Jump to content

cmd.exe, conhost.exe & 27 Chrome.exe files auto run when I open Chrome up?!


Go to solution Solved by moetee,

Recommended Posts

Hey guys,

My computer has been SUPER laggy. To a point of where my mouse lags and when I type.

I took a look at my Task Manager and I see cmd.exe, conhost.exe and (27) chrome.exe files start running as soon as I run Chrome. 

I did a Malware Bytes and ESET Smart Security scan and no viruses were found.

I don't know what's going on but several days ago my website was infected and whenever users visited the website it redirected to a random site, I'm not too sure if that has any connection.

Every time I terminate the additional chrome.exes and cmd.exe and conhost.exe - Chrome itself crashes along with the installed extensions.

I made a 1 min video show casing it: https://screencast-o-matic.com/watch/criUVXViKLY 

 

I also attached both files from Farbar Recovery Scan Tool.

FRST.txt Addition.txt

Link to post
Share on other sites

Hello @moetee    

My name is Maurice.  Let me know what nickname you prefer to go by.

Both Malwarebytes for Windows and ESET Security are top notch security apps.  You report 

Quote

I did a Malware Bytes and ESET Smart Security scan and no viruses were found.

Lets begin by focusing on Chrome browser & insuring to clear all cache & history & insure it does NOT start with reloading prior session + other measures to beef it up.

[   1   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

image.png.9f59b1a99e5e32db2619eeab22b5a72f.png

Make real sure it is "NOT" set to "continue where you left off"

.

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[   6    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Sincerely.

Link to post
Share on other sites

4 hours ago, Maurice Naggar said:

Hello @moetee    

My name is Maurice.  Let me know what nickname you prefer to go by.

Both Malwarebytes for Windows and ESET Security are top notch security apps.  You report 

Lets begin by focusing on Chrome browser & insuring to clear all cache & history & insure it does NOT start with reloading prior session + other measures to beef it up.

[   1   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

image.png.9f59b1a99e5e32db2619eeab22b5a72f.png

Make real sure it is "NOT" set to "continue where you left off"

.

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[   6    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Sincerely.

Hello Maurice,

 

You can just call me Moe.

Thank you so much for those tips. I did everything.

I attached the Log for your reference. Nothing was found.

I am looking at my Task Manager and I still see 24 chrome.exe running and cmd.exe files.

Task Manager.PNG

AdwCleaner[S03].txt

Link to post
Share on other sites

Here is a iCloud video I took of my task manager showing the excessive power usages.

https://share.icloud.com/photos/0eTUFKpQcbgh3Y0t9SyYn5dfg

 

Anyone? I did a few scans from different applications.

- ESET Regular Scan: Nothing.

- ESET Online Scanner: Nothing.

- Malware Bytes: Nothing.

- Malwarebytes AdwCleaner: Nothing

- Junkware Removal Tool (JRT) by Malwarebytes: A few things found, I attached the log file.

- RogueKiller Anti-Malware V15.0.8.0: A few things found, I attached the log file.

- Rkill 2.9.1: Nothing found.

- TDSSKiller: Nothing found.

- Norton Power Eraser: Nothing found.

- Combo Cleaner: A few things found, after I deleted them. Problem still continues.

 

 

Random Outlook.exe High in Power Usage.PNG

Combo Cleaner Results.PNG

JRT_.txt RogueKiller Results.txt

Link to post
Share on other sites

Hello Moe.

Please do not run any other tools on your own while this case is here in this sub-forum.

Please just stick with my quidance.

I regret to say that I could not get the Roguekiller report to display properly.  That showed a lot of non-printable characters.

Please do not run tools on your own.

.

It might be that the Microsoft Outllok app needs a repair or even a new install. That is a maybe.

Outlook may just perhaps need some regular housekeeping, such as delete the Trash folder.

If you are haing persistent issue on Outlook, I would urge you to ask for expert help on the Outlook sub-forum of the Microsoft Answers help board.

MS Office might be having its own issues. This is one event from the system log.

Quote

Error: (07/28/2021 02:19:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Microsoft Office Click-to-Run Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

.

NORDVPN may be having its own issues.

Error: (07/28/2021 02:19:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program NordVPN.exe version 1.0.2.17 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

.

Here on this Malwarebytes sub-forum I can guide you in hunting for malware.  Anything beyond that scope, I will need to point you elsewhere.

You have already scaneed with a big slew of tools.  and that includes 3 Malwarebytes programs. 4 if I were to count MBAR !

REMINDER:  This pc has ESET Security + Malwarebytes for Windows. Two top-tier security tools.  Between those two, that is plenty enough to find and remove any malware infection. !   Lets not go running other "apps".

.

Next action items.

[  A ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[  B  ]

Uninstall Bonjour from Apple.  You do not need it.  Which by the way entangles itself into the Windows Winsock stack.

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-windoww.
2. Type 

appwiz.cpl 

and tap Enter.
The Programs and Features window will appear.

Locate "Bonjour     Version: 3.1.0.1" on the list.   Click the line once with your mouse pointer.

Now do a RIGHT-click on it  and then select Uninstall.    and follow thru to have it uninstalled.

When done, close the window for Programs and Features.

[   C     ]

What follows is a special custom fix script with specific goals.

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  MOETEE  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run the Windows DISM tool to check the OS state.  It will rebuild the Winsock. 

It will remove a handful of scheduled tasks for MS Office, like update checks & telemetry tasks.  You do not need those.

It will remove a handful of non-existent contextmenu handlers ( apps removed in the past) that can slowdown Windows File Explorer. 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

click line More info information on that screen
and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.    Persistence & patience are called for here.

