spawning process creates chr.exe files

teks14
I have a computer that when you boot (even in Safe Mode) keeps loading instances of chr.exe (I see them in the Task Manager). No other programs can be run (ComboFix, MalwareBytes, nothing).

I took the drive out of the PC, attached it to a USB cable and attached it to another PC so I could run a virus scan on the D drive. It found a lot of 'Trojans', but when I ran the scan a second time, it came back clean.

I put the HD back in the original computer and the same thing happens.

Any thoughts?
Dr. Klahn, Principal Software Engineer
Commented:
This is one I have not seen.  I'd try a couple of different online scanners against the drive and see if they can find more.

Symantec (horribly slow, but finds more things)
Eset
BitDefender

Depending on how much time and effort has been put into configuring this system, at some point it becomes a more profitable use of time to extract the important files to loadable media, completely wipe the hard drive and reload the operating system.  My experience is that at the six hour point, it is time to call a halt and reload.

Hopefully another expert knows exactly what the problem is and can advise how to eliminate it.
Sudeep Sharma, Technical Designer
Commented:
A few references I could find on the net are below:
http://www.threatexpert.com/report.aspx?md5=52e14d911198fffe93ba220a28c190c4
http://www.threatexpert.com/report.aspx?md5=a99f1b6f5e14037b8724cd66bed806b0

I would suggest you run an online scan with the ESET Online Scanner:
ESET online scan
http://www.eset.com/us/online-scanner

and request the admin to add this post to the Anti-Virus and Anti-Spyware section as well. You would get expert advice on it there.

Commented:
I suggest you use SysInternals "Process Explorer" (available as a free download from Microsoft). This is a Task Manager replacement that lets you see a lot more info about each process running on your system.

Using Process Explorer, determine the exact path to this chr.exe executable file. Then you can try to delete it. It won't delete if it's running, so you have to kill all running instances before you delete.

If you can't stop the processes, or they keep spawning uncontrollably, I suggest you (again) attach your disk through USB to the other PC and delete it from there.

An extra tip: instead of just deleting, sometimes you get better results by going a step further and making it impossible for the process to be created there again by the virus. I usually do this simply by creating a directory at that same location with the exact same name, chr.exe (directories can have extensions, too!). This confuses the virus: they are usually ready to delete any strange chr.exe they find, but their command will fail because it's a directory, not a file.
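The kill / delete / plant-a-directory procedure from the comment above, written out as an added PowerShell example (not code from the thread or from any of its participants). It assumes the path `C:\Users\Public\chr.exe`, which is purely an illustration; substitute the path shown in Process Explorer's Path column, and run it from an elevated prompt:

```powershell
# Added example, not from the original thread. Run elevated.
# $target is an ASSUMED location for illustration; take the real one from
# Process Explorer's "Path" column for a running chr.exe instance.
$target = 'C:\Users\Public\chr.exe'

# 1. Find every running instance by on-disk path, not just by name, so a
#    legitimate binary that happens to share the name is left alone.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $target) }

# 2. Stop all instances in a single call. Killing them one by one in a loop
#    gives a watchdog instance time to respawn the ones already killed.
if ($procs) {
    Stop-Process -Id @($procs.ProcessId) -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500
}

# 3. Delete the file. Droppers often set Hidden/System/ReadOnly, which makes
#    Remove-Item fail, so clear the attributes first.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    (Get-Item -LiteralPath $target -Force).Attributes = 'Normal'
    Remove-Item -LiteralPath $target -Force
}

# 4. Plant a directory with the same name. CreateFile() on a path that is an
#    existing directory fails, so the dropper's "write chr.exe" step fails.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null

    # Optional: deny Everyone the right to delete the placeholder, so the
    # dropper cannot simply rmdir it and try again. This also blocks you;
    # remove the rule (or the directory from the USB-attached PC) when done.
    $acl  = Get-Acl -LiteralPath $target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'Delete,DeleteSubdirectoriesAndFiles', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl
}

# 5. Verify nothing came back. An empty result is what you want; if instances
#    reappear, note their ParentProcessId: that parent is the dropper to chase.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -ieq $target } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath
```

If step 2 never wins the race, do steps 3 and 4 from the other PC with the disk attached over USB, as the comment suggests; the directory placeholder survives the move back because it lives on the disk, not in the running system.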
Author

Commented:
Very weird (logged in as Admin in SAFE mode): I ran http://www.eset.com/us/online-scanner as 'SSharma' and 'DrKlahn' suggested, which allowed me to then run MBAM and ComboFix (both finding A LOT of garbage)... however, during ComboFix's last reboot, instead of logging back in as ADMIN, I missed pressing F8 to get into SAFE mode and wound up logging into one of the User accounts. I then noticed that the 'spawning' of the .exe files started AGAIN. This time the exe was named something different, but somehow related to the User Profile that I logged in as....

Starting over in SAFE MODE as ADMIN....Ugh!!!
Dr. Klahn, Principal Software Engineer

Commented:
Also get a copy of Microsoft Autoruns, which will reveal everything loaded and started at startup time.  It may be helpful in identifying whatever is starting the problem.
Most Valuable Expert 2011
Top Expert 2011

Commented:
Remember, Process Explorer also shows the hierarchy of spawned applications, so if this is a dropper of some sort, you might get more information from the parent process as well.

Commented:
Autoruns lets you see each startup process by user, so it can help you explain the behaviour you're seeing: one user has already cleared the virus, the other not.

While hunting viruses, make sure you keep your PC disconnected from the Internet; viruses use websites to download their code into your computer, and re-download it after you've deleted it...
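The two comments above (the parent-process hierarchy from Process Explorer, and Autoruns' per-user view of startup entries) can both be reproduced from an elevated PowerShell prompt while the machine is offline. The script below is an added example, not code from the thread; it only covers the HKU Run/RunOnce keys, which is a small subset of what Autoruns enumerates, and the process name `chr.exe` is taken from the question:

```powershell
# Added example, not from the original thread. Run elevated, with the
# network cable unplugged as advised above.

# Part 1: per-user Run/RunOnce entries. Only hives that are currently loaded
# appear under HKEY_USERS (logged-on users); a profile that is not logged on
# has to have its NTUSER.DAT loaded first (reg load) or be inspected from
# the USB-attached PC.
function Get-UserRunEntries {
    $sids = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($sid in $sids) {
        foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                         'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = "Registry::HKEY_USERS\$($sid.PSChildName)\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
                [pscustomobject]@{ User = $sid.PSChildName; Key = $sub; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Part 2: walk ParentProcessId upward from a PID. Windows reuses PIDs, so a
# "parent" that was created AFTER its child is a stale PID, not the real
# parent; the chain is marked and stopped at that point.
function Get-ParentChain {
    param([int]$ProcessId)
    $all   = Get-CimInstance Win32_Process
    $chain = @()
    $p     = $all | Where-Object { $_.ProcessId -eq $ProcessId }
    while ($p) {
        $chain += [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; CommandLine = $p.CommandLine
        }
        if ($p.ParentProcessId -eq 0 -or $p.ParentProcessId -eq $p.ProcessId) { break }
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) {
            $chain += [pscustomobject]@{ PID = $parent.ProcessId; Name = '(stale PID, parent already exited)'; Path = $null; CommandLine = $null }
            break
        }
        $p = $parent
    }
    return $chain
}

Write-Host "=== Per-user Run/RunOnce entries ==="
Get-UserRunEntries | Format-Table -AutoSize

Write-Host "=== Parent chain of each running chr.exe ==="
foreach ($proc in (Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq 'chr.exe' })) {
    Get-ParentChain -ProcessId $proc.ProcessId | Format-Table -AutoSize
}
```

Read the Run entries per SID: if one user's key is clean and another's still carries an entry pointing at a file in that user's profile, that matches the author's observation that the respawn came back under a different account with a differently named executable. In the parent chain, the first non-chr.exe, non-system ancestor (or an entry whose parent has already exited) is where to point Process Explorer and the scanners next.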
Sudeep Sharma, Technical Designer

Commented:
@teks14,

Just like any other removal tool, MBAM and ComboFix should also be run in Normal Mode. If you are facing some issues running them in Normal Mode, then we would advise you to use Rogue Killer before running the full system scan.

I would strongly recommend you to go through the articles from Younghv

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

I hope that would help.

Sudeep

Author

Commented:
ESET Online Scanner seems to free up the system from the manifestation of the EXE files enough for me to run MBAM and ComboFix, but I wound up having to run these 3 tools (ESET, MBAM, ComboFix, in this order) under EACH user profile.
