

Fake Google Chrome processes



#1 jsimonso


Posted 26 December 2014 - 11:25 AM

Windows 7 PC just started running very slowly.  Noticed numerous (sometimes up to 25) processes named "mmxctdbwkm.exe" running, spawning, re-spawning constantly.  Norton 360 popups indicating "Google Chrome using excessive memory resources" - task manager shows processes having descriptions "Google Chrome" which obviously they are not as Google Chrome is not installed on this PC!  Files are under C:\users\John\appdata\LocalLow\.... I would like to follow the procedure in the link below as it describes my problem fairly accurately.  However, the process appears to require 2-way collaboration and information sharing so wanted to check first before diving in.  Thank you in advance for your help.

 

http://www.bleepingcomputer.com/forums/t/551186/fake-google-chrome-running-multiple-processes-in-task-manager/
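A defender-side check for the symptom described in this post, added here as an example and not part of the thread: list running processes whose version-info description claims a known product (here "Google Chrome") but whose image runs from the user profile, and count how many instances share one image, as the poster saw with up to 25 copies of "mmxctdbwkm.exe". The description list and the path used to exclude a legitimate per-user Chrome install are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt;
# processes that cannot be opened (protected/system) are skipped.

$suspectDescriptions = @('Google Chrome')                      # assumption: products worth checking
$userProfileRoot     = [Environment]::GetFolderPath('UserProfile')   # e.g. C:\Users\John
# Assumption: a genuine per-user Chrome lives here; anything else under the profile is suspect.
$legitPerUserChrome  = Join-Path $userProfileRoot 'AppData\Local\Google\Chrome\Application'

function Get-MisplacedProcess {
    param(
        [string[]]$Descriptions = $suspectDescriptions,
        [string]$ProfileRoot    = $userProfileRoot,
        [string]$LegitChrome    = $legitPerUserChrome
    )
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $path = $proc.MainModule.FileName
            $desc = $proc.MainModule.FileVersionInfo.FileDescription
        } catch { return }                     # access denied: skip this process
        if (-not $path) { return }

        $claimsKnownProduct = $Descriptions -contains $desc
        $underProfile = $path.StartsWith($ProfileRoot, [StringComparison]::OrdinalIgnoreCase)
        $isLegitChrome = $path -like "$LegitChrome*"

        # Flag: claims to be a known product, runs from the profile, not the known install path.
        if ($claimsKnownProduct -and $underProfile -and -not $isLegitChrome) {
            [pscustomobject]@{
                Name        = $proc.ProcessName
                Id          = $proc.Id
                Description = $desc
                Path        = $path
            }
        }
    }
}

# Group by image so a respawning loop shows up as one path with a high count.
Get-MisplacedProcess |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ Name = 'Path';        Expression = { $_.Name } },
                  @{ Name = 'Description'; Expression = { $_.Group[0].Description } } |
    Format-Table -AutoSize
```

An empty table means nothing matched; a row with a random-looking image name under AppData and a count well above one is the pattern this thread describes and is worth quarantining rather than just killing, since the processes respawn.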

 




#2 buddy215


Posted 26 December 2014 - 11:52 AM

Start with the scanning for Poweliks. If it is found and removed there will be more cleanup of other malware to do.

Please download Powelikscleaner (by ESET) and save it to your Desktop. (Let me know if Poweliks was found and removed as shown in the last image.)
1. Double-click on ESETPoweliksCleaner.exe to start the tool.
2. Read the terms of the End-user license agreement and click Agree.
3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
4. If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 jsimonso


Posted 26 December 2014 - 12:01 PM

Thanks.  I will be heading home from work in a couple of hours.  Will follow your instructions then.



#4 buddy215


Posted 26 December 2014 - 12:33 PM

If poweliks is or is not one of the culprits use the programs below.

 

Hold down Control and click on this link to open ESET OnlineScan in a new window. (Eset can take more than an hour to run so plan accordingly)

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


#5 jsimonso


Posted 26 December 2014 - 01:37 PM

Started 1st procedure.  Unable to download the tool.  Message from IE:  "Your current security settings do not allow this file to be downloaded".

I then disabled Norton 360 virus auto-protect & firewall for 15 minutes.  Then retried.  Same result.



#6 jsimonso


Posted 26 December 2014 - 02:00 PM

Update:
1.  Downloaded Powelikscleaner from another computer & transferred to infected computer via external hard drive.
2.  Disabled Norton 360 for 15 minutes.
3.  Ran utility.  Found infection & cleaned it (trying to figure out how to attach the log)
4.  Rebooted computer
5.  Noticed same set of processes are still present on system
6.  Ran utility a second time - indicated no infection present.  So this must be something else...   Moving on to second set of procedures.



#7 jsimonso


Posted 26 December 2014 - 02:23 PM

Update - started second procedure.  The malware apparently is affecting IE's ability to download and run 3rd party plug-ins and content.  So, again, I'm using a separate/uninfected computer to download the standalone ESET installer and transfer via USB drive to the infected computer.  The ESET scan has begun downloading itself.

 

** Any hints how to attach files on this forum are appreciated.  I haven't found out how to do that yet.



#8 Queen-Evie


Posted 26 December 2014 - 02:38 PM

Files cannot be attached here in Am I Infected.

You will need to copy the log results and paste them into a reply.

 

 

Attachments are allowed only in certain forums.

For reference, here is a list of which sub-forums allow the use of attachments.

 

Operating Systems Forum
Windows 95/98/ME
Windows XP Home and Professional
Windows NT/2000/2003/2008
Windows Vista
Windows 7
Windows 8

 

Hardware Forum
Internal Hardware

Security Forum
Virus, Trojan, Spyware, and Malware Removal Logs



#9 jsimonso


Posted 26 December 2014 - 03:02 PM

Got it, thanks.  ESET is progressing now.  I will reply once all of the recommended steps from 2nd procedure have been completed.  Here is the text log from ESETPoweliksCleaner.

 

I attempted to paste in the log files directly but they are too big.  So I'm truncating by eliminating all of the "INFO" messages ....

 

First run (found & cleaned) - 533kb

[2014.12.26 12:48:22.360] - Begin

snip .... snip .... snip

[2014.12.26 12:48:22.360] -
[2014.12.26 12:48:22.360] - INFO: OS: 6.1.7601 SP1
[2014.12.26 12:48:22.360] - INFO: Product Type: Workstation
[2014.12.26 12:48:22.360] - INFO: WoW64: True
[2014.12.26 12:48:22.360] - INFO: Machine guid: DF1450F2-D2F0-4B6F-84A1-52E77D0F7D55
[2014.12.26 12:48:22.360] -
[2014.12.26 12:48:23.723] - INFO: Scanning for system infection...
[2014.12.26 12:48:23.723] - --------------------------------------------------------------------------------
[2014.12.26 12:48:23.723] -

 

snip .... snip .... snip

 

[2014.12.26 12:48:23.816] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-61553961-2762106452-785047371-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]

snip .... snip .... snip

 

[2014.12.26 12:48:30.368] - INFO: Cleaning status: 0
[2014.12.26 12:48:33.732] - End



#10 buddy215


Posted 26 December 2014 - 04:03 PM

You can reset internet settings to default. Poweliks sometimes is able to change those settings so just reset them.

 

To fix this, press the Windows key on your keyboard, and while holding it down, also press the R key on your keyboard. This will open the Run dialog box as shown below.


In the Open: field in the Run dialog box, type the text inetcpl.cpl, as shown in the image above, and then press the OK button. Once you press OK, the Internet Properties screen will open.

When the Internet Properties screen is open, click on the Security tab and you will be shown the security settings for Internet Explorer as shown below.
 


Now click on the Reset all zones to default level button as indicated by the blue arrow in the image above. After you press the reset button, click on the Apply button and then the OK button to save your changes and close the Internet Properties screen.



#11 jsimonso


Posted 26 December 2014 - 04:26 PM

ESET is done.  Found 4 issues.  ESET scan took ~2 hours due to slow SATA drive.  Moving on to remaining scans in 2nd post.

 

C:\Program Files (x86)\di9TheBestDeals\175.dll a variant of Win32/AdWare.AddLyrics.BH application cleaned by deleting - quarantined
C:\Program Files (x86)\di9TheBestDeals\g7TheBestDealsx.exe a variant of Win32/AdWare.AddLyrics.AY application cleaned by deleting - quarantined
C:\Program Files (x86)\di9TheBestDeals\x2TheBestDealsMu175.dll a variant of Win32/AdWare.AddLyrics.BB application cleaned by deleting - quarantined
C:\Users\John\AppData\Local\Temp\lfxiwim.dll a variant of Win32/Kryptik.CUAF trojan cleaned by deleting - quarantined
C:\Users\John\AppData\Local\{D277F064-0DD9-4135-B5A0-F9E5CAABCC5B}\Moreifhypr.dll a variant of Win32/Kryptik.CUAF trojan cleaned by deleting - quarantined
 



#12 jsimonso


Posted 26 December 2014 - 04:33 PM

Correction, that's 5 issues discovered.  The first three I had a hunch about.  The only change to the computer right before getting this issue was an iTunes upgrade - first one in 18 months.  I stopped using iTunes that long ago but followed procedure to export iTunes library to son's new Mac required that I upgrade it on the PC first.  Malwarebytes running now...



#13 jsimonso


Posted 26 December 2014 - 05:13 PM

All procedures have been completed and the former behavior is gone.  Thank you very much for the most-useful and timely information.



#14 buddy215


Posted 26 December 2014 - 05:49 PM

You're welcome...enjoyed working with you.

 

Be sure to check all Adobe products such as Reader and Flash, Java (not java script), browsers and Windows for

to get the latest security updates for those programs that malware most often takes advantage of.

Opening a malicious email attachment is another popular way for malware to infect the computer.

 

Happy surfin' !



#15 jsimonso


Posted 26 December 2014 - 06:06 PM

Will do.  One thing that is bothersome is that Norton 360 did not detect or pick this up.  It has not failed me in over 18 months, but did this time.  I suppose there is no 1-stop shop for all that is Malware prevention but when it comes to doling out money for subscriptions I guess you just have to pick your poison and trust your provider is up to the task.





