Adware Browser Site On Startup

Status
Not open for further replies.

Raydge

Estimable
Nov 17, 2015
So there's this Russian adware site that pops up when I start my computer, takes me to a page called "gmaegames.pro" and displays ads. I have found that in the registry it is named as "exinarium.info". I've tried everything from registry data deletion (the lines keep coming back no matter what) to Malwarebytes and system restore, the adware is still there. This is highly annoying and I don't want to have to resort to complete system format (but if push comes to shove I will). Any insight or further information you'd like me to include, let me know.

I'm using Windows 7 Ultimate x64 and this happens with both Chrome and Firefox, depending on which is the main browser.

Thanks in advance.
 
With adware/trojans like yours there's a fake dropper program installed on your PC. You can remove the adware, but on reboot the dropper program reinstalls the infected files. Go to installed programs and look under startup programs and remove the ones you don't know about or that have been added in the last few days. Also, from another PC, download a rescue virus ISO, make a bootable USB from the ISO and scan from the USB stick and not from inside of Windows. See if it can pick up anything that's hiding.
 

Raydge

Estimable
Nov 17, 2015
Yes I know how this works, the thing is that I can't find that program. It's so well hidden. Tried MSCONFIG, the programs I have installed, scanned the entire thing even in safe mode but they still keep appearing. I fear my only choice will be to just tear the entire system from the root. I will see if I can find out whether it's a disguised file within my programs. Any other ideas?
 

Raydge

Estimable
Nov 17, 2015
EDIT:

In my Registry there appear two values related to exinarium:

1) HKCU/Software/Microsoft/Windows/Current Version/Run - A REG_SZ entry that has "explorer.exe http...." which commands the page to open.
2) HKU/S-1-5-21-1517667210-3065893483-4133137327-1000/Software/Microsoft/Windows/Current Version/Run - Which shares the same properties.

The thing is, when I delete one of the two, the other gets deleted along with it, and they reappear again on startup. How can I find the program-file that commands these entries be registered? I see a cmd window pop up at random and execute some code for a split second. After it executes, the registry entries are there again. I believe I have found the source. All that's left is to eliminate it. How can I check which programs or files whatsoever were run; a "history" of sorts but for executables such as .exe or .bat? This will help greatly.
 

cherry blossoms

Commendable
Apr 13, 2016
As others indicated, run Malwarebytes, make sure full scanning within archives and rootkit scanning is also enabled.

Then run AdwCleaner.
https://www.malwarebytes.com/adwcleaner/

Once done, use Autoruns to check for autostarting entries. Requires homework on your part to see what tasks/processes being started actually do. Not an automated tool.

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

 
Solution

I've tried everything from registry data deletion (the lines keep coming back no matter what.) to malwarebytes and system restore, the adware is still there.

The OP has already tried MalwareBytes.

@Raydge - Seems likely that a service that starts on reboot has been corrupted/replaced. Try booting into safe mode and see if you're still getting the pop-up ads.

-Wolf sends
 

Raydge

Estimable
Nov 17, 2015
Yes, I have tried every adware ridding program out there. Only thing I haven't done is Autoruns cause until yesterday, I didn't know an autorunning cmd was causing the lines to be added back. Will try it now (And no worries, I've done quite the homework hehe)

EDIT: Downloaded Autoruns and finally, found an entry in my Task Scheduler that opened a cmd instance and added the registry entries. I have rid myself of this meddlesome little imp. However, I am not yet closing this thread for I want to be sure further trickery isn't involved. Will update soon™ ...

EDIT #2: Success!!! After an agonizing battle (not really) I have found, and eliminated the root of evil. What I did was first, to remove the autorunning cmd from my Task Scheduler, then delete the registry entries it created. Finally, ran a scan with MalwareBytes again just to be on the safe side, and it hasn't appeared since. Thanks everyone.
 
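The persistence chain Raydge describes (a scheduled task that launches cmd, which re-creates the Run-key value pointing explorer.exe at a URL) can be triaged from the console as well as with Autoruns. The following PowerShell is an added example, not code from this thread or from any of the tools mentioned; it assumes Windows 7 with PowerShell 2.0 or later and uses the Schedule.Service COM API, since Get-ScheduledTask does not exist on Windows 7.

```powershell
# Added example, not code from the thread. Assumes Windows 7 with PowerShell 2.0+
# and the Schedule.Service COM API (Get-ScheduledTask does not exist on Windows 7).
# Goal: surface the two persistence points described in the thread without Autoruns:
#   1) Run-key values that launch explorer.exe or a browser with a URL
#   2) scheduled tasks whose action runs cmd.exe/reg.exe or names a Run key

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host '== Run-key values that open a URL =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # skip PSPath, PSProvider, ...
        if ("$($p.Value)" -match '(?i)https?://') {
            '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

Write-Host '== Scheduled tasks that run cmd/reg or touch a Run key =='
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()                                         # local machine

function Walk-TaskFolder($folder) {
    foreach ($task in $folder.GetTasks(1)) {           # 1 = TASK_ENUM_HIDDEN
        foreach ($action in $task.Definition.Actions) {
            if ($action.Type -ne 0) { continue }       # 0 = TASK_ACTION_EXEC
            $cmd = "$($action.Path) $($action.Arguments)"
            if ($cmd -match '(?i)\b(cmd|reg|wscript|cscript|powershell|mshta)(\.exe)?\b' -or
                $cmd -match '(?i)CurrentVersion\\Run') {
                New-Object PSObject -Property @{
                    Task    = $task.Path
                    Enabled = $task.Enabled
                    Command = $cmd
                }
            }
        }
    }
    # recurse into sub-folders; a task hidden in a nested folder is easy to miss in the GUI
    foreach ($sub in $folder.GetFolders(0)) { Walk-TaskFolder $sub }
}
Walk-TaskFolder $svc.GetFolder('\')
```

A legitimate updater can match the second filter, so confirm each hit by reading the full action before disabling the task; the fix order in the thread (task first, then the Run-key values, then a rescan) is the right one because deleting the values first only invites the task to re-create them.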
Nov 27, 2018


Any hint on what you eliminated?
 