Unknown malware infection impacting Chrome functionality and using resources


4 replies to this topic

#1 vgdc7

vgdc7

  • Members
  • 3 posts

Posted 27 May 2018 - 10:51 PM

Hello,

So, a bit embarrassing, but I've got what appears to be an impressively resilient malware strain wreaking havoc.

Notable problems caused by it are the creation of several mysterious processes which will be discussed further down, and Chrome being unable to open external links properly, leading only to a blank page.

Additionally, it creates profoundly bizarre invisible windows with bizarre names like "eaaghrji" and similar variants all sharing that "eaa" prefix.

Beyond being profoundly annoying and limiting some browser functionality, it doesn't seem to be explicitly malevolent; most things work fine, but it's impressively resilient.

It creates the processes "Ebeling.exe" and "Coaxing.exe" at unknown prompting, with Coaxing being able to be created multiple times and having multiple processes running simultaneously, of widely variable processing strain.

I like to think I'm relatively competent in minor bug repair, but this thing's pretty tough.

After performing scans with Malwarebytes and Spy Hunter, it did not recognize any threats. As such, I dug a little deeper.

I looked at the root folders and processes making the processes, and it led me into my Local directory, to a small (600-ish KB) application called Coaxing. I tried deleting it, but it crawled back from the grave and can do so easily.

Ebeling and Coaxing both had homes in the Registry and in a program file I didn't make called Greenman. I deleted that, and there were some others in there that seemed to die peacefully, but Coaxing in particular remains. I found these leads through Spy Hunter recognizing "strange" files, but it couldn't connect online to check its database or what-have-you. I even tried downloading Avast to see if it could come to any conclusion, but nothing doing.

I even tried looking at Coaxing's code in Notepad++, and was greeted with what looked to be gibberish I didn't understand. Since it kept regenerating I tried just modifying it to be blank to see if it did anything, but no.

When it regenerates, it always comes back with its friends GDIPFONTCACHV1.DAT, too.

I did some more digging, and it looks like it fiddled with my hosts file, and its directory was absolutely stuffed with ad domains. It tried to lock me out of it, since HijackThis couldn't get in on its own.

I also used HijackThis, and tried doing some virus scans in Safe Mode, to no avail.

I cleared my registry with CCleaner as well.

Frankly I'm at the end of my rope, as far as doing this myself; I don't know what more I can possibly attempt.

If anyone has some help they could offer I'd really appreciate it. I can't even find any documentation on Coaxing or Ebeling online at all!

Thank you for your time.
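A defender-side triage script, added here as an example and not posted in the thread: it enumerates the indicators the poster describes (the Coaxing/Ebeling processes and files, "eaa"-prefixed window titles, active hosts-file entries, Run-key autostarts and the http/https link handlers). It assumes Windows 10 with an elevated PowerShell prompt; the registry paths are standard places to check, not locations the thread confirms.

```powershell
# Added triage script; assumptions: Windows 10, elevated PowerShell, and the
# process names Coaxing / Ebeling exactly as the poster reported them.
$suspectNames = @('Coaxing', 'Ebeling')

# 1. Running processes with the reported names, plus the file each was started from
Get-Process |
    Where-Object { $suspectNames -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path, StartTime

# 2. Processes whose main window title starts with the "eaa" prefix the poster saw
#    (only visible main windows are reported here; hidden ones will not show)
Get-Process |
    Where-Object { $_.MainWindowTitle -like 'eaa*' } |
    Select-Object Id, ProcessName, MainWindowTitle

# 3. Copies of the suspect executables in the user's local profile and Program Files
$searchRoots = @($env:LOCALAPPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
Get-ChildItem -Path $searchRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -in $suspectNames } |
    Select-Object FullName, Length, LastWriteTime

# 4. Active (non-comment) hosts-file entries; a clean Windows hosts file has none
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostEntries = Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }
"hosts file: $($hostEntries.Count) active entries (0 expected on a clean system)"
$hostEntries | Select-Object -First 20

# 5. Run-key autostarts for the current user and the machine
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($values) {
        $values.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0} : {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 6. Command run when an external http/https link is opened. The poster saw Coaxing
#    respawn on exactly that action, so a modified handler is one place to look
#    (an assumption about where to check, not a confirmed finding from the thread).
foreach ($scheme in @('http', 'https')) {
    $handlerKey = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"
    $cmd = (Get-ItemProperty -Path $handlerKey -ErrorAction SilentlyContinue).'(default)'
    "$scheme handler: $cmd"
}
```

Anything the script lists is a lead to compare against the scanner logs the moderator asks for, not a verdict on its own.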



#2 buddy215

buddy215

  • Moderator
  • 13,323 posts
  • Gender:Male
  • Location:West Tennessee

Posted 29 May 2018 - 09:18 AM

Welcome to BC...

Do you have any software from https://www.greenmangaming.com/ installed on your computer?

Use the programs below to clean, remove adware and remove malware. I know you have Malwarebytes installed so just please run a scan using it and post the results per the instructions below.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

  • launch Malwarebytes and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items:
    • Enable detection of potentially unwanted applications
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 vgdc7

vgdc7
  • Topic Starter

  • Members
  • 3 posts

Posted 29 May 2018 - 10:02 AM

I have an update: the thing that seems to cause Coaxing to regenerate is clicking on an external link. It creates a blank new Chrome window, and an instance of Coaxing appears in my processes. I don't know how or why, but that's what I've managed to suss out about it.

Apologies for the bump, but I don't see an Edit button on my posts, so I'm just adding an additional post. 



My goodness, I didn't even see your post! Thanks so much. I'll get right on that and keep you posted as needs be.

Thanks very much.


Edited by vgdc7, 29 May 2018 - 10:06 AM.


#4 vgdc7

vgdc7
  • Topic Starter

  • Members
  • 3 posts

Posted 30 May 2018 - 08:40 AM

So, a bit under 10 hours of scanning from ESET, the problem is solved. Relief and a touch of chagrin, but I'm glad it's over.

I'll give a quick play by play.

First off, I tried Malwarebytes again, checking to update its definitions. It gave me a connection error when it tried to connect. It came back clean, since I've been scrubbing with it desperately. I'm not sure how long it's had that issue, but evidently I'd lapsed in my maintenance. I'm uninstalling and reinstalling it.

Then came AdwCleaner, which found some stuff, but left Coaxing. The log is in the Pastebin below:

https://pastebin.com/D1GKcBeq

Finally came ESET. It took a dog's age to finish its scan, but it managed to find Coaxing, along with a bunch of smaller things, and take them out. I don't know 100% why ESET was able to catch it where Avast, Malwarebytes, Spy Hunter and the rest couldn't, but I'm thankful nonetheless.

A part of me wants to think that it's because it's an evil genius of a virus that stopped Windows Defender, MWB and Spy Hunter from being able to update to catch it because I'd failed to update them or something like that, but that's just a layperson's hypothesis.

Whatever the case, I'm extremely thankful for your help. Thank you so much for the assistance.



#5 buddy215

buddy215

  • Moderator
  • 13,323 posts
  • Gender:Male
  • Location:West Tennessee

Posted 30 May 2018 - 09:04 AM

You posted a much older log from AdwCleaner...suggest you uninstall AdwCleaner by opening it and clicking on Uninstall. That will delete all the old scan logs. Then download and run per instructions in my first post. Post the new log per instructions...don't use Pastebin..please.

# AdwCleaner v4.001 - Report created 25/10/2014 at 05:05:37
# DB v2014-10-23.2

# Updated 20/10/2014 by Xplode


Spy Hunter is likely interfering with Malwarebytes and other security programs. Suggest you uninstall it for now. Use Download Revo Uninstaller Freeware

