related to windows but to the codec, but in a way windows should manage to give up showing a thumbnail when the codec is not responding well

    anyway, i fixed the problem by deleting the corrupted file,
    imo uninstalling the codec is not the best solution because you will always need the codec for other files, i find it better to delete the wrong file
    you can also disable the thumbnail feature in folder options
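
An added example, not part of any post in this thread: one way to see which COM class each running dllhost.exe is hosting, which is the first thing to establish when a COM Surrogate pins the CPU as in the thumbnail case described above. The function names are hypothetical, the sample command line uses a placeholder GUID, and the registry lookup assumes the GUID on the command line is registered under HKCR\AppID or HKCR\CLSID.

```powershell
# Added example (not from the thread): show what each COM Surrogate is hosting.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 shipped with Windows 7.

function Get-SurrogateGuid {
    param([string]$CommandLine)
    # Usual launch form: dllhost.exe /Processid:{GUID}
    if ($CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') {
        return $Matches[1].ToUpper()
    }
    return $null   # empty command line (not elevated) or unusual launch
}

function Resolve-ComName {
    param([string]$Guid)
    if (-not $Guid) { return '(no /Processid on command line)' }
    foreach ($root in 'AppID', 'CLSID') {
        $key  = "Registry::HKEY_CLASSES_ROOT\$root\$Guid"
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($item -and $item.'(default)') {
            return ('{0}: {1}' -f $root, $item.'(default)')
        }
    }
    return '(GUID not registered under AppID or CLSID)'
}

function Get-ComSurrogate {
    Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $guid = Get-SurrogateGuid $_.CommandLine
        New-Object PSObject -Property @{
            ProcessId  = $_.ProcessId
            CpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
            WorkingMB  = [math]::Round($_.WorkingSetSize / 1MB, 1)
            Path       = $_.ExecutablePath
            Guid       = $guid
            Hosts      = Resolve-ComName $guid
        }
    }
}

# Constructed sample command line (placeholder GUID) to show the parsing step:
Get-SurrogateGuid 'C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}'

# Live view, busiest surrogate first:
Get-ComSurrogate | Sort-Object CpuSeconds -Descending |
    Format-List ProcessId, CpuSeconds, WorkingMB, Path, Guid, Hosts
```

Run it from an elevated prompt so the command line of every dllhost.exe is readable; the Hosts value names the out-of-process COM class, and Path shows which dllhost.exe binary is actually running.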
  10. MDLfever4ever

    MDLfever4ever MDL Novice

    Aug 23, 2012
    #12 MDLfever4ever, Oct 15, 2012
    Last edited: Oct 15, 2012
    I want to give u guys a heads up!!!!
    It's possible it's a (beginning of) or a big total infection in your computer and network including portable storage, router, servers and NAS!

    I have problems that I've been working on for a couple of weeks.
    DL Process Monitor from Sysinternals.
    (when the prog starts it immediately begins capture. go to menu and under file unmark "capture events")
    Now: Menu > options > Enable boot logging
    restart computer!
    when restarted - now start Process Monitor again.
    answer yes to process captured bootlog.
    in first lines of log; if u see "Procmon23.sys" I think u have problems.
    if u read the log u can see how a lot of "LEGACY_..." drivers start.
    Like first starts service "ntfs" and then "HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NTFS\0000" which is virtual direct under ROOT.
    it's mapping up a virtual OS under LEGACY and it will hijack everything including IE, Chrome, and Firefox. And AVs and MS OFFICE.
    if at commandprompt u type: set devmgr_show_notpresent_devices=1
    hit enter

    now start Device Manager (devmgmt.msc)
    in menu > show > hidden devices

    NOW if u look under Drivers for non-Plug-and-Play devices there's the virtual computer on which they run the virtual OS inside which they run your windows session.

    If u double-click on a driver, look under "drivers"-page.
    if false u will see grayed out "more information"-button.
    OR if u can use "more information"-button u will see something that looks like legit Microsoft driver BUT fileversion will have relocated numbers like 6.1.7600.16386 will be 7600.1.600.386 or something.

    You CAN deactivate all devices they have but your system will lose its network functions and some more.
    It will cripple the infection but it will fight back as long as there is one single service, function, routine or whatever that windows follows.

    if using ShellExView from u will see a lot of Shells that shouldn't be there, I think.
    if u burn a data dvd/cd. After verify and windows starts reading the disc u probably will get a "desktop.ini" file waiting to be written to disc.

    At command prompt if u type: ipconfig /all
    u will probably see Teredo tunneling under IPv6 first with fe80:: internal LAN and then 2001::

    this is a rootkit that is the worst I've ever seen. When using tools like Gmer, TDSSKiller, RogueKiller and anything the guys at and or any other specialist recommend doesn't help me to kill the infection.
    Can't release the hooks and then clean it.
    Also use ESET's SysInspector to get an understanding of the situation.
    Best result so far is Symantec endpoint protection 12.1.671.4971 . u can download TRIAL at or

    read this: h t t p : / /
    gives clues regarding ie4uinit.exe which also is used.

    problem is:
    this infestation has the same rights as system, it seems, using user "S-1-5-18" which can be found in HKEY_USERS in registry.
    I think it's using a lot of compatibility compromises dating back to Windows NT and maybe even DOS regarding the services, security and programs like IE4 & 5.
    they have REALLY gone Oldschool on this thing and the security must be tightened so ONLY needed processes, programs and drivers are installed.
    BUT it also uses VB-scripts and latest IPv6 and a lot of encryption.

    They are using windows against you. The OS has a lot of filters that exclude information from u.
    remove netshares.
    change passwords.
    strong passwords on guest-account EVEN if deactivated.
    and standard user account for daily usage and admin account ONLY for admin purpose.
    close every service not needed. (check out

    recommend u guys make backups of all your valuable files and minimize your installation of windows.
    Then use Macrium Reflect Free and make image of system disk and 100MB partition used by windows.
    convert image 2 VHD using Macrium.
    Now u can play around with this.

    remove hdd
    flash bios (just 2 be sure)
    Flash (firmware) of router (just 2 be sure)
    lowlevelformat HDD

    YOUR LOG-files are important.
    MAKE SURE they are not set to be purged at something like 1MB. (64 kb steps so 1024 kb)
    I have set my limit at 20480 kb (20MB)

    AND if at command prompt u type: netstat -a
    u might have a long list of ESTABLISHED connections via http and https from your computer to somewhere in the following IP range: - 255 (it's AKAMAI if use Whois) - (EU-AKAMAI) - (RACKSPACE) - ( owned by Google) - (Facebook) - (Microsoft-1BLK) - (TELIANET)

    So since ALL the zones in IE are all infested with the same dubious domains so it's a possibility that my computers were controlled via facebook and/or storage for some s**t that I haven't found yet.

    In my case I guess they been able to use a Legacy "password" or command packet ICMP/Netbios that logs them in to my computer as some built-in Legacy user-account and begins with starting up tasks that are executed by Task Scheduler service and changes/starts/stops services.
    And from there they take over my machine bit by bit :(

    I think there are five files working together and %systemroot%\%windir%\system32\msdtc is where part of it operates/resides together with a lot of other automated windows functions that makes it hard to kill.

    If I understand what and how I will update but the time already spent is far too much and for now I'm seriously looking into:
    MAC OSX Server
    MS Server 2008 R2 (rebuild into Workstation) where admin really means something to the system
    Or how to delete ALL LEGACY s**t in Windows.

    I also understand that for some of u this might not seem like something difficult.
    Good for you!

    for the rest of us this is somewhat problematic and there might be a lot of people with this infestation that are unaware because they don't understand that something is wrong.
    this happened on XP SP3, Vista SP2 and Windows 7 SP1. (all updated)

    Even strange activity on Mac OSX 10.7.5 but not infected.
    Log shows strange packets.
    Mostly firewall log shows a lot of dropped packets to/from internet.

    Also recommend for some really good tools.
    And a lot of people out there hacking away! Thanks to all for sharing tools, tips or whatever that makes it possible for people like myself to dig around in software and hardware.

    Good Luck to everyone!
  11. anarchist9027

    anarchist9027 MDL Expert

    Oct 30, 2010
    #13 anarchist9027, Oct 15, 2012
    Last edited: Oct 15, 2012
    For all that trouble, a 20 minute Windows 7 reinstallation sounds way more easy..... But ultimately if you know what you are downloading, not clicking every banner you see claiming you won a laptop or cash, or have premium Antivirus; you should have nothing to worry about.
  12. Luckie

    Luckie MDL Junior Member

    Jan 14, 2008
    try this:

    maybe you can see more details why dllhost.exe hogs your CPU.
  13. MDLfever4ever

    MDLfever4ever MDL Novice

    Aug 23, 2012

    My infection problems are almost the same as described here:
    h t t p : / / work2bdone . com/live/2012/05/what-immunet-revealed-on-my-computer/

    READ and reflect upon it!

    He gives reference to IMMUNET.

    Google and wiki give that Sourcefire owns Immunet
    h t t p : / / blog . sourcefire . com/
    READ and reflect!

    I have found amazing FREE software that can READ (only) EVERY!!! file in your filesystem.
    h t t p : / / www . diskinternals . com/linux-reader/

    it's for reading linux filesystem BUT excels in ntfs also.

    when started so if right-click on "middle part" where you can see empty space beginning or end of drive;
    choose "open in new window"
    possible to see HEX and text.

    open directories and read HEX and text of files that's locked OR EVEN some files that show size ZERO that right-click and open new window and you can read HEX and text!

    Thats it for now!
  14. Kyopia

    Kyopia MDL Novice

    Jul 25, 2013
    This worked for me:

    I traced mine down to the little checkbox under the View tab of Folder Options. Place a check mark in the very first entry under Files and Folders which says “Always show icons, never thumbnails”. Click on OK, then reboot. No more thumbnail icons on my Desktop, but no more high CPU usage by COM Surrogate, either. I can live with that.