If I manually stop each of the dozen instances of dllhost/comm surrogate then performance is fine for about 10 minutes
I leave the normal dllhost running.
After about 10 minutes, dllhost/COMM surrotes start appearing & performance degrades.
any ideas?
Page 1 / 1
Hello jmb, welcome to the Webroot Community!
That sounds like you might have something in there you don't want indeed. Have you run a scan with WSA? Has it found anything?
If you have run a scan, and it has come up blank, you might not have a malware infection, but rather what we refer to as a PUA (Potentially Unwanted Application). These range from add on toolbars in your browser, to a number of other things..
If you suspect malware, please submit a Trouble Ticket.
Here is some more information regarding non malware PUA's. You might be able to locate and remove it yourself, but you can also submit a Trouble Ticket for assistance with these as well.
(Potentially Unwanted Application)
These are very annoying at best in that they cause pop-us, redirect your browser home page, and other behavior that may slow down the computer and direct ads your way, but they are not actually doing anything bad like damaging files or stealing information. Often they are installed intentionally by you the user as browser add-ons for various tasks such as quick search tools.. but they also come with the result of added annoying pop-ups and ads. Other times they 'piggy back' with other software that you installed, or try to 'sneak' onto your system entirely.
WSA does detect and remove many PUA's, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behavior that is easy to identify and easy to remove is not likely to be detected and removed by WSA. Those that are intentionally difficult to locate and remove are. Please see THIS LINK for more information regarding Webroot's stance on these annoying programs.
For those that are not detected by WSA, please see this KB Article. It has some easy to follow directions on locating and removing PUA's. You may also want to submit a Trouble Ticket, especially if you cannot remove it easily from the directions in the KB Article.
For those that ARE detected by WSA, but cannot be removed automatically, you can submit a Trouble Ticket. Webroot Support will help you get these annoying 'crapware' off your computer at no extra charge, and the additional examples may help to better automatic removal of that particular PUA for all users in the future.
To make sure that your WSA is checking for PUA's with the best proficiency, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
I hope this helps you both understand, and resolve the problem and if not please let us know!
NOTE: As noted above, PUA's that:
are often NOT detected and removed. This is partly for legal reasons: the source of the download can complain about it's extra software being blocked automatically by Webroot. There may be to allow WSA to recognize and block a LOT more PUA's than it currently can. Please see THIS IDEA for more information, and give a KUDO if you agree. User Idea requests are noted by the Webroot Team, and the more Kudo's on an Idea the more likely we may see dev time devoted to it.
Thanks!
That sounds like you might have something in there you don't want indeed. Have you run a scan with WSA? Has it found anything?
If you have run a scan, and it has come up blank, you might not have a malware infection, but rather what we refer to as a PUA (Potentially Unwanted Application). These range from add on toolbars in your browser, to a number of other things..
If you suspect malware, please submit a Trouble Ticket.
Here is some more information regarding non malware PUA's. You might be able to locate and remove it yourself, but you can also submit a Trouble Ticket for assistance with these as well.
(Potentially Unwanted Application)
These are very annoying at best in that they cause pop-us, redirect your browser home page, and other behavior that may slow down the computer and direct ads your way, but they are not actually doing anything bad like damaging files or stealing information. Often they are installed intentionally by you the user as browser add-ons for various tasks such as quick search tools.. but they also come with the result of added annoying pop-ups and ads. Other times they 'piggy back' with other software that you installed, or try to 'sneak' onto your system entirely.
WSA does detect and remove many PUA's, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behavior that is easy to identify and easy to remove is not likely to be detected and removed by WSA. Those that are intentionally difficult to locate and remove are. Please see THIS LINK for more information regarding Webroot's stance on these annoying programs.
For those that are not detected by WSA, please see this KB Article. It has some easy to follow directions on locating and removing PUA's. You may also want to submit a Trouble Ticket, especially if you cannot remove it easily from the directions in the KB Article.
For those that ARE detected by WSA, but cannot be removed automatically, you can submit a Trouble Ticket. Webroot Support will help you get these annoying 'crapware' off your computer at no extra charge, and the additional examples may help to better automatic removal of that particular PUA for all users in the future.
To make sure that your WSA is checking for PUA's with the best proficiency, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
- Open Webroot SecureAnywhere
- Click on ‘Advanced Settings’ from the top right
- Select ‘Scan Settings’ from the left side
- Unselect the option “Detect Potentially Unwanted Applications”
- Click on the Save button (you may have to enter in a CAPTCHA)
- Reselect the option to “Detect Potentially Unwanted Applications”
- Click on the Save button
- Run another scan with Webroot and remove any items that get detected.
I hope this helps you both understand, and resolve the problem and if not please let us know!
NOTE: As noted above, PUA's that:
- Come in with other downloads
- Have a clear opt out ability prior to install
are often NOT detected and removed. This is partly for legal reasons: the source of the download can complain about it's extra software being blocked automatically by Webroot. There may be to allow WSA to recognize and block a LOT more PUA's than it currently can. Please see THIS IDEA for more information, and give a KUDO if you agree. User Idea requests are noted by the Webroot Team, and the more Kudo's on an Idea the more likely we may see dev time devoted to it.
Thanks!
I've been having this same issue all night, I honestly don't know i have uninstalled the only 2 things i have added in the last month, and dont generally go to questionable sites....
but yat the dllhost for me is all over the place and webroot doesnt see anything wrong.
I followed the advice above and its still causing issues...any other ideas?
but yat the dllhost for me is all over the place and webroot doesnt see anything wrong.
I followed the advice above and its still causing issues...any other ideas?
Hi capneclipse
Welcome to the Community Forums.
From the research I have done on this there seems to be both the possibility that this is just a MS OS glitch which appear to be fixable by various means such as installing specific Windows Updates etc, but confusingly there also seems to be the possibility that the issue can be malware-related, i.e.e, there does not appear to be a clear cut reason for the issue...OS or malware-related.
If you want to read up some more on this then I would suggest that you Google "dllhost/comm surrogate" and you will find plenty on the MS OS-related issue from several reputable forums, and something on the malware-related angle from some others.
Given the above and not knowing how techincal you are I would recommend that you Open a Support Ticket so that the Support Team can take a look and advise accordingly. This is a service avaialble for free to all WSA users. Please not that whilst the Support Team does work 24/7 their response may not be as fast as usual given it is the weekend.
Please post back here and let us know what transpires as feedback helps us help other users in the future.
Regards, Baldrick
Welcome to the Community Forums.
From the research I have done on this there seems to be both the possibility that this is just a MS OS glitch which appear to be fixable by various means such as installing specific Windows Updates etc, but confusingly there also seems to be the possibility that the issue can be malware-related, i.e.e, there does not appear to be a clear cut reason for the issue...OS or malware-related.
If you want to read up some more on this then I would suggest that you Google "dllhost/comm surrogate" and you will find plenty on the MS OS-related issue from several reputable forums, and something on the malware-related angle from some others.
Given the above and not knowing how techincal you are I would recommend that you Open a Support Ticket so that the Support Team can take a look and advise accordingly. This is a service avaialble for free to all WSA users. Please not that whilst the Support Team does work 24/7 their response may not be as fast as usual given it is the weekend.
Please post back here and let us know what transpires as feedback helps us help other users in the future.
Regards, Baldrick
So update from me, dunno bout the original poster,
anyway
Running microsoft windows malacious software removal tool 31 minutes in and no files found so far, however,
after the initial start up of the program to find infections i had the dll host spam hit again and of course cancelled it in task manager, it was occuring bout every 10 minutes or so but since i started the windows tool and cancelled the initial hit again, it hasnt hit back...so
is it hiding??
i am still almost sure this is an actual virus and not just a windows update fubar, since the incident originally occured sometime last night my color scheme went from normal to like 16 bit version and than it would bounce back, this occured 3 times in maybe 8 hours, and i lost connection to my speakers twice...
still no word from webroot ticket filed last night, as it was mentioned, it is the weekend so things move a bit slower im sure.
anyway
Running microsoft windows malacious software removal tool 31 minutes in and no files found so far, however,
after the initial start up of the program to find infections i had the dll host spam hit again and of course cancelled it in task manager, it was occuring bout every 10 minutes or so but since i started the windows tool and cancelled the initial hit again, it hasnt hit back...so
is it hiding??
i am still almost sure this is an actual virus and not just a windows update fubar, since the incident originally occured sometime last night my color scheme went from normal to like 16 bit version and than it would bounce back, this occured 3 times in maybe 8 hours, and i lost connection to my speakers twice...
still no word from webroot ticket filed last night, as it was mentioned, it is the weekend so things move a bit slower im sure.
