Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unrecognized runaway process, suspect virus, please help.


  • Please log in to reply
1 reply to this topic

#1 Rebecca_A

Rebecca_A

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 05 November 2014 - 09:25 AM

I have an urgent problem that I need help with. I think it’s related to a virus or trojan. I apologize for the long post, but I want to give a full description.

 

I am running Windows 7 64-bit Ultimate Edition. I use Norton Anti-Virus and Norton Firewall. My browsers are Chrome, Internet Explorer and Firefox. Everything is updated with the latest patches, no exceptions.

 

I typically work with all 3 browsers open, but I do most of my browsing in Firefox. I was in fact browsing the web in Firefox when the problem happened.

 

A description of the event follows. I am sorry that the messages and process names are inexact, but I am going by memory. I was trying to screenshot these things for my records, but my computer blue-screened before I could save, and I lost them.

 

  1. I was browsing in Firefox tonight  when my computer beeped and a window popped up saying something had stopped working. It was a window from UAC (User Account Control) asking my permission to do something. I do not recall the exact message.
  2. I clicked the “Cancel” button a few times, but the window kept popping up and the computer kept beeping, so I finally clicked “OK”. I know it was my mistake and I shouldn’t have done it, but I was in the middle of some work and the message was completely meaningless to me. I was unable to tell if it was from malware or a legitimate Windows message, so I clicked "OK" to make it go away.
  3. After I clicked OK, the message went away. I noticed a Command Window flashing open briefly and then closing, then everything was back to normal. I continued browsing.
  4. About 5 minutes later, I noticed that my CPU temperature was going up. I have a utility that graphs CPU/Videocard temperatures on my desktop; that’s how I noticed.
  5. I checked Task Manager and noticed that multiple copies (6-10) of a process that I had never seen before were running. The best I recall the name is “vmwujrva.exe”. I will call it “rogue process” from here on when referring to it, because I am not 100% sure if that was the exact name. These identical rogue processes were peaking the CPU, causing the temperature to  rise.
  6. I immediately searched for the process name in Google to find out what it was, but Google returned no hits.
  7. I tried to end the processes in Task Manager, but they kept respawning faster than I could end them. There were always about 6-10 of them running, no matter how fast I killed them in Task Manager.
  8. I right clicked the process in Task Manager and chose "Open File Location", and saw that the process was from an executable file with the same name, located in the directory: Users\MyName\AppData\LocalLow\Adobe. I tried to delete the directory but got an error saying that a file was in use by Chrome and could not be deleted.
  9. I shut down Chrome, verified that chrome.exe was no longer running, then tried deleting the directory again. No success, same error message.
  10. I then started two utilities I have: Process Explorer and Process Monitor, both from Sysinternals. I found out that the rogue process was signed by Google Inc., and that at least one of them had a TCP connection open to some site called btrill.com. Process Explorer identified it as a Chrome process, even though Chrome was not running at the time.
  11. Finally, I noticed that my Start Menu had changed. Specifically, I had Firefox pinned to the Start Menu, but it was no longer there.
  12. At this point I decided to reboot the computer, hoping to quickly delete the directory containing the rogue process executable, before the directory was locked by the process. After rebooting, I immediately deleted that directory. However, I noticed a few minutes later that the multiple copies of the same rogue process again appeared in Task Manager. This time they were running from a different directory, namely Users\MyName\AppData\LocalLow\EmieUserList.
  13. I again tried shutting down the processes in Task Manager, but they kept respawning. I noticed that as I shut them down and they respawned, my memory usage kept going up. I was at 12GB used out of 16GB total, when my computer blue screened, losing all screenshots and records that I was in the process of saving.
  14. At the blue screen it told me it was writing a core dump to disk, but this process only went to 90% and then stuck there for 5 minutes. Finally, I interruipted it by rebooting through power cycling the computer.
  15. This time I booted to Safe Mode. I immediately selected “System Restore” and saw that the last restore point was from November 1. I restored from that restore point, and then booted in normal mode.
  16. Since then, the rogue process has not appeared. My computer appears to be back to normal.

 

I have since taken these additional steps:

 

  1. Used Control Panel to remove the programs Chrome and Firefox, then reinstalled Firefox from the Mozilla site. I have not reinstalled Chrome yet, but plan to do so soon.
  2. Ran a complete system scan with Norton Anti Virus. It reported no viruses or trojans.
  3. Downloaded and ran Malwarebytes. It reported no problems.

 

I am pretty sure that I have a virus of some kind, because the behavior with the constantly respawning process (whose name can’t be found on Google’s Search Engine), its TCP connection to btrill.com, the constantly increasing memory use, the blue screen – all seem virus-like to me.

 

Although doing a system restore from a previous restore point has fixed the problem of that rogue process spawning, I understand that system restore only reverts changes back from the registry, and any other changes made by the virus probably remain unfixed. Also, the virus itself must still be there, since neither Norton or Malwarebytes found it and deleted it.

 

Can anyone suggest what might be going on and how to fix it? What can I do to further investigate the problem, and confirm one way or the other that it really was a virus?



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,710 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:04 AM

Posted 05 November 2014 - 08:21 PM

Welcome aboard p22002758.gif

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

p22002970.gif Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


p22002970.gifDownload 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"



p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users