Chrome Multiple Processing

[freese44]

So I have tried all steps laid out on this page for remvoing a Powelik Chrome based Virus. Currently any time I open a Chrome Tab it shows on Task Manager that I hav 8-16 tabs open and my CPU is bottleneck. Never had any issues with my 2700x until I noticed my task manager last night. I have restored chrome, deleted extensions, ran malwarebytes 6+ times. I was able to quarentine items and delete them twice but it is still occuring. I have used Emisoft, ESET, HITMAN, and MB to no avail. Cannot use my DAW programs with my CPU being used by chrome so much. Any further suggestions? ESET said I was totaly clean?

 

[struppigel]

Hello freese44

I am Karsten and will help you with malware-related problems.

Please familiarize yourself with the following ground rules before you start.

• Read my instructions thoroughly, carry out each step in the given order.
• Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
• If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
• Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
• Back up important files before we start.
• Note: On weekends I might be slow to reply

-------------------------------------------------------------------

Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool and save the file to your Desktop. (Note: choose the right version, 64 or 32 bit, for your operating system, only one will run)
• Double-click FRST64.exe to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.

 

[freese44]

Hey there Karsten,
Thanks you for taking the time to respond and assist.
FYI this is occurring when I run MS Edge as well. One tab shows as (10) on TM and is using 6-40% cpu all over the place.
Let me know any other information you might need.

 

[freese44]

example here I have no extensions at all 3 tabs open in chrome..... 1 quizlet.com and 2 tabs of malwartips.com......... recently reset chrome uninstalled and reinstalled and then followed the steps I originally found on this website.

 

[struppigel]

1. Farbar Recovery Scan Tool (FRST) Script

• Download the attached fixlist.txt
• Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Double-click FRST64.exe to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

 

[freese44]

So far what have we done to my pc? I am by no means in IT but did build this system and I would love to know for my own knowledge what we have been conducting.
Let me know a brief description if possible. Here are the fix logs, I made sure to save it where frst64.exe was, as of rn 1 Chrome tab shows (7) processes but not nearly the same ram usage ...so it looks like we are making headway.

 

[struppigel]

The fix removed scheduled tasks that autorun the malware as well as malware files. Let's see if it created more of these in the meantime.

Re-Scan with Farbar Recovery Scan Tool (FRST)

• Double-Click FRST64.exe to run the programme.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach the logs in your next reply.

 

[freese44]

here we go

 

[struppigel]

It's not in the schedulded tasks anymore.


Step 1: Reinstall Chrome, reset Edge
Please turn off syncing in Chrome if it was enabled:

• type chrome://settings/people into the URL box, press enter
• under the heading People, click Turn Off
• click again Turn Off

Now please reset Edge and uninstall Chrome
Reboot.
Re-install Chrome.

Step 2: RogueKiller AntiMalware

• Please download Roguekiller AntiMalware
• Double-click RogueKiller64.exe to run the programme.
• Accept the terms and conditions.
• Click on Scan.
• You will be presented with 3 Scan options. Below Standard Scan click on Start.
• Wait for the scan to finish.
• Click on Results and Report
• On the lower right corner, click on Open and Text file.
• Notepad will open with a report of your file. Please copy the contents and paste in your next reply.

Let me know if anything is improved

 

[freese44]

RogueKiller Anti-Malware V14.8.6.0 (x64) [Mar 24 2021] (Free) by Adlice Software
mail : Support Form | Contact • Adlice Software
Website : RogueKiller Anti Malware | Free Virus Cleaner Download • Adlice Software
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : fordr [Administrator]
Started from : C:\Users\fordr\Downloads\RogueKiller_portable64.exe
Signatures : 20210611_060824, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/06/12 19:39:53 (Duration : 00:05:14)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Gen0 (Potentially Malicious)] Updater (0) -- (Virtual Desktop, Inc.) "C:\Program Files\Virtual Desktop Streamer\Updater.exe" /runservice -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
[PUP.WinZipDiskTools (Potentially Malicious)] (X64) HKEY_USERS\.DEFAULT\Software\Nico Mak Computing -- N/A -> Found
[PUP.WinZipDiskTools (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-2244229292-2217716104-3509410712-1001\Software\Nico Mak Computing -- N/A -> Found
[PUP.WinZipDiskTools (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18\Software\Nico Mak Computing -- N/A -> Found
>>>>>> O23 - Services
[PUP.Gen0 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Updater -- (Virtual Desktop, Inc.) "C:\Program Files\Virtual Desktop Streamer\Updater.exe" -> Found
>>>>>> O87 - Firewall
[Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{9828400D-6215-456B-B258-216A40C88B57} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\fordr\appdata\local\programs\nanoleaf smarter series\nanoleaf smarter series.exe|Name=nanoleaf smarter series.exe|Desc=nanoleaf smarter series.exe|Defer=User| (C:\users\fordr\appdata\local\programs\nanoleaf smarter series\nanoleaf smarter series.exe) (missing) -> Found
[Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{203D8DF0-6968-4B45-98A4-B3A57A9B40FA} -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\fordr\appdata\local\programs\nanoleaf smarter series\nanoleaf smarter series.exe|Name=nanoleaf smarter series.exe|Desc=nanoleaf smarter series.exe|Defer=User| (C:\users\fordr\appdata\local\programs\nanoleaf smarter series\nanoleaf smarter series.exe) (missing) -> Found
>>>>>> XX - System Policies
[PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Chapak (Malicious)] (folder) rss -- C:\Windows\rss -> Found
[PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\Users\fordr\AppData\Local\AdvinstAnalytics -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤





Virtual Desktop is a known seemingly trusted program. For VR gaming. I unchecked it on Rouge Killer.

