10 Replies Latest reply on Oct 21, 2014 12:17 PM by selvan

    Possible unidentified virus file: Dkzbhjgkyhj.exe

    freondude

      Hello folks,

       

      Many instances of a file named Dkzbhjgkyhj.exe are running in Task Manager and are described as Google Chrome. The file installs in C:\Users\<localuser>\AppData\LocalLow\Microsoft\Jneewttr\outxddfepma. I can only delete the files in Safe Mode. However, after a reboot, the files auto-reinstall within the \Jneewttr folder in a different location under \LocalLow. I have no idea what is installing it. Once it installed under \Sun and another time it installed in \Apple Computer. Searching Google for the file name or the folder it installs into has given no results. The multiple instances running in Task Manager are eating resources and slowing down my system. In an effort to eradicate this anomaly, I uninstalled Chrome, which did nothing. Reinstalled and re-uninstalled to no avail. The file comes up clean when scanned by McAfee Antivirus Plus. SpyBot S&D ver 2.4 (free version) does not identify it as an issue. OS is Windows 7 Professional.

       

      Any idea what this file really is, what it's doing, and how to get rid of it for good?

      Respectfully,

      Fred

       



        • 1. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
          catdaddy

          Moved to Malware Discussion > Home User Assistance. By Moderator

          • 2. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
            catdaddy

            freondude,

            I would recommend running the latest McAfee GetSusp tool to get the detection into the McAfee GTI database. Please add your email address under "Preferences" before scanning. Then run the latest Stinger (read how to use it). Follow up by running Malwarebytes (Free). To keep it free, DO NOT accept any free trial offers or activate it during the download process.

            These superb tools and more can be found here: Anti-Spyware/Malware & Hijacker Tools

             

            All the best,

            Catdaddy

            McAfee Volunteer Moderator

            • 3. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe

              The file name is most likely random and insignificant; submit as suggested by CD. You might also want to use RootkitRemover. Free Tools | McAfee Downloads

              • 4. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                catdaddy

                freondude,

                  Also, I noticed you have SpyBot S&D version 2.4 (Free) installed. Please make certain there is no RTS module (Tea Timer) installed/enabled, as it will conflict with and possibly corrupt your McAfee installation, leaving you open to infection. This program is no longer considered to be compatible with McAfee.

                • 5. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                  selvan

                  Hi freondude

                  Can you upload the file to VirusTotal (www.virustotal.com) and see if there are any detections? Also, right-click the file and verify its signature (Right click > Properties > Digital Signatures tab).

                  • 6. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                    freondude

                    Thanks for the tip on getting it checked at virustotal.com. The file passed with flying colors as a legitimate Google Chrome file. Now my problem remains that this file has multiple instances of itself running and eating resources even after the uninstallation of Google Chrome. I can't delete it from the Task Manager faster than it can replicate. I tried the rootkit remover and Stinger and they found nothing. Seems my problem lies in Google Chrome itself, so I will get on their boards and raise the red flag.

                    • 7. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                      Hayton

                      Whatever this is, I don't think it's anything to do with Google Chrome, or you wouldn't be seeing it under Microsoft or Apple locations in your file system. If it's not being detected by any of the anti-virus programs then either it's a brand new piece of malware that they haven't seen and analysed yet, or it's a rogue process being spawned by a legitimate program (which I think is unlikely).

                      Can you post the URL of this or another VirusTotal report so we can examine the associated file metadata? As you say, Googling that file name produces no results; and as SafeBoot said, the name may well be a random generation of characters and so different for each infection.

                      In the meantime I would advise two things: run Malwarebytes Free, which is stricter about PUPs than McAfee, and download and run Autoruns from Sysinternals. Take some time to look at all the processes and programs that get loaded at startup, and you might see what's spawning this particular process.
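The checks suggested in replies 5 and 7 (verify the signature, then find what is spawning the process) can be run in one pass. This is an added example for this thread, not code from the forum, from McAfee or from Sysinternals; it assumes Windows PowerShell 3.0 or later in the affected user's session, and the Chrome install directories it lists are the usual defaults, not paths from the thread.

```powershell
# For every running process, record where the image lives, its Authenticode
# status and signer, and the OriginalFilename/ProductName compiled into its
# version resource, then look up the parent process through WMI.
# A "Valid" signature only proves the bytes are Google's; a signed chrome.exe
# copied under a random name into AppData\LocalLow is still worth hunting.

$chromeDirs = @(
    "$env:LOCALAPPDATA\Google\Chrome\Application",
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application"
) | Where-Object { $_ }

# WMI exposes ParentProcessId and CommandLine, which Get-Process does not.
$byPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

function Get-ImageFindings {
    param([string]$Path, [string]$ProcessName)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    $inProfile    = $Path -like "$env:USERPROFILE\AppData\*"
    $inChromeDir  = [bool]($chromeDirs | Where-Object { $Path -like "$_\*" })
    $claimsChrome = ($ver.OriginalFilename -eq 'chrome.exe') -or ($ver.ProductName -eq 'Google Chrome')
    # On-disk name differing from the compiled-in OriginalFilename is the pattern
    # in this thread (Dkzbhjgkyhj.exe whose original name is chrome.exe).
    $renamed = $ver.OriginalFilename -and ($ver.OriginalFilename -ne "$ProcessName.exe")
    $reasons = @()
    if ($sig.Status -ne 'Valid')              { $reasons += "signature $($sig.Status)" }
    if ($claimsChrome -and -not $inChromeDir) { $reasons += 'Chrome binary outside its install dir' }
    if ($renamed)                             { $reasons += "renamed from $($ver.OriginalFilename)" }
    if ($inProfile -and -not $inChromeDir)    { $reasons += 'runs from the user profile' }
    $signer = '<unsigned>'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [PSCustomObject]@{ Path = $Path; Signer = $signer; Reasons = ($reasons -join '; ') }
}

$report = foreach ($p in (Get-Process -ErrorAction SilentlyContinue | Where-Object Path)) {
    $img = Get-ImageFindings -Path $p.Path -ProcessName $p.ProcessName
    if (-not $img.Reasons) { continue }
    $w = $byPid[$p.Id]
    $parentPath = '<parent gone or inaccessible>'
    $cmdLine = $null
    if ($w) {
        $cmdLine = $w.CommandLine
        if ($byPid.ContainsKey([int]$w.ParentProcessId)) {
            $parentPath = $byPid[[int]$w.ParentProcessId].ExecutablePath
        }
    }
    [PSCustomObject]@{
        PID        = $p.Id
        Path       = $img.Path
        Signer     = $img.Signer
        Reasons    = $img.Reasons
        ParentPath = $parentPath
        CmdLine    = $cmdLine
    }
}

# One row per image path with the instance count: the thread describes dozens of
# copies of one binary, and the parent that keeps launching it is the real target.
$report | Group-Object Path | ForEach-Object {
    [PSCustomObject]@{
        Instances  = $_.Count
        Path       = $_.Name
        Signer     = $_.Group[0].Signer
        Reasons    = $_.Group[0].Reasons
        ParentPath = ($_.Group | ForEach-Object ParentPath | Sort-Object -Unique) -join ', '
        CmdLine    = $_.Group[0].CmdLine
    }
} | Format-List
```

The rows flagged "renamed from chrome.exe" with a shared ParentPath outside the Chrome install directory are the ones to look for in Autoruns.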

                      • 8. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                        freondude

                        My Task Manager currently has 64 processes running... yeah, a bit high. This is on an Alienware M15 laptop. Pretty robust hardware, although the video card fan is constantly revving up. I've run Autoruns and need to get familiar with what I'm looking at. Will run Malwarebytes in a bit...

                        --------------------------------------------------------------------------------

                        Let me know if this is the right stuff below... sure looks lengthy:

                        --------------------------------------------------------------------------------

                        File details from VirusTotal.com on file hyzzkawilf.exe ("Dkzbhjgkyhj.exe" on my computer)

                        SHA256: 70010eba09129858af32f03079e70e974ebff8700f5f93dca2ec8a6b0991e2ac
                        File name: hyzzkawilf.exe
                        Detection ratio: 0 / 54
                        Analysis date: 2014-10-20 19:36:17 UTC (5 hours, 8 minutes ago)

                        Copyright: Copyright 2012 Google Inc. All rights reserved.
                        Publisher: Google Inc
                        Product: Google Chrome
                        Original name: chrome.exe
                        Internal name: chrome_exe
                        File version: 36.0.1985.143
                        Description: Google Chrome
                        Signature verification: Signed file, verified signature
                        Signing date: 4:20 AM 8/7/2014

                        Signers
                        [+] Google Inc
                            Status: Valid
                            Valid from: 1:00 AM 1/29/2014
                            Valid to: 12:59 AM 1/30/2016
                            Valid usage: Code Signing
                            Algorithm: SHA1
                            Thumbprint: FCAC7E666CC54341CA213BECF2EB463F2B62ADB0
                            Serial number: 29 12 C7 0C 9A 2B 8A 3E F6 F6 07 46 62 D6 8B 8D
                        [+] VeriSign Class 3 Code Signing 2010 CA
                            Status: Valid
                            Valid from: 1:00 AM 2/8/2010
                            Valid to: 12:59 AM 2/8/2020
                            Valid usage: Client Auth, Code Signing
                            Algorithm: SHA1
                            Thumbprint: 495847A93187CFB8C71F840CB7B41497AD95C64F
                            Serial number: 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
                        [+] VeriSign
                            Status: Valid
                            Valid from: 1:00 AM 11/8/2006
                            Valid to: 12:59 AM 7/17/2036
                            Valid usage: Server Auth, Client Auth, Email Protection, Code Signing
                            Algorithm: SHA1
                            Thumbprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
                            Serial number: 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A

                        Counter signers
                        [+] Symantec Time Stamping Services Signer - G4
                            Status: Valid
                            Valid from: 1:00 AM 10/18/2012
                            Valid to: 12:59 AM 12/30/2020
                            Valid usage: Timestamp Signing
                            Algorithm: SHA1
                            Thumbprint: 65439929B67973EB192D6FF243E6767ADF0834E4
                            Serial number: 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
                        [+] Symantec Time Stamping Services CA - G2
                            Status: Valid
                            Valid from: 1:00 AM 12/21/2012
                            Valid to: 12:59 AM 12/31/2020
                            Valid usage: Timestamp Signing
                            Algorithm: SHA1
                            Thumbprint: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
                            Serial number: 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
                        [+] Thawte Timestamping CA
                            Status: Valid
                            Valid from: 1:00 AM 1/1/1997
                            Valid to: 12:59 AM 1/1/2021
                            Valid usage: Timestamp Signing
                            Algorithm: MD5
                            Thumbprint: BE36A4562FB2EE05DBB3D32323ADF445084ED656
                            Serial number: 00

                        PE header basic information
                        Target machine: Intel 386 or later processors and compatible processors
                        Compilation timestamp: 2014-08-07 02:31:49
                        Entry Point: 0x00049C8F
                        Number of sections: 6

                        PE sections
                        Name    Virtual address  Virtual size  Raw size  Entropy  MD5
                        .text   4096             413952        414208    6.65     49a56b6a978ffd8ac63e420c920cf1af
                        .rdata  421888           192550        193024    4.03     6747701f328edd30b2ac9a0a6c1ee2d8
                        .data   618496           22528         7680      3.78     76a2a94dc85136c1fe41630d85191609
                        .tls    643072           2             512       0.00     bf619eac0cdf3f68d496ea9344137e8b
                        .rsrc   647168           218624        218624    6.29     dabf6dcb91eb2239ae7b37a92cb1c76e
                        .reloc  868352           18792         18944     6.61     de2a71c0ca8647d64cd389e101ae9b2b

                        PE exports
                            ClearCrashKeyValueImpl
                            CrashForException
                            DumpProcess
                            DumpProcessWithoutCrash
                            InjectDumpForHangDebugging
                            InjectDumpProcessWithoutCrash
                            IsSandboxedProcess
                            SetCrashKeyValueImpl

                        Number of PE resources by type
                            RT_ICON: 50
                            RT_GROUP_ICON: 8
                            GOOGLEUPDATEAPPLICATIONCOMMANDS: 1
                            RT_MANIFEST: 1
                            RT_VERSION: 1

                        Number of PE resources by language
                            ENGLISH US: 61

                        ExifTool file metadata
                            CodeSize: 414208
                            SubsystemVersion: 5.1
                            OfficialBuild: 1
                            LinkerVersion: 12.0
                            ImageVersion: 0.0
                            FileSubtype: 0
                            FileVersionNumber: 36.0.1985.143
                            LanguageCode: English (U.S.)
                            FileFlagsMask: 0x0017
                            FileDescription: Google Chrome
                            CharacterSet: Unicode
                            InitializedDataSize: 453632
                            FileOS: Win32
                            MIMEType: application/octet-stream
                            LegalCopyright: Copyright 2012 Google Inc. All rights reserved.
                            CompanyShortName: Google
                            FileVersion: 36.0.1985.143
                            TimeStamp: 2014:08:07 03:31:49+01:00
                            FileType: Win32 EXE
                            PEType: PE32
                            InternalName: chrome_exe
                            FileAccessDate: 2014:10:20 20:36:22+01:00
                            ProductVersion: 36.0.1985.143
                            UninitializedDataSize: 0
                            OSVersion: 5.1
                            FileCreateDate: 2014:10:20 20:36:22+01:00
                            OriginalFilename: chrome.exe
                            Subsystem: Windows GUI
                            MachineType: Intel 386 or later, and compatibles
                            CompanyName: Google Inc.
                            ProductShortName: Chrome
                            ProductName: Google Chrome
                            ProductVersionNumber: 36.0.1985.143
                            LastChange: 287914
                            EntryPoint: 0x49c8f
                            ObjectFileType: Executable application

                        • 9. Re: Possible unidentified virus file: Dkzbhjgkyhj.exe
                          freondude

                          I seem to have stopped the file from running... I simply renamed the file extension. I was surprised I could rename a file that was in use, but I'll take what small victory I can. In Task Manager, the multiple instances of the file slowly dropped off the list. For the past 30 minutes, it has not reappeared. My video card fan is no longer spinning at top speed in protest. Do I consider this a solution? Hardly. It is an effective short-term band-aid though.
