Poweliks – Dllhost.exe Resource Infection

Symptoms: Windows computer is horribly sluggish and unable to do anything. Checking Task Manager shows more than ten “dllhost.exe” or “dllhost.exe *32” (COM Surrogate) processes, CPU at 100%, commit charge maxed out, and RAM hitting its limit. Restarting the computer into safe mode shows the same issue and the computer is slow to respond.

Other common programs started by Poweliks include:
– dllhst3g
– cmmon32
– regsvr32
– dpnsvr
– dplaysvr
– powershell

Resolution: Your computer is heavily infected with a Trojan, commonly known as “Poweliks”.

The Trojan first checks whether the compromised computer has PowerShell or the .NET Framework. It then decrypts a PowerShell script from its encrypted JavaScript and runs that PowerShell script to execute a binary program. This program connects to the following remote locations: 178.89.159.34, 178.89.159.35

The Trojan may then perform the following activities:
– Receive commands from the remote attacker
– Delete the binary program

Follow the below steps to remove this:

1. Reboot your computer into safe mode with networking
– Tapping F8 on reboot and then selecting safe mode with networking
– Run (Windows+R) >> msconfig >> Boot tab >> check Safe boot, select Network >> click OK and restart the computer

2. Clear temp app data by running “%temp%” and deleting the whole contents of it
– Run (Windows+R) >> %temp% >> unhide files >> delete all contents >> hide files

3. End all tasks for dllhost.exe (and all other common programs started by Poweliks)
– Open Task Manager (Ctrl+Alt+Delete OR Ctrl+Shift+Esc)
– End the task for every single dllhost.exe process

4. Run RogueKiller
– Place a check mark next to all non-green items found by the scan, in every tab
– Before clicking Delete, MAKE SURE ALL DLLHOST.EXE TASKS (including variants) HAVE BEEN ENDED (the infection will come back if they haven’t)

5. Restart the computer and verify processes in task manager

6. Ensure that ONLY ONE dllhost.exe is running, not multiple instances

7. If multiple dllhost.exe processes are still present and taking up a lot of CPU, repeat step 3

8. If after repeating step 6 the infection is still present, run ESET’s standalone Poweliks Cleaner and/or Norton’s Poweliks Removal Tool
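The checks in steps 3, 5 and 6 can be scripted instead of eyeballing Task Manager. The following PowerShell is an added example, not part of the original post or any removal tool: it lists every process whose name matches the ones the post calls out, reports their CPU time and memory, and tells you whether more than one dllhost.exe is still running. The process names are exactly those the post lists; everything else (function names, thresholds) is this example's own choice.

```powershell
# Added example (not from the original post). Process names are those the post lists.
# Note: 'powershell' will match the console you run this from, so expect at least one hit there.
$suspectNames = @('dllhost', 'dllhst3g', 'cmmon32', 'regsvr32', 'dpnsvr', 'dplaysvr', 'powershell')

function Get-PoweliksSuspects {
    # Steps 3 and 5: show every running instance of the names the post associates with Poweliks,
    # busiest first, so the 100% CPU / RAM-limit symptom is visible in one table.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path,
            @{ Name = 'CpuSeconds';   Expression = { if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 } } },
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
        Sort-Object CpuSeconds -Descending
}

function Test-DllhostCount {
    # Step 6: on a clean machine only one dllhost.exe (COM Surrogate) should be running.
    # Returns $true when the count is 0 or 1, $false when the symptom is still present.
    $count = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue).Count
    if ($count -gt 1) {
        Write-Warning "$count dllhost.exe processes running (expected 1): repeat step 3"
        return $false
    }
    Write-Host "dllhost.exe count is $count"
    return $true
}

function Stop-DllhostInstances {
    # Step 3, scripted: ends every dllhost.exe. -Confirm prompts before each one.
    Get-Process -Name dllhost -ErrorAction SilentlyContinue | Stop-Process -Force -Confirm
}

Get-PoweliksSuspects | Format-Table -AutoSize
Test-DllhostCount | Out-Null
```

Run it from an elevated PowerShell prompt so that the Path column is populated for every process; a process that shows no path or a path outside C:\Windows\System32 is the one to look at first.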