Fix: Fake COM Surrogate and High CPU Usage

If Task Manager shows COM Surrogate using high CPU or memory, it’s most likely a miner: a fake COM Surrogate process whose name might be DlIHost.exe (DLIHOST.EXE, spelled with an “i” in place of the second “l”) instead of DllHost.exe.


The fake COM Surrogate process (DLIHOST.exe) may be located in the folder “C:\Users\%username%\AppData\Roaming\Dll”. It runs as an elevated scheduled task under the SYSTEM account and contacts a malicious web server, such as server.custompool.xyz.

The legitimate COM Surrogate process, by contrast, is c:\windows\system32\dllhost.exe.
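One way to check a machine for both signs described above, the look-alike process and a task that launches a binary from AppData\Roaming. This is an added example, not part of the original post; it assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask) and an elevated PowerShell prompt, and the SysWOW64 path is an addition for 64-bit systems.

```powershell
# Added example; run from an elevated PowerShell prompt so that processes
# and tasks owned by SYSTEM are visible.

# Genuine dllhost.exe locations: System32 (named in the article) and, on
# 64-bit Windows, SysWOW64 for the 32-bit copy.
$legit = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

# 1. Processes named dllhost.exe or the look-alike dlihost.exe.
#    -match and -contains ignore case, so DLIHOST.EXE is caught too.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^dl[li]host\.exe$' } |
    ForEach-Object {
        $verdict = if (-not $_.ExecutablePath) {
            'path unavailable (not elevated?)'
        } elseif ($legit -contains $_.ExecutablePath) {
            'legitimate path'
        } else {
            'SUSPICIOUS'
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Verdict   = $verdict
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks whose action runs something from a user's
#    AppData\Roaming folder, with the account each task runs as.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { $_.Execute -match '\\AppData\\Roaming\\|%APPDATA%' } |
        ForEach-Object {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                Execute = $_.Execute
            }
        }
} | Format-Table -AutoSize
```

Rows from the second query are leads to review rather than verdicts, since some legitimate updaters also run from AppData\Roaming; a task there that runs as SYSTEM matches the pattern this article describes.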



Resolution

  1. Open Task Manager and switch to the Details tab.
  2. Kill the fake COM Surrogate process.
  3. Immediately run these commands from an admin Command Prompt (replace rotex with the name of the affected user account):
    rd /s /q "C:\Users\rotex\AppData\Roaming\Dll"
    
    schtasks /delete /tn "\UpdateTask" /f

The above commands delete the folder containing the fake COM Surrogate executable and the scheduled task.

Follow up with a scan using Malwarebytes Antimalware to ensure the system is clean.



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.
