Jump to content

cmd.exe, conhost.exe & 27 Chrome.exe files auto run when I open Chrome! Computer is so slow!!


Recommended Posts

Hey guys,

I need help. My computer has been SUPER laggy, to a point of where my mouse lags and when I type and the computer is becoming unusable. 

I took a look at my Task Manager and I see cmd.exe, conhost.exe and (27) chrome.exe files start running as soon as I run Chrome. But, when I close all Chrome.exe files, the computer is still super laggy. 

Here is a iCloud video I took of my task manager showing the excessive power usages.

https://share.icloud.com/photos/0eTUFKpQcbgh3Y0t9SyYn5dfg 

I did a few scans from different applications.

- ESET Regular Scan: Nothing.

- ESET Online Scanner: Nothing.

- Malware Bytes: Nothing.

- Malwarebytes AdwCleaner: Nothing

- Junkware Removal Tool (JRT) by Malwarebytes: A few things found, I attached the log file.

- RogueKiller Anti-Malware V15.0.8.0: A few things found, I attached the log file.

- Rkill 2.9.1: Nothing found.

- TDSSKiller: Nothing found.

- Norton Power Eraser: Nothing found.

- Combo Cleaner: A few things found, after I deleted them. Problem still continues.

I don't know what's going on but several days ago my website was infected (it would be redirected elsewhere) and whenever users visited the website it redirected to a random site, I'm not too sure if that has any connection.

Every time I terminate the additional chrome.exes and cmd.exe and conhost.exe - Chrome, itself crashes along with the installed extensions.

I also made a 1min video show casing it: https://screencast-o-matic.com/watch/criUVXViKLY 

I also attached both files from Farbar Recovery Scan Tool.

Combo Cleaner Results.PNG

Addition.txt FRST.txt JRT_.txt RogueKiller Results.txt

Link to comment
Share on other sites

10 hours ago, moeetee said:

I took a look at my Task Manager and I see cmd.exe, conhost.exe and (27) chrome.exe files start running as soon as I run Chrome. But, when I close all Chrome.exe files, the computer is still super laggy. 

First, note that only Eset moderators can view forum attachments.

How do you start Chrome? Via desktop toolbar shortcut icon or from desktop shortcut icon? In either case, it appears something has hijacked normal Chrome startup and instead appears to be running a .bat script. 

To start diagnosis, type "Chrome" less the quote marks into the Win 10 desktop toolbar Search box. Then select Open from the Chrome app display window. Do you see cmd.exe and multiple Chrome instances running as you described above?

Link to comment
Share on other sites

1 hour ago, itman said:

First, note that only Eset moderators can view forum attachments.

How do you start Chrome? Via desktop toolbar shortcut icon or from desktop shortcut icon? In either case, it appears something has hijacked normal Chrome startup and instead appears to be running a .bat script. 

To start diagnosis, type "Chrome" less the quote marks into the Win 10 desktop toolbar Search box. Then select Open from the Chrome app display window. Do you see cmd.exe and multiple Chrome instances running as you described above?

Chrome is clicked through a desktop icon. I typed it in and clicked on Chrome and still see it.

Link to comment
Share on other sites

1 minute ago, moeetee said:

Chrome is clicked through a desktop icon. I typed it in and clicked on Chrome and still see it.

Using Win Task Manager or Process Explorer, do you see cmd.exe running?

Link to comment
Share on other sites

I would also create an Eset HIPS ask rule to monitor cmd.exe execution. Screen shots to do so are shown below.

If this rule is not triggered after the system is started and you observe cmd.exe running, it would be indicative of something starting cmd.exe at system startup time. Eset HIPS ask rules time out if not responded to and default to Allow mode. The Eset HIPS log however will show whatever started cmd.exe.

