I have an urgent problem that I need help with. I think it’s related to a virus or trojan. I apologize for the long post, but I want to give a full description.
I am running Windows 7 64-bit Ultimate Edition. I use Norton Anti-Virus and Norton Firewall. My browsers are Chrome, Internet Explorer and Firefox. Everything is updated with the latest patches, no exceptions.
I typically work with all 3 browsers open, but I do most of my browsing in Firefox. I was in fact browsing the web in Firefox when the problem happened.
A description of the event follows. I am sorry that the messages and process names are inexact, but I am going by memory. I was trying to screenshot these things for my records, but my computer blue-screened before I could save, and I lost them.
- I was browsing in Firefox tonight when my computer beeped and a window popped up saying something had stopped working. It was a window from UAC (User Account Control) asking my permission to do something. I do not recall the exact message.
- I clicked the “Cancel” button a few times, but the window kept popping up and the computer kept beeping, so I finally clicked “OK”. I know it was my mistake and I shouldn’t have done it, but I was in the middle of some work and the message was completely meaningless to me. I was unable to tell if it was from malware or a legitimate Windows message, so I clicked "OK" to make it go away.
- After I clicked OK, the message went away. I noticed a Command Window flashing open briefly and then closing, then everything was back to normal. I continued browsing.
- About 5 minutes later, I noticed that my CPU temperature was going up. I have a utility that graphs CPU/Videocard temperatures on my desktop; that’s how I noticed.
- I checked Task Manager and noticed that multiple copies (6-10) of a process that I had never seen before were running. The best I recall the name is “vmwujrva.exe”. I will call it “rogue process” from here on when referring to it, because I am not 100% sure if that was the exact name. These identical rogue processes were peaking the CPU, causing the temperature to rise.
- I immediately searched for the process name in Google to find out what it was, but Google returned no hits.
- I tried to end the processes in Task Manager, but they kept respawning faster than I could end them. There were always about 6-10 of them running, no matter how fast I killed them in Task Manager.
- I right-clicked the process in Task Manager and chose "Open File Location", and saw that the process was from an executable file with the same name, located in the directory: Users\MyName\AppData\LocalLow\Adobe. I tried to delete the directory but got an error saying that a file was in use by Chrome and could not be deleted.
- I shut down Chrome, verified that chrome.exe was no longer running, then tried deleting the directory again. No success, same error message.
- I then started two utilities I have: Process Explorer and Process Monitor, both from Sysinternals. I found out that the rogue process was signed by Google Inc., and that at least one of them had a TCP connection open to some site called btrill.com. Process Explorer identified it as a Chrome process, even though Chrome was not running at the time.
- Finally, I noticed that my Start Menu had changed. Specifically, I had Firefox pinned to the Start Menu, but it was no longer there.
- At this point I decided to reboot the computer, hoping to quickly delete the directory containing the rogue process executable, before the directory was locked by the process. After rebooting, I immediately deleted that directory. However, I noticed a few minutes later that the multiple copies of the same rogue process again appeared in Task Manager. This time they were running from a different directory, namely Users\MyName\AppData\LocalLow\EmieUserList.
- I again tried shutting down the processes in Task Manager, but they kept respawning. I noticed that as I shut them down and they respawned, my memory usage kept going up. I was at 12GB used out of 16GB total, when my computer blue screened, losing all screenshots and records that I was in the process of saving.
- At the blue screen it told me it was writing a core dump to disk, but this process only went to 90% and then stuck there for 5 minutes. Finally, I interrupted it by rebooting through power cycling the computer.
- This time I booted to Safe Mode. I immediately selected “System Restore” and saw that the last restore point was from November 1. I restored from that restore point, and then booted in normal mode.
- Since then, the rogue process has not appeared. My computer appears to be back to normal.
I have since taken these additional steps:
- Used Control Panel to remove the programs Chrome and Firefox, then reinstalled Firefox from the Mozilla site. I have not reinstalled Chrome yet, but plan to do so soon.
- Ran a complete system scan with Norton Anti-Virus. It reported no viruses or trojans.
- Downloaded and ran Malwarebytes. It reported no problems.
I am pretty sure that I have a virus of some kind, because the behavior with the constantly respawning process (whose name can’t be found on Google’s Search Engine), its TCP connection to btrill.com, the constantly increasing memory use, the blue screen – all seem virus-like to me.
Although doing a system restore from a previous restore point has fixed the problem of that rogue process spawning, I understand that system restore only reverts changes back from the registry, and any other changes made by the virus probably remain unfixed. Also, the virus itself must still be there, since neither Norton nor Malwarebytes found it and deleted it.
Can anyone suggest what might be going on and how to fix it? What can I do to further investigate the problem, and confirm one way or the other that it really was a virus?
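The manual investigation steps described in the post (listing running processes, finding each image's file location, checking who signed it, and seeing which ones hold TCP connections) can be done in one pass from a PowerShell prompt, which also preserves the evidence that was lost to the blue screen. The script below is an added example, not code from the original post or from any Sysinternals tool. It assumes PowerShell 2.0 or later on Windows 7, an elevated prompt so WMI can read every process's path, the English-locale `netstat -ano` output layout, and a hypothetical output folder `triage-evidence` on the desktop; the "suspect roots" list is an assumption about where an updater would rarely run from, not a rule the post states.

```powershell
# Added example (not part of the original post): one-pass process triage for Windows 7.
# Run from an elevated PowerShell prompt. Assumes PowerShell 2.0+ and English netstat output.

# User-writable profile directories: a legitimate browser or updater rarely runs its
# main executable from here, so an image in one of these roots is worth a closer look.
# (Assumption for this example, not a statement from the original post.)
$suspectRoots = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:TEMP
) | Where-Object { $_ }

# Build a map of process id (as a string key) -> established remote endpoints from netstat -ano.
# Keys are strings on purpose: WMI returns ProcessId as UInt32 and hashtable lookups do not
# coerce between integer types, so a string key avoids silent lookup misses.
$connByPid = @{}
netstat -ano | ForEach-Object {
    $parts = ($_ -replace '^\s+', '') -split '\s+'
    if ($parts.Count -ge 5 -and $parts[0] -eq 'TCP' -and $parts[3] -eq 'ESTABLISHED') {
        $key = $parts[4]                       # owning PID
        if (-not $connByPid.ContainsKey($key)) { $connByPid[$key] = @() }
        $connByPid[$key] += $parts[2]          # remote address:port
    }
}

# Group live processes by image path: a family that keeps respawning the same executable
# collapses to one row with an instance count, which is easier to read than Task Manager.
$procs = Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath }
$rows = $procs | Group-Object ExecutablePath | ForEach-Object {
    $path = $_.Name

    # Verify the Authenticode signature of the file actually on disk, rather than trusting
    # a display name; an unsigned or tampered image shows up as NotSigned / HashMismatch.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $signer = '(unsigned)'
    $status = 'n/a'
    if ($sig) {
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $inSuspectRoot = $false
    foreach ($root in $suspectRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inSuspectRoot = $true }
    }

    $procIds = $_.Group | ForEach-Object { "$($_.ProcessId)" }
    $remotes = $procIds | ForEach-Object { $connByPid[$_] } | Where-Object { $_ } | Sort-Object -Unique
    $parents = $_.Group | ForEach-Object { $_.ParentProcessId } | Sort-Object -Unique

    New-Object PSObject -Property @{
        Path      = $path
        Instances = $_.Count
        SignerCN  = $signer
        SigStatus = $status
        UserDir   = $inSuspectRoot
        Parents   = ($parents -join ',')     # who keeps spawning them: the parent PID is the lead
        Remote    = ($remotes -join ', ')
    }
}

# Show the rows that match the symptoms in the post first: image in a user-writable
# directory, many instances of the same image, or a signature that does not verify.
$rows | Where-Object { $_.UserDir -or $_.Instances -ge 3 -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Instances -Descending |
    Format-Table Instances, Path, SignerCN, SigStatus, Parents, Remote -AutoSize

# Preserve evidence before deleting anything, so a full listing and copies of the suspect
# images survive a crash and can be submitted to the AV vendor or an analyst.
# (Folder name is a hypothetical choice for this example.)
$evidence = Join-Path $env:USERPROFILE 'Desktop\triage-evidence'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
$rows | Export-Csv -Path (Join-Path $evidence 'processes.csv') -NoTypeInformation
$rows | Where-Object { $_.UserDir } | ForEach-Object {
    Copy-Item -Path $_.Path -Destination $evidence -ErrorAction SilentlyContinue
}
```

The `Parents` column is the part Task Manager does not show and the part that matters most for a respawning process: killing children is pointless while the parent that launches them is still alive, so the parent PID (and its own row in the same table) is where to look next. The CSV and copied images give something concrete to hand over, and copying them out before any deletion avoids repeating the loss described in the post.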