
[Solved] FRST Scan Analysis: Dealing with Chromium Host Executable Malware on Laptop

destroy_m 11259 14
  • #1 16765356
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    Hello!

    For several days my laptop has been lagging. In the task manager I had the "chromium host executable" process. As I learned, this is malware. I was unable to remove it (unable to close the process + no possibility to delete files without closing processes). I found information that the AutoCAD desktop is responsible for it. I did not have the possibility to uninstall it, but I uninstalled all Autodesk products, and then deleted as many files as possible. After restarting the computer (it hung), messages (attachment) popped up one after another, and now an hourglass appears at the cursor every now and then. I am asking for help; I have uploaded the files from the FRST scan.

    Regards
    destroy_m
    Attachments:
    • FRST.txt (107.31 KB)
    • Addition.txt (63.51 KB)
    • Shortcut.txt (70.38 KB)
  • Helpful post
    #2 16765625
    dt1
    Admin of Computers group
    Posts: 47933
    Help: 7255
    Rate: 8177
    Board Language: polish
    Fixlist.txt:

    (Autodesk Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
    (Autodesk, Inc.) C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    (Autodesk, Inc.) C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
    (Autodesk, Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe
    (Autodesk Inc.) C:\Users\Fifa-Rafa\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe
    HKLM-x32\...\Run: [ADSK DLMSession] => C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe [1627032 2014-02-05] (Autodesk, Inc.)
    HKLM-x32\...\Run: [ADSKAppManager] => C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe [529480 2016-02-24] (Autodesk Inc.)
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Fifa-Rafa\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1235336 2014-08-28] (Autodesk, Inc.)
    HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1235336 2014-08-28] (Autodesk, Inc.)
    R2 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [1145928 2016-02-24] (Autodesk Inc.)
    R2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [31192 2014-02-07] (Autodesk, Inc.)
    HKLM\...\Winlogon: [Userinit] wscript C:\Windows\run.vbs,
    HKLM-x32\...\Winlogon: [Userinit] , [X]
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Fifa-Rafa\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\Policies\Explorer: [] 
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\MountPoints2: {b4d17029-cbf5-11e4-8df9-dc85de3f4c8b} - F:\autorun.exe
    AppInit_DLLs-x32: C:\ProgramData\Quotenamron\Santamdex.dll => C:\ProgramData\Quotenamron\Santamdex.dll [257536 2016-04-08] ()
    GroupPolicy: Ograniczenia - Chrome  {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-02-04] (AVAST Software)
    BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-02-04] (AVAST Software)
    Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
    Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
    FF NewTab: C:\\ProgramData\\Quotenamrons\\ff.NT
    FF DefaultSearchUrl: hxxps://www.google.com/search/?trackid=sp-006
    FF SearchEngineOrder.1: Google (avast)
    FF Plugin: @microsoft.com/GENUINE -> disabled [Brak pliku]
    FF SearchPlugin: C:\Users\Fifa-Rafa\AppData\Roaming\Mozilla\Firefox\Profiles\eggpda5k.default\searchplugins\google-avast.xml [2015-03-18]
    FF Extension: Fast Start - C:\Users\Fifa-Rafa\AppData\Roaming\Mozilla\Firefox\Profiles\eggpda5k.default\Extensions\1426714937_xpi [2015-03-18] [Brak podpisu cyfrowego]
    FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-02-04]
    FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
    FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-02-04]
    FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-02-04]
    CHR HKLM-x32\...\Chrome\Extension: [jidkebcigjgheaahopdnlfaohgnocfai] - hxxps://clients2.google.com/service/update2/crx
    S2 Update Special Box; "C:\Program Files (x86)\Special Box\updateSpecialBox.exe" [X]
    S2 Util Special Box; "C:\Program Files (x86)\Special Box\bin\utilSpecialBox.exe" [X]
    S1 {2fbd7dfe-a573-4ffa-a5f6-c8e79be0e000}Gw64; system32\drivers\{2fbd7dfe-a573-4ffa-a5f6-c8e79be0e000}Gw64.sys [X]
    S1 {71841b04-1cf8-4575-bb09-affe4c54c593}Gw64; system32\drivers\{71841b04-1cf8-4575-bb09-affe4c54c593}Gw64.sys [X]
    Task: {771E341C-119D-4CC2-AB94-7695364B291D} - System32\Tasks\{E8FFA997-D13A-43DB-9BC7-6627113C9D50} => pcalua.exe -a "D:\Dropbox\przydatne książki itp\EES PROGRAM\EES_2014_Update\Setup_ees.exe" -d "D:\Dropbox\przydatne książki itp\EES PROGRAM\EES_2014_Update"
    Task: {892A4209-80A7-44B3-BBB7-B55302748F59} - System32\Tasks\{910F47DB-5B69-46D2-9CA3-CACED581EFE2} => pcalua.exe -a F:\AutorunPro.EXE -d F:\
    Task: {B5046F30-8633-43B9-A838-AC526DD4D5E5} - System32\Tasks\{B63C717B-C5E2-443E-B97D-197E16CDD55D} => Firefox.exe hxxp://ui.skype.com/ui/0/7.16.85.102/pl/go/help.faq.installer?LastError=1603
    
    RemoveDirectory: C:\Program Files (x86)\Autodesk
    RemoveDirectory: C:\Program Files (x86)\Common Files\Autodesk Shared
    RemoveDirectory: C:\Program Files\Autodesk
    RemoveDirectory: C:\Users\Fifa-Rafa\AppData\Local\Autodesk
    
    EmptyTemp:


    The above script will also knock out all the Autodesk folders given in the last lines (so use it only if you really want to get rid of the residue).

    You can try to kick off unnecessary things from the start, because there are a lot of them.

    The stability of this system is difficult to guarantee due to the relatively invasive crack to Windows / Office (KMS). It can cause a lot of problems.

    I suggest that you do an AdwCleaner scan and remove the problems it finds (considering that it may also take KMS as a harmful element).
  • #3 16765641
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    After using the script and automatically restarting the system, there are no pop-up windows, no hourglass at the cursor, and there are no "chromium host executable" processes in the task manager.

    I really need Office now and I do not have time to take a deeper look at the computer, so I will not use AdwCleaner and will leave Office as it is, but I will keep the advice in mind.
    Please tell me what you mean about unnecessary things in the Startup, and do you have any suggestions?
    The generated fixlog is attached.

    Thanks!
    Regards
    Attachments:
    • Fixlog.txt (23.34 KB)
  • Helpful post
    #4 16766324
    dt1
    Admin of Computers group
    Posts: 47933
    Help: 7255
    Rate: 8177
    Board Language: polish
    Automatic start and Dropbox synchronization
    Automatic update of nVidia and Shadowplay
    Background Download Solidworks
    Automatic update of Adobe Acrobat
    Automatic Safezone update (and the Safezone browser itself, which you do not use anyway)
    Realtek HD manager startup

    I would get rid of these things from the start. Fixlist would look like this:
    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12452456 2012-02-21] (Realtek Semiconductor)
    HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-02-05] (NVIDIA Corporation)
    HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
    HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [25577864 2016-03-12] (Dropbox, Inc.)
    HKU\S-1-5-21-336851867-1116109463-2107188286-1000\...\Run: [DAEMON Tools Pro Agent] => D:\programy\daemon\DAEMON Tools Pro 7.1.0.0595\DAEMON Tools Pro 7.1.0.0595\DAEMON Tools Pro\DTAgent.exe [4229824 2016-03-29] (Disc Soft Ltd)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks Pobieracz w tle.lnk [2015-03-16]
    ShortcutTarget: SolidWorks Pobieracz w tle.lnk -> C:\Program Files (x86)\Common Files\Menedżer instalacji SolidWorks\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)
    Task: {14574F27-B62D-4477-8520-50D1600F781D} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-03-05] (AVAST Software)
    Task: {2EC42FA0-7E52-415B-B6A4-8F85905FA4F9} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2015-07-20] (Dropbox, Inc.)
    Task: {77B98FCD-06BF-474E-A2C3-59BE2F5A5602} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
    Task: {B63EA023-AC95-42F3-B0E9-92B4F5F6E3A2} - System32\Tasks\SafeZone scheduled Autoupdate 1454564070 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-02-01] (Avast Software)
    Task: {C6465B01-F227-46B8-B194-CA1DEB7FD928} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2015-07-20] (Dropbox, Inc.)
    Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe


    You can run it in its entirety, if you want to remove it from the fixlist (if it does not get moved then).
  • #5 16768182
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    I used this fixlist yesterday.

    Today, unfortunately, the computer is lagging again, especially Firefox. It cannot even keep up with my typing and scrolling. I have attached the results from the scan.
    I also attach screenshots from the Task Manager - Memory and Processes. As you can see, there is a huge number of processes; I probably duplicated or omitted some here, because something kept changing while I was taking these 9 screenshots.

    greetings


    Attachments:
    • FRST.txt (60.32 KB)
    • Addition.txt (39.02 KB)
  • Helpful post
    #6 16768223
    Kolobos
    IT specialist
    Posts: 85151
    Help: 17158
    Rate: 10417
    Board Language: polish
    Nothing interesting can be seen in the screenshots.

    Fixlist:
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
  • Helpful post
    #7 16768227
    krzychupar
    Level 43  
    Posts: 6807
    Help: 1490
    Rate: 633
    Board Language: polish
    Open the system Notepad and paste:

    CustomCLSID: HKU\S-1-5-21-487903229-2902273839-1728269137-1001_Classes\CLSID\{9AAF0EB6-42D8-46C1-A2EF-679511B37A0D}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2018\acad.exe /Automation => No file
    CustomCLSID: HKU\S-1-5-21-487903229-2902273839-1728269137-1001_Classes\CLSID\{B6EB585B-B467-4E46-A9C7-48D7D6FD26CB}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2018\acad.exe => No file
    CustomCLSID: HKU\S-1-5-21-487903229-2902273839-1728269137-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2018\pl-PL\acadficn.dll => No file
    Task: {9D724792-554B-43F8-9231-31F46EECDB50} - \Adobe Acrobat Update Task -> No file
  • #8 16768268
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    I did what @Kolobos recommended.
    @krzychupar What's going on with "After the script has completed, put SMART disk in CrystalDiskInfo." - I do not use this program
  • #10 16769873
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    So I put a screen and a notepad file (that's what it was about?)




    Attachments:
    • opis.txt (8.05 KB)
  • Helpful post
    #11 16770830
    RADU23
    VIP Meritorious for electroda.pl
    Posts: 20712
    Help: 2425
    Rate: 1726
    Board Language: polish
    There are problems with the disk. Parameter (C4) should be zero.

    You can try resetting and re-entering SMART =>
    https://www.elektroda.pl/rtvforum/topic1550200.html

    ATTENTION, all data will be irretrievably deleted.
  • Helpful post
    #12 16770919
    dt1
    Admin of Computers group
    Posts: 47933
    Help: 7255
    Rate: 8177
    Board Language: polish
    But why reset this disk, if they are not unstable sectors? They were like that, the record was made on them, they were not changed, they are now working. The disk had problems in the past, according to the current state of SMART, there are no more - that's how I read it.

    Instead of resetting the entire disk, you can prevent it from being scanned. According to the current state, all sectors should be legible. If this is the case, zeroing is not necessary.
  • #13 16771584
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    OK, how do you scan the surface?
  • Helpful post
    #14 16771656
    krzychupar
    Level 43  
    Posts: 6807
    Help: 1490
    Rate: 633
    Board Language: polish
    Using the MHDD program in this tutorial [inactive link removed].
  • #15 18845618
    destroy_m
    Level 3  
    Posts: 94
    Rate: 20
    Board Language: polish
    FRST programme

Topic summary

✨ The discussion revolves around a user experiencing issues with the "Chromium Host Executable" process on their laptop, suspected to be malware linked to Autodesk products. The user attempted to uninstall Autodesk software but faced difficulties. After running a provided fixlist script, the user reported an initial resolution of pop-up windows and cursor lag. However, subsequent performance issues arose, particularly with Firefox, prompting further investigation into startup processes and system scans. Recommendations included removing unnecessary startup items, using CrystalDiskInfo to check disk health, and scanning the disk surface with the MHDD program. The conversation highlights the importance of managing software and system performance to mitigate malware-related issues.
Generated by the language model.

FAQ

TL;DR: One FRST fixlist removed the Chromium Host Executable and Autodesk residues; “The stability of this system is difficult to guarantee … (KMS).” [Elektroda, dt1, post #16765625] Why it matters: This FAQ helps Windows users clean malware-like Chromium Host Executable, trim startup bloat, and check disk health after FRST.

What is the “Chromium Host Executable” I see in Task Manager?

In this thread it behaved like malware/PUP, resisted closing, and blocked file deletion. The user linked it to leftover Autodesk components. FRST cleanup resolved it. If you see it persist and can’t delete files, treat it as unwanted software and proceed with FRST plus a follow-up adware scan. [Elektroda, destroy_m, post #16765356]

How do I remove Chromium Host Executable with FRST?

Use the custom Fixlist provided by a malware helper. It stops related services, removes startup entries, and can delete Autodesk residues. Run FRST, click Fix, and reboot when prompted. Only use Autodesk-removal lines if you want those folders gone. “You can try to kick off unnecessary things from the start.” [Elektroda, dt1, post #16765625]

What results should I expect after running the fixlist?

The reported outcome here was clear: 0 pop‑ups, no cursor hourglass, and no “Chromium Host Executable” processes after reboot. That confirms successful removal and improved responsiveness. If symptoms persist, continue with startup pruning and disk health checks below. [Elektroda, destroy_m, post #16765641]

Which startup items should I disable to speed up Windows?

Disable: Dropbox auto‑start and update tasks, NVIDIA Update/ShadowPlay, SolidWorks Background Downloader, Adobe Acrobat Updater, Avast SafeZone auto‑update, and Realtek HD Manager. This trims processes and reduces background I/O that slows browsers. You can remove these via an FRST fixlist update as shown. [Elektroda, dt1, post #16766324]

Do I also need to run AdwCleaner?

Yes—run AdwCleaner to catch adware and browser hijacks left behind. Note that it may flag KMS activators as harmful. If you rely on KMS, understand it reduces system stability, per the expert’s warning. Consider replacing it with a legitimate license. [Elektroda, dt1, post #16765625]

Firefox still lags—what should I check first?

Check disk health. Use CrystalDiskInfo Portable to read SMART immediately. Browser lag with many processes can reflect disk issues rather than malware alone. Capture a screenshot of SMART attributes before taking action, so helpers can interpret C4/C5/C6 values. [Elektroda, Kolobos, post #16768270]

What does SMART parameter C4 mean, and what value is acceptable?

C4 tracks reallocation events/attempts. The helper noted, “Parameter (C4) should be zero.” Non‑zero suggests prior or ongoing reallocation activity. Treat rising C4 as a warning, back up data, and run a surface scan to verify all sectors are readable. [Elektroda, RADU23, post #16770830]

Should I zero (reset) the disk if C4 isn’t zero?

Zeroing can refresh mappings but erases all data irreversibly. The helper proposed reset/zero with a clear caution to back up first. Only proceed if you fully understand the risk and have verified backups. Otherwise, scan first and evaluate results. [Elektroda, RADU23, post #16770830]

If there are no unstable sectors now, do I still need to zero the disk?

No. Another expert read the SMART as stable and recommended skipping zeroing. Instead, prevent scanning delays and confirm that all sectors are readable. If reads are clean, keep using the disk while monitoring SMART. [Elektroda, dt1, post #16770919]

How do I scan the disk surface (How‑To)?

  1. Boot a toolset that includes MHDD and start MHDD.
  2. Select your drive, then run a full surface scan without remap.
  3. Review times for slow/bad sectors and decide on backup or replacement steps. “Using the MHDD program in this tutorial.” [Elektroda, krzychupar, post #16771656]

Is Autodesk linked to the issue in this case?

Yes. The user found references pointing to Autodesk Desktop/App components and removed Autodesk products and files. The subsequent FRST fixlist also targeted Autodesk services and folders, which helped stop the pop‑ups and rogue process. [Elektroda, destroy_m, post #16765356]

Is using KMS for Windows/Office safe?

No. As the expert warned, “The stability of this system is difficult to guarantee due to the relatively invasive crack to Windows/Office (KMS).” Replace KMS with a legitimate license to avoid recurring system issues. [Elektroda, dt1, post #16765625]

What did the FRST fixlist’s Autodesk lines actually do?

They removed Autodesk services, startups, tasks, and cleaned residual folders via RemoveDirectory commands. The author emphasized it would wipe Autodesk residues and to use it only if you truly intend to remove them. This reduced conflicts and background load. [Elektroda, dt1, post #16765625]
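
As an added example (not code from the thread or from FRST itself), the Python below classifies fixlist lines of the kinds named in this answer and flags the persistence entries an analyst would review first. The function names, flag names and the user-writable-path heuristic are assumptions made for this example; the sample lines are copied from the fixlist in post #16765625.

```python
import re

# Sample input: lines copied from the fixlist in post #16765625 of this thread.
SAMPLE = r"""
HKLM-x32\...\Run: [ADSKAppManager] => C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe [529480 2016-02-24] (Autodesk Inc.)
HKLM\...\Winlogon: [Userinit] wscript C:\Windows\run.vbs,
AppInit_DLLs-x32: C:\ProgramData\Quotenamron\Santamdex.dll => C:\ProgramData\Quotenamron\Santamdex.dll [257536 2016-04-08] ()
R2 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [1145928 2016-02-24] (Autodesk Inc.)
S2 Util Special Box; "C:\Program Files (x86)\Special Box\bin\utilSpecialBox.exe" [X]
Task: {892A4209-80A7-44B3-BBB7-B55302748F59} - System32\Tasks\{910F47DB-5B69-46D2-9CA3-CACED581EFE2} => pcalua.exe -a F:\AutorunPro.EXE -d F:\
RemoveDirectory: C:\Program Files\Autodesk
"""

# One pattern per entry kind; the kind names are this example's own labels.
PATTERNS = [
    ("winlogon", re.compile(r"^HK\S+\\Winlogon: \[(?P<name>[^\]]+)\]\s*(?P<value>.*)$")),
    ("run_key", re.compile(r"^HK.+\\Run: \[(?P<name>[^\]]+)\] => (?P<value>.*)$")),
    ("appinit", re.compile(r"^AppInit_DLLs(?:-x32)?: (?P<value>.*)$")),
    ("service", re.compile(r"^[RSU][0-5] (?P<name>[^;]+); (?P<value>.*)$")),
    ("task", re.compile(r"^Task: (?P<value>.*)$")),
    ("directive", re.compile(r"^(?P<name>RemoveDirectory|EmptyTemp):\s*(?P<value>.*)$")),
]


def flags_for(kind, m, line):
    """Return heuristic review flags for one classified line."""
    value = m.group("value")
    flags = []
    if line.endswith("[X]"):      # FRST marks a target file it could not find
        flags.append("missing_file")
    if line.endswith("()"):       # empty company-name field in the entry
        flags.append("no_publisher")
    if (kind == "winlogon" and m.group("name").lower() == "userinit"
            and "userinit.exe" not in value.lower()):
        flags.append("userinit_override")   # logon no longer starts userinit.exe
    if kind == "appinit":
        flags.append("appinit_dll")         # DLL-injection persistence point
    # Assumption of this example: paths under ProgramData/AppData are user-writable.
    if kind != "directive" and re.search(r"\\(ProgramData|AppData)\\", value, re.I):
        flags.append("user_writable_path")
    return flags


def triage(text):
    """Classify every non-empty line and attach its review flags."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "flags": flags_for(kind, m, line), "line": line})
                break
        else:
            entries.append({"kind": "other", "flags": [], "line": line})
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e['kind']:<10} {','.join(e['flags']) or '-':<45} {e['line'][:60]}")
```

The flags only prioritise review; a flagged line is not proof of malware, and an unflagged line is not proof of a clean entry.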

Which tool generated the diagnostic logs in this thread?

FRST (Farbar Recovery Scan Tool). The thread author later confirmed using the FRST program for scans and fixes referenced throughout. [Elektroda, destroy_m, post #18845618]
Generated by the language model.