How To Remove AD Popup VIRUS When Windows Starts Up?

November 22, 2014 6:02:10 AM

(I DON'T SUPPORT PIRACY)

I'll just get straight to the point, there was a game I hadn't played in years from like when I was 9 years old and I couldn't seem to find it on any of the digital stores.. so I went to a download free site in hopes of finding it. I found it and saw a load of people wrote in the comments that it was working great and nothing wrong (over 75 people upvoted as opposed to the 0 who downvoted). ..anyway I downloaded it feeling pretty safe and now every time windows starts a chrome browser opens with some russian website even after uninstalling the game. It's driving me crazy! I haven't seen any pc slow-down or problems yet apart from that FU**ING ad! (excuse my french :p  )


Some may say it's karma for downloading a 10 year old game but honestly I just want some help from you guys on Tom's Hardware to return my PC to its former clean virus-free self.

Thanks in advance! :) 

(Oh and Malwarebytes found no detections :(  )

November 22, 2014 6:08:19 AM

Open programs and features and sort by install date to see if it added an additional piece of software, then run msconfig and see what programs launch at startup. Assuming you can't identify the problem from there, open your settings tab in google chrome and see what pages launch when it's opened.

Some of those little guys are ugly and some require a system restore - if you can't get it cleaned after that point, run a system restore. If it's still buggy, try running an antimalware scrubber like malwarebytes or superantispyware.

If all the above fails you and it irritates you enough to want it gone, prepare to reload windows. I will pray it's not that malicious dude
November 22, 2014 6:20:44 AM

game junky said:
Open programs and features and sort by install date to see if it added an additional piece of software, then run msconfig and see what programs launch at startup. Assuming you can't identify the problem from there, open your settings tab in google chrome and see what pages launch when it's opened.

Some of those little guys are ugly and some require a system restore - if you can't get it cleaned after that point, run a system restore. If it's still buggy, try running an antimalware scrubber like malwarebytes or superantispyware.

If all the above fails you and it irritates you enough to want it gone, prepare to reload windows. I will pray it's not that malicious dude


Could you explain how I see what pages chrome launches on startup in the settings? I can't seem to find it :o 
And if I system restore it to like 2 days ago will the virus be deleted?

November 22, 2014 6:43:26 AM

click the 3 line icon next to the address bar, click settings, there is a section called on startup and it has a section for you to be able to specify what happens when you launch the browser. Typically, most people have it either at google.com, gmail or a blank tab but sometimes those bugs imbed their webpage in that section. Additionally, check in extensions to see what's enabled.
November 22, 2014 6:46:49 AM

Sorry - just saw the second question. Not always - it depends on the architecture. When you install a program and it asks you to restart your computer, what it's really doing is trying to set up a restore point so that if you discover installing that driver or application causes issues with another program, you can simply run a system restore to that restore point and it will remove any changes that were made when the application was installed. Usually, what it is actually doing is removing the changes that were made to your system registry and most bug makers try their best to make it difficult to remove their hard work. It's worth a shot but if they're smart, it won't help you at all.
November 22, 2014 7:53:48 AM

game junky said:
Sorry - just saw the second question. Not always - it depends on the architecture. When you install a program and it asks you to restart your computer, what it's really doing is trying to set up a restore point so that if you discover installing that driver or application causes issues with another program, you can simply run a system restore to that restore point and it will remove any changes that were made when the application was installed. Usually, what it is actually doing is removing the changes that were made to your system registry and most bug makers try their best to make it difficult to remove their hard work. It's worth a shot but if they're smart, it won't help you at all.