Still showing 8 processes for one tab but in chromes TM everything seems legit!

Edge is showing 5

I take it i should go to Removal in Rouge Killer now? I went ahead and clicked it and removed what it found.

 

[struppigel]

Looks fine to me.
Roguekiller shows a lot of entries that are just suspicious but not necessarily malware, which is why I don't instruct removal immediately.
But if you went ahead with removal already, it's alright.

It is normal that Chrome and Edge have slightly more processes than tabs.
Of course the 35 tabs in the beginning were from the malware. But 8 sounds more reasonable.

Unless you are having any outstanding issues, we are done now and you can delete Roguekiller and FRST.

Below are a few general recommendations for infection prevention.
Please let me know if you have any remaining questions or outstanding issues.

----------------------------------

• Keep your programs always up-to-date, including the operating system, browsers, email programs, everything that you use to interact with the web, and also your antivirus suite.
• Use exactly one antivirus suite. Several will get in the way of each other, fight for resources, and potentially detect each other as malicious due to the way AV has to monitor the system.
• Use browser plugins that prevent ads (aka adblockers) and execution of scripts, e.g., NoScript.
• Be careful with email attachments and links. Those can potentially contain malware or lead to phishing sites.
• Avoid using P2P software. I saw you have Deluge on your system. P2P software is sharing files with lots of other computers. Infected files, especially worms, thrive in this environment.
• Enable to view file extensions in file explorer, so that you can recognize double extensions. These are used by malware to trick you into executing their files, e.g. my_great_movie.mp4.exe

 

[freese44]

Wow you are truly fantastic. I forgot I even had Deluge and uninstalled it, thanks. TBH it is hard to tell if this has solved the issue. Things are running smoothly now for sure, I have one chrome tab and showing (9) in TM, I just never remember it using 30% of my Ram, I have a 32gb system 2400 hertz though.

I have been playing games the whole time we have been dealing with this, with only slight hiccups realted to my GPU drivers being the worst!

I for sure had some malware that was luckily detected. However what truly drew me to post and what started this investigation was this fact.
I was working in Ableton 11 on a porject. A half finished song, never do I typically run my CPU usage in ableton higher than 20%. I have NEVER seen it give me an OVERLOAD symbol, super worrying.
Full live sets with GBs of samples and effects usually push it that high, not this simple half done project..... and never to overload.....thats when I pulled up Task Manager and saw 30 something tabs and started down that road. But now chrome is clean and Ableton is still acting odd. I have not messed with Ryzen settings recently either, just my GPU which is overclocked. RX5708gb

Ableton is CPU core heavy and is now constantly red lining and all over the place when before it was consistant. My thoughts are it could be hardware related? My system is from 2017 and has seen better days. At this point I need to research it more, but thought I would at least ask since you have been so great. Let me know if i need to just do that digging myself.

Chromes Task Manager shows all legit instances of chrome items so Malware wise I think I am all clear.

I use free MalwareBytes edition for security, would you have another suggestion? I would be down with paying a flat fee for a service, not monthly. Just only ever heard good things about MB, but it clearly left my system vunerable. I know never to use McAfee/Norton for background activity and such.

Also do you have a Cashapp or Venmo or something where I can send you something for your time? like just something for lunch you have been so attentive and fantastic I feel like I am getting away with something here, over a weekend at that. DM me about it.

Cheers thanks for the help
Ford

 

[struppigel]

Hi Ford,

Ableton is CPU core heavy and is now constantly red lining and all over the place when before it was consistant. My thoughts are it could be hardware related? My system is from 2017 and has seen better days. At this point I need to research it more, but thought I would at least ask since you have been so great. Let me know if i need to just do that digging myself.

This leaves my field of expertise. Especially when it comes to hardware.
But these are things I would try:

• I would check related audio drivers, either get an old one that worked previously or update to the newest
• If you have a restore point from before the infection, you can use that and see if that helps. However, a restore point during the infection may pull the malware back onto your system, since you indicated that you had poweliks, which is fileless. You need to be sure to use one that is from before.
• Alternatively you can try a windows reset while keeping your files. It should exclude any issues due to bad settings.
• Create a thread in the Windows section and ask the people here. There are quite a view people here who know about stuff I don't.

I use free MalwareBytes edition for security, would you have another suggestion? I would be down with paying a flat fee for a service, not monthly. Just only ever heard good things about MB, but it clearly left my system vunerable. I know never to use McAfee/Norton for background activity and such.

You can also ask this in the forums. I personally think: Malwarebytes is great for dealing with already infected systems. They have great cleaning. For continued protection I will not recommend any specific AV, though. I work for an antivirus company. So, yes I could recommend our AV product, but I am really biased.
However, our forum members have lots of insight to this specific topic as some of them are testing AV products in their free time regularly.

Also do you have a Cashapp or Venmo or something where I can send you something for your time? like just something for lunch you have been so attentive and fantastic I feel like I am getting away with something here, over a weekend at that. DM me about it.

Yeah, I have Kofi. Thank you

Have a great day