Nasty new PC virus out there - Powerliks.

**SoonerDave** · 09-27-2014, 12:18 PM

Came across a rather nasty new virus on my laptop this week - called "Poweliks" - and its a fairly new beast that hides in your Windows registry rather than through any unauthorized files. If you suspect a virus, but your antivirus tool says it doesn't find one, it could be Poweliks. I've posted a summary of information about it at The Virtual Developer. THought I'd post it here because as I researched it, most of the information is very new (as in within the last month or two) and not very many antivirus vendors are presently equipped to detect it. It's a nasty one. Casual inspection will almost certainly *not* find this one.

**tfvc.org** · 09-27-2014, 03:04 PM

I wonder if Spybot Hijackthis or Adwcleaner would help remove since they scan registry. Spybot does make a registry backup when it is first launched (Or at least gives that option).

**Mel** · 09-27-2014, 03:14 PM

The recent PBS program NOVA was about stuff like this. It's called "Rise of the Hackers". Very scary stuff. China and Iran seem to be the big 2 in waging cyber war against us.

**tfvc.org** · 09-27-2014, 03:27 PM

My friend got one of those ransomwares last week that encrypted her user foldertree. I ended up having to reimage her drive. She was lucky that she had a backup of some of her stuff on her root folder so she didn't lose everything. This was not a week after spending several hours cleaning up a ton or spy/ad/browser wares. Her 18 year old son is not allowed on her computer anymore, and hopefully the changes to her group policies I made will help prevent this kind of crap in the future.

**SoonerDave** · 09-27-2014, 03:31 PM

Originally Posted by eatokc.com

I wonder if Spybot Hijackthis or Adwcleaner would help remove since they scan registry. Spybot does make a registry backup when it is first launched (Or at least gives that option).

Most registry scanning tools to this point are looking for things like BHO's (Browser Helper Objects) or startup commands tied to known malware/adware/virus files, but if they use standard Windows API's to read the Registry they could very easily overlook Poweliks.

Without getting grossly technical, Poweliks hides itself in the Windows registry, but under a name with a special character that the standard registry methods typically used by Windows programs cannot interpret, so a "conventional" scan will very likely fly right past Poweliks. If you use the regular Windows registry editing tool, you might be able to *see* where the virus is hiding out, but not be able to delete it - for the same reason.

As I noted in the blog post, RogueKiller and FARBAR Scan/Recovery tool can positively identify and possibly kill Poweliks. I identified it with FARBAR and killed it with RogueKiller, and in the last twelve hours or so, all my symptoms of infection have disappeared - huge svchost.exe working sets, random "Host Process for Windows Has Stopped Working" crash messages - and my PC is quiet and decidedly less stressed.

I have to believe antivirus vendors will have to adjust their products - perhaps substantially - to *really* look for these "second generation" threats. Viruses that drop no file payload and stick executable content into the freaking registry are just not part of the design of most antivirus products right now.