Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Large Number of Fake Google Chrome Processes Running [Solved]


  • This topic is locked This topic is locked

#16
TwoFourSix

TwoFourSix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts

Hi, here's the log file produced by the latest FRST run.  I checked the LocalLow directory after the run and it looks like the Temp subdirectory did not get cleaned out. 

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:28-06-2015 01
Ran by The Green Dream at 2015-07-07 08:54:20 Run:2
Running from C:\Users\The Green Dream\Desktop
Loaded Profiles: The Green Dream &  (Available Profiles: The Green Dream)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
 CreateRestorePoint:
 CloseProcesses:
 C:\Users\The Green Dream\AppData\LocalLow\EmieBrowserModeList
 C:\Users\The Green Dream\AppData\LocalLow\EmieUserList
 C:\Users\The Green Dream\AppData\LocalLow\EmieSiteList
 CMD: ipconfig /flushdns
 CMD: netsh advfirewall reset
 CMD: netsh advfirewall set allprofiles state on
 Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
 Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
 CMD: bitsadmin /reset /allusers
 CMD: DEL %TEMP%\*.* /F /S /Q
 CMD: RD /S /Q %TEMP%
 RemoveProxy:
 Reboot:
 end
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\The Green Dream\AppData\LocalLow\EmieBrowserModeList => moved successfully.
C:\Users\The Green Dream\AppData\LocalLow\EmieUserList => moved successfully.
C:\Users\The Green Dream\AppData\LocalLow\EmieSiteList => moved successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state on =========

Ok.

========= End of CMD: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{8E868DBD-F1C3-4CAF-A347-0802D5D3032C} canceled.
1 out of 1 jobs canceled.

========= End of CMD: =========

=========  DEL %TEMP%\*.* /F /S /Q =========

Deleted file - C:\Users\THEGRE~1\AppData\Local\Temp\CVHLauncher(201507062144281900).log
C:\Users\THEGRE~1\AppData\Local\Temp\FXSAPIDebugLogFile.txt
The process cannot access the file because it is being used by another process.
Deleted file - C:\Users\THEGRE~1\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml
Deleted file - C:\Users\THEGRE~1\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx

========= End of CMD: =========

=========  RD /S /Q %TEMP% =========

C:\Users\THEGRE~1\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1737765885-1117587993-3094924587-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1737765885-1117587993-3094924587-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1737765885-1117587993-3094924587-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1737765885-1117587993-3094924587-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

 

The system needed a reboot..

==== End of Fixlog 08:55:50 ====


  • 0

Advertisements


#17
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

The command %Temp% will only look at the directory that corresponds to the System variable for a Temp directory location for your user account.  It does not look everywhere else on the system to delete all Temp directories and / or the file(s) those directories hold.
 
You can see what physical locations the System shortcuts point to by typing them into the address bar of Explorer.
 

 

How is your system running now?


  • 0

#18
TwoFourSix

TwoFourSix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts

Hi debreeze,

 

You are right about the “Temp” variable.  It seems to be defined as …/AppData/Local/Temp.  Looking under …/AppData/LocalLow/Temp  though, I have a directory called “hxdngtn” created the day and time the computer was infected, and under It there is an extensive directory structure with folders with names mimicking the names of legitimate folders elsewhere on the computer (Desktop, Documents, Fonts, Local, Low, Program Files (x86), …).  All of these top-level folders are empty with the exception of the Local folder which in turn has a Google/Chrome/UserData structure under it and then under UserData, many files and folders.  All files and folders bear the same exact time as the “hxdngtn” folder.  Is there any reason why I should not delete “hxdngtn” and everything under it?

 

As far as the computer’s performance, it is working great, maybe a little slow at startup, but perfectly fine otherwise.  Many, many thanks to you for getting it to this point.  Is there anything else that I need to do or run?  If not, what should I do to help keep this from happening again in the future?

 

Thanks,

TwoFourSix


  • 0

#19
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

LocalLow should not have a Temp directory; you should be able to delete that especially the "hxdngtn" folder.
 

All right!! :D Your logs are clean and you're good to go now!! :thumbsup: We've got some final steps left to do to clean up our tools and get your system in good running condition and then you are on your way. I must say though, even though we met through less than ideal circumstances, it has been really great to work with you. :) Just run through the steps from the Cleanup of Tools to the Program Update Checker. That's it. Thanks. :cool:


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.
If you did not do so at the end of its scan, please uninstall ESET Online Scanner at this time.  You can use the Control Panel 'Add / Remove Programs' or 'Programs and Features' utility to uninstall it.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings
  • DelFixSelectall_zps0f04cec4.png
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.


Keep Windows Updated
Microsoft issues updates to Windows to close vulnerabilities as they are discovered. Staying updated helps protect your system from current exploits.

