{"id":75552,"date":"2024-06-15T16:37:45","date_gmt":"2024-06-15T11:07:45","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=75552"},"modified":"2024-06-15T16:43:17","modified_gmt":"2024-06-15T11:13:17","slug":"fake-com-surrogate-high-cpu","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/fake-com-surrogate-high-cpu\/","title":{"rendered":"Fix: Fake COM Surrogate and High CPU Usage"},"content":{"rendered":"

If Task Manager shows COM Surrogate occupying high CPU or memory usage, it’s most likely a miner. It’s a fake COM Surrogate process whose name might be DlIHost.exe<\/code> (DLIHOST.EXE<\/code>) instead of DllHost.exe<\/code>.<\/p>\n

\"COM<\/p>\n

The fake COM Surrogate process (DLIHOST.exe) may be located in the folder “C:\\Users\\%username%\\AppData\\Roaming\\Dll<\/code>“. It runs runs as a scheduled task elevated under the SYSTEM account and establishes contact with a malicious web server, such as server.custompool.xyz<\/code>.<\/p>\n

Whereas the legitimate COM Surrogate process is c:\\windows\\system32\\dllhost.exe<\/code>.<\/p>\n

Resolution<\/h2>\n
    \n
  1. Open Task Manager and switch to the Details tab.<\/li>\n
  2. Kill the fake COM Surrogate process.<\/span><\/li>\n
  3. Immediately, run these commands from admin Command Prompt:<\/span>\n
    rd \/s \/q \"C:\\Users\\rotex\\AppData\\Roaming\\Dll\"\n\nschtasks \/delete \/tn \"\\UpdateTask\" \/f<\/pre>\n<\/li>\n<\/ol>\n
    The above commands delete the fake COM Surrogate process and the scheduled task.<\/p>\n
    Follow up with a scan using Malwarebytes Antimalware to ensure the system is clean.<\/p>\n","protected":false},"excerpt":{"rendered":"
    If Task Manager shows COM Surrogate occupying high CPU or memory usage, it’s most likely a miner. It’s a fake COM Surrogate process whose name might be DlIHost.exe (DLIHOST.EXE) instead of DllHost.exe.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,869],"tags":[963],"class_list":["post-75552","post","type-post","status-publish","format-standard","hentry","category-windows-10","category-windows-11","tag-malware"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":18635,"url":"https:\/\/www.winhelponline.com\/blog\/pc-doctor-module-high-cpu-memory-and-disk-usage-and-slowdown\/","url_meta":{"origin":75552,"position":0},"title":"“PC-Doctor Module” High CPU, Memory, Disk Usage and Slowdown","author":"Ramesh","date":"September 16, 2020","format":false,"excerpt":"Occasionally, your system may slow down to a crawl due to the PC-Doctor Module process that runs in the background. When this happens, it can take several seconds to open the Task Manager or any program. The Task Manager may show that a process named PC-Doctor Module is occupying 100%\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"dell pc-doctor module 100% cpu and memory usage","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/dell-pc-doctor-high-cpu-7.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":29386,"url":"https:\/\/www.winhelponline.com\/blog\/preview-pane-blank-every-file-type\/","url_meta":{"origin":75552,"position":1},"title":"Preview Pane is Blank for Every File Type Except Images","author":"Ramesh","date":"October 21, 2022","format":false,"excerpt":"We've seen the \"No preview available\" situations before, caused by the incorrect or missing preview handler registration for a file type. Here is a similar problem: the preview pane is empty, showing just the white space for all file types except images. However, the image file types may preview correctly.\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"preview pane blank white all file types","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/10\/preview-pane-blank-white-2.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/10\/preview-pane-blank-white-2.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/10\/preview-pane-blank-white-2.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/10\/preview-pane-blank-white-2.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":75787,"url":"https:\/\/www.winhelponline.com\/blog\/wmi-high-cpu-and-memory\/","url_meta":{"origin":75552,"position":2},"title":"Fix: WMI consuming High CPU and Memory","author":"Ramesh","date":"July 2, 2024","format":false,"excerpt":"When you open Task Manager to investigate a sluggish computer, you may see that the WMI Provider Host (WmiPrvSE.exe) process uses a lot of CPU and memory. Here's a screenshot from another computer where the Windows Management Instrumentation service (Winmgmt) occupies more CPU usage on some systems than on a\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"ASUS lightingservice.exe high cpu usage","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/lighting-service-high-cpu.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/lighting-service-high-cpu.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/lighting-service-high-cpu.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/lighting-service-high-cpu.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":3971,"url":"https:\/\/www.winhelponline.com\/blog\/task-manager-startup-impact-calculated-bootckcl\/","url_meta":{"origin":75552,"position":3},"title":"What is Startup Impact in Task Manager and How is it Calculated?","author":"Ramesh","date":"September 2, 2016","format":false,"excerpt":"You would have noticed a column named \"Startup Impact\" in Task Manager's Startup tab in Windows 8 and higher. But what does \"Startup Impact\" mean and how is it assessed? Task Manager Startup tab lists all startup apps loading from Run, RunOnce registry keys and from the user's Startup folder,\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"task manager startup impact","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/09\/taskmgr-startup-impact-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/09\/taskmgr-startup-impact-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/09\/taskmgr-startup-impact-1.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":4527,"url":"https:\/\/www.winhelponline.com\/blog\/view-resources-usage-each-service-svchost-windows-10\/","url_meta":{"origin":75552,"position":4},"title":"View Resources Usage by Individual Services in Windows 10","author":"Ramesh","date":"November 5, 2016","format":false,"excerpt":"With the Windows 10 Creators Update (codenamed \"Redstone 2\") Preview Build 14942, the way in which services are hosted has changed. In Windows 10 v1703 systems with more than 3.5 GB of RAM, each service would get its own service host (svchost.exe), instead of running under a shared service process.\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"svchost separate windows 10","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/services_1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/services_1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/services_1.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":5946,"url":"https:\/\/www.winhelponline.com\/blog\/program-constantly-writing-hard-disk-io\/","url_meta":{"origin":75552,"position":5},"title":"Find Which Program is Constantly Reading or Writing to Disk","author":"Ramesh","date":"November 4, 2017","format":false,"excerpt":"Does your hard drive LED in the computer's chassis show non-stop disk input or output activity? If the I\/O operations occur at an alarming rate, sometimes even at 100% disk usage, find the process and stop it from running, especially if you're using Solid State Drive. If you're wondering which\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"track disk io usage","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/75552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=75552"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/75552\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=75552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=75552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=75552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}