
I have multiple dllhost.exe processes running on my Windows 7 computer.

Every one of these images' command lines is missing (what I am thinking is) the requisite /ProcessID:{000000000-0000-0000-0000-0000000000000} command line option.

Question: How can I determine what's actually running in this process?

It's my belief that if I can identify the actual application doing the work inside these dllhost.exe processes I'll be able to determine if my system is infected or not (see below).


Why I'm Asking/What I've Tried:

These DLLHOST.EXE instances look suspicious to me. For example, several of them have a lot of open TCP/IP connections:


Process Monitor shows an absurd amount of activity. Just one of these processes generated 124,390 events in under 3 minutes. To make matters worse, several of these dllhost.exe processes are writing approximately 280 MB of data per minute to the user's TEMP and Temporary Internet Files folders in the form of folders and files with random four-character names. Some of these are in use and cannot be deleted. Here's a filtered sample:


I know this is probably malicious. Unfortunately, blasting the system from orbit must only be done after exhausting all other options. To that point, I've done:

  1. Malwarebytes full scan
  2. Microsoft Security Essentials full scan
  3. Thoroughly reviewed Autoruns and submitted files I don't recognize to VirusTotal.com
  4. Thoroughly reviewed HijackThis
  5. TDSSKiller scan
  6. Reviewed this SuperUser question
  7. Followed these instructions: How To Determine Which Application Is Running Within a COM+ or Transaction Server Package
  8. For each of the DLLHOST.EXE processes, I've reviewed the DLLs and Handles view in Process Explorer for any .exe, .dll or other application-type files for anything suspicious. Everything checked out though.
  9. Ran ESET Online scanner
  10. Ran Microsoft Safety Scanner
  11. Booted to Safe Mode. The command switch-less dllhost.exe instance is still running.

And aside from a few minor adware detections, nothing malicious is popping up!


Update 1
<<Removed as irrelevant>>

Update 2
Results of SFC /SCANNOW: [screenshot]

  • Ask Gov Maharaj from Microsoft via the posted email, so that he can answer this in his show: channel9.msdn.com/Shows/The-Defrag-Show Commented Oct 31, 2014 at 8:09
  • @harrymc Mine shows 7/13/2009 and 7168 bytes. File version 6.1.7600.16385. Commented Nov 5, 2014 at 19:49
  • If your Windows is 64-bit then I would guess that the problem is coming from a 32-bit installed product.
    – harrymc
    Commented Nov 5, 2014 at 20:08
  • What's on the strings tab? Anything interesting? Commented Nov 10, 2014 at 5:01
  • Could be worthwhile to know what services the dllhost.exe process makes use of. Start from the command line: wmic path Win32_Service Where "ProcessId = 28420"
    – JosefZ
    Commented Nov 10, 2014 at 9:31

3 Answers


I see on my computer dllhost.exe running from C:\Windows\System32, while yours is running from C:\Windows\SysWOW64, which looks somewhat suspicious. But the problem can still be caused by some 32-bit product installed on your computer.
Check also the Event Viewer and post here any suspicious messages.

My guess is that you are infected or that Windows has become very unstable.

The first step is to see whether the problem arrives when booting into Safe mode. If it doesn't arrive there, then the problem is (maybe) with some installed product.

If the problem does arrive in Safe mode, then the problem is with Windows. Try running sfc /scannow to verify system integrity.

If no problems are found, scan using:

If nothing helps, try a boot-time antivirus such as:

To avoid burning real CDs, use Windows 7 USB DVD Download Tool to install the ISOs one-by-one on a USB key to boot from.

If all fails and you do suspect an infection, the safest solution is to format the disk and reinstall Windows, but try all other possibilities first.

  • There are some steps here I'll begin trying. The machine is well-maintained and has been stable until this behavior showed up (we were alerted to the problem by 10 GB of temp files written in a few days' time). I think the file being in \SysWOW64 is OK as I've confirmed the same file exists on other Win7 machines. Commented Nov 5, 2014 at 20:05
  • If you suspect an installed startup product, Autoruns is a handy utility for turning them off in bunches and then back on again, rebooting each time.
    – harrymc
    Commented Nov 5, 2014 at 20:10
  • I've repeatedly and extensively examined the Autoruns entries and found nothing suspicious. What gets me is this behavior showed up out of the blue. Commented Nov 5, 2014 at 20:13
  • What did you find in the 10GB Temp folder?
    – harrymc
    Commented Nov 5, 2014 at 20:13
  • @kinokijuf: Thanks for leaving a comment justifying the downvote. To my defense I note that this is the accepted answer, since an antivirus I recommended found the infection when many others failed.
    – harrymc
    Commented Nov 12, 2014 at 8:20

It's a Fileless, Memory-Injecting, DLL Trojan!

The credit for pointing me in the right direction goes to @harrymc so I've awarded him the answer flag & bounty.

As far as I can tell, a proper instance of DLLHOST.EXE always has the /ProcessID: switch. These processes don't because they're executing a .DLL that has been injected directly into memory by the Poweliks trojan.

According to this writeup:

...[Poweliks] is stored in an encrypted registry value, and loaded at boot time by a RUN key calling rundll32 process on an encrypted JavaScript payload.

Once [the] payload [is] loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell script contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.

As noted at the beginning of the above-referenced article, recent variants (mine included) no longer start from an entry in the HKEY_CURRENT_USER\...\RUN key but are instead hidden in a hijacked CLSID key. And to make it even harder to detect, there are no files written to disk, only these Registry entries.

Indeed (thanks to harrymc's suggestion) I found the trojan by doing the following:

  1. Boot to Safe Mode
  2. Use Process Explorer to suspend all of the rogue dllhost.exe processes
  3. Run a ComboFix scan

In my case the Poweliks trojan was hiding in the HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key (which has to do with the Thumbnail Cache). Apparently when this key is accessed it executes the trojan. Since thumbnails are used a lot, this had the effect of the trojan coming to life almost as quickly as if it had an actual RUN entry in the Registry.

For some additional technical details, see this TrendMicro blog post.
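An added triage script, written for this page and not taken from the thread or any of its posters, that combines the checks discussed above: it lists every dllhost.exe instance with its owner, parent, hosted services (JosefZ's wmic check), TCP connection count and whether the /ProcessID:{GUID} switch is present, then dumps the values under the CLSID key named in the answer so they can be compared against a clean Windows 7 machine. It assumes an elevated Windows PowerShell 3.0 or later prompt; the 512-character "long value" threshold is an arbitrary heuristic, not a signature.

```powershell
# Added triage helper, not from the thread. Elevated Windows PowerShell 3.0+;
# Get-WmiObject is used so it also runs on Windows 7.

# Key named in the accepted answer above; adjust if a different CLSID is suspected.
$SuspectClsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'

# Count TCP endpoints per PID from netstat -ano (last column is the owning PID).
$tcpByPid = @{}
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$') {
        $owningPid = [int]$Matches[1]
        $tcpByPid[$owningPid] = 1 + $tcpByPid[$owningPid]
    }
}

# 1. Every dllhost.exe: a COM+ surrogate normally carries /ProcessID:{GUID};
#    an instance with neither that switch nor a hosted service is what the question describes.
$procs = Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'"
$report = foreach ($p in $procs) {
    $owner    = $p.GetOwner()
    $services = (Get-WmiObject Win32_Service -Filter "ProcessId = $($p.ProcessId)").Name
    $hasSwitch = [bool]($p.CommandLine -match '/ProcessID:\{[0-9A-Fa-f-]{36}\}')
    [pscustomobject]@{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Owner     = "$($owner.Domain)\$($owner.User)"
        Path      = $p.ExecutablePath
        HasProcID = $hasSwitch
        Services  = ($services -join ',')
        TcpConns  = [int]$tcpByPid[[int]$p.ProcessId]
        Verdict   = $(if ($hasSwitch -or $services) { 'expected' } else { 'REVIEW' })
    }
}
$report | Sort-Object Verdict -Descending | Format-Table -AutoSize

# 2. Dump every value under the suspect CLSID for comparison with a clean machine.
#    Long data is flagged because the writeup quoted above describes the payload
#    being stored in a registry value (heuristic only, not proof of infection).
$key = Get-Item $SuspectClsid -ErrorAction SilentlyContinue
if (-not $key) { "CLSID key not present: $SuspectClsid" } else {
    foreach ($sub in @($key) + @(Get-ChildItem $SuspectClsid -Recurse)) {
        foreach ($name in $sub.GetValueNames()) {
            $data  = [string]$sub.GetValue($name)
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $flag  = if ($data.Length -gt 512) { '  <-- unusually long value, review' } else { '' }
            '{0}\{1} = [{2} chars] {3}{4}' -f $sub.Name, $label, $data.Length,
                $data.Substring(0, [Math]::Min(80, $data.Length)), $flag
        }
    }
}
```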


If you want to do this kind of forensic analysis of running processes, services, network connections, ... I recommend you also use ESET SysInspector. It gives you a better view of running files; you can see not only dllhost.exe but also the files linked with arguments for this file, the paths for auto-startup programs, ... Some of them may be services; it also takes their names, and you see it all in a nice colorized application.

One big advantage is that it also gives you AV results for all files listed in the log, so if you have an infected system, there is a big chance to find the source. You can also post the XML log here and we can check it. Of course, SysInspector is part of ESET AV, in the Tools tab.

  • I installed and ran ESET SysInspector but it's not telling me anything Process Explorer and Process Monitor haven't told me so far, although I do like how SysInspector makes some of this information easier to access. Commented Oct 30, 2014 at 18:46
