Can't delete .exe (virus) and can't kill process

[Cencio]

Hi all,
It's pretty tough for me to explain this, since I'm italian and explain all this in english is complicated, but I'm gonna try.
I have been stupid, I know, but I made this error. I executed an .exe file with "shady origins" and what happened?
This .exe created a process and two other .exe's. One in the folder C:\Users\Administrator\AppData\Local\Temp and another in C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup called 62300faa2bb16b197cdd2a7772441cc8.exe
If I try to delete the .exe file (both), windows tells me it can't be deleted. If I open the Task Manager there is this process which say it's User sided, but if I try to kill it, it says that process is crucial for the system and if I'll kill it, the system would be shut down. If I kill it I actually have a BSOD. Same thing if with a proram I force the delete of the .exe's, I'll get a BSOD. This virus also created some string in the regedit, if I delete them, they automatically recteate themselves 1 second later. There are also 4 process in the StartUp menu...if i remove the check from them, nothing will chance, the check will return automatically.

I also tried to fix the .exe with HiJackThis, but when I click on FIX, I have a BSOD. Same thing with ComboFix...one second after I run it, I have the BSOD...

I don't really know what to do, especially because I installed this thing 5-6 days ago, and my VGA started to do artefacts and crashing with "heavy" games like GTA5, and I'm scared this thing created this problem...I'm pretty scared honestly...I already asked for help but noone was able to help me...

Oh, one other thing. I would like to solve this without format W7, since I have 400GB of important things and I don't have an external HDD atm to make a backup...

I'm asking for help...I'll be ready to do everything you ask me...please

[Boggin]

BlueScreenView could give some clue as to how its removal caused the BSODs http://www.nirsoft.net/utils/blue_screen_view.html

The download choices are at the bottom of the page and posting any it finds could possibly help Shane in seeing where it is attacking.

I'm loathe to suggest using any other disinfection programs, but have you tried your restore points back to before you got caught.

If the infection hasn't removed them, it would be best to do this in Safe Mode.

[Cencio]

BlueScreenView could give some clue as to how its removal caused the BSODs http://www.nirsoft.net/utils/blue_screen_view.html

The download choices are at the bottom of the page and posting any it finds could possibly help Shane in seeing where it is attacking.

I'm loathe to suggest using any other disinfection programs, but have you tried your restore points back to before you got caught.

If the infection hasn't removed them, it would be best to do this in Safe Mode.

I don't know why, but that program won't recognize the BSOD. it's not listed...
I have another program, who recognize it (WhoCrashed) and it says:
 

crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: Unknown (0x00000000)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800A9CCB30, 0xFFFFFA800A9CCE10, 0xFFFFF80003798DB0)
Error: CRITICAL_OBJECT_TERMINATION
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
A third party driver was identified as the probable root cause of this system error.

I would already did it, but unfortunately I have none of restore points before I installed that .exe. Since I had the artefacts on my VGA, In installed 3Dmark to have some test. All the restore points went to the moment I installed 3Dmark.

I tried to remove the .exe's in safe mode...they just get deleted with no problem in safe mode. Still when I restart the PC in normal mode they are back there...

[Boggin]

I think you will need some expert help with this as the regular disinfection programs like MBAM, ESET Online Scanner and Norton Power Eraser could do more harm than good.

I would suggest that you register on http://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html and open a thread after reading the prerequisites.

You can cross reference this thread as background info by copying & pasting the thread as a shortcut.

If you do go this route, don't perform any other attempts to clean the system until advised by the helper.

The alternative is a factory reset or clean install of the OS.

[Rick]

safe mode? run sfc /scannow

or, repair install only works ok too

do you, use games in ADM mode?
setup another User ID only for games without ADM privaleges and still use a password
chk your firewall before SFC or a repair install, if repair install, reset firewall before doing...

[Boggin]

safe mode? run sfc /scannow

or, repair install only works ok too

do you, use games in ADM mode?
setup another User ID only for games without ADM privaleges and still use a password
chk your firewall before SFC or a repair install, if repair install, reset firewall before doing...

