"Windows Process Manager" Virus hogging resources (processing power and RAM) in the background

muhtaseem96

Oct 29, 2017
http://puu.sh/yahkC/fe1da6fcdd.png
As you can see in the screen clip, there's this "Windows Process Manager" thing with multiple "clients" running in the background and it consumes a huge amount of RAM and processing power. http://puu.sh/yahBg/aaf2bebc2b.png
There are multiple instances that can take up to 500 MBs of RAM if left without ending the task. Opening file location leads to this folder:
http://puu.sh/yahG4/3f6cff59bf.png
I've tried using ReasonCore Security alongside regular Windows Defender checks to try and get rid of it, but to no or limited effect. I recall Windows Defender showing me warnings of Trojan infection, if this info helps.
http://puu.sh/yahLI/a4647d00a1.png

Any help would be greatly appreciated, thank you
 
SumTingW0ng

Aug 6, 2017


Run the following tools at full scan:

Emsisoft Emergency Kit

Malwarebytes Anti Malware

HitmanPro

ESET Online Scanner

Kaspersky TDSSKiller
 

muhtaseem96

Oct 29, 2017


http://puu.sh/yaipO/1a76ebbe62.png
I tried but it says something about the requested resource being already in use. I remember I'd been having this same error for several antivirus programs I'd tried for free earlier and ReasonCore Security was the only one that didn't. How would this be fixed?

 

muhtaseem96

Oct 29, 2017


Hey, Emsisoft seems to have worked so far as after running its full scan, there is no sign of "Windows Process Manager" in my task manager but I will see if I need to run the other antivirus since I'll monitor my PC for a bit in the meantime. Thank you so much!
 

JoshRoss

Jul 11, 2017
Have you also received an error message saying “The Requested Resource is in Use”? If your answer is yes, then it might be that you are dealing with some kind of rootkit. Download Malwarebytes (there is also such a tool as the Malwarebytes Anti-Rootkit Beta version that you should try as well) and identify its location. If you are interested in fixing your computer manually, you can also check these steps:

https://ugetfix.com/ask/how-to-fix-the-requested-resource-is-in-use-error/
 
Solution

SumTingW0ng

Aug 6, 2017


Did you run a full scan on all the tools I listed? On Emsisoft, you have to choose custom scan to perform a full system scan, not malware scan, aka smart mode scan.
 

muhtaseem96

Oct 29, 2017


I tried booting in safe mode but it still gives the same "requested resource is in use" error when I try to use Malwarebytes as well as the Malwarebytes Anti-Rootkit Beta version. While using Emsisoft to scan for viruses while in Safe Mode, something caused Emsisoft to crash and I wonder if it had to do with the virus, which is probable at this point.
http://puu.sh/yb4eu/4d50ef145e.png
 

muhtaseem96

Oct 29, 2017


Yes, I have, but it won't let me run those due to the "Requested Resource is in Use" error even while in Safe Mode. The only antiviruses that seem to even run at all are Windows Defender, ReasonCore Security and Emsisoft. Thank you though, I will check that link.
 

everest_home

Dec 2, 2017
This IS a rootkit+trojan and backdoor.

You may have to reformat. This particular virus is annoyingly nasty. I ran into it out of my own stupidity. Simply put, there are no current, at time of posting, definitions to kill it by any vendor.

Allow me to restate. At this point of posting NO antivirus can completely remove this. I tried literally everything. Emsisoft is the only one that did anything at all. Even my paid antivirus did nothing.

There are 4-5 files running at all times.
There are two Windows process managers running at all times.
There are two 'windows services' running as well that you won't recognize (easily noticed if you know the OS).
There is another executable that replaces missing files if you manage to delete anything (not running, runs once at start).
The names of the 3rd, 4th and 5th processes are randomly generated along with the folders they rest in.

You cannot terminate via CMD or PowerShell because all run as a child process of Services.exe, which is a Windows service. If you terminate it /t /f you WILL bluescreen. Also the PIDs are false and randomly generated each time. You may also notice one exe saying it's linked to a PID that doesn't exist and can't be terminated. You can also neither force delete nor suspend their processes.

I was able to eliminate the process manager executables that were in a locked folder in user/name/app data/local, and they did not come back. However I could not eliminate the other two processes that were running because removing either would simply be replaced on restart by the 5th executable I could not locate.

ALL parts send data out over your network connection unless you can block it with a REAL firewall, not the Windows garbage. The troubling thing is the Windows process exes would launch multiple exes and ALL would send data out at an alarming rate. I cannot say what they were sending other than that they were sending data. None of my personal accounts have been attempted at, but I also have 2step on everything important. Also the IPs it was sending data to were likely false or behind a VPN since there was no single IP receiving a lot of information. Reported them all the same.

In the end I could not eliminate the 3 remaining exes and was forced to reformat. I tried contacting Avast to get a definition created for this thing, but I got no reply from them. Very disappointed in that fact.

Emsisoft was able to detect one part after getting rid of the first two, but would then crash/hang on that third file indefinitely on detection. I left it running all day and it was still hung on the file after. I tried a few times in/out of safe mode and the root account with no luck.

If you're running Windows 10 you can download an ISO from Microsoft directly and you'll only need your serial to install. This was my route, except my computer is BIOS activated so no serial needed. I would suggest using another machine to do this on. I can't guarantee that the virus doesn't have the ability to hop to another device.
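
The layout described in the post above (processes parented by services.exe, unfamiliar services, an executable that runs once at start) can be listed with built-in PowerShell. This is an added example, not part of the thread; the trusted-path rule and the helper names `Test-TrustedPath`, `Get-ImagePath` and `Get-SignatureStatus` are assumptions made for illustration.

```powershell
# Added triage sketch, read-only: it lists candidates and never kills or deletes.
# Assumption: an image outside the Windows / Program Files trees deserves a look.
# Run elevated; a hit is a lead to verify, not a verdict (some vendors install
# services under ProgramData), and a rootkit can hide entries from a live system.
$trusted = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath([string]$Path) {
    if (-not $Path) { return $false }   # path not readable: report it
    foreach ($root in $trusted) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ImagePath([string]$CommandLine) {
    # Service and startup entries are command lines: optional quotes, then arguments.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $CommandLine
}

function Get-SignatureStatus([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
    return 'FileNotReadable'            # constructed label, not a real status value
}

# 1. Processes started by the Service Control Manager from an unexpected location.
$procs = Get-CimInstance Win32_Process
$scm = $procs | Where-Object Name -eq 'services.exe' | Select-Object -First 1
$procs | Where-Object { $_.ParentProcessId -eq $scm.ProcessId -and
                        -not (Test-TrustedPath $_.ExecutablePath) } |
    Select-Object ProcessId, Name, ExecutablePath,
        @{ n = 'Signature'; e = { Get-SignatureStatus $_.ExecutablePath } }

# 2. Registered services whose binary lives outside the trusted trees.
Get-CimInstance Win32_Service | ForEach-Object {
    $image = Get-ImagePath $_.PathName
    if (-not (Test-TrustedPath $image)) {
        [pscustomobject]@{ Service = $_.Name; State = $_.State; StartMode = $_.StartMode
                           Image = $image; Signature = Get-SignatureStatus $image }
    }
}

# 3. Run-key and Startup-folder entries (scheduled tasks are not covered here).
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
```

Saving the output to removable media before a reformat preserves the file names and paths for a later report to an antivirus vendor.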
 

kleinevampir

Dec 16, 2017
This guy is right. I'm not as technical as him, but I've tried a few different anti-viruses, anti-malware programs...they take a lot of time but they don't do much. I tried a few programs to force delete it too, but not even those dedicated programs could delete the folder it's in. Of course I can't just end the process. It won't let me do anything to the folder. I even tried /d in the command prompt, manually typing out the folder, and it still said access denied. As much as I'd love to beat this thing, it seems I just cannot do it. Oh, ComboFix won't even run btw. Norton's power eraser got CLOSE to getting rid of it, but in the end the dang thing managed to jam up that too, and it came up with an error. The first time I ran it, I thought for a second it might have worked. But when it came to actually deleting it, error. And I know that it sends out data...hopefully Norton is doing something to keep this thing at bay until I can get my hands on the OS CD so I can just reformat. I hate to admit defeat after over a day of fighting this thing, but...It seems like no piece of software I can get my hands on is capable of getting rid of it.

 

shadowh

Dec 20, 2017


I just got this virus this morning and have tried everything. The trojan will not even let me boot in safe mode or reset my PC. I believe I've found the files responsible for this, but I do not have permissions to delete them from my System32. I've noticed also that it combats any attempts to delete it as well by not letting you run antiviruses a second time, at least for me. I'm forced to reinstall them and then perform another scan in hopes of deleting it. I don't think there is a solution at this time. Btw, I'm pretty sure I got this virus after trying to download FL Studio from Pirate Bay, so just be careful, guys. Hang in there.
 

m.jiaji02

Dec 16, 2017

The virus is in my app data folder. This is a pretty new virus, so none of the antivirus software is able to recognize it.
Did you reinstall your operating system?
 

shadowh

Dec 20, 2017

I can't. I'll select "get started" from the recovery options and nothing happens.
 

m.jiaji02

Dec 16, 2017

No. I mean reinstalling your Windows system after uninstalling it. Have you done it?
 

shadowh

Dec 20, 2017

I don't think so. How do you do it?