
Very strange process in Process Explorer


9 replies to this topic

#1 Wanderingo (Members, 1 posts)

Posted 04 September 2016 - 01:31 PM

Hi everyone,

 
Last night I checked Process Explorer on my Windows 8.1 computer and I was very surprised to see a process with a Google logo and Chinese characters for a name running at the bottom. Furthermore, the other fields like company name were blank. As soon as I opened PE and saw this, PE crashed. I was so surprised that I didn't get a screenshot, and now I can't find any trace of anything strange with my system!
 
I've tried GMER, Process Hacker and Comodo KillSwitch, but my system comes up as perfectly clean. I'm starting to wonder whether it was just a bug in PE that caused it, but I'd like to hear everyone's thoughts on the matter. Has something similar ever happened to any of you?



#2 buddy215 (Moderator, 13,102 posts, West Tennessee)

Posted 04 September 2016 - 03:13 PM

Welcome to BC...

 

I doubt anyone will respond that has experienced the same.

 

You can check to see if there is anything unusual in your Google Chrome add-ons...assuming you have Google Chrome installed.

 

You can find and remove malware and adware using the programs below.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 sosak (Members, 5 posts)

Posted 27 December 2016 - 01:41 PM

The same happened to me today and I reacted very similarly to Wanderingo - gaping at it, trying to trace the process using Process Explorer, which froze immediately.

 

Neither Malwarebytes Premium 3.0 nor ESET Antivirus has found anything.

 

Any update on this please?

 

Cheers!



#4 buddy215 (Moderator, 13,102 posts, West Tennessee)

Posted 28 December 2016 - 01:46 PM

sosak....Welcome to BC..

 

Give the two programs AdwCleaner and JRT a try. Use the instructions in my first post.



#5 sosak (Members, 5 posts)

Posted 28 December 2016 - 03:00 PM

Hi buddy215 mate,

 

Thank you for your reply. I tried AdwCleaner now and it found 7 threats - here are both the search and clean logs [they were in Czech so I tried to translate the log contents as accurately as possible]:
 

 

# AdwCleaner v6.041 - Log created on 28/12/2016 at 20:42:44
# Updated on 16/12/2016 z Malwarebytes
# Database : 2016-12-26.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : sosak - POČÍTAČ
# Launched from : C:\Users\sosak\Desktop\PC CLEANUP TOOLS\AdwCleaner.exe
# Mode: Scaning
 
 
 
***** [ Services ] *****
 
No harmfull services found.
 
 
***** [ Folders ] *****
 
Folder found: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Extensions\chklaanhfefbnpoihckbnefhakgolnmc
 
 
***** [ Files ] *****
 
File found: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chklaanhfefbnpoihckbnefhakgolnmc_0.localstorage
File found: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chklaanhfefbnpoihckbnefhakgolnmc_0.localstorage-journal
 
 
***** [ DLL ] *****
 
No harmfull DLLs found.
 
 
***** [ WMI ] *****
 
No harmfull keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled tasks ] *****
 
Scheduled task found: Chrome Cleanup Tool logs upload retry
 
 
***** [ Registers ] *****
 
Key found: HKLM\SOFTWARE\Classes\AppID\{9C81D00A-3DAA-48AB-90C7-8252119ABB93}
Key found: HKLM\SOFTWARE\Classes\AppID\{1DA17428-323D-48FF-857C-98CFEE48BFD5}
 
 
***** [ Internet Browsers ] *****
 
No harmfull items for Firefox browser found.
Chromium setting found: [C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - chklaanhfefbnpoihckbnefhakgolnmc
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1818 Bajty] - [28/12/2016 20:42:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1891 Bajty] ##########
 

 

 

 

 

# AdwCleaner v6.041 - Log created on 28/12/2016 at 20:45:28
# Updated on 16/12/2016 z Malwarebytes
# Database : 2016-12-26.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : sosak - POČÍTAČ
# Executed from : C:\Users\sosak\Desktop\PC CLEANUP TOOLS\AdwCleaner.exe
# Mode: Cleaning
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder removed: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Extensions\chklaanhfefbnpoihckbnefhakgolnmc
 
 
***** [ Files ] *****
 
[-] File removed: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chklaanhfefbnpoihckbnefhakgolnmc_0.localstorage
[-] File removed: C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chklaanhfefbnpoihckbnefhakgolnmc_0.localstorage-journal
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled tasks ] *****
 
[-] Task removed: Chrome Cleanup Tool logs upload retry
 
 
***** [ Registers ] *****
 
[-] Key removed: HKLM\SOFTWARE\Classes\AppID\{9C81D00A-3DAA-48AB-90C7-8252119ABB93}
[-] Key removed: HKLM\SOFTWARE\Classes\AppID\{1DA17428-323D-48FF-857C-98CFEE48BFD5}
 
 
***** [ Browsers ] *****
 
[-] [C:\Users\sosak\AppData\Local\Google\Chrome\User Data\Default] [extension] Removed: chklaanhfefbnpoihckbnefhakgolnmc
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleaned
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1643 Bytes] - [28/12/2016 20:45:28]
C:\AdwCleaner\AdwCleaner[S0].txt - [1970 Bytes] - [28/12/2016 20:42:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1789 Bajty] ##########
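As an added example (not part of the thread and not AdwCleaner's own tooling), the PowerShell below parses an AdwCleaner scan log and its matching clean log in the format shown above and reports anything that was found but not confirmed removed, which is the check a reviewer does by eye when reading the two logs. The two embedded logs are constructed samples in that format with placeholder paths and IDs; load $scanLog and $cleanLog from the real AdwCleaner[S0].txt and AdwCleaner[C0].txt files (Get-Content -Raw) to use it on a real run.

```powershell
# Added example, not from the thread: cross-check an AdwCleaner scan ([S0]) log
# against its clean ([C0]) log and list items found but not reported removed.
# The two logs below are CONSTRUCTED samples in the AdwCleaner v6 format with
# placeholder paths and IDs; replace them with the real files to use this.

$scanLog = @'
***** [ Folders ] *****
Folder found: C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop
***** [ Scheduled tasks ] *****
Scheduled task found: Example Updater Task
***** [ Registers ] *****
Key found: HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000001}
Key found: HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000002}
***** [ Internet Browsers ] *****
Chromium setting found: [C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - abcdefghijklmnopabcdefghijklmnop
'@

$cleanLog = @'
***** [ Folders ] *****
[-] Folder removed: C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop
***** [ Scheduled tasks ] *****
[-] Task removed: Example Updater Task
***** [ Registers ] *****
[-] Key removed: HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000001}
***** [ Browsers ] *****
[-] [C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default] [extension] Removed: abcdefghijklmnopabcdefghijklmnop
'@

function Get-AdwItems {
    param([string]$Text)
    # Normalise every finding/removal line to "<kind>|<value>" so the two logs
    # compare equal even though the scan and clean wording differs per kind.
    foreach ($line in $Text -split "`r?`n") {
        switch -Regex ($line.Trim()) {
            '^(?:\[-\] )?(Folder|File|Key) (?:found|removed): (.+)$'   { "$($Matches[1])|$($Matches[2].Trim())"; break }
            '^(?:\[-\] )?(?:Scheduled task found|Task removed): (.+)$' { "Task|$($Matches[1].Trim())"; break }
            '^Chromium setting found: \[.*\] - (\S+)$'                  { "Extension|$($Matches[1])"; break }
            '^\[-\] \[.*\] \[extension\] Removed: (\S+)$'               { "Extension|$($Matches[1])"; break }
        }
    }
}

$found    = @(Get-AdwItems $scanLog)
$removed  = @(Get-AdwItems $cleanLog)
# Anything found in the scan that has no matching "removed" line deserves a
# second look (a reboot-pending deletion, a permissions failure, or a rescan).
$leftover = @($found | Where-Object { $removed -notcontains $_ })

"Found: $($found.Count)  Removed: $($removed.Count)  Not confirmed removed: $($leftover.Count)"
$leftover | ForEach-Object { "  not confirmed removed: $_" }
```

With the constructed samples the second AppID key is the one item reported as not confirmed removed.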


#6 sosak (Members, 5 posts)

Posted 28 December 2016 - 03:14 PM

Hi buddy215,

 

here is Junkware Removal Tool scan result:
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Professional x64 
Ran by sosak (Administrator) on st 28.12.2016 at 21:07:33,86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 17 
 
Failed to delete: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VI7W51AO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HK6E7UB3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO5X311X (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\sosak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TO6PZ72R (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HK6E7UB3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO5X311X (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TO6PZ72R (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VI7W51AO (Temporary Internet Files Folder) 
 
 
 
Registry: 3 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{5E9BA19F-E032-4A60-9A60-64552215D6C9} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on st 28.12.2016 at 21:09:02,91
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Have you noticed something interesting please?
 
Cheers,
 
sosak


#7 buddy215 (Moderator, 13,102 posts, West Tennessee)

Posted 28 December 2016 - 03:55 PM

Removed an extension from Chrome....JSONView for Chrome

Removed some search toolbar and misdirect search when using Bing/ IE

 

Other than that...no info for what else was removed...

 

Are you experiencing any problems that could be adware or malware related?

 

Suggest using CCleaner regularly....installing an ad blocker if you don't have one and blocking ad/ tracking cookies aka third party cookies.

 

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

How to disable third-party cookies in all major web browsers

 

Adblock Plus - Chrome Web Store

If you install Adblock Plus...click on its ABP icon and choose Filter Preferences. UNcheck the box next to Allow some non-intrusive advertisements.

 

Check for security related issues by running this scan:

  • Download Security Check by glax24 and save the file to the Desktop.
  • Run the tool by accepting all the Security prompts.
  • When complete, the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard.
  • Simply paste the log to your reply.


#8 sosak (Members, 5 posts)

Posted 28 December 2016 - 05:49 PM

Hi buddy215,

 

here is the log from security check tool:
 

SecurityCheck by glax24 & Severnyj v.1.4.0.46 [22.09.16]
WebSite: www.safezone.cc
DateLog: 28.12.2016 23:40:58
Path starting: C:\Users\sosak\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: sosak
VersionXML: 3.67is-25.12.2016
___________________________________________________________________________
 
Windows 7(6.1.7601) Service Pack 1 (x64) Professional Lang: 0405
Installation date OS: 02.02.2015 13:49:20
LicenseStatus: Windows® 7, Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [232.7 Gb] Used: [179 Gb] Free: [53.7 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18426 Warning! Download Update
Online installation. Last version available when Windows update is enabled throught the Internet.
User Account Control enabled
Notify before download
Windows Update (wuauserv) - The service has stopped
Centrum zabezpečení (wscsvc) - The service is running
Vzdálený registr (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Vzdálená plocha (TermService) - The service has stopped
Vzdálená správa systému Windows (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Malwarebytes (enabled and up to date)
ESET NOD32 Antivirus 9.0.407.0 (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Brána Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
ESET NOD32 Antivirus 9.0.407.0 (enabled and up to date)
Malwarebytes (enabled and up to date)
Windows Defender (enabled and out of date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
ESET NOD32 Antivirus v.9.0.376.1
--------------------------- [ OtherUtilities ] ----------------------------
VLC media player v.2.2.4
TeamViewer 12 v.12.0.71503 Warning! Download Update
Wireshark 2.0.2 (64-bit) v.2.0.2 Warning! Download Update
OpenOffice 4.1.1 v.4.11.9775 Warning! Download Update
TeamViewer 12 (TeamViewer) - The service is running
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.30 v.7.30.105
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 102 (64-bit) v.8.0.1020.14 Warning! Download Update
Uninstall old version and install new one (jre-8u112-windows-x64.exe).
Java 8 Update 31 (64-bit) v.8.0.310 Warning! Download Update
Uninstall old version and install new one (jre-8u112-windows-x64.exe).
Java SE Development Kit 8 Update 102 (64-bit) v.8.0.1020.14 Warning! Download Update
Uninstall old version and install new one (jdk-8u112-windows-x64.exe).
Java SE Development Kit 8 Update 31 (64-bit) v.8.0.310.13 Warning! Download Update
Uninstall old version and install new one (jdk-8u112-windows-x64.exe).
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat Reader DC - Czech v.15.020.20042
------------------------------- [ Browser ] -------------------------------
Google Chrome v.55.0.2883.87
Mozilla Firefox 43.0.1 (x86 en-US) v.43.0.1 Warning! Download Update
Opera Stable 42.0.2393.94 v.42.0.2393.94
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird 45.5.1 (x86 cs) v.45.5.1
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.55.0.2883.87
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe v.9.0.407.0
ESET Service (ekrn) - The service is running
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe v.9.0.407.0
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.1.0.388
Windows Defender (WinDefend) - The service is running
----------------------------- [ End of Log ] ------------------------------
 

 

Thank you very much for your help mate. At the moment it looks like it runs just fine.

 

The only thing I worried about is the process with the crazy Chinese letters for a name that I saw running there. I haven't seen it there since yesterday, when I saw it for the first and last time - thus I hope it's not sitting somewhere silently waiting for action ;-)

 

ESET NOD32 Antivirus as well as Malwarebytes Premium 3.0 say constantly that everything is fine, so let's see ;-)

 

Thank you very much for your help and time!



#9 buddy215 (Moderator, 13,102 posts, West Tennessee)

Posted 28 December 2016 - 06:05 PM

You're welcome....if that pops up again...try to copy the process description and do a web search using it.

 

Be sure to take care of what was found in that last scan....especially uninstalling all of the Java programs...old Java programs are malware magnets.

Most don't need Java. If you are not sure whether it is needed or not for some game or other just delete until you are told it is needed.


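The advice above is to capture the process details before they vanish and search on them. As an added example (not code from the thread, from Process Explorer or from any tool named in it), this PowerShell script snapshots every running process, flags the traits the original poster described (blank company name, non-ASCII characters in the name or description, an image without a valid Authenticode signature) and writes the full list to a CSV, so a record survives even if the process viewer crashes. It assumes an elevated PowerShell 3.0 or later prompt on Windows; the output path and the ASCII-only name check are assumptions suited to an English-locale machine.

```powershell
# Added example, not from the thread: snapshot running processes and flag the
# traits described in the thread (blank company, non-ASCII name/description,
# unsigned image), then save everything so a record exists even if the viewer
# crashes. Assumes elevated PowerShell 3.0+ on Windows; output path is assumed.

$outFile = Join-Path $env:USERPROFILE 'Desktop\process-snapshot.csv'

function Test-OddName {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    # Anything outside printable ASCII (0x20-0x7E) is worth a second look on an
    # English-locale box; on a localised system adjust this to your script range.
    return ($Text -match '[^\x20-\x7E]')
}

$rows = foreach ($p in Get-Process) {
    $path = $null; $company = $null; $desc = $null; $sig = 'n/a'
    try {
        $path    = $p.MainModule.FileName
        $company = $p.MainModule.FileVersionInfo.CompanyName
        $desc    = $p.MainModule.FileVersionInfo.FileDescription
    } catch {
        # Protected or system processes refuse module access; record that fact
        # rather than silently dropping the process from the snapshot.
        $sig = 'access denied'
    }
    if ($path) {
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ... as a string
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    }
    $reasons = @()
    if (Test-OddName $p.ProcessName) { $reasons += 'non-ASCII name' }
    if (Test-OddName $desc)          { $reasons += 'non-ASCII description' }
    if ($path -and [string]::IsNullOrWhiteSpace($company)) { $reasons += 'blank company' }
    if ($path -and $sig -ne 'Valid') { $reasons += "signature: $sig" }
    [pscustomobject]@{
        PID         = $p.Id
        Name        = $p.ProcessName
        Path        = $path
        Company     = $company
        Description = $desc
        Signature   = $sig
        Flags       = ($reasons -join '; ')
    }
}

# Keep the whole snapshot on disk (a flagged process may be gone by the next look)
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
# Show only the processes that tripped a check; Path and Description are what
# to search on, as the thread suggests, before deciding anything
$rows | Where-Object { $_.Flags } | Format-Table PID, Name, Company, Signature, Flags -AutoSize
```

Unsigned does not mean malicious (many legitimate tools ship unsigned), so treat the flags as a triage list to research, not a verdict.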

#10 sosak (Members, 5 posts)

Posted 28 December 2016 - 06:42 PM

Thanks again :-)

 

The malware process description looked like an "overflowed" description of another process displayed by Process Explorer (as the description was like "ekern.exe >25%", which was the concatenated status of the ESET antivirus kernel process).

 

I was trying to google it, but this thread we are talking in was the only relevant result I found - and that by using a descriptive search expression for my problem like "chinese letters process malware" - if it shows up again I'll take a visual snapshot first.

 

Regarding the Java warnings in the previous post - those are Java JRE and JDK installations I'm using for development - they are installed and used by me with full awareness.

 

Cheers and have a good step into year 2017! ;-)





