spawning process creates chr.exe files
Asked by teks14
I have a computer that, when you boot it (even in Safe Mode), keeps loading instances of chr.exe (I see them in Task Manager). No other programs can be run (ComboFix, MalwareBytes, nothing).
I took the drive out of the PC, attached it to a USB cable and attached it to another PC so I could run a virus scan on the D drive. It found a lot of 'Trojans', but when I ran the scan a second time, it came back clean.
I put the HD back in the original computer and the same thing happens
Any thoughts?
ASKER
Very weird (logged in as Admin in SAFE mode): I ran http://www.eset.com/us/online-scanner as 'SSharma' and 'DrKlahn' suggested, which then allowed me to run MBAM and ComboFix (both finding A LOT of garbage)... However, during ComboFix's last reboot, instead of logging back in as ADMIN, I missed pressing F8 to get into SAFE mode and wound up logging into one of the User accounts. I then noticed that the 'spawning' of the .exe files started AGAIN. This time the exe was named something different, but somehow related to the User Profile that I logged in as....
Starting over in SAFE MODE as ADMIN....Ugh!!!
Also get a copy of Microsoft Autoruns, which will reveal everything loaded and started at startup time. It may be helpful in identifying whatever is starting the problem.
Remember, Process Explorer also shows the hierarchy of spawned applications, so if this is a dropper of some sort, you might get more information from the parent process as well.
Autoruns lets you see each startup process by user, so it can help you explain the behaviour you're seeing: one user has already cleared the virus, the other not.
While hunting viruses, make sure you keep your PC disconnected from the Internet; viruses use websites to download their code into your computer, and re-download it after you've deleted it...
@teks14,
Just like any other removal tool, MBAM and ComboFix should also be run in Normal Mode. If you are facing issues running them in Normal Mode, then we would advise you to use Rogue Killer before running the full system scan.
I would strongly recommend that you go through the articles from Younghv:
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
https://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
I hope that would help.
Sudeep
ASKER
ESET Online Scanner seems to free up the system from the manifestation of the EXE files enough for me to run MBAM and ComboFix, but I wound up having to run these 3 tools (ESET, MBAM, ComboFix, in this order) under EACH user profile.
Using Process Explorer, determine the exact path to this chr.exe executable file. Then you can try to delete it. It won't delete if it's running, so you have to kill all running instances before you delete.
If you can't stop the processes, or they keep spawning uncontrollably, I suggest you (again) attach your disk through USB to the other PC and delete it from there.
An extra tip: instead of just deleting, sometimes you get better results by going a step further, and making it impossible for the process to be created there again by the virus. I usually do this simply by creating a directory at that same location, with the exact same name chr.exe (directories can have extensions, too!). This confuses the virus - they are usually ready to delete any strange chr.exe they find, but their command will fail because it's a directory, not a file.
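The two procedures recommended in this thread, reading the process tree and per-user startup entries (Process Explorer and Autoruns), then killing every instance, deleting the file and occupying its path with a same-named directory, can be scripted for a repeatable cleanup. The following is an added example written for this page, not code from any of the posters or from the Sysinternals tools. It assumes an elevated PowerShell 5.1 or later session on the affected machine; the process name chr.exe comes from the question, the function names and the sample path in the usage comment are hypothetical.

```powershell
# Added example, not code from the original thread.
# Assumes an elevated PowerShell session on the affected PC (booted to Safe Mode with
# the network unplugged, as advised above). 'chr.exe' is the name from the question;
# the function names and the usage path below are hypothetical.

function Get-SuspectProcess {
    # Every running instance of $Name with its on-disk path, command line and parent
    # process: the same facts Process Explorer's tree view shows, so the dropper
    # (the parent) can be found along with the spawned child.
    param([string]$Name = 'chr.exe')
    Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            ParentPid   = $_.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    }
}

function Get-StartupEntry {
    # Per-user view of logon autostarts (Run keys and Startup folders). This is a
    # quick approximation of Autoruns' user view and explains why one profile stays
    # clean while another respawns the file; Autoruns itself covers far more locations.
    Get-CimInstance Win32_StartupCommand |
        Select-Object User, Name, Location, Command |
        Sort-Object User, Name
}

function Block-SuspectFile {
    # Kill every process running from $Path, delete the file, then create a directory
    # with the exact same name so the dropper's attempt to rewrite it fails.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Retries = 5          # the file may respawn between kill and delete
    )

    for ($i = 0; $i -lt $Retries; $i++) {
        # Match on the executable path, not the name: a renamed copy elsewhere is
        # a separate problem, and an unrelated process called chr.exe is not hit.
        Get-CimInstance Win32_Process |
            Where-Object { $_.ExecutablePath -eq $Path } |
            ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            # Clear hidden/system/read-only bits, which droppers often set, then delete.
            (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        }
        if (-not (Test-Path -LiteralPath $Path)) { break }   # gone; stop retrying
        Start-Sleep -Milliseconds 200                         # lost the race; try again
    }

    if (Test-Path -LiteralPath $Path) {
        Write-Warning "Could not remove $Path; delete it with the disk attached to another PC over USB."
        return $false
    }
    # Occupy the path: a directory named chr.exe cannot be overwritten by a file write,
    # which is the trick described in the post above.
    New-Item -ItemType Directory -Path $Path | Out-Null
    return $true
}

# Usage (run in this order; the path argument is a hypothetical example):
# Get-SuspectProcess | Format-Table -AutoSize
# Get-StartupEntry   | Format-Table -AutoSize
# Block-SuspectFile -Path 'C:\Users\<profile>\AppData\Local\Temp\chr.exe'
```

Run Get-SuspectProcess first and note the ParentPath column: the parent is usually the component that needs to go, and its own path can be passed to Block-SuspectFile the same way. Get-StartupEntry shows which user's Run key or Startup folder references the file, which matches the asker's observation that the spawning only returned after logging into a particular profile.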