Just checked my system restore option on my pc..and I have no restore points,fml!
+Malwarebytes doesn't find any detections :( 
November 22, 2014 10:20:25 AM

any luck with chrome extensions that shouldn't be there or pages launching at startup?
November 22, 2014 11:17:45 AM

game junky said:
any luck with chrome extensions that shouldn't be there or pages launching at startup?


unfortunately not :(  I think I may have found the virus tho.. Twunk_32.exe
November 22, 2014 3:36:37 PM

This is driving me mad :(  I even installed norton 360 and did a scan... but the virus persists! :( 
November 22, 2014 3:42:03 PM

First download and install the app Web of Trust (WOT) to Chrome; it will block any websites that people have reported. 2nd, disable JavaScript, and then slowly build your trusts back allowing them to run JavaScript on your page again from websites that you normally go to. Next delete all history, cookies, data etc... Then lastly run something like an adware cleaner http://www.bitdefender.com/solutions/adware-removal-too... or http://www.bleepingcomputer.com/download/adwcleaner/ better yet use both. Then download tdskiller and run it. I would also like to add you should run an antivirus program with real time protection, this will help with things like usb drives dropping payloads, websites running malicious scripts, etc... The thing with malwarebytes free is that it doesn't offer real time protection. I would recommend buying the pro version which I use and runs great, and if you can't afford it just do the 30 day pro free trial.
November 22, 2014 3:49:31 PM

lfkfkfkffs said:
First download and install the app Web of Trust (WOT) to Chrome; it will block any websites that people have reported. 2nd, disable JavaScript, and then slowly build your trusts back allowing them to run JavaScript on your page again from websites that you normally go to. Next delete all history, cookies, data etc... Then lastly run something like an adware cleaner http://www.bitdefender.com/solutions/adware-removal-too... or http://www.bleepingcomputer.com/download/adwcleaner/ better yet use both. Then download tdskiller and run it. I would also like to add you should run an antivirus program with real time protection, this will help with things like usb drives dropping payloads, websites running malicious scripts, etc... The thing with malwarebytes free is that it doesn't offer real time protection. I would recommend buying the pro version which I use and runs great, and if you can't afford it just do the 30 day pro free trial.


Cool,I'm gonna give this a shot now,thanks! :)  I don't really understand this line tho "disable java script, and then slowly build your trusts back allowing them to run JavaScript on your page again from websites that you normally go to."

How do I disable javascript and how do I slowly build trust back,etc?

November 22, 2014 4:30:22 PM

By slowly building trust I meant when you disable it, at first you will need to enable JavaScript to run again on pages that you visit. Slowly build trust is letting chrome know you are okay with running JavaScript on that page, so slowly you will notice yourself not having to enable it as much say in like a week, because you will have it enabled on all your favorite websites by then. You can disable it by doing this. go to settings>Advanced settings>Privacy-Content settings>JavaScript-Will be the 3rd choice>Select Disable
November 22, 2014 4:54:57 PM

lfkfkfkffs said:
First download and install the app Web of Trust (WOT) to Chrome; it will block any websites that people have reported. 2nd, disable JavaScript, and then slowly build your trusts back allowing them to run JavaScript on your page again from websites that you normally go to. Next delete all history, cookies, data etc... Then lastly run something like an adware cleaner http://www.bitdefender.com/solutions/adware-removal-too... or http://www.bleepingcomputer.com/download/adwcleaner/ better yet use both. Then download tdskiller and run it. I would also like to add you should run an antivirus program with real time protection, this will help with things like usb drives dropping payloads, websites running malicious scripts, etc... The thing with malwarebytes free is that it doesn't offer real time protection. I would recommend buying the pro version which I use and runs great, and if you can't afford it just do the 30 day pro free trial.


This didn't work unfortunately :(  I have a really weird file on my computer called "Twunk_32" in my "C:\Windows" folder that I can't seem to delete! And the weirdest thing just happened when I tried to open the Tom's Hardware page.. something appeared on the screen telling me I was denied access from the site due to suspicious activity on my pc. I had to do a captcha. :\ I'm sh*tting myself here wondering what damage this virus is doing to my new pc. Should I just wipe the drive? Is there an easy way to wipe the drive without having to re-install windows, etc..?
November 22, 2014 6:55:58 PM

The Captcha is almost certainly part of our anti-spam and anti-crawl system - it's currently set a little too aggressively, IMHO.
November 22, 2014 10:34:55 PM

