Something trying to open in Chrome, i dont have chrome

[JRockZ]

So I just noticed today that something popped up saying chrome could not open or something like that,,, then I checked my taskmanager and saw all these zgkhhxeatx.exe entries trying to load and register something,,, I do not have chrome on my C: drive I never had it installed! it may have been on my storage drive in some old systems I have backed up though. Anyhow I figured out that it was something running at start up and heres the entries I found from CCleaner start up list.
No HKCU:Run Lhnjmig Microsoft Corporation regsvr32.exe /s "C:\Users\Brze\AppData\Local\NPE\Lhnjmig.dll"
I disabled the entry from starting and everything is fine,,, When I went to the service from my taskmanager it brought me inside a few folders in my LocalLow folder then something like erniesbrowserlist or something like that, I don't have an ernie or know an ernie,,, am I safe with this disabled or do I need to run something to scrub whatever these files are in the local low folder/s?
The only thing I have done or installed on this pc in the last 24hrs was I updated my flash player and my java because both were out of date.
Im sure someone knows what this stuff is but searches brought up nothing!!

 

[cottonball]

JRockZ,

Let's see what the following shows...

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

:ar: Please provide the FRST.txt in your reply.
The first time the tool is run, it also creates another log: Addition.txt

:ar: Also post the Addition.txt in your reply.

 

[JRockZ]

Nortons nagging me on it,,, False positive?

 

[cottonball]

Yes.

Please, temporarily disable Norton, or make it allow FRST to run.

 

[cottonball]

JRockZ,

It is rather difficult to work without sufficient information, and I do not work via Private Messages.

You have a Poweliks entry showing in the brief info provided. Recent (Nov 2014) info on this malware shows that it employs a new autostart mechanism and removes users’ privileges in viewing the Registry’s content.



Let's see if the following takes care of it...

Please download Malwarebytes Anti-Rootkit:
Download > Malwarebytes Anti-Rootkit Download
•Save to your Desktop.
•Double-click the icon to start the tool.
(Warning! Malwarebytes Anti-Rootkit needs to be run from an account with Administrator rights.)
•In the Introduction screen, click: Next
•On the Update Database screen, click Update to download the latest definitions, and then click: Next
•Once the update is complete select Next, and click: Scan
•When the scan is finished, if no malware is found select: Exit
•If malware is detected, check all items and click: Cleanup
•Reboot your computer.

:ar: Please open the MBAR folder and provide the content of the following reports in your reply:
mbar-log-{date} (xx-xx-xx).txt
system-log.txt

 

[JRockZ]

ok here you go! thanks!

 

[cottonball]

Did you use Cleanup and reboot? Or, did you just Scan?

Need to see the reports after the Cleanup and reboot.

Also, please include both reports requested:

:ar: mbar-log-{date} (xx-xx-xx).txt
:ar: system-log.txt


Also, have you run Nolrton Power Eraser (NPE) recently?

 

[JRockZ]

Did you use Cleanup and reboot? Or, did you just Scan?

Need to see the reports after the Cleanup and reboot.

Also, please include both reports requested:

:ar: mbar-log-{date} (xx-xx-xx).txt
:ar: system-log.txt


Also, have you run Nolrton Power Eraser (NPE) recently?

Used clean up and reboot,,,,, Attached the log above that it took then and now attaching after a rescan and nothing found. that's all ive had time for here are the logs.

I did start power eraser but I did not run it I came here before I let it scan, I may have also run it once before a month or two ago but I forget for sure if I did or did not.

AND tonight after starting the PC I have been getting a pop up that something again is trying to start in my locallow folder I Did a re-boot and so far that's not popped back up,,, if it does I will post a screen shot but its user account control saying something's wanting to start, not something I tried to start or run.

 

[cottonball]

Well, this type of issue does not lend itself to guessing. The best tool for the job is the Farbar Recovery Scan Tool, and attach its results.

Otherwise, all I can do is speculate that there is 'something' in C:\Users\*\AppData\LocalLow\etc., etc.

If you wish to run FRST, feel free to do so, and there will be something to work with to develop a script and take care of whatever it shows.

If you do not wish to do so, someone else will have to assist you, I will not.

Your system, your choice.

 

[JRockZ]

Cottonball,
I did run that and attached the logs for you earlier! Here again! I have re run farbar just now and the txt files are attached!
I appreciate your helping Thank you very much!

 

[cottonball]

Thanks.

I see the problem.

Have to analyze both reports with other than a quick glance...


Will be back tomorrow evening and prepare a script for you to run.

 

[JRockZ]

Thanks.

I see the problem.

Have to analyze both reports with other than a quick glance...


Will be back tomorrow evening and prepare a script for you to run.

Thank you Sir iam about to leave on a 3day road trip to Denver I will have to check back on Saturday so no rush!
You Rock!

 

[cottonball]

JRockZ,

This will be waiting when you come back:

:info: EmieBrowserModeList is related to Microsoft's Enterprise Mode Site List Manager Tool for IE11.
Did you install this tool?
https://msdn.microsoft.com/en-us/library/dn640687.aspx


:info: Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

start
closeprocesses:
C:\Users\Blaze\AppData\LocalLow\EmieBrowserModeList\liwngvfynxi
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  [Not Found]
C:\Users\Blaze\AppData\Local\NPE\Lhnjmig.dll
C:\Users\Blaze\IP_Log_Data.js
CustomCLSID: HKU\S-1-5-21-566604803-3814173722-1313262255-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
EmptyTemp:
Reboot:
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please runFRST64, and press the Fix button, just once, and wait.

If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.

When done, the tool creates a report on the Desktop called: Fixlog.txt

:ar: Please post the Fixlog.txt in your reply.

 

[JRockZ]

JRockZ,

This will be waiting when you come back:

:info: EmieBrowserModeList is related to Microsoft's Enterprise Mode Site List Manager Tool for IE11.
Did you install this tool?
https://msdn.microsoft.com/en-us/library/dn640687.aspx


:info: Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

start
closeprocesses:
C:\Users\Blaze\AppData\LocalLow\EmieBrowserModeList\liwngvfynxi
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  [Not Found]
C:\Users\Blaze\AppData\Local\NPE\Lhnjmig.dll
C:\Users\Blaze\IP_Log_Data.js
CustomCLSID: HKU\S-1-5-21-566604803-3814173722-1313262255-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
EmptyTemp:
Reboot:
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please runFRST64, and press the Fix button, just once, and wait.

If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.

When done, the tool creates a report on the Desktop called: Fixlog.txt

:ar: Please post the Fixlog.txt in your reply.

I do not remember installing EmieBrowserModeList but it is possible I did,, I think maybe I used it to root a phone? or something like that? maybe when I was trying to hotspot my phone? im not 100% sure but I do remember a time back in nov when I was having internet issues so I was trying to connect my cell as a wifi hot spot,,, (that is not supported by my cell provider),,, if that maybe what I did, I did it late at night when I was half asleep Dohh! which was a bad idea but I had to be able to get online that next morning for a few important reasons concerning my job!
Again really appreciate your help I did as you said and here is my
Fixlog.txt

 

[cottonball]

JRockZ,

Did not expect you until today...

Looks as if the script did its job.

How is the system running? Are you having any more issues?

 

[JRockZ]

JRockZ,

Did not expect you until today...

Looks as if the script did its job.

How is the system running? Are you having any more issues?

cottonball,
I wasn't sure how long it would take me to do a turn around trip to Denver thought I was going to be back Saturday but i was back in about 49hrs,, I didn't want to reply back to soon, have been using the PC some to see what if anything came up BUT All does seem to be well so far nothing odd has happened yet anyhow lol.
Really appreciate your help you rock!
Thanks again!

 

[cottonball]

It appears like we are in the same time zone. What state are you in?
It would take me about three days to go to Denver from western Illinois.
Do not drive more than 300 miles in a day.
...old and slow...


Take you time, and do use the machine for a few more days.

Around Thursday or Friday, post back with an update, and also the following:

Please use the SecurityCheck Download
Save to your Desktop.
Double-click: SecurityCheck.exe
Follow the onscreen instructions inside the black box.

When done, a Notepad report opens automatically, called: checkup.txt

:ar: Please post the checkup.txt in your reply, but, do not take any corrective actions!

 

[JRockZ]

It appears like we are in the same time zone. What state are you in?
It would take me about three days to go to Denver from western Illinois.
Do not drive more than 300 miles in a day.
...old and slow...


Take you time, and do use the machine for a few more days.

Around Thursday or Friday, post back with an update, and also the following:


:ar: Please post the checkup.txt in your reply, but, do not take any corrective actions!

LOL Yes im in Dallas (but also from Illinois Grew up north of Chicago) , Central time zone,,, 12hrs to Denver 12 back 800mi ea way,, no stopping! I just did a turnaround run,
So far all seems well I will post on security check details in a few days
Thanks!

 

[JRockZ]

It appears like we are in the same time zone. What state are you in?
It would take me about three days to go to Denver from western Illinois.
Do not drive more than 300 miles in a day.
...old and slow...


Take you time, and do use the machine for a few more days.

Around Thursday or Friday, post back with an update, and also the following:

Please use the SecurityCheck Download
Save to your Desktop.
Double-click: SecurityCheck.exe
Follow the onscreen instructions inside the black box.

When done, a Notepad report opens automatically, called: checkup.txt

:ar: Please post the checkup.txt in your reply, but, do not take any corrective actions!

Just got whalloped! Heres a few images and an export of recent intrusion list through Norton,,, not sure what format MFC is but maybe you know how to read/open it. Browser crashed as posting this and more hits coming in as I post toolkit website33 something,,, gonna reboot

EDIT:
Sorry posted that in a panic as I wanted to catch what was going on,,,, so far after a reboot things seem ok,,, only thing I have done on my PC today was browse a couple sites I normally browse,,, I wa son yahoo home page on one tab and on FB on another sending an email..... that's all I have done today really, checked online emails and a couple discussion forums.
Let me know any info you need Cotton,,, should I run the program above you suggested? SecurityCheck.exe

 

[JRockZ]

Hey Cotton,
Im on the road another day or so,,, anyhow no more issues,, since the above I ran malware bytes and it found that Lhnjmig.dll and I quarantined/deleted it and since then ive had no issues, have not run security check yet when you get a chance any suggestions from here would be helpful!
Thanks again for all your help!