It looks like there is a new variant of the Poweliks virus out there that is not detected (again) by antivirus software, and that even the vaunted ESET Poweliks cleaner doesn’t find yet. The symptom is that the computer is super slow, and if you look in the Task Manager you see at least one of these: Presentationhost.exe, Notepad.exe, conhost, Explorer.exe, taking up most of the CPU. If you kill them they just respawn.

In our case, the root cause of the problem was found here:

C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}\zipfldr.dll

This is a hidden folder and the file could not be erased while Windows was running. We unhid the folder from Windows and then booted into Recovery Environment to delete the dll and another file in the same folder.

I suppose it’s possible that the folder name is random, but it should always show up in the C:\ProgramData folder.

If this thing mutates a bit, the way to find it is to run the FRST tool from Safe Mode. You’ll need to keep swatting flies in the Task Manager as the various programs keep popping up and slowing down or stopping the procedure. FRST will create a couple of text files in the folder from which it is run. We found our problem in the “Addition.txt” file under the heading of Custom CLSID. The two things we were looking for were something being spawned from the HKU part of the registry and something running from the C:\ProgramData folder. And there it was.
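As an added example (not part of the original post, and not FRST’s or ESET’s code): a PowerShell check that looks for the same two things directly in the live registry, a CLSID registered under an HKU user hive whose COM server DLL or EXE lives under C:\ProgramData, so you can spot the pattern without reading Addition.txt by hand. The function name is made up for this example; it assumes you run it from an elevated prompt, in Safe Mode as the post suggests, and that ProgramData is at its default location.

```powershell
# Added example: flag per-user COM registrations (HKU hives) whose server
# lives under C:\ProgramData, the combination found in FRST's Custom CLSID section.
function Find-SuspiciousUserClsid {
    param([string]$Root = $env:ProgramData)   # assumption: the C:\ProgramData path the post names

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue) {
        # Per-user class data is stored in the HKU\<SID>_Classes hive;
        # HKU\<SID>\Software\Classes is a view onto it, so check both and de-duplicate later.
        $clsidRoot = switch -Regex ($hive.PSChildName) {
            '^S-1-5-21-.*_Classes$' { "$($hive.PSPath)\CLSID" }
            '^S-1-5-21-[\d-]+$'     { "$($hive.PSPath)\Software\Classes\CLSID" }
        }
        if (-not $clsidRoot) { continue }   # skips .DEFAULT and service-account hives

        foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            foreach ($server in 'InprocServer32', 'LocalServer32') {
                $val = (Get-ItemProperty -LiteralPath "$($clsid.PSPath)\$server" `
                        -ErrorAction SilentlyContinue).'(default)'
                if (-not $val) { continue }
                $path = "$val".Trim('"')            # LocalServer32 values are sometimes quoted
                if ($path -like "$Root\*") {
                    [pscustomobject]@{
                        Hive   = $hive.PSChildName
                        Clsid  = $clsid.PSChildName
                        Server = $server
                        Path   = $path
                        # -Force so a hidden folder (as in the post) is still reported
                        Attrib = (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue).Attributes
                    }
                }
            }
        }
    }
}

Find-SuspiciousUserClsid | Sort-Object Clsid, Path -Unique | Format-Table -AutoSize
```

A hit here is a lead to verify, not a verdict: some legitimate software does register per-user COM objects, but a DLL in a GUID-named, hidden ProgramData folder with no matching installer is the shape the post describes.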

I assume ESET will evolve their tool eventually to find this, but until then, there’s your fix. Enjoy.