How To Remove AD Popup VIRUS When Windows Starts Up?

Status
Not open for further replies.

Shark Dentist
Estimable
Jul 2, 2014
(I DON'T SUPPORT PIRACY)

I'll just get straight to the point: there was a game I hadn't played in years, from when I was about 9 years old, and I couldn't seem to find it on any of the digital stores, so I went to a free download site in hopes of finding it. I found it and saw that a load of people wrote in the comments that it was working great with nothing wrong (over 75 people upvoted it, as opposed to the 0 who downvoted). Anyway, I downloaded it feeling pretty safe, and now every time Windows starts, a Chrome window opens on some Russian website, even after uninstalling the game. It's driving me crazy! I haven't seen any PC slowdown or other problems yet, apart from that ad!


Some may say it's karma for downloading a 10-year-old game, but honestly I just want some help from you guys on Tom's Hardware to return my PC to its former clean, virus-free self.

Thanks in advance! :)

(Oh, and Malwarebytes found no detections :( )
 

game junky
Distinguished
Feb 2, 2012
Open Programs and Features and sort by install date to see if it added an additional piece of software, then run msconfig and see what programs launch at startup. Assuming you can't identify the problem from there, open the Settings tab in Google Chrome and see what pages launch when it's opened.

Some of those little guys are ugly and some require a system restore; if you can't get it cleaned after that point, run a system restore. If it's still buggy, try running an anti-malware scrubber like Malwarebytes or SUPERAntiSpyware.

If all the above fails you and it irritates you enough to want it gone, prepare to reload Windows. I will pray it's not that malicious, dude.
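The three checks in the post above (Programs and Features sorted by install date, the startup entries msconfig shows, and scheduled tasks, which msconfig does not show) can be done from one elevated PowerShell prompt. This is an added example, not code from the thread or from any tool named in it. It assumes the standard registry keys and folder locations; the `$Suspicious` pattern is an assumption to widen or narrow. `Get-ScheduledTask` needs Windows 8 / PowerShell 4 or later; on Windows 7 run `schtasks /query /v /fo LIST` instead.

```powershell
# Added example: enumerate autostart locations and recently installed programs,
# then flag entries whose command line matches a suspicious pattern.
# Assumption: the pattern below; adjust it to what you are hunting for.
$Suspicious = 'chrome\.exe.*https?://|https?://[^\s"]+|\.url|\.vbs|\.js|\.bat'

# 1. Recently installed programs (what "Programs and Features" lists), newest first
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Sort-Object InstallDate -Descending |
    Select-Object -First 15 |
    Format-Table -AutoSize

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath noise
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
})

# 3. Startup folders (per-user and all-users); .lnk targets resolved via WScript.Shell
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$entries += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = '{0} {1}' -f $lnk.TargetPath, $lnk.Arguments
        }
        [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $cmd }
    }
})

# 4. Scheduled tasks with a logon or boot trigger (msconfig never shows these)
$entries += @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'Logon|Boot' } } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Location = "Task: $($task.TaskPath)"
                Name     = $task.TaskName
                Command  = '{0} {1}' -f $a.Execute, $a.Arguments
            }
        }
    })

# Everything first, then only the entries that match the pattern
$entries | Format-Table -AutoSize -Wrap
Write-Host "`n=== Entries matching the suspicious pattern ===" -ForegroundColor Yellow
$entries | Where-Object { $_.Command -match $Suspicious } | Format-Table -AutoSize -Wrap
```

An entry that launches chrome.exe with a URL as its argument, or a script (.vbs, .js, .bat) sitting in a user-writable folder such as %APPDATA% or %TEMP%, is the kind of thing to look at first; a Run-key entry can simply be removed with `Remove-ItemProperty`, a task with `Unregister-ScheduledTask`.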
 

Shark Dentist
Estimable
Jul 2, 2014
Could you explain how I see what pages Chrome launches on startup in the settings? I can't seem to find it :eek:
And if I system restore to, like, 2 days ago, will the virus be deleted?

 

game junky
Distinguished
Feb 2, 2012
Click the three-line icon next to the address bar, then click Settings. There is a section called "On startup" where you can specify what happens when you launch the browser. Typically, most people have it set to google.com, Gmail or a blank tab, but sometimes those bugs embed their web page in that section. Additionally, check Extensions to see what's enabled.
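The same information (startup pages, homepage, extensions) lives in Chrome's profile files and can be read without clicking through the UI; the script below also checks the Chrome shortcuts themselves, since adware commonly leaves chrome.exe and its settings untouched and instead appends a URL to the arguments of the .lnk files on the desktop, Start menu and taskbar. This is an added example, not code from the thread or from Google; it assumes the default profile path under %LOCALAPPDATA% and the standard Preferences JSON layout.

```powershell
# Added example: read Chrome's startup settings and extensions from the profile,
# and look for hijacked Chrome shortcuts. Assumes the "Default" profile.
$userData   = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$profileDir = Join-Path $userData 'Default'
$prefsPath  = Join-Path $profileDir 'Preferences'

# Preferences is plain JSON. session.restore_on_startup:
#   1 = restore last session, 4 = open the URLs in startup_urls, 5 = new tab page
$prefs = Get-Content -Path $prefsPath -Raw -Encoding UTF8 | ConvertFrom-Json
[pscustomobject]@{
    RestoreOnStartup = $prefs.session.restore_on_startup
    StartupUrls      = ($prefs.session.startup_urls -join ', ')
    Homepage         = $prefs.homepage
    HomepageIsNTP    = $prefs.homepage_is_newtabpage
    DefaultSearch    = $prefs.default_search_provider_data.template_url_data.url
} | Format-List

# Installed extensions live in Extensions\<id>\<version>\manifest.json
Get-ChildItem -Path (Join-Path $profileDir 'Extensions') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.Name
        Get-ChildItem -Path $_.FullName -Directory | ForEach-Object {
            $manifest = Join-Path $_.FullName 'manifest.json'
            if (Test-Path $manifest) {
                $m = Get-Content $manifest -Raw -Encoding UTF8 | ConvertFrom-Json
                [pscustomobject]@{
                    Id          = $id
                    Version     = $_.Name
                    Name        = $m.name            # may be a __MSG_..__ placeholder for localized names
                    Permissions = ($m.permissions -join ',')
                }
            }
        }
    } | Format-Table -AutoSize -Wrap

# Shortcut hijack: a clean Chrome shortcut has no arguments at all.
$shell = New-Object -ComObject WScript.Shell
$lnkRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)
Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $shell.CreateShortcut($_.FullName) } |
    Where-Object { $_.TargetPath -match 'chrome\.exe$' -and $_.Arguments -ne '' } |
    Select-Object FullName, TargetPath, Arguments |
    Format-Table -AutoSize -Wrap
```

If a shortcut shows up in the last table with a URL in `Arguments`, fix it with `$lnk = $shell.CreateShortcut($path); $lnk.Arguments = ''; $lnk.Save()` or simply delete and recreate it. An extension ID you do not recognise can be looked up at `https://chrome.google.com/webstore/detail/<id>`; one with no Web Store entry and broad permissions (`tabs`, `<all_urls>`, `webRequest`) deserves removal.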
 

game junky
Distinguished
Feb 2, 2012
Sorry, just saw the second question. Not always; it depends on the architecture. When you install a program and it asks you to restart your computer, what it's really doing is trying to set up a restore point, so that if you discover that installing that driver or application causes issues with another program, you can simply run a system restore to that restore point and it will remove any changes that were made when the application was installed. Usually, what it is actually doing is removing the changes that were made to your system registry, and most bug makers try their best to make it difficult to remove their hard work. It's worth a shot, but if they're smart, it won't help you at all.
 

Shark Dentist
Estimable
Jul 2, 2014
Just checked the System Restore option on my PC, and I have no restore points, FML!
Plus, Malwarebytes doesn't find any detections :(
 

lfkfkfkffs
Estimable
Apr 2, 2014
1. First, download and install the Web of Trust (WOT) extension for Chrome; it will block any websites that people have reported.
2. Second, disable JavaScript, and then slowly build your trust back by allowing JavaScript to run again on the websites you normally go to.
3. Next, delete all history, cookies, data, etc.
4. Then lastly, run something like an adware cleaner: http://www.bitdefender.com/solutions/adware-removal-tool-for-pc.html or http://www.bleepingcomputer.com/download/adwcleaner/ (better yet, use both). Then download TDSSKiller and run it.

I would also like to add that you should run an antivirus program with real-time protection; this will help with things like USB drives dropping payloads, websites running malicious scripts, etc. The thing with Malwarebytes Free is that it doesn't offer real-time protection. I would recommend buying the Pro version, which I use and which runs great, and if you can't afford it, just do the 30-day Pro free trial.
 

Shark Dentist
Estimable
Jul 2, 2014
Cool, I'm gonna give this a shot now, thanks! :) I don't really understand this line though: "disable JavaScript, and then slowly build your trust back by allowing JavaScript to run again on the websites you normally go to."

How do I disable JavaScript, and how do I slowly build trust back, etc.?

 

lfkfkfkffs
Estimable
Apr 2, 2014
By slowly building trust I meant that when you disable it, at first you will need to enable JavaScript to run again on the pages that you visit. Slowly building trust is letting Chrome know you are okay with running JavaScript on that page, so slowly you will notice yourself not having to enable it as much, say in about a week, because you will have it enabled on all your favorite websites by then. You can disable it like this: go to Settings > Advanced settings > Privacy > Content settings > JavaScript (it will be the third choice) > select Disable.
 

Shark Dentist
Estimable
Jul 2, 2014
This didn't work, unfortunately :( I have a really weird file on my computer called "Twunk_32" in my C:\Windows folder that I can't seem to delete! And the weirdest thing just happened when I tried to open the Tom's Hardware page: something appeared on the screen telling me I was denied access to the site due to suspicious activity on my PC, and I had to do a CAPTCHA. :\ I'm sh*tting myself here wondering what damage this virus is doing to my new PC. Should I just wipe the drive? Is there an easy way to wipe the drive without having to reinstall Windows, etc.?

 

lfkfkfkffs
Estimable
Apr 2, 2014
I would just check your system startup folder first, just to see if anything got added. I'm pretty sure you don't have a virus, but if you had issues related to Twunk_32, look at http://blog.vilmatech.com/twunk_32-exe-virus-fix-twunk_32-exe-error-issues/ (I just didn't feel like typing out all the instructions, so I found you a link). Like most Windows system files, pretty much any of them can be turned into a virus by a malware author. I would say apply the fix from the link if needed, then just ignore it, because I do malware analysis for a living and I can safely tell you that you are most likely not infected. I think you might have forgotten to leave a check box blank, so it probably just added some adware that might be annoying but should be fixable. If you want some more reassurance, just go look at the last date modified and see if it has the Microsoft signature; if you see two and they both say something like '09, you are good, trust me.
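The "date modified plus Microsoft signature" check the post recommends can be made precise from PowerShell: verify the Authenticode/catalog signature, read the version resource, and compute a SHA256 you can paste into VirusTotal. This is an added example, not code from the thread; the file list is an assumption (the two files the thread asks about) that you can extend to any file under C:\Windows you are unsure of.

```powershell
# Added example: is a file in C:\Windows the Microsoft-signed original?
# Assumption: the list of files to check; extend as needed.
$files = 'twunk_16.exe', 'twunk_32.exe' | ForEach-Object { Join-Path $env:windir $_ }

$report = foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Warning "$f not present"; continue }
    $item = Get-Item $f
    # Most Windows binaries are catalog-signed rather than carrying an embedded
    # signature; Get-AuthenticodeSignature resolves catalog signatures too and
    # sets IsOSBinary when the file is a Windows component.
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        File        = $item.Name
        Size        = $item.Length
        LastWrite   = $item.LastWriteTime
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        SigStatus   = $sig.Status                    # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject  # empty when NotSigned
        IsOSBinary  = $sig.IsOSBinary
        SHA256      = (Get-FileHash -Path $f -Algorithm SHA256).Hash
    }
}
$report | Format-List

# Signals to worry about: SigStatus other than Valid, a signer that is not
# Microsoft, or a SHA256 that VirusTotal does not already know as a Windows file.
# "Access denied" when deleting files under C:\Windows is expected: they are
# owned by TrustedInstaller. To verify every protected file at once, run:
#   sfc /verifyonly
```

A valid Microsoft signature with a 2009 timestamp on a machine bought a few months ago is exactly what a Windows 7-era component looks like; the install media carries the file's original timestamp, so the date alone says nothing about when the machine was set up.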
 

Shark Dentist
Estimable
Jul 2, 2014
Oh, so Twunk isn't a new file? :\ I was under the impression that it was a new file because the icon looks pretty dodgy.
I just checked the date modified and it says 2009... I've only had this PC for a few months D:
Another odd thing about Twunk_32 and Twunk_16 is that I can't delete them no matter what; it says I don't have permission, and the only option is to keep retrying, even though I'm deleting them as an admin. (I even tried Malwarebytes FileASSASSIN to unlock and delete them, and it wasn't able to :eek: ) I really hope you're right about it not being a virus, because no antivirus has been able to find any malware whatsoever: Norton 360, Avira, Malwarebytes (free version), etc.

And if it isn't a virus, how do I get rid of this horrible Russian website that launches Google Chrome every time Windows launches? Luckily that's the only thing I've seen altering my PC. I haven't played any games yet, but the speed seems about the same as always in Chrome, on the desktop and idle.

*fingers crossed*
 

lfkfkfkffs
Estimable
Apr 2, 2014
That website doesn't come up in any of my tools as malicious; even running it through a VM and doing some light analysis, it doesn't really do anything malicious. The VirusTotal scan also came back clean: https://www.virustotal.com/en/url/25b3c2754965906a2b26a0e1bb114aa7561978c21a63a0f1a8350897ea9ee612/analysis/

The Web of Trust result came back yellow, which means some people have reported it for pop-ups, etc.:
https://www.mywot.com/en/scorecard/farbeck.net?utm_source=addon&utm_content=contextmenu

The website itself doesn't drop a payload; it most likely just makes money each time you go to it, pay-per-click.

As for http://katproxy.com/volgarr-the-viking-v2-0-0-1-2013-pc-eng-t7869593.html#main

This torrent is like a lot of other torrents: some of its contents have been tampered with and do carry malware.

VirusTotal didn't find anything about the link:

https://www.virustotal.com/en/url/f0fceae8e3423ce2f75877187478b1f8e3c316fb8829dba4fa7ef418c85d41b7/analysis/

But WOT users have reported it for a few malware-related things; it just really depends on what you downloaded.
https://www.mywot.com/en/scorecard/katproxy.com?utm_source=addon&utm_content=contextmenu

What I would do is check your homepage and your system startup folder. There is also a guide which shows you how to see if there is a web page set in Google Chrome to come up as soon as you start it: http://www.ampercent.com/browser-opening-unknown-page-at-startup/9627/

It is possible that the game you downloaded came from the time when the servers got compromised in 2012; Katproxy is just a child of the KickassTorrents website. You can read the full review here from someone who analyzed the site and the payload it dropped from files:
http://2.bp.blogspot.com/-Gf0zaSDi14c/TppVJO0xMHI/AAAAAAAAChY/FMfz_dKHlNA/s1600/malvertising%2Bon%2Bkickasstorrents%2Bspreading%2Bsecurity%2Bsphere%2B2012%2Bfake%2Bantivirus%2Bvia%2Bhacked%2Bopenx%2B2.png

Another thing you could try is roguekiller, and fully scan your system.

The only other thought I have, without putting too much time into it, is to download something like Process Monitor and do a little bit of your own analysis: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. If you see something odd, just look it up or ask me again here. If you find something suspicious coming up again and again even after you kill it, just pause it, then try to figure out which of the other processes is its buddy. Viruses all use the buddy system: one goes down, the other brings it back up. You can also try cleaning/clearing everything up with CCleaner.
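The Process Monitor approach above answers the question at runtime: which process started the Chrome window, and with what command line? The script below does the same from PowerShell by walking the parent chain of the top-level chrome.exe through `Win32_Process`, which also exposes the command line (and therefore the URL it was given). This is an added example, not code from the thread or from Sysinternals; the process name is a parameter and `chrome.exe` is the assumed default. Run it right after the unwanted window appears, before closing it.

```powershell
# Added example: find who launched a process (default chrome.exe) and walk up
# its parent chain, showing each ancestor's path and command line.
function Get-ProcessAncestry {
    param([string]$Name = 'chrome.exe')

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    # Chrome spawns its own renderer/GPU children (--type=...); only the
    # top-level chrome.exe, whose parent is not chrome.exe, tells us who launched it.
    $roots = $all | Where-Object {
        $_.Name -eq $Name -and
        -not ($byPid.ContainsKey([int]$_.ParentProcessId) -and
              $byPid[[int]$_.ParentProcessId].Name -eq $Name)
    }

    foreach ($root in $roots) {
        $cur = $root; $depth = 0; $seen = @{}
        while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
            $seen[[int]$cur.ProcessId] = $true
            [pscustomobject]@{
                Root        = $root.ProcessId
                Depth       = $depth
                Pid         = $cur.ProcessId
                Name        = $cur.Name
                Path        = $cur.ExecutablePath
                CommandLine = $cur.CommandLine
                Created     = $cur.CreationDate
            }
            $depth++
            $parent = $byPid[[int]$cur.ParentProcessId]
            # A "parent" that started after its child is a reused PID: stop there.
            if ($parent -and $parent.CreationDate -gt $cur.CreationDate) { $parent = $null }
            $cur = $parent
        }
    }
}

Get-ProcessAncestry -Name 'chrome.exe' |
    Sort-Object Root, Depth |
    Format-Table Root, Depth, Pid, Name, Path, CommandLine -AutoSize -Wrap
```

Reading the result: a Depth 0 row whose command line ends in a URL, with explorer.exe or userinit.exe at Depth 1, means a logon-time autostart entry (Run key, Startup folder, or a hijacked shortcut); svchost.exe hosting the Schedule service at Depth 1 means a scheduled task; wscript.exe, cscript.exe, cmd.exe or an unsigned executable in %APPDATA% or %TEMP% at Depth 1 is the launcher itself and its `Path` is what to remove. If the launcher has already exited by the time you run this, Process Monitor's boot logging (Options > Enable Boot Logging) captures the process tree from startup onward.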
 