Spyware, Viruses, & Security forum

General discussion

Com Surrogate

by LarryD / September 14, 2004 8:36 PM PDT

Zone Alarm Pro snagged an outbound transmission by COM Surrogate. It says it's bad and I shouldn't allow it, so I listened!
The program is "dllhost.exe" and it is located in \system32.
I use (almost) every known spyware removal tool (XPHome, AdAware, Spybot, Hosts file, Spyware Blaster and Guard, amongst others), inoculator, etc. How did this 'thing' get in and how do I remove it?

Re: Com Surrogate - Don't remove it! it's a system process
by Donna Buenaventura / September 14, 2004 10:14 PM PDT
In reply to: Com Surrogate

As per http://www.liutilities.com/products/wintaskspro/processlibrary/dllhost/ -
dllhost.exe is a part of the Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated.

Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System

System Process: Yes
Virus: No
Spyware: No
Background Process: Yes
Uses Network: No
Hardware Related: No

As per http://blogs.msdn.com/robgruen/archive/2004/08/18/216685.aspx

XP SP2 Issues – Using the System Provided Surrogate (dllhost.exe)

DLLHost.exe can be used as a surrogate host for COM servers that are exposed via DCOM/COM+. On XP SP2 the situation may arise that you need to allow your surrogate hosted DCOM app to be accessible from outside of the personal firewall. Typically you would add your process to the firewall white list (trusted apps that are allowed access through the firewall) but the problem with doing this for dllhost.exe is that this opens the firewall for your DCOM server and any other application running under dllhost.exe. You may or may not want to do this.

Continue reading for PROS and CONS info.

From a ZA user's research:

http://www.neuber.com/taskmanager/process/dllhost.exe.html says
Process name: DCOM DLL host process
Product: Windows
Company: Microsoft
File: dllhost.exe

The COM+ hosting process controls processes in the Internet Information Services (IIS) and is used by many programs. It loads .NET Runtime for example. There can be multiple instances of DLLhost.exe.

Note: The dllhost.exe file is located in the c:\windows\System32 folder. In other cases, dllhost.exe is a virus, spyware, trojan or worm!
Virus with same name: Worm/Nachi.A.1 - antivir.de

http://forums.zonelabs.com/zonelabs/board/message?board.id=security&message.id=7870
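
The two checks the quoted sources point at (is this dllhost.exe the copy in System32, and which COM application is it hosting before a firewall rule is granted), as an added example that is not part of the original post. It assumes a current Windows system with PowerShell; the SysWOW64 location and the `/Processid:{AppID}` command-line convention are not stated in the thread.

```powershell
# Added example (not from the thread): triage every running dllhost.exe by
# image path, Authenticode status and the COM AppID it is hosting.
$sysRoot = $env:SystemRoot

# Expected image locations. System32 is the location named in the thread;
# SysWOW64 (the 32-bit copy on 64-bit Windows) is an assumption added here.
$expected = @(
    (Join-Path $sysRoot 'System32\dllhost.exe'),
    (Join-Path $sysRoot 'SysWOW64\dllhost.exe')
)

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    # ExecutablePath is empty when the caller lacks rights to query the process.
    $path = $_.ExecutablePath
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    # A COM surrogate is normally launched as: dllhost.exe /Processid:{AppID}
    $appId = $null
    if ($_.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]+\})') { $appId = $Matches[1] }

    # Resolve the AppID to its registered name, if the key exists.
    $appName = $null
    if ($appId) {
        $key = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
        if (Test-Path -LiteralPath $key) { $appName = (Get-Item -LiteralPath $key).GetValue('') }
    }

    # -notcontains compares strings case-insensitively, which suits Windows paths.
    $verdict = if (-not $path) {
        'Unknown: rerun elevated'
    } elseif ($expected -notcontains $path) {
        'SUSPICIOUS: not in System32'
    } elseif ($sig -ne 'Valid') {
        'REVIEW: signature not valid'
    } else {
        'OK'
    }

    [pscustomobject]@{
        PID = $_.ProcessId; Path = $path; Signature = $sig
        AppID = $appId; AppName = $appName; Verdict = $verdict
    }
} | Format-Table -AutoSize
```

The AppID column shows which COM server a given instance is hosting, which is the detail a per-executable firewall rule for dllhost.exe cannot distinguish.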

So why did ZA tell me it was bad?
by LarryD / September 14, 2004 10:33 PM PDT

Keep it simple, like me!

I 'blocked it' as per ZA, so I guess I can easily unblock it, but why does ZA warn? That other stuff you referred to is over my head!

False positive is their answer
by Donna Buenaventura / September 15, 2004 1:14 AM PDT

You may have an application that needs dllhost.exe (example: a .NET application).
Try to observe what application you were running when ZA alerted you. Maybe that program needs dllhost.exe.

False positive is what most ZA gurus are telling the users, so ignore it.

I was installing an IMPORTANT windows update
by LarryD / September 15, 2004 2:03 AM PDT

when the alarm rang. While I assumed that the update (for .NET) was the culprit, I didn't want to take any chances. Based upon your input, I will go back and unblock it.

I suggest that you delete
by Donna Buenaventura / September 15, 2004 2:20 AM PDT

the "firewall rule" for dllhost.exe instead of allowing or blocking it. It seems that it was a one-time "call" only, since you wrote that it alarmed while installing an update.

Allow it only if ZA triggers again or if any of your MS applications doesn't work when dllhost.exe is not allowed by ZA.

Re: I was installing an IMPORTANT windows update
by Mark5019 / September 15, 2004 4:47 AM PDT

Larry, same here when I updated. I allowed it, figured what I was doing.

Is there a list of other ZA 'bugs' available ?
by John Robie / September 15, 2004 10:43 AM PDT

Or nicely called 'False positive' instead of 'bugs'. Here I have been following what ZD tells me to do, and I would have never asked someone here in this forum, but just do what ZD advises.

Re: Is there a list of other ZA 'bugs' available ?
by Donna Buenaventura / September 15, 2004 5:24 PM PDT

(NT) Thanks Donna.
by John Robie / September 16, 2004 4:28 PM PDT

(NT) :)
by Donna Buenaventura / September 16, 2004 5:07 PM PDT
In reply to: (NT) Thanks Donna.

Re: following what ZD tells me to do
by jonah jones / October 17, 2004 10:07 PM PDT

would that be ZDuh! JR?

:)

.

Re: 'cos there are TWO versions of it?
by jonah jones / October 17, 2004 9:17 PM PDT

ZA said "xxxx.xxx" is a 'no-no' "assuming" that it was the "bad" version...


.

Re: Com Surrogate - Don't remove it! it's a system process
by mark_cousins / October 17, 2004 8:43 PM PDT

I was trying to run the backup program from Program Files/Accessories and had recently had a bad, major crash due to the Windows XP SP2 update. Thought it was all fixed, but it seems a bit strange that my system backup would require internet access? Any advice would be appreciated. Cheers, Mark

It's normal and by design

Even Norton Firewall alerts me if I use the backup utility.

It is connecting only to your DNS server to resolve the machine name to an IP address (your internal IP address), but I think this should not happen if the system is not a server or networked.

Disallowing the access is OK (with the help of the firewall). I mean, the backup process will be done.
