If Task Manager shows COM Surrogate occupying high CPU or memory usage, it’s most likely a miner. It’s a fake COM Surrogate process whose name might be DlIHost.exe (DLIHOST.EXE) instead of DllHost.exe.
The fake COM Surrogate process (DLIHOST.exe) may be located in the folder "C:\Users\%username%\AppData\Roaming\Dll". It runs as a scheduled task elevated under the SYSTEM account and establishes contact with a malicious web server, such as server.custompool.xyz.
The legitimate COM Surrogate process, by contrast, is c:\windows\system32\dllhost.exe.
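A read-only check for the two indicators described above, as an added PowerShell example that is not part of the original post: it flags processes whose name only resembles dllhost.exe or that run from outside the Windows system folders, and lists scheduled tasks that launch a program from AppData\Roaming. The function name Test-DllHostLookalike is hypothetical, and treating the SysWOW64 copy of dllhost.exe as legitimate is an assumption added here.

```powershell
# Added example: lists suspects only, it does not kill or delete anything.
# Run from an elevated PowerShell prompt so process paths are readable.

$legitName  = 'dllhost.exe'
$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')   # assumption: 32-bit copy on 64-bit Windows
)

function Test-DllHostLookalike {
    param([string]$Name, [string]$Path)
    # Fold characters commonly swapped for a lower-case "l" (capital I, digit 1).
    $folded = $Name.ToLowerInvariant() -replace '[i1]', 'l'
    if ($folded -ne $legitName)         { return $null }              # unrelated process
    if ($Name -ne $legitName)           { return 'look-alike name' }  # e.g. DlIHost.exe
    if (-not $Path)                     { return 'path not readable' }
    if ($legitPaths -notcontains $Path) { return 'unexpected location' }
    return $null                                                      # genuine COM Surrogate
}

# 1. Processes that imitate dllhost.exe by name or by location.
Get-CimInstance Win32_Process | ForEach-Object {
    $reason = Test-DllHostLookalike -Name $_.Name -Path $_.ExecutablePath
    if ($reason) {
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Reason    = $reason
        }
    }
}

# 2. Scheduled tasks whose action starts a program from a roaming profile folder,
#    together with the account the task runs as (SYSTEM in the case described).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { $_.Execute -match 'AppData\\Roaming|%AppData%' } |
        ForEach-Object {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                Execute = $_.Execute
            }
        }
}
```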
Resolution
- Open Task Manager and switch to the Details tab.
- Kill the fake COM Surrogate process.
- Immediately, run these commands from an admin Command Prompt:
rd /s /q "C:\Users\%username%\AppData\Roaming\Dll"
schtasks /delete /tn "\UpdateTask" /f
The above commands delete the folder containing the fake COM Surrogate executable and the scheduled task.
Follow up with a scan using Malwarebytes Antimalware to ensure the system is clean.