
Hello,

This is my first time coming here and it seemed to be helpful, but I can't find what I need about my exact situation. I've checked out another forum topic (https://forums.malwarebytes.com/topic/226720-gexe-removal/) about this and it seems to have helped so far, but I'm noticing the difference that this is an actual trojan (spyware or malware, I'm not advanced enough to know which one). The main issue is that my main anti-virus program, McAfee, can't detect it, and for some reason my Windows 10 Defender won't allow me to start a scan from it. (I presume it's because McAfee is seen as the default and overrides it.)

What has me concerned is where it's detected on my computer. To someone as inexperienced as I am, these locations (my clouds, sound profiles, and keyboard) make it seem like someone has been using it as a way to log my actions and snoop around my files. Another thing I would like to address is that I've been getting security breach notifications from my Gmail about others trying to access it from third-party or non-Google apps (primarily from the oriental and Asian regions), along with my Minecraft account getting hacked during this same time period.

I have no way of actually telling what else one or many people have access to, and I find it difficult to change my passwords if there's a chance of me being keylogged. (I have changed some of my passwords and activated 2-factor on some stuff, but I still get security notifications.)

I'd really appreciate the help.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This problem of process G at shutdown is not necessarily malware. It could be a good executable, but more than likely a hidden window that does not close normally. To find this hidden window do the following:

Download GUIPropView from either of the following links, ensure to get the correct version for your system

https://www.nirsoft.net/utils/guipropview-x64.zip

https://www.nirsoft.net/utils/guipropview.zip

Unzip GUIPropView to its own folder on the Desktop (preferred place), open the folder and double-click GUIPropView.exe to run the tool. Expand the tool so it is full screen size.

Once opened, the tool window populates. From the toolbar select "TopLevel" and make sure "Display Hidden Windows" is checkmarked; once done, the tool window repopulates to include hidden windows.

Hold down the Ctrl key and select all entries that have G listed under the "Title" column. When all are selected and highlighted blue, select File > Save Selected Items. Name and save that text file to your Desktop or a place of your choice, and attach that file to your reply.

p.s.
You may be interested in reading this topic that deals with the issue.
https://forums.malwarebytes.com/topic/226720-gexe-removal/?page=2

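A command-line complement to the GUIPropView step above, added here as an example and not part of nasdaq's instructions: it lists every running process whose image is named g.exe (the name discussed in this thread), with its path, parent, command line, Authenticode signer and SHA-256, so the "good executable or not" question can be answered from the binary itself. It assumes an elevated PowerShell prompt on Windows 10; note that it only sees the main window title of each process, not hidden windows, which is why GUIPropView is still needed.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# Enumerate every process whose image name matches the one discussed in the thread.
$target = 'g.exe'

$hits = Get-CimInstance Win32_Process -Filter "Name = '$target'" | ForEach-Object {
    $path = $_.ExecutablePath            # may be $null for protected/inaccessible processes
    $sig  = $null
    $hash = 'n/a'
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Valid signature from a known vendor is the quickest "is this legitimate?" check;
        # an unsigned copy living under a cloud-sync or profile folder deserves a closer look.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    }
    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Path        = $path
        CommandLine = $_.CommandLine
        SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SHA256      = $hash
    }
}

if (-not $hits) {
    "No running process named $target"
} else {
    $hits | Format-List
}

# Main window titles only (hidden windows are not reported here; use GUIPropView for those).
Get-Process | Where-Object { $_.MainWindowTitle -eq 'G' } |
    Select-Object Id, ProcessName, Path, MainWindowTitle | Format-Table -AutoSize

# Common autostart locations that could relaunch the same image after a reboot.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -match [regex]::Escape($target) } |
            ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
    }
}
```

The SHA-256 and signer of each copy can be compared with the paths in the saved GUIPropView list; paste them into the reply alongside the FRST logs rather than acting on them alone.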

Hello Nasdaq,

First, thanks for your assistance it is very much appreciated. Second, the picture provided is a snipping of my processes (including hidden) using guiprop and the locations provided are where the g.exe resides.

I was following that linked topic up to the point where I couldn't find the location of g.exe was originally coming from. Given the locations it has "taken home" in I can't really disable any of the programs other than my clouds without rendering my computer somewhat unable to be a computer. I would like to point out I can make every window visible and close them except for 3. What appears to be 2 of the cmd prompts and my Adobe cloud. 

With 12 locations and so many looking to be crucial, it really looks like someone is using it as a backdoor, although it could easily not be. I'm a bit at a loss as to what to do next.

If you need any more details I will try my hardest to provide them. Looking forward to your help.

Have you tried closing all browsers and windows before shutting down the computer?

If all is well then one of the programs is the culprit.

p.s.

I cannot completely read the information on the image you posted in your post.

===

I can look at what is running if you like.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32- or 64-bit version for your system
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.

Here's a clearer version of the GUIPropView capture if that's what you meant (if you wanted me to expand it, just mention it and I'll send it as soon as I can). I also attached both txt logs. As for your question, I have tried closing all my active processes like Chrome, Steam, etc., and at one time I also tried closing as many of the g.exe processes as I could (forgot to mention I couldn't close the one in my keyboard either), but I still had the pause with the g.exe when I went to shut down my system.

Hi,

I see nothing wrong with your logs.

I also tried closing as many of the g.exe processes I could (forgot to mention I couldn't close the one in my keyboard either), but I still had the pause with the g.exe when I went to shut down my system.

I can only suggest one thing.
Again, close all the programs except of course the one that is objecting.

Run GUIPropView and see what is being reported.

p.s.
You can also disable all your Chrome extensions. It may help.

Hi,

This is a long shot but worth looking at: "g.exe Removal - Windows ... Minimized..... Chrome_WidgetWin_".

Remove and re-install Chrome

Your copy of Chrome may have been compromised

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you remove the syncing of your account, you must remove it before you save your bookmarks etc.
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How to: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the bookmarks.

Hope that helps.

Sorry for the long delay. I started to change my passwords and whoever has been accessing my account is trying to react to them. For some reason they keep trying to get into my Twitch, so I'm not sure if they're trying to make a link or what, but my two-factor is going off like every 2-3 minutes at the moment of this response. I'll get right on that redownload now. Thanks for your patience.

Hi,

Open your Chrome settings.

Click the Passwords right arrow.

Below "View and manage saved passwords in your Google Account", click the 3 vertical dots on the right of Saved Passwords.
This will open the saved passwords function.

Follow the instructions.

===

Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks