CivilDeath Posted May 5, 2019 ID:1311296

Hello,

This is my first time coming here and it seemed to be helpful, but I can't find what I need about my exact situation. I've checked out another forum topic (https://forums.malwarebytes.com/topic/226720-gexe-removal/) about this and it seems to have helped so far, but I'm noticing the difference that this is an actual trojan (spyware or malware, I'm not too advanced to know which one). The main issue is that my main anti-virus program (I use McAfee) can't detect it, and for some reason my Windows 10 Defender won't allow me to start a scan from it. (I presume it's because McAfee is seen as the default and overrides it.)

What has me concerned is where it's detected on my computer. To someone as inexperienced as I am, these locations (my clouds, sound profiles, and keyboard) make it seem like someone has been using it as a way to log my actions and snoop around my files.

Another thing I would like to address is that I've been getting security breach notifications from my Gmail about others trying to access it from third-party or non-Google apps (primarily from the oriental and Asian regions), along with my Minecraft account getting hacked during this same time period. I have no way of actually telling what else one or many people have access to, and I find it difficult to change my passwords if there's a chance of me being keylogged. (I have changed some of my passwords and activated 2-factor on some stuff, but I still get security notifications.)

I'd really appreciate the help.
nasdaq Posted May 6, 2019 ID:1311381

Hello, Welcome to Malwarebytes.

I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

This problem of process G at shutdown is not necessarily malware. It could be a good executable, but more than likely a hidden window that does not close normally.

To find this hidden window do the following:

Download GUIPropView from either of the following links; ensure you get the correct version for your system:
https://www.nirsoft.net/utils/guipropview-x64.zip
https://www.nirsoft.net/utils/guipropview.zip

Unzip GUIPropView to its own folder on the Desktop (preferred place), open the folder and double-click on GUIPropView.exe to run the tool. Expand the tool so it is full screen size.

Once opened, the tool window populates. From the toolbar select "TopLevel" and make sure "Display Hidden Windows" is checkmarked; once done, the tool window repopulates to include hidden windows.

Hold down the Ctrl key and select all entries that have G listed under the "Title" column. When all are selected and highlighted blue, select File > Save Selected Items. Name and save that text file to your Desktop or a place of your choice, and attach that file to your reply.

p.s. You may be interested in reading this topic that deals with the issue: https://forums.malwarebytes.com/topic/226720-gexe-removal/?page=2
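The same hidden-window check, as an added PowerShell example that is not part of nasdaq's instructions or of GUIPropView: it enumerates top-level windows including hidden ones, keeps those whose title matches a pattern (exactly "G" by default, as in this thread), and reports the owning process, its image path and its Authenticode signature status so the reader can see which program the window belongs to. The function name Find-WindowOwner, the class name Win32Windows and the default pattern are this example's own choices.

```powershell
# Added example: mirror GUIPropView's "TopLevel" + "Display Hidden Windows" view
# for windows whose title matches $TitlePattern, and resolve the owning process.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Win32Windows {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@
function Find-WindowOwner {
    param([string]$TitlePattern = '^G$')   # the thread's case: windows titled exactly "G"
    $results = New-Object System.Collections.Generic.List[object]
    $callback = [Win32Windows+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $title = New-Object System.Text.StringBuilder 512
        [void][Win32Windows]::GetWindowText($hWnd, $title, $title.Capacity)
        if ($title.ToString() -match $TitlePattern) {
            $class = New-Object System.Text.StringBuilder 256
            [void][Win32Windows]::GetClassName($hWnd, $class, $class.Capacity)
            $ownerPid = [uint32]0
            [void][Win32Windows]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            # Path is $null when access is denied; run elevated to resolve every process.
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            $results.Add([pscustomobject]@{
                Title     = $title.ToString()
                Class     = $class.ToString()          # e.g. Chrome_WidgetWin_ for Chrome windows
                Visible   = [Win32Windows]::IsWindowVisible($hWnd)
                PID       = $ownerPid
                Process   = if ($proc) { $proc.ProcessName } else { $null }
                Path      = $path
                Signature = $sig
            })
        }
        return $true   # keep enumerating
    }
    [void][Win32Windows]::EnumWindows($callback, [IntPtr]::Zero)
    return $results
}
Find-WindowOwner | Format-Table -AutoSize
```

An unsigned or oddly located image path in the Path/Signature columns is what to look at first; a hidden window owned by a signed browser or cloud-sync client is the benign "window that does not close" case nasdaq describes.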
CivilDeath Posted May 6, 2019 Author ID:1311477

Hello Nasdaq,

First, thanks for your assistance; it is very much appreciated. Second, the picture provided is a snipping of my processes (including hidden) using guiprop, and the locations provided are where the g.exe resides. I was following that linked topic up to the point where I couldn't find the location g.exe was originally coming from. Given the locations it has "taken home" in, I can't really disable any of the programs other than my clouds without rendering my computer somewhat unable to be a computer.

I would like to point out I can make every window visible and close them except for 3: what appears to be 2 of the cmd prompts and my Adobe cloud. With 12 locations and so many looking to be crucial, it really looks like someone is using it as a backdoor, although it could easily not be. I'm a bit at a loss of what to do next. If you need any more details I will try my hardest to provide them.

Looking forward to your help.
nasdaq Posted May 6, 2019 ID:1311487 (edited)

Have you tried to close all browsers and windows before shutting down the computer? If all is well then one of the programs is the culprit.

p.s. I cannot completely read the information on the image you posted in your post.

===

I can look at what is running if you like.

Download the Farbar Recovery Scan Tool (FRST). Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.

Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
Attach the file: select "Choose a File", navigate to the location of the file, click the file you wish to attach, click "Attach this file", then click the "Add reply" button.

===

Please post the logs for my review. Wait for further instructions.

Edited May 6, 2019 by nasdaq
CivilDeath Posted May 6, 2019 Author ID:1311529

Here's a clearer version of the guiprop if that's what you meant (if you wanted me to expand it, just mention it and I'll send it as soon as I can). I also attached both txt logs.

As for your question, I have tried closing all my active processes like Chrome, Steam, etc., and at one time I also tried closing as many of the g.exe processes as I could (forgot to mention I couldn't close the one in my keyboard either), but I still had the pause with the g.exe when I went to shut down my system.

Addition.txt
FRST.txt
nasdaq Posted May 7, 2019 ID:1311607

Hi,

I see nothing wrong with your logs.

"I also tried closing as many of the g.exe processes I could (forgot to mention I couldn't close the one in my keyboard either), but I still had the pause with the g.exe when I went to shut down my system."

I can only suggest one thing. Again, close all the programs except of course the one that is objecting, run guiprop and see what is being reported.

p.s. You can also disable all your Chrome extensions. It may help.
CivilDeath Posted May 8, 2019 Author ID:1311748

These are the only ones I can't close or show. I remember there being one more I couldn't close, but I guess I can now.
nasdaq Posted May 8, 2019 ID:1311812

Hi,

This is a long shot but worth looking at: "g.exe Removal - Windows ... Minimized ... Chrome_WidgetWin_"

Remove and re-install Chrome.

Your copy of Chrome may have been compromised. Remove Chrome from your computer and reinstall a fresh copy later.

If you remove the syncing of your account, you must remove it before you save your bookmarks etc. Delete your Google Chrome browser sync data if you sync with other devices. <- Important
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Before you remove Chrome, export your bookmarks. Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Before you remove Chrome, export your passwords.
How to export your saved passwords from Chrome: https://betanews.com/2018/03/09/export-chrome-passwords/

Clear your Chrome cache and cookies: https://support.google.com/chromebook/answer/183083?hl=en

Remove Chrome using the instructions on this page: https://support.google.com/chrome/answer/95319?hl=en

Re-install Chrome and the bookmarks.

Hope that helps.
nasdaq Posted May 13, 2019 ID:1312526

Are you still with me?
CivilDeath Posted May 15, 2019 Author ID:1312912

Yes, sorry, got busy for a while.
nasdaq Posted May 21, 2019 ID:1313694

Did you have a chance to resync Chrome? Is the problem persisting?
nasdaq Posted May 26, 2019 ID:1314419

Are you still with me?
CivilDeath Posted May 26, 2019 Author ID:1314479

Sorry for the long delay. I started to change my passwords and whoever has been accessing my account is trying to react to them. For some reason they keep trying to get into my Twitch, so I'm not sure if they're trying to make a link or what, but my two-factor is going off like every 2-3 minutes at the moment of this response. I'll get right on that redownload now. Thanks for your patience.
CivilDeath Posted May 27, 2019 Author ID:1314491

Another note: in regards to the link attached for saving my passwords (https://betanews.com/2018/03/09/export-chrome-passwords/), there is no password export option, although there is a sync and an import option, though I am unsure if the sync is the newer version of the export option.
nasdaq Posted May 27, 2019 ID:1314517

Hi,

Open your Chrome settings.
Click the Passwords right arrow, below "View and manage saved passwords in your Google Account".
Click the 3 vertical dots on the right of "Saved Passwords". This will open the saved passwords function.
Follow the instructions.

===
AdvancedSetup (Root Admin) Posted May 29, 2019 ID:1314826

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks