
G.exe Removal



Hi Kevin,

I haven't seen the G.exe in a few days which is great. Thank you for all your help. It's hugely appreciated! Looks like the PowerTools worked.

The computer still continues to randomly crash on boot, which started right around the time G.exe showed up. The taskbar and desktop itself hang even though I can still move my mouse around. Control-Alt-Delete won't work either. I'm not sure if they are related to G.exe but given the timing, I figured they might be. I've also noticed some strange things happening with my webcam being disabled when I come out of sleep mode. I'm not trying to throw a bunch of new things into the equation, but the computer itself is still experiencing some issues.

Having done all of these different scans already, do you have any other suggestions on finding out what's wrong?

Thanks


To reset back to Command Prompt: Select > Start > Settings > Personalization > Taskbar > flick switch to OFF under "Replace Command prompt with PowerShell etc etc"

Next,

To try and find what causes the G.exe try your system in Clean Boot mode...

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all non-MS services are disabled; see how your system runs in that mode. Obviously 3rd party services that affect security or internet connection can be left active.

If G.exe does not show in clean boot mode it is now a process of elimination to find which non MS service(s) was affecting your system...

Go through the process again, this time with all MS services hidden. Again enable the top half of non-MS services, reboot and see how your system responds; if still OK, the top half can be left enabled.

Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome...
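
The candidate set for the elimination rounds described above can be listed up front. The following is an added example, not part of the original post: a read-only PowerShell script that lists auto-start services whose executable does not carry a Microsoft company name and splits them into two halves for the first round. Judging "non-Microsoft" by the CompanyName version field is an assumption that only approximates the "Hide all Microsoft services" filter.

```powershell
# Added example: list third-party auto-start services for the clean-boot
# elimination rounds. Read-only; it changes no service configuration.
# Assumption: "non-Microsoft" is judged by the CompanyName in the service
# executable's version resource, which only approximates msconfig's filter.

$candidates = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.StartMode -ne 'Auto' -or -not $svc.PathName) { continue }

    # PathName can be quoted and can carry arguments; extract the .exe path.
    if ($svc.PathName -match '^\s*"([^"]+)"' -or
        $svc.PathName -match '^\s*(.+?\.exe)') {
        $exe = $Matches[1]
    } else { continue }
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
    if ($company -match 'Microsoft') { continue }

    [pscustomobject]@{
        Name    = $svc.Name
        State   = $svc.State
        Company = $company
        Signed  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        Path    = $exe
    }
}

# Stable order so each round's halves are reproducible between reboots.
$candidates = @($candidates | Sort-Object Name)
$half = [math]::Ceiling($candidates.Count / 2)

'--- Round 1: enable these, leave the rest disabled ---'
$candidates | Select-Object -First $half | Format-Table -AutoSize
'--- Remaining half, for later rounds ---'
$candidates | Select-Object -Skip $half | Format-Table -AutoSize
```

Services hosted inside svchost.exe are attributed to Microsoft by this check and are therefore skipped, so a third-party service DLL loaded that way will not appear in the list.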

Hi Kevin,

 Attached are the results of the Check Health scan.

I'm happy to go through this process of elimination. However, the issue is that G.exe doesn't show every time I reboot. Any suggestions on how I can do this test and know for certain? I've never actually seen g.exe running in the task manager. It only shows up when I get alerted about programs preventing shutdown. 

Thanks again.

screenshot.jpg


I believe the problem we have with the returning service is related to "G.exe". It would seem we are not yet able to locate that executable, hence the hidden service returns on reboot after removal with TDSSKiller.

Reset your PC back to normal boot from clean boot, instructions are in the link I gave for clean boot. Continue and run the following after normal boot:

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply...

Thank you,

Kevin...


Thanks for that log, unfortunately G.exe is not showing with Autoruns. It would seem to be very elusive. I've done a broad Google search and cannot find any entries showing where G.exe was found and removed...

I'm going to list a question regarding G.exe in our private forum and see if any of the other helpers have come across this issue before...

Kevin....


Hello BigSkyTech,

Unfortunately I've had no responses in our private forum to my G.exe query.... We need to find the location of G.exe or we cannot progress... I want you to open the hidden admin account and try FRST from there. The hidden admin account has extra privileges so is worth trying...

Select Windows key and X key together, from the list select "Command Prompt (Admin)"

At the prompt type or copy paste net user administrator /active:yes select enter.

Close out and reboot, you will see a new account "Administrator", select it and follow the prompts through.

When that account is set try FRST again as follows:

Run FRST one more time:

Type the following in the edit box after "Search:".

G.exe

Click Search Files button and post the log (Search.txt) it makes to your reply.

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

G.exe

Click Search Registry button and post the log (Search.txt) it makes to your reply.

Let me see those logs in your reply....

That account can be turned back off by pasting the following command at an elevated command prompt, hitting enter, then rebooting...

net user administrator /active:no

Thank you,

Kevin...


Hello again BigSkyTech,

Since I last replied I've had help and advice from @picasso. The hidden service is related to your security. G is not an executable but more than likely a hidden window. To find this hidden window do the following:

Download GUIPropView from either of the following links, ensure to get the correct version for your system

https://www.nirsoft.net/utils/guipropview-x64.zip

https://www.nirsoft.net/utils/guipropview.zip

Unzip GUIPropView to its own folder on Desktop (preferred place), open the folder and double click on GUIPropView.exe to run the tool. Expand the tool so it is full screen size.

Once opened the tool window populates, from the tool bar select "TopLevel" and make sure "Display Hidden Windows" is checkmarked. Once done the tool window repopulates to include hidden windows.

Hold down Ctrl key and select all entries that have G listed under "Title" column. When all are selected and highlighted blue, select > File > Save Selected Items. Name and save that text file to your Desktop or a place of your choice, attach that file to your reply...
 
Thanks,
Kevin

 

zeroin.JPG

zeroin2.JPG
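
A comparable lookup can be done from PowerShell without a third-party tool. The following is an added example, not part of the original post: it enumerates top-level windows, hidden ones included, whose title is exactly "G" and reports the owning process. The `WinEnum` class name is hypothetical; the user32.dll functions it calls are standard Win32 APIs.

```powershell
# Added example: enumerate top-level windows, hidden ones included, whose
# title is exactly "G", and report the owning process.
# The WinEnum class name is hypothetical; the user32.dll functions are real.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class WinEnum {
    delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder text, int max);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);

    // Returns "handle|visible|class|pid" for every top-level window with this title.
    public static List<string> Find(string title) {
        var hits = new List<string>();
        EnumWindows((h, l) => {
            var t = new StringBuilder(512); GetWindowText(h, t, t.Capacity);
            if (t.ToString() == title) {
                var c = new StringBuilder(256); GetClassName(h, c, c.Capacity);
                uint pid; GetWindowThreadProcessId(h, out pid);
                hits.Add(h + "|" + IsWindowVisible(h) + "|" + c + "|" + pid);
            }
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return hits;
    }
}
'@

foreach ($hit in [WinEnum]::Find('G')) {
    $handle, $visible, $class, $procId = $hit -split '\|'
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Handle  = $handle
        Visible = $visible
        Class   = $class
        PID     = $procId
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
}
```

Run it from an elevated prompt; without elevation the Path column can come back empty for processes owned by other accounts.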


Hiya BigSkyTech,

Looking at your log I would check this one first, "C:\Program Files (x86)\Altaro\Oops!Backup\OopsBackup.Engine.exe" this has R2 service code meaning auto start...

This appears to be the service name "OopsBackup.Service.exe"

Type or copy paste services.msc into the Cortana search function, select enter. The services window should open. Look through that window for that service, change that service startup to Manual, also stop that service from running.

Boot your system down, as that service is stopped does G still show...?

Thanks,

Kevin...
