Big SVCHOST.EXE process? "Host Process" crashes? Maybe POWELIKS is presentIt's been a long time since I posted here, mostly because the Subversion migration project I was working before was essentially abandoned. But this week, I opted to restart this effort due to a particularly nasty first-hand experience I've had with a *really* nasty "second generation" virus called Poweliks.
As a software developer by trade and focused on Windows of paycheck necessity, you learn to deal with virus risks. In that time, I've learned to find and rid myself of most "normal" viruses with a few good tools and some experienced observation. But not this time.
My machine had been acting strangely for a few weeks - strange in ways that made me suspect a virus - but every online and CD-based external diagnostic tool I fired found nothing. Then, last night, still convinced something was awry, the FARBAR recovery/scan tool found the gremlin - called "POWELIKS!"
Given it's relative youth "in the wild," I thought I'd post at least a general summary of what I've found about this nasty beast, and give some folks a starting point in dealing with it. I hope its helpful.
This is not your run-of-the-mill virus!
This makes Poweliks dangerous and nasty for multiple reasons. First, the fact that it carries no immediately detectable payload means that it is virtually invisible to nearly all conventional antivirus tools. Second, as it is running, it carries no typical viral signature that many if not most antivirus products are designed to detect. Thirdly, the information about Poweliks suggests its designed to open remote channels to servers in Russia for the remote delivery of payloads that could do next to anything.
Do I have Poweliks?
I spent the better part of a day with various rescue tools and self-booting Linux-based repair CD's trying to find the source of my then-unknown problem. None of the tools I used noticed Poweliks. That's the scary part of this - Poweliks is, apparently, so new that most antivirus vendors have not yet caught up with it, meaning that lots of computers out there could be infected with it. Only a few bloggers and vendors have created tools that can start to deal with Poweliks.
What to do?!?
If you suspect a viral infection, but your antivirus tool doesn't show a problem, check out the FARBAR scan and recovery tool at Bleeping Computer. This tool will scan for a variety of rootkits and other malware, but it can also detect Poweliks. That's how I found it. Once FARBAR runs, review its logs files and see if it finds a "Poweliks!" signature hiding in your registry.
If you find Poweliks, go grab a copy of RogueKiller, from Adlice Software. This little gem is capable of targeting Poweliks and (hopefully) killing its roots, but its author is (as of this writing) updating it to find and kill variants he's already discovered. Mind you - this is not a tool for the faint-hearted. It will kill processes it recognizes as malevolent, then list in various tabs other system characteristics that may be indicative of a virus, but may be OK. It does a good job of making a basic assessment of which is which by coding entries in red (almost certainly bad news), orange (may or may not be bad news), or green (almost certainly OK). Highlight the entries, and hit the "Delete" button, and inspect the results. There's a forum with all manner of tutorials and info about using RogueKiller to rid yourself of Poweliks.
If you're feeling adventurous, you may be able to delete some of the core registry entries for Poweliks yourself. Doing so isn't possible using the conventional Windows registry editor, because the Poweliks dropper embeds a NULL value into the key name that conceals the evil payload, meaning that the standard API's used to handle the registry won't be able to find or delete it for you. To solve this part of the problem, go pick up a copy of yet another fantastic SysInternals tool called RegDelNull, which will search your various registry hives for entries with null elements and delete them.