Hi capneclipse
Thanks for the feedback.
Yes, I suspect that it may take more time than usual for Support to respond...if you have had no joy by tomorrow then post back here and we will see if there is any way of getting the Support Ticket seen too (can't promise anything but you never know).
If you really believe that it is malware-related then the best approach is definitively the Support Ticket although you could also try running a Deep Scan with WSA...that may turn up something that the normal scan has not...though I doubt it as the normal scan is pretty thorough.
Do keep us posted, and also try to limite to the bare minimum, i.e., none, doing anything on your system that involves sensitiev data or activities, such as internet banking and the like...better safe than sorry.
Regards, Baldrick
Thanks for the feedback.
Yes, I suspect that it may take more time than usual for Support to respond...if you have had no joy by tomorrow then post back here and we will see if there is any way of getting the Support Ticket seen too (can't promise anything but you never know).
If you really believe that it is malware-related then the best approach is definitively the Support Ticket although you could also try running a Deep Scan with WSA...that may turn up something that the normal scan has not...though I doubt it as the normal scan is pretty thorough.
Do keep us posted, and also try to limite to the bare minimum, i.e., none, doing anything on your system that involves sensitiev data or activities, such as internet banking and the like...better safe than sorry.
Regards, Baldrick
Baldrick,
Is there a chance there might be some PUA garbage in there as well?
Is there a chance there might be some PUA garbage in there as well?
Hi David / Hi capneclipse
Been doing some more research prmopted by you last post, David, and have come across the following explanation of what is going on at the base here (reproduced in part, with credit being given to blogs.msdn.com):
"The dllhost.exe process goes by the name COM Surrogate and the only time you're likely even to notice its existence is when it crashes and you get the message COM Surrogate has stopped working. What is this COM Surrogate and why does it keep crashing?
The COM Surrogate is a fancy name for Sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting in moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.
In other words, the COM Surrogate is the I don't feel good about this code, so I'm going to ask COM to host it in another process. That way, if it crashes, it's the COM Surrogate sacrificial process that crashes instead of me process. And when it crashes, it just means that Explorer's worst fears were realized.
In practice, if you get these types of crashes when browsing folders containing video or media files, the problem is most likely a flaky codec."
This may be stating the obvious to some but does in my mind reinforce the need to get experts looking at this due to the fact that this is the result of failing processes somewhere either due to none malicious flaky software or malware, flaky adware, etc.
Hope that helps to clarify somewhat...now over the the professionals.
Regards, Baldrick
Been doing some more research prmopted by you last post, David, and have come across the following explanation of what is going on at the base here (reproduced in part, with credit being given to blogs.msdn.com):
"The dllhost.exe process goes by the name COM Surrogate and the only time you're likely even to notice its existence is when it crashes and you get the message COM Surrogate has stopped working. What is this COM Surrogate and why does it keep crashing?
The COM Surrogate is a fancy name for Sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting in moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.
In other words, the COM Surrogate is the I don't feel good about this code, so I'm going to ask COM to host it in another process. That way, if it crashes, it's the COM Surrogate sacrificial process that crashes instead of me process. And when it crashes, it just means that Explorer's worst fears were realized.
In practice, if you get these types of crashes when browsing folders containing video or media files, the problem is most likely a flaky codec."
This may be stating the obvious to some but does in my mind reinforce the need to get experts looking at this due to the fact that this is the result of failing processes somewhere either due to none malicious flaky software or malware, flaky adware, etc.
