Adware Browser Site On Startup

Raydge

Estimable
Nov 17, 2015
4
0
4,510
Best answers
0
So there's this Russian adware site that pops up when I start my computer, takes me to a page called "gmaegames.pro" and displays ads. I have found that in the registry it is named as "exinarium.info". I've tried everything from registry data deletion (the lines keep coming back no matter what) to Malwarebytes and system restore, the adware is still there. This is highly annoying and I don't want to have to resort to complete system format (but if push comes to shove I will). Any insight or further information you'd like me to include, let me know.

I'm using Windows 7 Ultimate x64 and this happens with both Chrome and Firefox, depending on which is the main browser.

Thanks in advance.
 

smorizio

Splendid
Jan 22, 2010
1,154
0
21,410
Best answers
269
With adware/trojans like yours there's a fake dropper program installed on your PC. You can remove the adware, but on reboot the dropper program reinstalls the infected files. Go to installed programs and look under startup programs and remove the ones you don't know about or that have been added in the last few days. Also, from another PC, download a rescue virus ISO and make a bootable USB ISO and scan from a USB stick and not from inside of Windows. See if it can pick up anything that's hiding.
 

Raydge

Yes I know how this works, the thing is that I can't find that program. It's so well hidden. Tried MSCONFIG, the programs I have installed, scanned the entire thing even in safe mode but they still keep appearing. I fear my only choice will be to just tear the entire system from the root.. I will see if I can find out whether it's a disguised file within my programs. Any other ideas?
 

Raydge

EDIT:

In my Registry there appear two values related to exinarium:

1) HKCU/Software/Microsoft/Windows/Current Version/Run - A REG_SZ entry that has "explorer.exe http...." which commands the page to open.
2) HKU/S-1-5-21-1517667210-3065893483-4133137327-1000/Software/Microsoft/Windows/Current Version/Run - Which shares the same properties.

The thing is, when I delete one of the two, the other gets deleted along with it, and they reappear again on startup. How can I find the program-file that commands these entries be registered? I see a cmd window pop up at random and execute some code for a split second. After it executes, the registry entries are there again. I believe I have found the source. All that's left is to eliminate it. How can I check which programs or files whatsoever were run; a "history" of sorts but for executables such as .exe or .bat? This will help greatly.
 

mdd1963

Distinguished
Jan 14, 2006
608
0
20,060
Best answers
110
I'd have a look at what all entries a scan with www.freefixer.com turns up as well...

(Look very carefully at everything not 'whitelisted', i.e., highlighted in green with no option to delete)
 

Wolfshadw

Splendid
Moderator
Aug 3, 2006
2,417
0
23,160
Best answers
531




"I've tried everything from registry data deletion (the lines keep coming back no matter what.) to malwarebytes and system restore, the adware is still there."
The OP has already tried MalwareBytes.

@Raydge - Seems likely that a service that starts on reboot has been corrupted/replaced. Try booting into safe mode and see if you're still getting the pop-up ads.

-Wolf sends
 

Raydge

Yes, I have tried every adware ridding program out there. Only thing I haven't done is Autoruns 'cause until yesterday, I didn't know an autorunning cmd was causing the lines to be added back. Will try it now. (And no worries, I've done quite the homework hehe)

EDIT: Downloaded Autoruns and finally, found an entry in my Task Scheduler that opened a cmd instance and added the registry entries. I have rid myself of this meddlesome little imp. However, I am not yet closing this thread for I want to be sure further trickery isn't involved. Will update soon™ ...

EDIT #2: Success!!! After an agonizing battle (not really) I have found, and eliminated the root of evil. What I did was first, to remove the autorunning cmd from my Task Scheduler, then delete the registry entries it created. Finally, ran a scan with MalwareBytes again just to be on the safe side, and it hasn't appeared since. Thanks everyone.
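
The check that resolved this thread (a scheduled task that opens cmd and rewrites the Run values) can be scripted; the following is an added example, not part of the original posts. The match patterns and function names are assumptions made for illustration, and it goes slightly beyond the thread by also reading the machine-wide Run keys.

```powershell
# Added example: audit the two persistence points named in this thread.
# Runs on PowerShell 2.0+ (Windows 7). The schtasks column names used below
# ("TaskName", "Task To Run") assume an English-locale system.

# Assumed heuristics, taken from the thread's description: a command that
# opens a URL, or one that starts a shell, a script host or "reg add".
$UrlPattern   = '(?i)https?://'
$ShellPattern = '(?i)\b(cmd|reg\s+add|powershell|wscript|cscript|mshta)\b'

function Test-SuspiciousCommand([string]$Command) {
    return ($Command -match $UrlPattern) -or ($Command -match $ShellPattern)
}

function Get-RunKeyFindings {
    # HKCU is an alias for HKU\<SID of the logged-on user>, so the two entries
    # in the thread are one value seen through two paths. HKLM keys are added here.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if (Test-SuspiciousCommand $value) {
                New-Object PSObject -Property @{ Source = $path; Name = $name; Command = $value }
            }
        }
    }
}

function Get-TaskFindings {
    # /v adds the "Task To Run" column. Drop blank lines and repeated header rows.
    $rows = schtasks.exe /query /fo csv /v | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $action = $row.'Task To Run'
        if ($row.TaskName -ne 'TaskName' -and (Test-SuspiciousCommand $action)) {
            New-Object PSObject -Property @{ Source = 'Task Scheduler'; Name = $row.TaskName; Command = $action }
        }
    }
}

# One row per trigger is returned for a task, so de-duplicate task hits by name.
$findings = @(Get-RunKeyFindings) + @(Get-TaskFindings | Sort-Object Name -Unique)
$findings | Format-List Source, Name, Command
```

Hits are leads to review rather than verdicts, since legitimate tasks also launch cmd or PowerShell. As in the thread, remove the task first and the Run values second, otherwise the task writes them back.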
 
Nov 27, 2018
1
0
10
Best answers
0


Any hint on what you eliminated?
 