I have seen a rather nasty virus lately: poweliks. Of the 4 times I have seen it in the past week, 2 were related to the Cryptowall malware. Poweliks is very hard to detect and once it is on your computer, it can actively hide from many antivirus and antimalware programs. Poweliks has the following tale-tell signs:
- Several legitimate Windows files will have high CPU usage. Some variants load several dllhost.exe files (most likely the 32-bit version). Some will constantly load other legitimate files.
- The registry will be modified so that certain keys are not accessible with the regedit.exe program or antivirus or antimalware software.
- There is no actual virus file. The file itself is stored in the registry and using a few tricks (and what I call design flaws of Windows), it loads the file straight from the registry. Sometimes the tricked used will make it impossible for anything except Windows to read the bad registry key.
I received a message when attempting to uninstall a variation of the Conduit search protect. The message was You do not have sufficient permission to uninstall your program. Please contact your system administrator. Since this computer was not in a domain, that message should never appear.
To fix the issue we have to a manual uninstall. First open the registry error and find the hives:
In those keys, look for the name of the program you are attempting to uninstall in the many subhives. Once you find it, look for an entry that says UninstallString. Copy the contents of that key. Now open a command prompt as an Administrator and enter the uninstall command you copied.
If you get an Access Denied message, then you will have to edit the permissions and possible the ownership of the master folder for that program. This master folder is usually in \Program Files\ or \Program Files (x86)\ folder, although some dodgy program may be somewhere else. Set the master program folder’s permission so that Everyone has full access. If this fails, set the ownership of the folder to the current user (and not Administrators) and then edit the folder’s permissions again. Now enter try that uninstall command again.