Cmd_Rule_1.png.e3498457fd119575d67f2f8aadd76033.png

Cmd_Rule_2.png.cc7bc30fc1963c915af92a335aefc010.png

Cmd_Rule_3.png.6c5ecac2198f12e5b74abfe4d7b459f3.png

Cmd_Rule_4.png.84a7a954e5a4734a0ee9b01a62c5d4c0.png

Edited by itman
Link to comment
Share on other sites

24 minutes ago, itman said:

Using Win Task Manager or Process Explorer, do you see cmd.exe running?

Here and Click on the Detail's tab.

Task Manager Process.PNG

Link to comment
Share on other sites

1 minute ago, moeetee said:

Here and Click on the Detail's tab.

Proceed with creation of the Eset HIPS rule I posted. Once that is created; BTW verify that the rule was indeed created properly by re-opening Eset HIPS rules and verifying the rule exists, reboot and see if Eset detects whatever is running cmd.exe on your device.

Link to comment
Share on other sites

17 minutes ago, itman said:

Proceed with creation of the Eset HIPS rule I posted. Once that is created; BTW verify that the rule was indeed created properly by re-opening Eset HIPS rules and verifying the rule exists, reboot and see if Eset detects whatever is running cmd.exe on your device.

Got it.

 

How's this?

https://screencast-o-matic.com/watch/crivouViNDE

Link to comment
Share on other sites

I just restarted the PC and when I clicked on my Chrome desktop icon, I received the popup and I clicked deny twice. I also still see 20 Chrome.exe files running though.

Chrome cmd picture.PNG

Link to comment
Share on other sites

3 hours ago, moeetee said:

I just restarted the PC and when I clicked on my Chrome desktop icon, I received the popup and I clicked deny twice. I also still see 20 Chrome.exe files running though.

Here's a thread similar to your situation: https://www.techpowerup.com/forums/threads/processes-under-google-chrome-solved.239268/ . From this, we can conclude that its normal to see many chrome.exe processes running.

As far as cmd.exe, chrome.exe is starting it per your Eset alert. The Commandline shown indicates what it is doing. What that is doing is noted here: https://stackoverflow.com/questions/39683339/how-to-invoke-chrome-native-message-host-without-arguments

Quote

It's part of the protocol and can't be disabled. The command line on Windows is something like this:

C:\Windows\system32\cmd.exe /c YOURHOSTAPP.exe chrome-extension://.................../  
--parent-window=6752474 < \\.\pipe\chrome.nativeMessaging.in.e11ed8be274e1a85 
> \\.\pipe\chrome.nativeMessaging.out.e11ed8be274e1a85

 

My best guess is you have a Chrome extension installed that is triggering this cmd.exe startup. Questionable if the cmd.exe is doing anything malicious since Eset now injects its Deep Behavior Inspection .dlls into to monitor all its activities. I do consider a cmd.exe startup from Chrome as suspect activity however.

All you can do at this point is:

1. Uninstall Chrome. Reboot. Then reinstall Chrome.

2. Remove all your existing Chrome extensions. Then one by one re-add them until you find the extension starting this cmd.exe child process startup.

Might be easier to perform no. 1). Just be careful when adding new extensions. Do them one at a time and test for this cmd.exe child process start up activity.

When you are done testing, you can leave the Eset HIPS rule in place and just disable it. This way its available if needed again.

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders

As itman said only moderators can see your attachments, which would help speed up this process for you. Both bleepingcomputer and malwaretips offer assistancewith FRST scans as well. It does appear you have a corrupt or malicious chrome extension so you should be on the way to resolving your problem. Once you identify it you should also likely submit whichever extension it is since so many products aren't detecting it.

For reference if needed;

Virus, Trojan, Spyware, and Malware Removal Help Forum - BleepingComputer.com

Windows Malware Removal Help & Support | MalwareTips Community

Link to comment
Share on other sites

Thanks guys! I did not know Chrome.exe ran so many .exe files. I did a CPU clean up i.e., alot of dust around the fans and new thermal paste and computer is running fine!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...