3

Multiple instances (between 3 and 15) of this process Wslxrqjet.exe are running on my Windows 8 system at all times. Windows Task Manager 'Description' field for all instances is "Google Chrome". Yet I have uninstalled Google Chrome from my system.

Location of the executable on my system is C:\Users\RickReeves\AppData\LocalLow\Browseforchange\egdpdkynurp\gfuxocjp\Wslxrqjet.exe (840 kb).

Constantly changing program memory entry is 37,676.

Of course I tried deleting it, but since it is an active process, I can't delete it.

A Google search for this file reveals NOTHING.

Does anyone have any information regarding this program such as how to remove?

Deer Hunter
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Dec 12 '14 at 07:23
  • @DeerHunter This question does not address security, merely an unknown process, hence why I added 'malicious' to the title in my edit. Not sure why it is unacceptable to you. – cremefraiche Dec 12 '14 at 07:33
  • @cremefraiche - when editing please take care to fix all the issues you can find, including typos and grammar. – Deer Hunter Dec 12 '14 at 07:40
  • Reference: https://meta.security.stackexchange.com/a/1570/13820 – Deer Hunter Dec 12 '14 at 07:44
  • 2
    Browseforchange is a browser extension where every time you shop on a supported site, a small amount is donated to the charity (sounds more like phishing). Check IE if you have the extension installed? – void_in Dec 12 '14 at 07:50
  • @void_in - this should be an answer, it seems. There are tons of tutorials on the extension's removal out there, you could provide a link to one. – Deer Hunter Dec 12 '14 at 07:56
  • @DeerHunter I thought I should wait for the OP to confirm that it is indeed the extension problem. If he confirms, then I would write it as an answer. – void_in Dec 12 '14 at 09:43
  • This is not an answer... I don't have the rep yet to post a comment, so... Does VirusTotal tell you anything? https://www.virustotal.com/ "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." – Ed Daniel Dec 12 '14 at 10:05

2 Answers

1

Removing the process should be pretty easy: change the security on the EXE to deny the Execute permission (this can be done on a file with running processes), and then run taskkill /f /im Wslxrqjet.exe to terminate all instances of the running process as simultaneously as possible. New instances won't be able to start (unless something reset the permissions on the file). You can then delete the EXE.

Another option would be to create a new user with admin rights, log out of your account, log into the other user, and delete the file out of your usual account. You could also shut down and boot the machine off different media (such as a Linux live image or a Windows install/recovery disk), mount the C: drive, and delete the file from there. There are lots of ways to handle this.

You can also try investigating the process while it's running. See which process launched each instance, who it's running as, and more by using a tool like Process Explorer (free download, part of Microsoft's Sysinternals suite). See what the process is doing by checking its network activity, file handles, and so on using Resource Monitor (built into Windows, gives more details than Task Manager) or - for tons of detail - Process Monitor (also free, part of Sysinternals). Even if it is malicious - not guaranteed - it's had long enough to run that it's probably done its harm at this point. However, if you want to prevent it from doing anything while you examine it, use Resource Monitor or Process Explorer to "Suspend" the processes.

CBHacking
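The contain-then-remove sequence from the answer above (record each instance and its parent, deny Execute on the file, kill all instances at once, check nothing respawned, then move the file out of the way) as a PowerShell script. This is an added example, not code from the answer; it uses the path the question reports, assumes an elevated prompt in the affected user's session, and the quarantine folder name is an assumption.

```powershell
# Contain-then-remove for a per-user executable, following the steps in the answer.
# Assumption: run from an elevated PowerShell prompt in the affected user's session.
$Target = 'C:\Users\RickReeves\AppData\LocalLow\Browseforchange\egdpdkynurp\gfuxocjp\Wslxrqjet.exe'
$Image  = Split-Path -Leaf $Target                       # Wslxrqjet.exe
$Name   = [IO.Path]::GetFileNameWithoutExtension($Image) # Wslxrqjet, as Get-Process wants it

# 1. Record every instance with its parent and owner before touching anything.
#    The parent is the interesting part: it is what keeps spawning the copies.
$report = Get-CimInstance Win32_Process -Filter "Name = '$Image'" | ForEach-Object {
    $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID         = $_.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        User        = "$($owner.Domain)\$($owner.User)"
        CommandLine = $_.CommandLine
    }
}
$report | Format-Table -AutoSize

# 2. Deny Execute for Everyone on the file. This is allowed while it is running,
#    and it stops any parent from starting a fresh copy after the kill.
$acl  = Get-Acl -LiteralPath $Target
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ExecuteFile', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $Target -AclObject $acl

# 3. Kill all instances in one go, then give a spawner a moment to try again.
taskkill /F /IM $Image | Out-Null
Start-Sleep -Seconds 3
$left = Get-Process -Name $Name -ErrorAction SilentlyContinue
if ($left) {
    Write-Warning "Still running (PID $($left.Id -join ', ')): look at the Parent column above."
    return
}

# 4. Nothing running and nothing able to start: move the file out of the way instead
#    of deleting it, so it can still be uploaded to a scanner such as VirusTotal.
#    The quarantine folder name is an assumption; the .bin suffix stops accidental launches.
$Quarantine = Join-Path $env:USERPROFILE 'Quarantine'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
Move-Item -LiteralPath $Target -Destination (Join-Path $Quarantine "$Image.bin") -Force
Write-Host "Quarantined $Target -> $Quarantine\$Image.bin"
```

If the warning fires, the Parent column names whatever is restarting the copies (a scheduled task, a Run key entry or another process), which is the thing to remove next.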
0

Unless you know full info about the malware, or your AV itself removes it, it cannot be fully determined for sure that you have removed the traces. Even if you are able to delete that particular instance, it will re-spawn with a different name.

By the looks of your problem, the malware is installed per-user rather than system-wide (because the extension/malware resides in localappdata).

The easiest way to get rid of the problem is to create a new user account. And then make sure you are not installing that plugin again.

If you can share more details I can give a better answer.

Ashutosh Raina