Hope that helps to clarify somewhat...now over the the professionals.
Regards, Baldrick
Hey folks, update my end again on this,
Recieved email from the support and hopefully with have something set up soon.
As for the above mentioned com surrogate crashing, nope not experiencing any of that, what it is doing is spooling up multiple versions of itself, so we end up with not 1 but about 30 plus if you let it keep going unchecked in the task manager to the point where both usage and memory are pushed to 100% on the computer tasking.
What was very interesting is not only does webroot see no issues but when runing the windows version of malware search, which as a full scan took about 100 minutes on my system, the dll host com surrogate issue never popped up once. Once the program itself was done running and never found anything, the issue than returned every 10 minutes or so just as before. This tells me that it is indeed bad things hiding on the system.
My only regret is not knowing how it started to begin with, i have not installed anything all week minus a windows update, and im truly wondering if some microsoft employee was feeling mischievous at this point.
Recieved email from the support and hopefully with have something set up soon.
As for the above mentioned com surrogate crashing, nope not experiencing any of that, what it is doing is spooling up multiple versions of itself, so we end up with not 1 but about 30 plus if you let it keep going unchecked in the task manager to the point where both usage and memory are pushed to 100% on the computer tasking.
What was very interesting is not only does webroot see no issues but when runing the windows version of malware search, which as a full scan took about 100 minutes on my system, the dll host com surrogate issue never popped up once. Once the program itself was done running and never found anything, the issue than returned every 10 minutes or so just as before. This tells me that it is indeed bad things hiding on the system.
My only regret is not knowing how it started to begin with, i have not installed anything all week minus a windows update, and im truly wondering if some microsoft employee was feeling mischievous at this point.
Hello capneclipse!@ wrote:
Hey folks, update my end again on this,
Recieved email from the support and hopefully with have something set up soon.
As for the above mentioned com surrogate crashing, nope not experiencing any of that, what it is doing is spooling up multiple versions of itself, so we end up with not 1 but about 30 plus if you let it keep going unchecked in the task manager to the point where both usage and memory are pushed to 100% on the computer tasking.
What was very interesting is not only does webroot see no issues but when runing the windows version of malware search, which as a full scan took about 100 minutes on my system, the dll host com surrogate issue never popped up once. Once the program itself was done running and never found anything, the issue than returned every 10 minutes or so just as before. This tells me that it is indeed bad things hiding on the system.
My only regret is not knowing how it started to begin with, i have not installed anything all week minus a windows update, and im truly wondering if some microsoft employee was feeling mischievous at this point.
May I also Welcome you to the Community,
Hopefully Support will tackle this for you pretty soon. And we appreciate you letting us know and would also let us know the outcome form support so that we can help others.
Besides we are a friendly group and your always welcome to jump in whenever!!
Bset Regards,;)
So i decided against what all people seem to keep saying and that was to not go to a previous version of updates, i went back to right before the oct 16th windows update, full system restore...
reason was it seemed the issue occured after thursday,
soon as my system restarted from the restore point i selected, webroot immediately popped up as windows was loading and told me there was 5 infections possible found, i immediately had it run the scan, it found 4, had it clean it all up, and for the past 20 minutes been sitting staring at my task manager waiting for the dll host to appear....
nothing...system seems good for the moment still, before i did all of this it was appearing every 10 minutes from initial start up and running multiple versions of itself.
So my only theory at this moment is there was something in the windows critical update from the 16th that i recieved, of course since everything is running well atm, i told the update system to go to hell and shut it down, till futher proof one way or another tells me it wasnt the windows updates.
I shall follow through with the support remote help as well to be on the safe side, since webroot said there was 5 at start up and only 4 were found with 3 scans total back to back.
Appreciate the comments/feedback from the community here.
reason was it seemed the issue occured after thursday,
soon as my system restarted from the restore point i selected, webroot immediately popped up as windows was loading and told me there was 5 infections possible found, i immediately had it run the scan, it found 4, had it clean it all up, and for the past 20 minutes been sitting staring at my task manager waiting for the dll host to appear....
nothing...system seems good for the moment still, before i did all of this it was appearing every 10 minutes from initial start up and running multiple versions of itself.
So my only theory at this moment is there was something in the windows critical update from the 16th that i recieved, of course since everything is running well atm, i told the update system to go to hell and shut it down, till futher proof one way or another tells me it wasnt the windows updates.
I shall follow through with the support remote help as well to be on the safe side, since webroot said there was 5 at start up and only 4 were found with 3 scans total back to back.
Appreciate the comments/feedback from the community here.
Hi capneclipse
Thanks for coming back to us re. the issue and what has been found so far. You are approaching getting it cleared up in the right when by liaising with Support on what WSA has found and then been able to deal with. Unfortunately, sometimes threats/malware can be hard to remove safely by automatic means, and Webroot takes a cautious approach in that area preferring to provide Techncial Support free of charge rather than trying to automate the clean up and further damaging your system.
Looking forward to hearing about the last installment.
Regards, Baldrick
Thanks for coming back to us re. the issue and what has been found so far. You are approaching getting it cleared up in the right when by liaising with Support on what WSA has found and then been able to deal with. Unfortunately, sometimes threats/malware can be hard to remove safely by automatic means, and Webroot takes a cautious approach in that area preferring to provide Techncial Support free of charge rather than trying to automate the clean up and further damaging your system.
Looking forward to hearing about the last installment.
Regards, Baldrick
I'm also experiencing this -- one one of my 2 home PCs. They both run Win7 and are up-to-date on Windows udates. But only one has the problem.
I have tried all the suggestions I've read on this and am at my wit's end. If certainly acts like a virus/malware. WSA tells me it can't find anything.
Some suggestions (from MS) include a corrupted user profile, which would have me duplicate my entire user profile. Others suggest wiping the HD and doing a complete reinstall.
This apparenltly a common problem -- and there is no solution!?
Has Webroot made any progress on this?
Please help!
TIA...
I have tried all the suggestions I've read on this and am at my wit's end. If certainly acts like a virus/malware. WSA tells me it can't find anything.
Some suggestions (from MS) include a corrupted user profile, which would have me duplicate my entire user profile. Others suggest wiping the HD and doing a complete reinstall.
This apparenltly a common problem -- and there is no solution!?
Has Webroot made any progress on this?
Please help!
TIA...
Hello gbanko, and Welcome to the Webroot Community.
In the first instance I'd contact Support, who'll take a look if necessary, and advise you: Submit a Support Ticket
I've seen advice to perform a clean boot in Windows also, if you feel confident to try that, but I'd contact support 1st to see what they say. How to perform a clean boot in Windows
Let us know how you get on, or if you have questions, thanks.
p.s. It's worth noting also that the issues you see on the 2nd machine, may well be unrelated to the Webroot software.
In the first instance I'd contact Support, who'll take a look if necessary, and advise you: Submit a Support Ticket
I've seen advice to perform a clean boot in Windows also, if you feel confident to try that, but I'd contact support 1st to see what they say. How to perform a clean boot in Windows
Let us know how you get on, or if you have questions, thanks.
p.s. It's worth noting also that the issues you see on the 2nd machine, may well be unrelated to the Webroot software.
This is precisely the same issue I have encountered. VERY high CPU usage associated with COM Surrogate. Also, internet security options in the Control Panel were changed (to "custom" settings) mysteriously. (Discovered this when I tried to download Malwarebytes and wasn't able to do so.) I have now run full scans now of Webroot and Malwarebytes, but nothing detected. The problem persists.
Last post on this issue was last week. Has anyone found a solution to this issue?
Last post on this issue was last week. Has anyone found a solution to this issue?
Hello and Welcome to the Webroot Community!
Can you please Submit a Support Ticket and they will be happy to help you and in the meantime please don't use any other scanners as Webroot can reverse infections and it's free of charge with your paid subscription! https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202
Thanks,
Daniel 😉
Can you please Submit a Support Ticket and they will be happy to help you and in the meantime please don't use any other scanners as Webroot can reverse infections and it's free of charge with your paid subscription! https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202
Thanks,
Daniel 😉
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.