How to determine what is running in DLLHOST.EXE that's missing /ProcessID switch?

It's a Fileless, Memory-Injecting, DLL Trojan!

The credit for pointing me in the right direction goes to @harrymc so I've awarded him the answer flag & bounty.

As far as I can tell, a proper instance of DLLHOST.EXE always has the /ProcessID: switch. These processes don't because they're executing a .DLL that has been injected directly into memory by the Poweliks trojan.

According to this writeup:

...[Poweliks] is stored in an encrypted registry value, and loaded at boot time by a RUN key calling rundll32 process on an encrypted JavaScript payload.

Once [the] payload [is] loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell scripts contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.

As noted in at the beginning of the above-referenced article, recent variants (mine included) no longer start from an entry in the HKEY_CURRENT_USER\...\RUN key but are instead hidden in a hijacked CLSID key. And to make it even harder to detect there are no files written to disk, only these Registry entries.

Indeed (thanks to harrymc's suggestion) I found the trojan by doing the following:

  1. Boot to Safe Mode
  2. Use Process Explorer to suspend all of the rouge dllhost.exe processes
  3. Run a ComboFix scan

In my case the Poweliks trojan was hiding in the HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key (which is has to do with the Thumbnail Cache). Apparently when this key is accessed it executes the trojan. Since thumbnails are used a lot this had the effect of the trojan coming to life almost as quickly as if it had an actual RUN entry in the Registry.

For some additional technical details, see this TrendMicro blog post.


I see on my computer dllhost.exe running from C:\Windows\System32, while yours is running from C:\Windows\SysWOW64, which looks somewhat suspicious. But the problem can still be caused by some 32-bit product installed on your computer.
Check also the Event Viewer and post here any suspicious messages.

My guess is that you are infected or that Windows has become very unstable.

The first step is to see whether the problem arrives when booting into Safe mode. If it doesn't arrive there, then the problem is (maybe) with some installed product.

If the problem does arrive in Safe mode, then the problem is with Windows. Try running sfc /scannow to verify system integrity.

If no problems are found, scan using :

  • AdwCleaner
  • ComboFix

If nothing helps, try a boot-time antivirus such as :

  • Dr.Web
  • F-Secure
  • Panda

To avoid burning real CDs, use Windows 7 USB DVD Download Tool to install the ISOs one-by-one on a USB key to boot from.

If all fails and you do suspect an infection, the safest solution is to format the disk and reinstall Windows, but try all other possibilities first.

Tags:

Windows

Security

Command Line

Process

Virus

Related

How do I display the usage flags for my encryption keys in a less hackish way? Manually flushing write cache on Windows How to enable hardware based encryption on Samsung 850 Pro Is it possible to have one MBR partition and one GPT partition on the same drive? How to open multiple local HTML files in Google Chrome at once? Create video with 5 images with fadeIn/out effect in ffmpeg In Office 365 how do I get a direct download link for an Excel document stored in One Drive for Business? How can I get MySQL workbench to always show the result grid? Why can't I save as picture? (Word 2010) PM: Hibernation image not present or could not be loaded Why do some AC adapters and power supplies generate a whining noise, and what can I do about it? Advertisement suddenly appearing on top of almost every page

Recent Posts