  • Click Start and then click Control Panel.
  • Click on the View by: in the upper right corner and select Large Icons (you can change this back later if you like).
  • Scroll down and click on Windows Update.
  • Click on Change settings.
  • Under Important Updates, click on Install updates automatically (recommended).
  • Select (click on) the other options on this page.
  • Select a day and time to have windows install the updates.
  • Click on Ok to change the settings.
  • If you want to change the view of the Control Panel display, click on the View by: in the upper right hand corner and select an option you prefer.

Keep other Important Programs Updated
Along with keeping Windows updated, it is a good idea to keep important programs updated. Java and Adobe Reader both need to be kept updated to the latest versions; malware writers utilize exploits in the unpatched versions to their advantages.

Java
No Java on your system so good for you (yes, there is life without Java but coffee, that's a different story!)

Adobe Reader
Adobe Reader is the second most targeted (by malware) common software. If all you ever do with Adobe Reader is view PDF files, then please consider replacing it with a lighter, free PDF reader that is not exploitable. One that we recommend is Sumatra PDF.

To update Adobe Reader:

  • Launch your Adobe Reader.
  • Click Help and then click on About Adobe Reader from the menu list.
  • If the version is 11.0.04 then you are up to date. If it is less than this and you are keeping Adobe Reader, you should update to the latest version.
  • The best place to get Adobe Reader is from Adobe (click on Adobe to go there now).
  • Click on Download in the menu bar on top of the Adobe web page.
  • Click on Adobe Reader in the list on the right hand side of the page.
  • On the next page, click on the check mark (to turn it off) beside the option to include the McAfee scanner in the download and install. Make sure the check is NOT marked (this is another example of Foistware).
  • Click the Install Now button and follow the directions on next page.
  • If you are prompted to Save the installer file, choose to save it to your desktop. Once it is saved, right click on the file and select Run as Administrator.
  • When the installation is finished, you can delete the installer file on your desktop.

Consider a program that will check for out-of-date programs on your system
Some programs don't have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Heimdal Free from Heimdal Security (you can get the software from here and read more about it on the same page).


You are now done! :yeah:

Now some information on programs to help keep you safe:

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have now-a-days. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Emsisoft Online Armor  -  installs as trialware which converts to freeware in 30 days
Zone Alarm Free Firewall  -  installer includes foistware so read the options very carefully

=== options ====
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing.  By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system.  You can read the details about this program here.

Also, consider adding MalwareBytes Antimalware to your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
 How did I get infected in the first place?
and
COMPUTER SECURITY - a short quide to staying safer online
 

I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!


  • 0

#20
TwoFourSix

TwoFourSix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts

Hi debreeze,

 

I cleaned up the .../AppData/LocalLow/Temp directory and then emptied the recycle bin.  I then downloaded and ran the delfix program and have pasted the log file below.  I am working through implementing your various suggestions (and those of the articles you have pointed me to) on protecting my computer.  I think all looks good on the computer (let me know if you disagree).  Many thanks to you for all of your help and advice!  Not only do I feel I have a healthy system but I have learned a lot.

 

Regards,

TwoFourSix

 

# DelFix v1.010 - Logfile created 09/07/2015 at 23:48:12
# Updated 26/04/2015 by Xplode
# Username : The Green Dream - THEGREENDREAM
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\The Green Dream\Desktop\FRST-OlderVersion
Deleted : C:\Users\The Green Dream\Desktop\Addition-06-20-15.txt
Deleted : C:\Users\The Green Dream\Desktop\adwcleaner_4.207.exe
Deleted : C:\Users\The Green Dream\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\The Green Dream\Desktop\Fixlog-07-05-15.txt
Deleted : C:\Users\The Green Dream\Desktop\Fixlog.txt
Deleted : C:\Users\The Green Dream\Desktop\FRST-06-20-15.txt
Deleted : C:\Users\The Green Dream\Desktop\FRST64.exe
Deleted : C:\Users\The Green Dream\Desktop\Search.txt
Deleted : C:\Users\The Green Dream\Downloads\adwcleaner_4.207.exe
Deleted : C:\Users\The Green Dream\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\The Green Dream\Downloads\FRST64 (1).exe
Deleted : C:\Users\The Green Dream\Downloads\FRST64.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #73 [Scheduled Checkpoint | 05/26/2015 21:41:25]
Deleted : RP #74 [Windows Update | 06/07/2015 13:37:56]
Deleted : RP #75 [Windows Update | 06/12/2015 12:55:58]
Deleted : RP #76 [Scheduled Checkpoint | 07/01/2015 17:36:36]
Deleted : RP #78 [Restore Point Created by FRST | 07/05/2015 13:39:49]
Deleted : RP #80 [Restore Point Created by FRST | 07/07/2015 12:54:34]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


  • 0

#21
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Glad to have been of help and that you learned from this experience.  

 

Come back anytime you need assistance; Geeks to Go not only has malware removal but assistance with programs and OS / hardware.  Great bunch of people here helping others.  :wave:

 

Enjoy your summer; surf safely!! :prop:


  • 0

#22
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP