Techs-on-Call Computer Repair Notes

I have seen a rather nasty virus lately: poweliks. Of the 4 times I have seen it in the past week, 2 were related to the Cryptowall malware. Poweliks is very hard to detect and once it is on your computer, it can actively hide from many antivirus and antimalware programs. Poweliks has the following tale-tell signs:

• Several legitimate Windows files will have high CPU usage. Some variants load several dllhost.exe files (most likely the 32-bit version). Some will constantly load other legitimate files.
• The registry will be modified so that certain keys are not accessible with the regedit.exe program or antivirus or antimalware software.
• There is no actual virus file. The file itself is stored in the registry and using a few tricks (and what I call design flaws of Windows), it loads the file straight from the registry. Sometimes the tricked used will make it impossible for anything except Windows to read the bad registry key.

Continue reading →

Sometimes, a virus or malware will modify the registry so that when you log in, a malicious file is processed instead of the standard windows file. There are several types of viruses that do this. Fortunately, the fix for all is the same. This is different than when Windows immediately restarts in Safe Mode. If that happens, you have malware that you will need to remove without Windows running.

Continue reading →

I encounter a problem that happened when you right-click a program. As soon as you right-clicked a program, a pop-up box appeared that said “There was a problem starting C:\users\owner\AppData\local\Temp\[random letters]\[different random letters]\wow.dll. A dynamic link library (DLL) initialization routine failed”. Or something like that.

Repeated searches of the registry for wow.dll found absolutely nothing. There was no trace of wow.dll in any of the startup entries. Internet searches weren’t very helpful either. I had already cleared all the temporary files, or so I thought, and so I thought the malware was removed.

It turns out there was a hidden, system folder that had its permissions taken away so that it was difficult to find and delete. After using Explorer to show hidden and system files, I had to right-click to get the permissions of the folder and take ownership of the now visible folder with the random letters. The error message came back, but I was still able to select the folder properties. After changing permissions and taking ownership of the folder, I discovered there was a wow64.dll file in that folder. Very sneaky. I deleted all those files and folders and the error message went away. Next I checked the registry for any references to wow64.dll and cleared those out.

The lesson is to always check for hidden, system files when you cannot figure out where the malware file is.

After I cleared out the malware, I did find this article which is also helpful. http://weirdwindowsfixes.blogspot.com/2013/06/wowdll-right-click-error.html

Here is a new trick of malware, booting only to the command prompt. Since malicious software changes daily to stay ahead of antivirus programs it has a one-day window to cause havoc. Further, the black hats are always two-steps ahead. They probably know Windows better than the programmers at Microsoft do. This new trick is to boot into a command prompt and not load the explorer.exe file. Most programs that start when you boot are loaded only when the explorer.exe file does. Many antivirus real-time scanners and update procedures are only loaded when explorer.exe is. By preventing that file to open, the antivirus does not update. If the antivirus does not update, it does not know about the new malware on the computer.

The fix is simple enough. You will first need to remove the file that starts the malware. Try safe mode first. Although a new trick of some malware is to cause the computer to immediately reboot when starting in safe mode so you may need to use the Windows Vista/7/8 DVD to manually remove the file in the places malware like to hide.

Once the malware is removed, open the registry editor: regedit.exe. Navigate to the registry hive HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Look for the keys shell and ParseAutoexec. The ParseAutoexec key is probably set to 1, that is the default value. You might want to change it to 0 so that the autoexec.bat is not run by default. If you see the shell key, you should either delete it or change the value to explorer.exe. If the shell key is absent, Windows defaults to global entry. Next, check the global entry by navigating to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon hive and make sure the shell key’s value is explorer.exe.

After that, in the command prompt run the explorer.exe file and then do a malware scan to clean out any remnant files.