I have seen a rather nasty virus lately: poweliks. Of the 4 times I have seen it in the past week, 2 were related to the Cryptowall malware. Poweliks is very hard to detect and once it is on your computer, it can actively hide from many antivirus and antimalware programs. Poweliks has the following tale-tell signs:

  • Several legitimate Windows files will have high CPU usage. Some variants load several dllhost.exe files (most likely the 32-bit version). Some will constantly load other legitimate files.
  • The registry will be modified so that certain keys are not accessible with the regedit.exe program or antivirus or antimalware software.
  • There is no actual virus file. The file itself is stored in the registry and using a few tricks (and what I call design flaws of Windows), it loads the file straight from the registry. Sometimes the tricked used will make it impossible for anything except Windows to read the bad registry key.

So how do you get rid of it? Fortunately it is not too hard once you know. The best tool I’ve seen so far is the Eset Poweliks cleaner. I would run that first. Another very helpful program called RogueKiller can detect the virus but not always remove it. After using the Eset Poweliks cleaner, I would run RogueKiller. It is best to run this program in safe mode without networking.

The way the program works is that it attempts to shut down any bad programs running. After that you will need to scan your computer. Let RogueKiller attempt to delete every bad entry and maybe some of the possibly bad entries. If it fails to delete a file or registry hive, you will have to do it manually. This means editing the permission to a file or registry hive.

The process is the same for both. Attempt to set the Everyone permission on the file or registry hive first. If Windows will not let you, go to a higher folder or registry hive and set the Everyone permission on all child objects. Then delete the file or registry hive. Do not delete the individual registry keys, they will come back soon after you do.

The locations where in the registry where poweliks likes to hide and modify the registry are:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • HKEY_USERS\(any hive)\Software\Classes\CLSID\(any hive)
  • Look for a key with a lot of strange data in it.

There are other alternatives. You can create a new user account and transfer all the files over to that account. If there are not many files to transfer, this might be the best way to go.

After you remove Poweliks, you will need to delete all temporary files. This will take a long time. Sometimes it has taken me 45 minutes to clean up the temporary files Poweliks caused to be created. You can use the disk cleanup program that came with Windows or download CCleaner. You need to do that before you scan with an anti-malware or antivirus program.