Cheers.

Link to post
Share on other sites

34 minutes ago, Maurice Naggar said:

Hello Moe.

Please do not run any other tools on your own while this case is here in this sub-forum.

Please just stick with my quidance.

I regret to say that I could not get the Roguekiller report to display properly.  That showed a lot of non-printable characters.

Please do not run tools on your own.

.

It might be that the Microsoft Outllok app needs a repair or even a new install. That is a maybe.

Outlook may just perhaps need some regular housekeeping, such as delete the Trash folder.

If you are haing persistent issue on Outlook, I would urge you to ask for expert help on the Outlook sub-forum of the Microsoft Answers help board.

MS Office might be having its own issues. This is one event from the system log.

.

NORDVPN may be having its own issues.

Error: (07/28/2021 02:19:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program NordVPN.exe version 1.0.2.17 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

.

Here on this Malwarebytes sub-forum I can guide you in hunting for malware.  Anything beyond that scope, I will need to point you elsewhere.

You have already scaneed with a big slew of tools.  and that includes 3 Malwarebytes programs. 4 if I were to count MBAR !

REMINDER:  This pc has ESET Security + Malwarebytes for Windows. Two top-tier security tools.  Between those two, that is plenty enough to find and remove any malware infection. !   Lets not go running other "apps".

.

Next action items.

[  A ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[  B  ]

Uninstall Bonjour from Apple.  You do not need it.  Which by the way entangles itself into the Windows Winsock stack.

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-windoww.
2. Type 

appwiz.cpl 

and tap Enter.
The Programs and Features window will appear.

Locate "Bonjour     Version: 3.1.0.1" on the list.   Click the line once with your mouse pointer.

Now do a RIGHT-click on it  and then select Uninstall.    and follow thru to have it uninstalled.

When done, close the window for Programs and Features.

[   C     ]

What follows is a special custom fix script with specific goals.

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  MOETEE  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run the Windows DISM tool to check the OS state.  It will rebuild the Winsock. 

It will remove a handful of scheduled tasks for MS Office, like update checks & telemetry tasks.  You do not need those.

It will remove a handful of non-existent contextmenu handlers ( apps removed in the past) that can slowdown Windows File Explorer. 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   

Fixlist.txt 3.56 kB · 4 downloads


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

click line More info information on that screen
and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.    Persistence & patience are called for here.

Cheers.

Wait all my password logins saved in my Chrome browser will be deleted?

Link to post
Share on other sites

15 minutes ago, Maurice Naggar said:

Thank you.   The run is good. 

Windows' SFC Windows Resource Protection found corrupt files and successfully repaired them.

How does the situation look at this point?  I do not believe that this pc has a "infection".

The computer is still very slow. 

I added a ESET rule for me to be notified in once a cmd.exe is opened when I click Chrome. I blocked 3x attempts of cmd.exe.

I also came across this, https://www.youtube.com/watch?v=YZ6xXhs0EMk I also noticed Chrome.exe running once never saw any sub-processes. 

However, MBAMService.exe is super high in usage, as well as NordVPN.

So if there is no infections, is this a CPU ram issue? Do I have adequate CPU? I have 16gig ram installed.

 

 

RAM.PNG

Link to post
Share on other sites

As far as Task Manager & looking at its % percentage display ..............disregard at the beginning.  WAIT 2 minutes.

On Chrome browser, look at all extensions on it.   Disable all extensions.  Then, you can enable a few at a time to see whcih one(s) are causing issue.

Just start by disabling all extensions on Chrome.

in Chrome, press ALT+F then Settings

Click Extensions on the left.

Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

 

Link to post
Share on other sites

13 minutes ago, Maurice Naggar said:

As far as Task Manager & looking at its % percentage display ..............disregard at the beginning.  WAIT 2 minutes.

On Chrome browser, look at all extensions on it.   Disable all extensions.  Then, you can enable a few at a time to see whcih one(s) are causing issue.

Just start by disabling all extensions on Chrome.

in Chrome, press ALT+F then Settings

Click Extensions on the left.

Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

 

I disabled all Chrome extensions but now there is 10 Chrome.exe files. 

Computer is still laggy as hell man. It's driving me crazy!

Process.PNG

Link to post
Share on other sites

What you may notice on Task Manager display.   If it is showing 10 lines listing Chrome.exe  that means there are or were 10 tabs open on Chrome.

Task Manager lags behind in updating & showing proper counts, when you close some tabs.

.

IF Chrome is the major issue at hand, then

Please try using a different web browser. Your pc runs Windows. So it must also have ( likely) EDGE browser.

if Chrome is "having an issue" in standard mode:

You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup.

First, close any prior instances of Chrome via Task Manager.

Then press Windows-key+R for the RUN option and then put a command line similar to this {do use COPY & PASTE}

chrome.exe -incognito


 

Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it.

Note also, Incognito mode is also an option in the Chrome menu {as long as it can start}.

NB NOTE:  To this point, I have seen no indicator that points to a malware infection !

plus, let's dont forget, you yourself have run a whole big slew of other security scans.

Link to post
Share on other sites

  • Solution
On 8/2/2021 at 12:18 PM, Maurice Naggar said:

Good morning.  Hello.  Have you applied my tip from Friday afternoon ?

Hi! I cleaned the entire PC which had many dust on the fan, cleaned our the thermal paste and added a new one, got a new mouse and I see no lag. Thanks for all your help!

Link to post
Share on other sites

Hello. Glad you were able to take care of the hardware.
To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Adwcleaner you may keep.    All best wishes.  Stay safe.
 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.