Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7
My Windows 7 computer started to run sluggishly. Windows Task Manager revealed many copies of the dllhost.exe *32 process running (about 30). Scans run by Norton 360 and MBAM showed no infection (cannot remember if I ran the scans after rebooting). My system began to run slowly again. Again, many copies of the dllhost.exe *32 process were running. I tried ending the processes, but could only gain traction in doing so after disconnecting from the internet. Did not end all of the processes; rebooted instead. Upon restarting, Windows 7 flagged that there was a problem with powershell and gave me the option of looking for a solution online (which I did). Scanned with Norton 360 and found 4 viruses (Trojan.Poweliks!gm three times and Trojan.Viknok.B!inf once); multiple *.tmp files in c:\windows\syswow64 were removed; file getsi.dll from c:\users\..\appdata\locallow was removed. Status in Norton 360 Security History is shown as Quarantined.
I suspect that a script is being run in powershell which infects my computer with Trojan.Poweliks!gm; multiple dllhost.exe *32 processes are started by the script or by the virus. Norton 360 is not preventing the infection (although a small Norton 360 window pops up in the lower right-hand corner of my desktop saying it has blocked an attack).
Currently, I have blocked powershell.exe from running (a copy exists in c:\windows\system32\windowspowershell\v1.0 and in c:\windows\syswow64\windowspowershell\v1.0).
I'm not sure what triggers powershell to run. I connect to the internet, showing Task Manager so that I can monitor the processes, and visit websites that I know to be safe. Eventually, the many copies of dllhost.exe *32 are kicked off and I've got to go through the whole process to clean my system again. Does anyone have any ideas? I ran Norton Community Watch to pass information collected to the Community.