Prior to any kind of install, you still need to back up as a safeguard and Cencio has said that no external media is available at the moment.

This looks like a serious Rootkit that requires expert advice to remove and I think I've already given the best advice to help to achieve this.

[Cencio]

So here's what happened yesterday. I tried to remove all the things on safe mode and the results are these:
process didn't show up in safe mode (it did the last time...) not even the two .exe's file did show up, don't know why.
I opened the regedit and not even the string where there anymore (at least in safe mode)
I opened the msconfig and removed the checks from all those automathed processes who the virus created.

I restarted the PC in normal mode and the process flew away, the .exe's disappeared and not even the strings on regedit are there anymore.
In the msconfig the string are no more 4 but 2 and they are unchecked, since the link for the exe and the string they were searching for is empty now.
I tried restarting the PC a couple of time and still the process and the .exe's won't show up again...

Does it even make any sense? Can this virus/rootkit/malware or whatever it is, be the cause of the artefacts on my VGA, or is that just a coincidence...?

[Boggin]

That doesn't sound like an infection but possibly adware.

If you uninstall something having unchecked the items in msconfig, it leaves orphaned files so those entries will remain.

In some cases you need to reboot to effect a removal, which rebooting from Safe Mode would have effected.

Can you post a snip of the msconfig so I can have a look at the questionable items ?

[Cencio]

That doesn't sound like an infection but possibly adware.

If you uninstall something having unchecked the items in msconfig, it leaves orphaned files so those entries will remain.

In some cases you need to reboot to effect a removal, which rebooting from Safe Mode would have effected.

Can you post a snip of the msconfig so I can have a look at the questionable items ?

They are the first two, the ones called 62300eccecc

[Rick]

That doesn't sound like an infection but possibly adware.

If you uninstall something having unchecked the items in msconfig, it leaves orphaned files so those entries will remain.

In some cases you need to reboot to effect a removal, which rebooting from Safe Mode would have effected.

Can you post a snip of the msconfig so I can have a look at the questionable items ?

They are the first two, the ones called 62300eccecc

well boggin;

sounds like a job for sysinternals to remove one by one...
download this file; Thursday, June 11, 2015  5:21 AM       680600 autoruns.exe
from http://live.sysinternals.com/

You need be able find all instances of runthis.exe
delete it from your system and search any external devices, Iphone etc...

install sysinternals and delete the questionable files loaded;

[Boggin]

Re-check those two boxes then run AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/

Runthis.exe isn't something I recognise but if it's adware then AdwCleaner will remove it.

Click on Scan and when that has completed, it may list programs in the lower pane.

While it can pick up legit programs as adware, any it lists in the lower pane can be unchecked for retention.

Click on Logfile and that will open a report of what it has found and will remove when you close the report and click on Cleaning.

Can you copy & paste that report ?

[Boggin]

I'm getting a bit of a problem getting AdwCleaner to run on my laptop - let me know if you also have problems.

[Cencio]

That doesn't sound like an infection but possibly adware.

If you uninstall something having unchecked the items in msconfig, it leaves orphaned files so those entries will remain.

In some cases you need to reboot to effect a removal, which rebooting from Safe Mode would have effected.

Can you post a snip of the msconfig so I can have a look at the questionable items ?

They are the first two, the ones called 62300eccecc

well boggin;

sounds like a job for sysinternals to remove one by one...
download this file; Thursday, June 11, 2015  5:21 AM       680600 autoruns.exe
from http://live.sysinternals.com/

You need be able find all instances of runthis.exe
delete it from your system and search any external devices, Iphone etc...

install sysinternals and delete the questionable files loaded;

Once I delete them I close the program I reopen it to see if they are gone but no. They just come back again and again
I'm now going to try with AdwCleaner

There is the LogFile:

# AdwCleaner v4.206 - Creato file registro eventi 15/06/2015 in 19:09:36
# Aggiornato 01/06/2015 da Xplode
# Database : 2015-06-14.1 [Server]
# Sistema operativo : Windows 7 Ultimate Service Pack 1 (x64)
# Nome utente : Nico - NICO
# In esecuzione da : C:\Users\Administrator\Desktop\Programmi\Altri programmi\AdwCleaner.exe
# Opzione : Analisi

***** [ Servizi ] *****


***** [ File / Cartelle ] *****

Cartella Trovato : C:\Program Files (x86)\Free Video Converter
Cartella Trovato : C:\ProgramData\Babylon
Cartella Trovato : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Video Converter
Cartella Trovato : C:\Users\Administrator\AppData\Local\Babylon
Cartella Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp
Cartella Trovato : C:\Users\Administrator\AppData\Roaming\Babylon
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_lfmhcpmkbdkbgbmkjoiopeeegenkdikp_0.localstorage
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_lfmhcpmkbdkbgbmkjoiopeeegenkdikp_0.localstorage-journal
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niapdbllcanepiiimjjndipklodoedlc_0.localstorage
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niapdbllcanepiiimjjndipklodoedlc_0.localstorage-journal
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
File Trovato : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
File Trovato : C:\Users\Administrator\AppData\Roaming\Adobe AIFF Format CS5 Prefs

***** [ Attività pianificate ] *****

Attività Trovato : paretologic registration3
Attività Trovato : paretologic update version3
Attività Trovato : ParetoLogic Update Version3 Startup Task
Attività Trovato : RegCure Pro

***** [ Collegamenti ] *****


***** [ Registry ] *****

Chiave Trovato : HKCU\Software\62300faa2bb16b197cdd2a7772441cc8
Chiave Trovato : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Chiave Trovato : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Trovato : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Chiave Trovato : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Trovato : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Chiave Trovato : HKLM\SOFTWARE\Classes\Prod.cap
Chiave Trovato : HKLM\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
Chiave Trovato : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
Chiave Trovato : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CA1838EF-A497-194E-3850-37A62CEE398B}
Chiave Trovato : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Trovato : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Chiave Trovato : HKU\.DEFAULT\Software\PennyBee
Dati Trovato : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Browser web ] *****

-\\ Internet Explorer v9.0.8112.16448


-\\ Mozilla Firefox v38.0.5 (x86 it)


-\\ Google Chrome v43.0.2357.81


*************************

AdwCleaner[R1].txt - [3594 byte] - [15/06/2015 19:09:36]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [3652 byte] ##########

What do I have to do? I check everything has to do with the RUNTHIS.exe and try to delete it? I'm pretty sure I'll get a BSOD if I try to delete it tho

[Boggin]

I was wanting you to post the Lofile so I could have a look at what AdwCleaner had found - but glad it runs okay on yours.

[Cencio]

I was wanting you to post the Lofile so I could have a look at what AdwCleaner had found - but glad it runs okay on yours.

Log in the post above. Sorry, I edited the post instead of making a new one

EDIT: yes, I tried to fix that, and I had a BSOD, once again.

[Boggin]

Did this problem start after you downloaded Free Video Converter as it looks like the problem arises from then, especially as it included Babylon which is something you don't want on the computer.

Let AdwCleaner remove those and if you want Free Video Converter back on, choose the Custom install option if it gives you one, else look out for check boxes that will give you unwanted bundled software unless you uncheck them - but first let's see how you get on after the cleaning.

AdwCleaner will produce another report after the reboot to show what it has removed, but if they are still present, then there is another program that I follow ADW with and that is Junkware Removal Tool which is lower down on the AdwCleaner page.

You don't get a preview with that program but it displays its report on completion, but first things first.

[Cencio]

Did this problem start after you downloaded Free Video Converter as it looks like the problem arises from then, especially as it included Babylon which is something you don't want on the computer.

Let AdwCleaner remove those and if you want Free Video Converter back on, choose the Custom install option if it gives you one, else look out for check boxes that will give you unwanted bundled software unless you uncheck them - but first let's see how you get on after the cleaning.

