Infected with adware after running g2mdlhlpx.exe


7 replies to this topic

#1 rpoblad

rpoblad

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 31 August 2014 - 09:02 PM

I found an executable in my profile.  The name was g2mdlhlpx.exe.  I thought I knew what this was but I was wrong. 

 

After I clicked on it there was no visual feedback but I believe I got an adware infection. When I use IE to access certain web pages, various words in the page are turned into web links that are underlined twice. The links go to ads that have “AdChoices” grayed out in the top banner of the popup.

 

I have run Malwarebytes and AdwCleaner. I reset IE. I didn’t see anything in Add/Remove Programs to remove. I can’t get rid of this doing the things I know. Please help.




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:20 PM

Posted 01 September 2014 - 12:54 AM

The file g2mdlhlpx.exe is not a virus. It is installed when you run Citrix GoToMeeting.

 

This was detected by Zone Alarm, Norton / Symantec, and a few other programs.

 

The problem dates back a few years, and if it is not harming you, it can be left, or removed if you do not use Citrix GoToMeeting.

 

Thank You -



#3 rpoblad

rpoblad
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 01 September 2014 - 01:19 AM

I don't use GoToMeeting. I have read on the web that this file name has also been used for adware install.
It is possible that this has nothing to do with my current adware infection. I am infected however. I can tell for sure that this is so by going to a website and seeing text on the screen that gets turned into links for ads.

#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:20 PM

Posted 01 September 2014 - 01:47 AM

OK -

The information was posted on the .exe you listed -

 

Please read the information with care and take your time.

Download all programs to Desktop, and Copy and Paste all logs -

 

Please download and run RKill by Grinler.

  • A black DOS box will appear for a short time and then disappear.
  • This is normal and indicates the tool ran successfully.
  • At most the tool will usually run for about 2 minutes

Please Copy and Paste the log back here.

 
Do not reboot your computer until you complete the next step.

 

 NOW :

  • Download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
     * Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button (only once)
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button only once for accuracy.
  • A report (AdwCleaner[R0].txt) will open in Notepad for your review.
  • Check the listed removals and see if you are OK with them.
  • If you have questions, post the Report log back here.

 Next

  • Click on the Clean button only once for accuracy
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK finally to allow AdwCleaner to Restart the computer and complete the removal process.
  • After rebooting, a log report (AdwCleaner[S0].txt) will open automatically.
    Copy and Paste the contents of that log in your next reply.

Note: With most Adware / Junkware / PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In many cases, using the uninstaller of the adware not only removes the adware more effectively, but it also restores any changed configuration. After uninstallation, then you can run specialized tools like AdwCleaner and JRT to fix any remaining entries they may find.

 

 

 

Download Screen317 Security Check from Here or Here and save it to your Desktop.
 * Double-click SecurityCheck.exe
 * Follow the onscreen instructions inside of the black box.
 * A Notepad document should open automatically called checkup.txt
 * Please Copy/Paste the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to.

 

 

Please download MiniToolBox  to desktop to run it.
 Checkmark the following boxes:

  • List content of Hosts
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
 Click Go and Copy / Paste the result. (result.txt)

 

 

 

Download MalwareBytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.exe to start the installation of Malwarebytes Anti-Malware.
  • Follow the instructions on your screen to complete the installation. You can find the complete installation procedure here.
  • Click Scan at the top of the screen and hit Detection and Protection.
  • Choose Custom Scan and click Scan Now.
  • Check the box next to Scan for rootkits.
  • MalwareBytes Anti-Malware will now check for the latest updates. Click Update Now if new updates are available.
  • Your computer is now being scanned, please do not use your computer during the scan.
  • If no threats were found, click View detailed log.
  • Click Export and save the log as a .txt file on your Desktop or another location.
  • If the scan detected any threats, click Apply Actions. To complete any actions taken you will be prompted to restart your computer...click on Yes.
  • After reboot, start Malwarebytes Anti-Malware again and click the History Tab at the top and select Application Logs.
  • Check the box next to Scan Log. Choose the most current scan and click View.
  • Click Export and save the log as a .txt file on your Desktop or another location.

Providing the MalwareBytes' Anti-Malware log file.
Attach the log file you just saved to your next reply for further review.

 

 

 

Thank You -

EDIT - A current reply from VirusTotal (after a quick check) gave this >>

Only 1 of the 41 detect it, and it says it is a posible_worm32.


Edited by noknojon, 01 September 2014 - 02:48 AM.


#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:20 PM

Posted 01 September 2014 - 06:35 AM

Your topic of  SocialPrivacy Ads (not in add/remove programs) was just closed today by gringo, as you are no longer replying to him.

This topic can be reopened if you send a message to a moderator or back to gringo_pr,

 

 

*************************************************************************************************************************************************************

 

Also is this a decent reply to your question to gringo ??

 

Are the double-underlined words that you are referring to like the example provided in This topic (Post #1)?

 If so, this is called In-text advertising and it is very common.

Kontera and Vibrant are two of the more popular advertising networks that provide in-text advertising and information services.

 

======= < This is a typical example (without the pop up)

 

See full post >>>> HERE <<<<

 

 

 (Credit to quietman7 for the text)



#6 rpoblad

rpoblad
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 01 September 2014 - 11:03 AM

Yes, gringo suggested I open a new topic.

 

I now wonder if I just happened to stumble across a devious web site when I did a search for "g2mdlhlpx.exe".

 

One of the hits was hxxx://xxx.tech-faq.com/g2mdlhlpxexe.html

Mod Edit: Unlinked - Hamluis.

 

When I went to this page, I saw text of the page get updated after a few seconds with text that had double underlined links under it. This looked very similar but not identical to the infection that gringo helped me get rid of. So I thought I had caught my adware disease again. However, I observed that this web page has the exact same behavior on my iPhone with Safari. It seems that this site may be a honey bucket to make people think they are infected and to then get them to try the fix they offer and then to get infected for real.

 

So I am thinking that I may not have been re-infected since I did not try any of the fixes that the web page offered.   Thoughts?


Edited by hamluis, 01 September 2014 - 05:34 PM.
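The cross-device check described in post #6 (same page, same double-underlined links on a second device), as an added example that is not part of the original thread: it compares the external script hosts in a page saved from the suspect PC with the same page saved from a second device. The saved-DOM inputs and every host name below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptHosts(HTMLParser):
    """Collect the host names of every external <script src=...> in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        # Protocol-relative URLs (//host/x.js) need a scheme to parse.
        host = urlparse("http:" + src if src.startswith("//") else src).hostname
        if host:  # relative paths such as /js/site.js have no host
            self.hosts.add(host.lower())


def script_hosts(html):
    parser = ScriptHosts()
    parser.feed(html)
    return parser.hosts


def compare_devices(suspect_html, reference_html):
    """Split script hosts into site-served (both devices) and suspect-only."""
    suspect, reference = script_hosts(suspect_html), script_hosts(reference_html)
    return {
        "site_served": sorted(suspect & reference),
        "suspect_only": sorted(suspect - reference),
    }


# Constructed sample pages; every host name is a placeholder.
REFERENCE_DOM = """<html><body><p>Some article text</p>
<script src="/js/site.js"></script>
<script src="//intext.adnetwork.example/tag.js"></script></body></html>"""

SUSPECT_DOM = REFERENCE_DOM.replace(
    "</body>",
    '<script src="https://cdn.injected.example/inject.js"></script></body>')

if __name__ == "__main__":
    print(compare_devices(SUSPECT_DOM, REFERENCE_DOM))
```

Hosts seen on both devices are served by the site itself, which is the in-text advertising case; hosts seen only on the suspect machine are leads to review, not proof, because ad pages can load different scripts on each visit.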


#7 rpoblad

rpoblad
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 01 September 2014 - 11:10 AM

You asked me

 

"Are the double-underlined words that you are referring to like the example provided in This topic (Post #1)?

If so, this is called In-text advertising and it is very common."

 

The answer is yes, in fact exactly the same. The thing that was confusing is that my real adware infection had a very similar behavior. That one only affected IE. I think my fear and concern has been resolved. You may close this. Thanks for the quick and very relevant response. You got this one spot on almost immediately. I'm impressed, (again).

 

The most recent web page I went to specifically said that g2mdlhlpx was bad and offered me a fix if I just wanted to download it. I think the people who put up that page had some devious intent. If so, it was pretty subtle and tricky. Who knows ---



#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:20 PM

Posted 01 September 2014 - 05:13 PM

>> You got this one spot on almost immediately. I'm impressed, (again). << quietman7 got the full reply if you follow it (I just follow him)....

>> I think the people who put up that page had some devious intent. << Yes. You wind up with several "Antimalware" programs that are worse than your infection...

The topic will remain open to help others, but you can stop "Following" it now or you will get any responses / questions posted ......

A current reply from VirusTotal (after a quick check) gave this >> Only 1 of the 41 detect it, and it says it is a posible_worm32. << I stand by this ..

Regards -





