Nasty Virus looks like Google Chrome multiple processes

Norton Security | Norton Internet Security
1

This apparently is a new virus. Somehow Trojan.AdClicker and Trojan.Poweliks got through to my system. Norton created FixPowerliks to fix Trojan.Poweliks and Norton Power Eraser cleans up Trojan.AdClicker. Those programs do fix Trojan.AdClicker and Trojan.Poweliks.

I believe it happened at the same time these virus got through but there is another virus. It makes the system think it is a valid Google Chrome executable. Upon boot-up it replicates itself and spawns off multiple process that steal memory and slow your PC down dramatically.

Norton does not detect this and allows it to run (and allowed it to get through). I did open a case and explained what I had seen. Apparently other manufactures virus detection do not see this either. Norton will need to find a way to screen for this and fix it.

In my case it called itself jatpuwrlohjp.exe. It appears to give itself different names as I saw some other complaints about it.

This for reference as another user saw it:

Many instances of file name Dkzbhjgkyhj.exe are running in Task Manager and described as Google Chrome. File installs in C:\Users\<localuser>\AppData\LocalLow\Microsoft\Jneewttr\outxddfepma. I can only delete files in Safe Mode. However, after reboot, the files auto reinstall within the \Jneewttr folder in a different location under \LocalLow. I have no idea what is installing it. Once it installed under \Sun and another time installed in \Apple Computer. Searching Google for the file name or the folder that installs have given no results. The multiple instances running in Task Manager are eating resources and slowing down my system. In an effort to eradicate this anomaly, I uninstalled Chrome which did nothing. Reinstalled and re-uninstalled to no avail. File comes up clean when scanned by McAfee Antivirus Plus . SpyBot S&D ver2.4 (free version) does not identify it as an issue. OS is Windows 7 Professional.

Any idea what this file really is, what it's doing, and how to get rid of it for good?

I had the very same thing except it called itself a different name. in my case it called itself jatpuwrlohjp.exe and put it under C:\Users\<localuser>\AppData\LocalLow\EmieUserList - A hidden directory you can not normally see with explorer.

It stores itself under C:\Users\<localuser>\AppData\LocalLow and it will be some other path name and executable name. You can right click one of the processes and tell it to show location. Then you will see the hidden directory it sets up.

 

Here was a proposed solution, but it does not fully cure it:

I seemed to have stopped the file from running... I simply renamed the file extension. I was surprised I could rename a file that was in use but I'll take what small victory I can. In Task Manager, the multiple instances of the file slowly dropped off the list. For the past 30 minutes, it has not reappeared. My video card fan is no longer spinning at top speed in protest. Do I consider this a solution? Hardly. It is an effective short term bandaid though.

This does stop the processes. Then you can go and erase the files. The problem is the next time you boot your computer it comes back again. So I thought I would give the virus a virus. What you do is go into C:\Users\<localuser>\AppData\LocalLow where it loaded the executable and change the extension name the earlier user suggested. That will kill the processes. Then I renamed it to a .txt file. I then edited that file and erased everything, and leaving a short piece of text. I then renamed it back to the .exe it was called. What this does is whatever is reloading this thing (I have not found what it is). thinks it is still there the next time it boots. This does seem to outright kill it. It cannot re-spawn itself.

 

I am leaving this as a way to temporarily get past this. I have not seen it come back now. Norton needs to devise a screen and a fix. It is pretty nasty as it dominate your memory resources and hides itself from detection and also regenerates itself. I think this has to be a new virus with no name assigned to it. It makes the system think it is a valid Google Chrome executable and then spawns multiple processes to kill your systems performance. I do not know what else it does or where its source is. Someplace there is a file that allows it to regenerate. I made it think it was still there so it does not regenerate.

 

Hope this helps for those of you who encounter this!!