
Fake Google Chrome (jhtrmnotfjhv.exe) processes


This topic is locked.
10 replies to this topic

#1 pantojaf

Posted 23 October 2014 - 10:19 AM

Hello. I believe I'm having a similar issue to the one resolved in the following post:

http://www.bleepingcomputer.com/forums/t/545472/fake-google-chrome-browserexe-processes/

Google Chrome is not installed on my PC, but the Task Manager continues to show 3 instances of the Google Chrome process named "jhtrmnotfjhv.exe" running. If I end the processes, they just reappear. I ran Malwarebytes, Spybot, and SuperAntiSpyware but no suspicious files were detected. The file was originally saved in "c:/users/%username%/appdata/locallow/macromedia/jognafav/udrswncoq". I surmised after some online research that all of the content in subfolder "jognafav" was bogus, so I logged in as an administrator and removed the entire folder. However, when I logged back in as myself an identical version of this folder (and all its contents) reappeared in "c/users/%username%/appdata/locallow/temp". I'm convinced this process is affecting my PC's performance as I've noticed changes in the past few days. Can you please help? I downloaded the DSS tool and generated the requested logs. These are attached for your review.

Thank you.


#2 deeprybka (Malware Response Team, Germany)

Posted 23 October 2014 - 11:36 AM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 pantojaf (Topic Starter)

Posted 23 October 2014 - 01:35 PM

Hello, Jürgen.  Thank you for offering your assistance.  As instructed, I ran the FRST tool and have attached the requested output.


#4 deeprybka (Malware Response Team, Germany)

Posted 23 October 2014 - 01:55 PM

Hi, 

Malware Warning

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER.



Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    HKU\S-1-5-21-498130996-2109607521-2642557349-1000\...\Run: [Noofebn] => regsvr32.exe /s "C:\Users\Freddie\AppData\Local\Apps\Noofebn.dll" <===== ATTENTION
    C:\Users\Freddie\AppData\Local\Apps\Noofebn.dll
    EmptyTemp:
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.


After the Reboot:

Step 2

Please uninstall some programs:
  • Windows Vista/7: Open Programs and Features by clicking the Start button and then clicking Programs and Features.
  • Search and select the following programs one by one and click on Uninstall

    BrowserSafeguard

Step 3

Please download AdwCleaner (by Xplode) and save it to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.
Step 4

frst.pngfrstscan.png

Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

Edited by deeprybka, 23 October 2014 - 01:58 PM.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#5 pantojaf (Topic Starter)

Posted 23 October 2014 - 09:28 PM

Hi, Jürgen.  I completed steps 1-4 and have attached the 4 files for your review.


#6 deeprybka (Malware Response Team, Germany)

Posted 24 October 2014 - 12:58 AM

Hi,
please do the following:

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    Task: {1EC7FAEE-B141-4B07-BFE7-78A6D2143D2B} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
    Task: {511461D5-FA70-4B58-9A38-EB96CB787FB9} - System32\Tasks\4872 => Wscript.exe C:\Users\Freddie\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
    Task: {5770D597-E42D-4420-BF4E-CA5B92EDED96} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
    Task: C:\Windows\Tasks\SpeedyPC Pro.job => C:\Program Files (x86)\SpeedyPC Software\SpeedyPC\SpeedyPC.exe <==== ATTENTION
    Task: C:\Windows\Tasks\SpeedyPC Registration3.job => C:\Program Files (x86)\Common Files\SpeedyPC Software\UUS3\UUS3.dll <==== ATTENTION
    Task: C:\Windows\Tasks\SpeedyPC Update Version3.job => C:\Program Files (x86)\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe <==== ATTENTION
    AlternateDataStreams: C:\Users\Public\DRM:احتضان
    C:\Program Files (x86)\ClickPotatoLite\
    C:\Users\Freddie\AppData\Local\yaggoymeo\
    URLSearchHook: HKCU - (No Name) - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - No File
    SearchScopes: HKLM - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://astromenda.com/results.php?f
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
    BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
    BHO: No Name -> {56bc31de-97ab-4563-8599-ad5d4e9800f9} ->  No File
    BHO-x32: No Name -> {56bc31de-97ab-4563-8599-ad5d4e9800f9} ->  No File
    Toolbar: HKCU - No Name - {7AEB3EFD-E564-43F1-B658-5058A7C5743B} -  No File
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} -  No File
    ShellExecuteHooks-x32:  - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -  No File [ ]
    2014-10-22 11:25 - 2011-12-21 23:10 - 00000000 ____D () C:\Windows\System32\Tasks\NCH Software
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

After the Reboot:

Step 2


Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
    (the settings are shown in the original post's screenshot)
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the path shown in the original post's screenshot.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

Step 3


Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
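The fixlists in posts #4 and #6 single out a small number of FRST entries, and the reasoning behind each pick is the same every time: a Run key that makes regsvr32 load a DLL from AppData, scheduled tasks named only with digits that launch wscript on a .vbs in Temp, BHO and toolbar entries whose target file no longer exists, an alternate data stream under Users\Public, and, from post #1, a process with a random-looking name running out of LocalLow. The Python script below is an added example, not FRST's own code and not something the thread's helper posted; it applies those heuristics to FRST-style log lines so the pattern behind the fixlists can be studied on its own. The sample lines are constructed: most are copied from the fixlists above, the process line is built in FRST's "(Publisher) path" style for the executable named in post #1 (that format is an assumption), and the two "Example Vendor" entries are invented benign entries for contrast.

```python
"""Triage FRST-style log lines for persistence that points into user-writable locations.

Added example; not FRST's code. Sample lines are constructed from this thread's fixlists.
"""
import re
from typing import Dict, List

# Locations a standard user can write to; autostarts pointing here deserve a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Signed Windows binaries commonly used to load someone else's DLL or script.
SCRIPT_OR_DLL_HOST = re.compile(r"\b(regsvr32|wscript|cscript|rundll32|mshta)\.exe\b", re.I)
# Last "name.ext" reference on a line, used for the random-name check.
FILE_REF = re.compile(r"([A-Za-z0-9_\-]+)\.(exe|dll|vbs|job)\b", re.I)
VOWELS = set("aeiou")

SAMPLE_LINES = [
    # Constructed process line (assumed FRST "(Publisher) path" format) for the process in post #1.
    r"() C:\Users\Freddie\AppData\LocalLow\Macromedia\jognafav\udrswncoq\jhtrmnotfjhv.exe",
    # Entries copied from the fixlists in posts #4 and #6.
    r'HKU\S-1-5-21-498130996-2109607521-2642557349-1000\...\Run: [Noofebn] => regsvr32.exe /s "C:\Users\Freddie\AppData\Local\Apps\Noofebn.dll"',
    r"Task: {511461D5-FA70-4B58-9A38-EB96CB787FB9} - System32\Tasks\4872 => Wscript.exe C:\Users\Freddie\AppData\Local\Temp\launchie.vbs //B",
    r"Task: {1EC7FAEE-B141-4B07-BFE7-78A6D2143D2B} - System32\Tasks\0 => Iexplore.exe",
    r"BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File",
    r"AlternateDataStreams: C:\Users\Public\DRM:احتضان",
    # Constructed benign entries for contrast (vendor and paths are invented).
    r"(Example Vendor) C:\Program Files\Example Vendor\updater.exe",
    r'HKLM\...\Run: [ExampleUpdater] => "C:\Program Files\Example Vendor\updater.exe"',
]


def looks_generated(stem: str) -> bool:
    """Crude check for machine-generated names such as jhtrmnotfjhv: long and almost vowel-free."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage_line(line: str) -> List[str]:
    """Return the reasons an FRST-style line deserves attention (empty list = nothing noticed)."""
    s = line.strip()
    reasons: List[str] = []
    if not s:
        return reasons

    if s.startswith("("):
        # Process line: "(Publisher) C:\path\image.exe" (format assumed for this example).
        publisher, _, path = s[1:].partition(") ")
        if USER_WRITABLE.search(path):
            reasons.append("running process from user-writable path")
        if not publisher.strip():
            reasons.append("process image has no publisher")
    else:
        kind = s.split(":", 1)[0]  # "Task", "HKU\...\Run", "BHO", "AlternateDataStreams", ...
        autostart = kind.startswith("Task") or kind.endswith("\\Run")
        if "No File" in s:
            reasons.append("orphaned entry: target file is missing")
        if autostart and SCRIPT_OR_DLL_HOST.search(s) and USER_WRITABLE.search(s):
            reasons.append("autostart uses a script/DLL host to load from a user-writable path")
        elif autostart and USER_WRITABLE.search(s):
            reasons.append("autostart points into a user-writable path")
        if re.search(r"\\Tasks\\\d+\s", s):
            reasons.append("scheduled task with a numeric-only name")
        if kind == "AlternateDataStreams":
            reasons.append("alternate data stream: payload hidden behind a normal-looking file")

    refs = FILE_REF.findall(s)
    if refs and looks_generated(refs[-1][0]):
        reasons.append(f"file name {refs[-1][0]!r} looks machine-generated")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; lines with nothing noticed are left out."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line[:78])
        for reason in reasons:
            print("   -", reason)
```

Every entry the helper put in a fixlist trips at least one rule, the two invented vendor entries trip none, and the post #1 process trips three (user-writable path, no publisher, vowel-free name). The heuristics are deliberately narrow and miss plenty; they are a starting point for reading a log, not a replacement for the judgement the Malware Response Team applied here.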

#7 pantojaf (Topic Starter)

Posted 24 October 2014 - 09:09 AM

Hi, Jürgen.  I completed steps 1-3 and have attached the 4 requested files.  Thank you.

Edited by pantojaf, 24 October 2014 - 09:09 AM.


#8 deeprybka (Malware Response Team, Germany)

Posted 24 October 2014 - 10:47 AM

Looking good, ESET hasn't found any active malware. :)

SpyBot S&D Warning

MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:

  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for SpyBot, right-click the entry and click Uninstall.

This is optional, but please consider it.
 
That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restorepoints:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this malware exploits security holes in installed software (e.g. browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

 

Adobe Reader X

 

Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#9 pantojaf (Topic Starter)

Posted 24 October 2014 - 03:56 PM

Hi, Jürgen.  What a wonderful first experience with this forum.  Thank you so much for your expertise.

 



#10 deeprybka (Malware Response Team, Germany)

Posted 24 October 2014 - 04:06 PM

Hi, Jürgen.  What a wonderful first experience with this forum.  Thank you so much for your expertise.


You are more than welcome!
Take care!


regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#11 deeprybka (Malware Response Team, Germany)

Posted 25 October 2014 - 06:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer



