dllhost com surrogate - virus or normal?


  • This topic is locked
37 replies to this topic

#1 mintea

Posted 15 May 2015 - 10:46 AM

Hello, new to this forum.

I read that if the dllhost.exe file is in system 32 it's fine. I searched my computer for dllhosts and found 1 in system 32 and 3 others. Is it normal to have more than 1 of these? If not, I guess these are viruses?

Here are the file locations:

C:\Windows\System32

C:\Windows\SysWOW64

C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7

C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d

I had a problem with a dllhost.exe file, but now I have no issues at all, so I'm unsure whether I'm infected or not.

What happened to make me think I might be infected:

Yesterday I was on YouTube and got a message urging me to close Chrome down because of too much memory use. I did, then reopened Chrome, and got the same message. I closed it down again and my computer was running slower. I clicked a video in one of my folders to play and it played fine. I closed the video down and all the thumbnails were blank and my computer was very slow. (I don't know if these were blank before or after clicking the video.) I opened task manager and dllhost.exe with description com surrogate was using up a lot of memory. I checked my main drive's free space (C drive) and it was on around 1GB - before this it was on around 10GB. I then closed everything down and then was no longer able to open anything. After searching (on my phone) I found that there is a virus which calls itself dllhost.exe which does this.

What I did to solve my problem:

I went into safe mode and deleted many files from my main drive (C drive.) There were no issues in safe mode. I then restarted the computer and since then I have had no problems whatsoever. I haven't even seen dllhost.exe in task manager since.

Why I think it might not be a virus (though unsure):

I scanned these 4 dllhost files with Microsoft Security Essentials and AVG and no threats were found.

Everything is running perfectly fine as though there never was a problem.

The common dllhost virus issue I read in other forums was about multiple dllhost.exe *32 com surrogates in task manager. This was just 1 single dllhost.exe com surrogate in task manager, without the *32.

One thing aside from just to make sure which makes me think this might be a virus is that after freeing up space on my main drive I had around 32GB free space on it. That was yesterday and today, when I booted my computer, I found the drive was now on 24GB, and have no idea where this went.

So...

Is it possible for my issue to happen without a virus causing it? - could this simply have been a case of having low memory and my computer trying to do something which required more memory than was available, resulting in this?

Is having 4 dllhost.exe files normal and safe? Are these definitely viruses or is there a chance that they are legit files?

Is this overnight loss of GB normal? Could this be being used for temporary things, or is this a bad sign?

Thank you, anybody who can answer any of this. I'm either in great need of help or great need to know my computer is fine.

#2 Sintharius


Posted 15 May 2015 - 11:42 AM

Hi there,

There is nothing wrong with having dllhost.exe files in those 4 locations - SysWOW64 is for 64-bit compatibility, and the winsxs folders are for system file backups. Needless to say, it is a very bad idea to delete system files without prior knowledge :)

The common issue with dllhost.exe that you referred to is Poweliks - that is a trojan that injects its code into dllhost.exe to do its dirty job, not something wrong with the file itself. However, it is very obvious if you get infected with it.

As for the loss of hard drive space, you might want to check with a tool like WinDirStat to see where the space goes. It can also be a sign of infection - in which case, you will need assistance in the Malware Removal Logs area - we can't do anything about it with the tools allowed here.

Regards,
Alex
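
An added example, not part of the original thread or any poster's code: a PowerShell check (3.0 or later assumed) that lists each running dllhost.exe with its image path, signature status and command line, treating System32 and SysWOW64 as the expected run locations named in the reply above. The function name Test-DllhostProcess is hypothetical, and because Poweliks injects its code into the genuine dllhost.exe, a passing result does not rule it out.

```powershell
# Added example: audit running dllhost.exe (COM Surrogate) processes.
# Assumes PowerShell 3.0+ (Get-CimInstance); run elevated to see every process.

# Directories a running dllhost.exe image is expected to load from.
# Assumption: the winsxs copies are stored component files, not run locations.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-DllhostProcess {
    param([Parameter(Mandatory)] $Process)

    # ExecutablePath can be empty when the caller lacks rights to the process.
    $path = $Process.ExecutablePath
    $dir  = if ($path) { Split-Path -Parent $path } else { $null }
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        ProcessId   = $Process.ProcessId
        ParentId    = $Process.ParentProcessId
        Path        = $path
        # -contains compares case-insensitively, which suits Windows paths.
        PathOk      = [bool]($dir -and ($expectedDirs -contains $dir))
        # Windows system files are often catalog-signed; older PowerShell
        # versions may report those as NotSigned rather than Valid.
        Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer      = if ($sig -and $sig.SignerCertificate) {
                          $sig.SignerCertificate.Subject
                      } else { $null }
        # A COM surrogate is normally started as: dllhost.exe /Processid:{GUID}
        CommandLine = $Process.CommandLine
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" |
    ForEach-Object { Test-DllhostProcess -Process $_ } |
    Format-List
```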

#3 mintea


Posted 15 May 2015 - 12:11 PM

Thank you very much, Alexstrasza!

With using WinDirStat - do you know if it will be clear from the results if this is caused by a virus?



#4 Sintharius


Posted 15 May 2015 - 12:13 PM

You can post the results here and I'll review it to see if it's caused by an infection or not.

Alex

#5 mintea


Posted 15 May 2015 - 12:18 PM

Thanks :)

Sorry, I just want to be sure here - Should I download WinDirStat from "fosshub" on the link you posted?

(Just an aside - Maybe it needs its own thread? If it turns out my computer is safe, would a system restore restore the files I deleted to free up space on my C drive? These aren't essential files so it's not too bad if I can't recover them but I was in a bit of a panic at the time and deleted some which if possible I would prefer to keep. These are video and image files.)



#6 Sintharius


Posted 15 May 2015 - 12:21 PM

Hi there,

If System Restore is on then you can use Shadow Explorer to recover deleted files.

Please use the download link from FossHub since it's the main download site :)

Regards,
Alex

#7 mintea


Posted 15 May 2015 - 12:25 PM

Bleh - I just realised, the files I care about getting back were in another drive, not the C drive. I wasn't sure what was going on at the time so I just deleted what I didn't need to free up space. Like I said, these aren't very important, but if I could recover them that would be good :P

Would this still work even though the files aren't in the main drive?

I'll download WinDirStat now, thank you.



#8 Sintharius


Posted 15 May 2015 - 12:29 PM

If System Restore is set to on in that drive, then yes. If it isn't, you can try a data recovery tool like Piriform's Recuva.

Keep me posted.

Regards,
Alex

#9 mintea


Posted 15 May 2015 - 12:31 PM

Okay. Let's hope it is on :P

WinDirStat finished. How should I post the results? Is there a way to do it through the program or should I just screencap or something?



#10 Sintharius


Posted 15 May 2015 - 12:35 PM

Hi there,

Just doing a screencap is fine.

You can use information in here to see if System Restore is enabled in that drive (or to be precise, the partition on the drive) or not.

Regards,
Alex

Edited by Alexstrasza, 15 May 2015 - 12:35 PM.


#11 mintea


Posted 15 May 2015 - 12:39 PM

Sorry about this :P I can't find how to attach an image here?

I'll have a look at that link now, thank you :D



#12 Sintharius


Posted 15 May 2015 - 12:40 PM

Hi there,

Please upload the image to an external hosting service (i.e. Imgur), then copy the link into your post :)

Alex

#13 mintea


Posted 15 May 2015 - 12:42 PM

http://i.imgur.com/70mtmRr.jpg

Okay, here :)



#14 mintea


Posted 15 May 2015 - 12:49 PM

Yiss. System restore is enabled on all drives.

Is there any problem with using system restore/shadow explorer with a virus on the computer? Like, should I wait to see if that^ was caused by a virus or can I just do this whenever?

Thanks so much for all of this. I'd be so lost otherwise :P



#15 Sintharius


Posted 15 May 2015 - 01:38 PM

Hi there,

If it's only to recover files then it should be okay to do.

Most of the space is taken by Program Files (x86)... let's see what you got there.

MiniToolbox by Farbar

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Regards,
Alex

Edited by Alexstrasza, 15 May 2015 - 01:38 PM.




