  1. #1
    stinkingbob (Member, Join Date: Jun 2005, Posts: 182, Points: 0)

    Windows DEP message popped up

    When I booted up my computer, I got a message from Windows DEP saying that it was closing a program called COM SURROGATE.
    I clicked on the "What is DEP" link and the help center said something about DEP preventing malicious code from operating in the background and taking over my system or something similar to that.
    My question is this: is this a false positive??

    Thanks,
    Bob

  2. #2
    stinkingbob (Member)


    Here is an addendum:
    In a previous post of my HijackThis log, the number O15 entries were flagged by the HijackThis Detective. Steam (or was it Basement) looked at it and said that that was in the trusted zone, which by all normal standards should not be there because that was like giving them the keys to the house. So I deleted those entries, which I will list below:

    O15 - Trusted Zone: *.sbcglobal.net
    O15 - Trusted Zone: http://*.sbcglobal.net

    Now, I noticed that the DEP message flagged the COM Surrogate file (which I can't find. I searched for it on my computer but nothing came up). So I am thinking that maybe when I started my computer this morning, I got that DEP message because I erased those 2 O15 entries. I don't know, I am just guessing, but I thought it relevant. I figured the COM was short for communication.
    I can still go on the internet with no problems.

    Thanks,
    Bob

  3. #3
    steamwiz (Member, Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)


    Windows DEP (Data Execution Prevention)

    A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003


    http://support.microsoft.com/kb/875352

    ===
    COM SURROGATE is C:\windows\system32\dllhost.exe ... XPClient ...

    I have it blocked in Zonealarm and I have never had to give it access to the internet...

    It is a legitimate file, which is installed with a clean install of XP ...

    Process Name: Microsoft DCOM DLL Host Process

    Description:
    dllhost.exe is a part of the Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated.


    This program is required to access the internet in order to have a successful installation of Microsoft .NET Framework.
    Only allow access if downloading from http://www.Microsoft.com or Windows Update.

    To put it as simply as possible...

    It's a host process for COM dlls.... it can run ANY requested DLLs which are registered on your machine

    So if a dll wants to connect to a web service, it can do so through the dllhost.exe file ...

    This could be a legitimate dll or a malware dll ...

    We need to know which dll was stopped and its location...

    If it was a good one and required, you will soon notice something not working (a service on the internet which you can no longer connect to)

    If it's a bad one ... then it's being blocked ... so no problem

    hope that explains it

    steam

    Oh and by the way ... it's got nothing to do with those trusted zone entries...
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
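
One way to answer the "which dll, and where is it" question from the last post, as an added example that is not part of the original thread. It assumes a current Windows with PowerShell; the `/Processid:{GUID}` command-line switch and the `HKEY_CLASSES_ROOT\CLSID` layout are standard Windows behaviour rather than something stated in the thread, and `Get-SurrogateDll` is a helper name made up for this example.

```powershell
# Added example: list running COM Surrogate (dllhost.exe) processes and the DLLs
# registered for the COM class or AppID each one was started to host.
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
# Expected locations: System32 (named in the post above) and SysWOW64
# (the 32-bit copy on 64-bit Windows).
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\dllhost.exe" }

function Get-SurrogateDll([string]$Guid) {
    # The GUID may be a CLSID itself or an AppID shared by several CLSIDs, so check both.
    $keys  = @(Get-Item -LiteralPath "$clsidRoot\$Guid" -ErrorAction SilentlyContinue)
    $keys += @(Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue |
               Where-Object { $_.GetValue('AppID') -eq $Guid })
    foreach ($k in $keys) {
        if (-not $k) { continue }
        $sub = $k.OpenSubKey('InprocServer32')   # default value holds the DLL path
        if ($sub) { ([string]$sub.GetValue('')).Trim('"') }
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $p = $_
    # CommandLine can be empty for other users' processes unless run elevated.
    $guid = if ($p.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }
    $dlls = if ($guid) { @(Get-SurrogateDll $guid | Select-Object -Unique) } else { @() }
    # An unsigned or missing DLL is a prompt to look closer, not a verdict.
    $sigs = $dlls | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        ForEach-Object { (Get-AuthenticodeSignature -LiteralPath $_).Status }
    [pscustomobject]@{
        ProcessId    = $p.ProcessId
        Path         = $p.ExecutablePath
        PathExpected = $expected -contains $p.ExecutablePath
        ClassOrAppId = $guid
        HostedDll    = $dlls -join '; '
        Signature    = $sigs -join '; '
    }
} | Format-List
```

This only shows surrogates that are still running; a process DEP has already closed will not appear, so the DLL named in the DEP dialog or event log remains the primary lead.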