Multiple processes of dllhost.exe-COM Surrogate

1 reply to this topic

#1 padjr


  • Members
  • 19 posts
  • Local time:01:30 PM

Posted 18 October 2014 - 12:55 AM

Just switched to high-speed cable and four days in I've already got a problem. It is triggered when I open a folder or start IE. I can see conhost.exe flash in Task Manager, followed by multiple processes of dllhost.exe-COM Surrogate. It will open several, eating up processor, but more concerning, I can see it eating bandwidth as well. Also, any open folder shows a green progress bar at the top like it is indexing or something. I can END all the dllhost.exe-COM Surrogates in Task Manager but they return when I open a folder or start IE again. Also, IE keeps resetting the 'File Download' in security to 'Disable'. I can change it and get files downloaded, but the next time I open IE it's set back to disable.


I have managed to download and run rkill, TDSSKiller and RogueKiller. I was able to make several passes with Spybot and Malwarebytes (finding Trojan.Sirede.C and Backdoor.OAccess among other things) until they no longer find any more. I thought I had it fixed but the COM Surrogate came right back.


Just now for the first time I got a message saying 'COM Surrogate has stopped working, end program?'


I could use some help rooting this the rest of the way out.





#2 LiquidTension


  • Malware Response Team
  • 1,278 posts
  • Gender:Male
  • Local time:07:30 PM

Posted 18 October 2014 - 01:49 AM

Based on the detections by Malwarebytes Anti-Malware, the following warnings must be issued. 
The issue involving dllhost.exe is most likely due to the presence of Poweliks, a rootkit which also opens a backdoor on the compromised machine.

BACKDOOR WARNING


One or more of the identified infections is known to use a backdoor that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.


Tools capable of removing this infection are not permitted here. I would suggest creating a new topic in the Virus and Malware Removal section if you wish to proceed. It is simply unpractical to deal with such sophisticated infections using the limited tools available in Am I Infected?.
Before creating your topic, please read the Preparation Guide. Include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Edited by LiquidTension, 18 October 2014 - 01:50 AM.
