How to determine what is running in DLLHOST.EXE that's missing /ProcessID switch?
Solution 1:
I see on my computer dllhost.exe running from C:\Windows\System32
, while yours is running from
C:\Windows\SysWOW64
, which looks somewhat suspicious. But the problem can still be caused
by some 32-bit product installed on your computer.
Check also the Event Viewer and post here any suspicious messages.
My guess is that you are infected or that Windows has become very unstable.
The first step is to see whether the problem arrives when booting into Safe mode. If it doesn't arrive there, then the problem is (maybe) with some installed product.
If the problem does arrive in Safe mode, then the problem is with Windows. Try running sfc /scannow to verify system integrity.
If no problems are found, scan using :
- AdwCleaner
- ComboFix
If nothing helps, try a boot-time antivirus such as :
- Dr.Web
- F-Secure
- Panda
To avoid burning real CDs, use Windows 7 USB DVD Download Tool to install the ISOs one-by-one on a USB key to boot from.
If all fails and you do suspect an infection, the safest solution is to format the disk and reinstall Windows, but try all other possibilities first.
Solution 2:
It's a Fileless, Memory-Injecting, DLL Trojan!
The credit for pointing me in the right direction goes to @harrymc so I've awarded him the answer flag & bounty.
As far as I can tell, a proper instance of DLLHOST.EXE
always has the /ProcessID:
switch. These processes don't because they're executing a .DLL that has been injected directly into memory by the Poweliks trojan.
According to this writeup:
...[Poweliks] is stored in an encrypted registry value, and loaded at boot time by a RUN key calling rundll32 process on an encrypted JavaScript payload.
Once [the] payload [is] loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell scripts contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.
As noted in at the beginning of the above-referenced article, recent variants (mine included) no longer start from an entry in the HKEY_CURRENT_USER\...\RUN
key but are instead hidden in a hijacked CLSID key. And to make it even harder to detect there are no files written to disk, only these Registry entries.
Indeed (thanks to harrymc's suggestion) I found the trojan by doing the following:
- Boot to Safe Mode
- Use Process Explorer to suspend all of the rouge
dllhost.exe
processes - Run a ComboFix scan
In my case the Poweliks trojan was hiding in the HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
key (which is has to do with the Thumbnail Cache). Apparently when this key is accessed it executes the trojan. Since thumbnails are used a lot this had the effect of the trojan coming to life almost as quickly as if it had an actual RUN
entry in the Registry.
For some additional technical details, see this TrendMicro blog post.