AdwCleaner will produce another report after the reboot to show what it has removed, but if they are still present, then there is another program that I follow ADW with and that is Junkware Removal Tool which is lower down on the AdwCleaner page.

You don't get a preview with that program but it displays its report on completion, but first things first.

Free Video Converter is there since years. This thing which is causing this problems has been installed like 1 week ago...and as far as I know I don't have any Babylon stuff, but maybe I'm wrong...I always do custom installation of programs and choice not to install toolbar, browsers, home pages or other stuff...
I already tried to make Adw remove them, but I get a BSOD...everytime I try to remove them with whatsoever program I get a BSOD...

[Boggin]

Removing adware shouldn't cause a BSOD - there's something much more serious going on here.

Go back to my Reply #3 and register on the techsupport forum using the link I've posted as well as copying a shortcut to this thread in your opening post.

EDIT - What did you download prior to getting this ?

[Cencio]

Removing adware shouldn't cause a BSOD - there's something much more serious going on here.

Go back to my Reply #3 and register on the techsupport forum using the link I've posted as well as copying a shortcut to this thread in your opening post.

EDIT - What did you download prior to getting this ?

That was dumb from me. I did an huge mistake. I downloaded this stuff that should've been an hack for a very old game that no one plays anymore, I wanted to do a private match with 2 friend of mine and have a bit of fun. Obviously the choice was wrong, and I knew before that it was wrong, but I tried and that's what happen when you do dumb things...

[Cencio]

Btw I, once again, start up my PC in Safe Mode: I removed the .exe's (they show up in safe mode too this time, and in safe mode I can remove them with no problem), I removed all the strings on the regedit and now it looks like every part of the virus is gone. 6230blabla is not even showing up in the msconfig anymore. I don't know if that's a good way to remove a virus, but I think that worked...

# AdwCleaner v4.206 - Creato file registro eventi 15/06/2015 in 20:13:27
# Aggiornato 01/06/2015 da Xplode
# Database : 2015-06-14.1 [Server]
# Sistema operativo : Windows 7 Ultimate Service Pack 1 (x64)
# Nome utente : Nico - NICO
# In esecuzione da : C:\Users\Administrator\Desktop\Programmi\Altri programmi\AdwCleaner.exe
# Opzione : Analisi

***** [ Servizi ] *****


***** [ File / Cartelle ] *****


***** [ Attività pianificate ] *****

Attività Trovato : paretologic registration3
Attività Trovato : paretologic update version3
Attività Trovato : ParetoLogic Update Version3 Startup Task
Attività Trovato : RegCure Pro

***** [ Collegamenti ] *****


***** [ Registry ] *****


***** [ Browser web ] *****

-\\ Internet Explorer v9.0.8112.16448


-\\ Mozilla Firefox v38.0.5 (x86 it)


-\\ Google Chrome v43.0.2357.81


*************************

AdwCleaner[R1].txt - [3738 byte] - [15/06/2015 19:09:36]
AdwCleaner[R2].txt - [3796 byte] - [15/06/2015 20:05:21]
AdwCleaner[R3].txt - [1011 byte] - [15/06/2015 20:13:27]
AdwCleaner[S1].txt - [3655 byte] - [15/06/2015 20:10:20]

########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [1127 byte] ##########

It unistalled my Koyote Free Video Converter tho

[Boggin]

Well that seems like a result - can you also uninstall the game, or has that gone as well.

EDIT - now those entries have gone, run ADW again to see if it gets rid of Babylon etc.

[Cencio]

Well that seems like a result - can you also uninstall the game, or has that gone as well.

EDIT - now those entries have gone, run ADW again to see if it gets rid of Babylon etc.

Yeah I already did the scan with Adw and fixed all the checked files/processes. That's why I said "It unistalled my Koyote Free Video Converter.." because that program was in the list. And it deleted Babylon aswell

EDIT: the game has gone the day before. I got rid of it

[Boggin]

So does that mean you are all clear now ?

[Cencio]

So does that mean you are all clear now ?

I really hope so
Thank you for the help

[Boggin]

Well that's good news anyway