How to determine what is running in DLLHOST.EXE that's missing /ProcessID switch?


I have multiple dllhost.exe processes running on my Windows 7 computer (screenshot in the original post).

Every one of these images' command lines is missing (what I am thinking is) the requisite /ProcessID:{00000000-0000-0000-0000-000000000000} command line option (screenshot in the original post).

Question: How can I determine what's actually running in this process?

It's my belief that if I can identify the actual application doing the work inside these dllhost.exe processes I'll be able to determine if my system is infected or not (see below).


Why I'm Asking/What I've Tried:

These DLLHOST.EXE instances look suspicious to me. For example, several of them have a lot of open TCP/IP connections (screenshot in the original post).

Process Monitor shows an absurd amount of activity. Just one of these processes generated 124,390 events in under 3 minutes. To make matters worse, several of these dllhost.exe processes are writing approximately 280 MB of data per minute to the user's TEMP and Temporary Internet Files folders in the form of folders and files with random four-character names. Some of these are in use and cannot be deleted. A filtered sample was posted as a screenshot.

I know this is probably malicious. Unfortunately, blasting the system from orbit must only be done after exhausting all other options. To that point, I've done:

  1. Malwarebytes full scan
  2. Microsoft Security Essentials full scan
  3. Thoroughly reviewed Autoruns and submitted files I don't recognize to VirusTotal.com
  4. Thoroughly reviewed HijackThis
  5. TDSSKiller scan
  6. Reviewed this SuperUser question
  7. Followed these instructions: How To Determine Which Application Is Running Within a COM+ or Transaction Server Package
  8. For each of the DLLHOST.EXE processes, I've reviewed the DLLs and Handles view in Process Explorer for any .exe, .dll or other application-type files for anything suspicious. Everything checked out though.
  9. Ran ESET Online scanner
  10. Ran Microsoft Safety Scanner
  11. Booted to Safe Mode. The command switch-less dllhost.exe instance is still running.

And aside from a few minor adware detections, nothing malicious is popping up!


Update 1
<<Removed as irrelevant>>

Update 2
Results of SFC /SCANNOW were posted as a screenshot.

I say Reinstate Monica

Posted 2014-10-30T18:02:01.663


Ask Gov Maharaj from Microsoft via the posted email, so that he can answer this in his show: http://channel9.msdn.com/Shows/The-Defrag-Show/

– magicandre1981 – 2014-10-31T08:09:21.297

@harrymc Mine shows 7/13/2009 and 7168 bytes. File version 6.1.7600.16385. – I say Reinstate Monica – 2014-11-05T19:49:39.580

If your Windows is 64-bit then I would guess that the problem is coming from a 32-bit installed product. – harrymc – 2014-11-05T20:08:47.433

What's on the strings tab? Anything interesting? – Jon Kloske – 2014-11-10T05:01:50.800

It could be worthwhile to know what services the dllhost.exe process makes use of. Start from the command line: wmic path Win32_Service Where "ProcessId = 28420" – JosefZ – 2014-11-10T09:31:38.907

Answers


I see on my computer dllhost.exe running from C:\Windows\System32, while yours is running from C:\Windows\SysWOW64, which looks somewhat suspicious. But the problem can still be caused by some 32-bit product installed on your computer.
Check also the Event Viewer and post here any suspicious messages.

My guess is that you are infected or that Windows has become very unstable.

The first step is to see whether the problem arrives when booting into Safe mode. If it doesn't arrive there, then the problem is (maybe) with some installed product.

If the problem does arrive in Safe mode, then the problem is with Windows. Try running sfc /scannow to verify system integrity.

If no problems are found, scan using:

If nothing helps, try a boot-time antivirus such as:

To avoid burning real CDs, use Windows 7 USB DVD Download Tool to install the ISOs one-by-one on a USB key to boot from.

If all fails and you do suspect an infection, the safest solution is to format the disk and reinstall Windows, but try all other possibilities first.

harrymc


There are some steps here I'll begin trying. The machine is well-maintained and has been stable until this behavior showed up (we were alerted to the problem by 10 GB of temp files written in a few days' time). I think the file being in \SysWOW64 is OK as I've confirmed the same file exists on other Win7 machines. – I say Reinstate Monica – 2014-11-05T20:05:13.860


If you suspect an installed startup product, Autoruns is a handy utility for turning them off in bunches and then back on again, rebooting each time.

– harrymc – 2014-11-05T20:10:13.570

I've repeatedly and extensively examined the Autoruns entries and found nothing suspicious. What gets me is this behavior showed up out of the blue. – I say Reinstate Monica – 2014-11-05T20:13:20.620

What did you find in the 10GB Temp folder? – harrymc – 2014-11-05T20:13:58.890

Thousands of folders with 4 character names and random files in them. Since the call for help was due to C: being out of disk space, once I found that much temp data I did what a good tech does and deleted it. It was only after noticing how rapidly the disk space went down that I started suspecting something out of the ordinary. – I say Reinstate Monica – 2014-11-05T20:15:24.313

If it's still happening, you could use Process Monitor to find out the writing process. Or is it dllhost.exe?

– harrymc – 2014-11-05T20:19:01.783

I did run ProcMon and the data was coming from dllhost.exe. The screenshot in my question shows only the Temporary Internet Files location, but it included the %TEMP% folder as well. – I say Reinstate Monica – 2014-11-05T20:21:46.133

Was there any maintenance done lately such as updating an installed product or Windows Update (the most dangerous of all)? You could try a system restore back to an earlier date. See also this Mark Russinovich blog on how to analyze a dllhost.exe problem. But if it's really an infection all you can do is run every antivirus under the sun and if they all fail nuke the computer (which is always the safest).

– harrymc – 2014-11-05T20:44:53.437

LOL. I in fact chided the user for not having recently installed updates...it looked as though he hadn't installed the latest round of Patch Tuesday updates. Breaking news here...ComboFix detects Poweliks malware...which I've had my eye on as a possible culprit, although this is the first positive detection on the system. – I say Reinstate Monica – 2014-11-05T20:58:22.703

If it's Poweliks then your user isn't very careful about opening email attachments. Even if eradicated, scan again with several well-known antivirus products in case it brought in some friends. And fully patch his computer including all installed applications. – harrymc – 2014-11-06T08:10:32.440

-1 This does not answer the question. This should be a comment. – kinokijuf – 2014-11-11T22:17:10.087

@kinokijuf: Thanks for leaving a comment justifying the downvote. In my defense I note that this is the accepted answer, since an antivirus I recommended found the infection when many others failed. – harrymc – 2014-11-12T08:20:49.787


It's a Fileless, Memory-Injecting, DLL Trojan!

The credit for pointing me in the right direction goes to @harrymc so I've awarded him the answer flag & bounty.

As far as I can tell, a proper instance of DLLHOST.EXE always has the /ProcessID: switch. These processes don't because they're executing a .DLL that has been injected directly into memory by the Poweliks trojan.

According to this writeup:

...[Poweliks] is stored in an encrypted registry value, and loaded at boot time by a RUN key calling rundll32 process on an encrypted JavaScript payload.

Once [the] payload [is] loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell scripts contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.

As noted at the beginning of the above-referenced article, recent variants (mine included) no longer start from an entry in the HKEY_CURRENT_USER\...\RUN key but are instead hidden in a hijacked CLSID key. And to make it even harder to detect, there are no files written to disk, only these Registry entries.

Indeed (thanks to harrymc's suggestion) I found the trojan by doing the following:

  1. Boot to Safe Mode
  2. Use Process Explorer to suspend all of the rogue dllhost.exe processes
  3. Run a ComboFix scan

In my case the Poweliks trojan was hiding in the HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key (which has to do with the Thumbnail Cache). Apparently when this key is accessed it executes the trojan. Since thumbnails are used a lot, this had the effect of the trojan coming to life almost as quickly as if it had an actual RUN entry in the Registry.

For some additional technical details, see this TrendMicro blog post.

I say Reinstate Monica

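The triage described in the question (which dllhost.exe instances lack the /ProcessID switch, what they host, how many sockets they hold) and in this answer (inspecting the hijacked CLSID key) can be scripted. The following is an added example written for this page, not code from the original post, from ComboFix, or from any other tool mentioned here. It assumes: the CLSID in $SuspectClsids is the one named in the answer above; the strings in $LoaderTokens come from the quoted writeup's description of the rundll32 / JavaScript / PowerShell loader chain; and the "DLL loaded from outside %windir%" filter is a heuristic of mine, not something the page states. It uses Get-WmiObject rather than Get-CimInstance so that it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): the dllhost.exe triage from the
# question and accepted answer, done in one elevated PowerShell session.

# CLSID named in the accepted answer; extend the list if you suspect others.
$SuspectClsids = @('{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}')

# Tokens of the loader chain described in the quoted writeup
# (rundll32 -> encrypted JavaScript -> PowerShell payload).
$LoaderTokens = 'rundll32|javascript|powershell'

# A legitimate COM surrogate is launched as:  dllhost.exe /ProcessID:{GUID}
$ProcessIdSwitch = '/ProcessID:\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Get-DllhostReport {
    # One record per dllhost.exe: image path, whether the switch is present,
    # parent process, services hosted in it (the wmic query from the comments)
    # and how many sockets netstat attributes to the PID.
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentDesc = 'n/a'
        if ($parent) { $parentDesc = "$($parent.Name) ($($parent.ProcessId))" }
        $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($p.ProcessId)")
        # netstat -ano prints the owning PID as the last column of every line
        $socks = @(netstat -ano | Select-String "\s$($p.ProcessId)\s*$")
        New-Object PSObject -Property @{
            PID          = $p.ProcessId
            Path         = $p.ExecutablePath
            HasProcessID = [bool]($p.CommandLine -match $ProcessIdSwitch)
            CommandLine  = $p.CommandLine
            Parent       = $parentDesc
            Services     = (($svcs | ForEach-Object { $_.Name }) -join ',')
            Sockets      = $socks.Count
        }
    }
}

function Get-NonWindowsModules {
    # Heuristic (my assumption, not from the page): a DLL loaded from outside
    # %windir% in a COM surrogate deserves a look. Code injected straight into
    # memory has no backing file and will NOT appear here, which is why step 8
    # in the question found nothing. Module enumeration across the 32/64-bit
    # boundary may fail; Process Explorer's DLLs tab is the fallback.
    param([int]$ProcessId)
    try {
        (Get-Process -Id $ProcessId).Modules |
            Where-Object { $_.FileName -notlike "$env:windir\*" } |
            Select-Object ModuleName, FileName
    } catch {
        Write-Warning "PID ${ProcessId}: cannot enumerate modules ($($_.Exception.Message))"
    }
}

function Test-ClsidHijack {
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # and the HKCU copy wins for the current user, so a Windows CLSID that also
    # exists under HKCU is itself worth noting. Every value under the key is
    # dumped and flagged when its data looks like the loader chain.
    param([string[]]$Clsids = $SuspectClsids)
    foreach ($clsid in $Clsids) {
        foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
            $path = Join-Path $hive $clsid
            if (-not (Test-Path $path)) { continue }
            $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse)
            foreach ($k in $keys) {
                foreach ($name in $k.GetValueNames()) {
                    $data  = [string]$k.GetValue($name)
                    $label = $name
                    if ($name -eq '') { $label = '(default)' }
                    $flag = ''
                    if ($data -match $LoaderTokens) { $flag = 'SUSPECT' }
                    New-Object PSObject -Property @{
                        Key   = $k.Name
                        Value = $label
                        Data  = $data
                        Flag  = $flag
                    }
                }
            }
        }
    }
}

# Usage: overview table, then modules of the switch-less instances, then the registry check.
$report = Get-DllhostReport
$report | Format-Table PID, HasProcessID, Parent, Services, Sockets, Path -AutoSize
$report | Where-Object { -not $_.HasProcessID } | ForEach-Object {
    "--- modules outside %windir% in PID $($_.PID) ---"
    Get-NonWindowsModules -ProcessId $_.PID | Format-Table -AutoSize
}
Test-ClsidHijack | Format-Table Flag, Key, Value, Data -AutoSize
```

Two practical notes. The interesting rows are the ones with HasProcessID false and a non-zero Sockets count; for those, an empty module list is not reassuring, since a payload injected from PowerShell (as the writeup describes) never had a file to list. And because the question's processes run from SysWOW64, run the script once more from the 32-bit PowerShell under %windir%\SysWOW64\WindowsPowerShell\v1.0 if the module enumeration warns; suspending the processes in Process Explorer before the ComboFix scan, as in the answer's step 2, is still a manual step.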


If you want to do this kind of forensic analysis of running processes, services, network connections, etc., I recommend also using ESET SysInspector. It gives you a better view of running files; you can see not only dllhost.exe but also the files linked to it by argument, paths for auto-startup programs, etc. Some of them may be services; it also takes their names, and you see it all in a nicely colorized application.

One big advantage is that it also gives you AV results for all files listed in the log, so if you have an infected system there is a big chance of finding the source. You can also post the XML log here and we can check it. Of course, SysInspector is part of ESET AV, in the Tools tab.

Dolmayan


I installed and ran ESET SysInspector but it's not telling me anything Process Explorer and Process Monitor haven't told me so far, although I do like how SysInspector makes some of this information easier to access. – I say Reinstate Monica – 2014-10-30T18:46:01.990