I would just check your system startup folder first, just to see if anything got added. I'm pretty sure you don't have a virus, but if you had issues related to twunk look at http://blog.vilmatech.com/twunk_32-exe-virus-fix-twunk_... I just didn't feel like typing out all the instructions so I found you a link. Like most Windows system files pretty much any of them have the ability to become a virus from a malware author. I would say apply the fix from the link if needed, then just ignore it because I do malware analysis for a living and I can safely tell you are most likely not infected, I think you might have forgotten to leave a check box blank, so it probably just added some adware that might be annoying but should be fixable. If you want some more reassurance just go look at the last date modified, and see if it has the Microsoft signature, if you see two and they both say like 09, you are good trust me.
November 23, 2014 6:15:50 AM

lfkfkfkffs said:
I would just check your system startup folder first, just to see if anything got added. I'm pretty sure you don't have a virus, but if you had issues related to twunk look at http://blog.vilmatech.com/twunk_32-exe-virus-fix-twunk_... I just didn't feel like typing out all the instructions so I found you a link. Like most Windows system files pretty much any of them have the ability to become a virus from a malware author. I would say apply the fix from the link if needed, then just ignore it because I do malware analysis for a living and I can safely tell you are most likely not infected, I think you might have forgotten to leave a check box blank, so it probably just added some adware that might be annoying but should be fixable. If you want some more reassurance just go look at the last date modified, and see if it has the Microsoft signature, if you see two and they both say like 09, you are good trust me.



Oh,so Twunk isn't a new file? :\ I was under the impression that it was a new file because the icon looks pretty dodgy.
I just checked the date modified and it says 2009.. I've only had this PC for a few months D:
Another odd thing about Twunk_32 and Twunk_16 is that I can't delete it no matter what, it says I don't have permission and the only option is to keep retrying even tho I'm deleting it as an admin. (I even tried malwarebytes FileASSASSIN to unlock and delete it and it wasn't able to :o  ) I really hope you're right about it not being a virus because no antivirus has been able to find any malware whatsoever, Norton 360, Avira, Malwarebytes (free version), etc..

And if it isn't a virus how do I get rid of this horrible Russian website that launches google chrome every time windows launches?... luckily that's the only thing I've seen altering my pc. I haven't played any games yet but the speed seems about the same as always on chrome, desktop, idle.

*fingers crossed*
November 23, 2014 11:37:58 AM

Twunk is part of Windows, it isn't anything to worry about, not all odd named exe files are bad. Can you link the website, without any shorteners etc
November 23, 2014 3:41:26 PM

That website doesn't appear to come up in any of my tools as malicious, even running it through a vm doing some light analysis it doesn't really do anything malicious. The virustotal scan also came back clean https://www.virustotal.com/en/url/25b3c2754965906a2b26a...

The web of trust stuff came back as being yellow which means some people have reported it for pop-ups etc...
https://www.mywot.com/en/scorecard/farbeck.net?utm_sour...

The website itself doesn't drop a payload, it most likely just makes money each time you go to it, pay per click.

as for the http://katproxy.com/volgarr-the-viking-v2-0-0-1-2013-pc...

This torrent is like a lot of other torrents, some of its contents have been tampered with, and do carry malware.

Virus total didn't find anything about the link

https://www.virustotal.com/en/url/f0fceae8e3423ce2f7587...

But WOT users have reported it for a few malware related things, it just really depends on what you downloaded.
https://www.mywot.com/en/scorecard/katproxy.com?utm_sou...

What I would do is check your homepage, and your system startup folder. There is also a guide which shows you how to see if there is a webpage that is set in google chrome to come up as soon as you start it. http://www.ampercent.com/browser-opening-unknown-page-a...

It is possible that the game that you downloaded came from a time when the servers got compromised in 2012, Katproxy is just a child of the kickasstorrents website. You can read the full review here from someone who analyzed the site and the payload it dropped from files
http://2.bp.blogspot.com/-Gf0zaSDi14c/TppVJO0xMHI/AAAAA...

Another thing you could try is roguekiller, and fully scan your system.

The only other thought I could have without putting too much time into it is to download something like process monitor and do a little bit of your own analysis http://technet.microsoft.com/en-us/sysinternals/bb89664... if you see something odd just look it up or ask me again here, if you do find something suspicious coming up again and again even after you kill it, just pause it then try to figure out which one of the other processes is its buddy. Viruses all use the buddy system, one goes down, the other brings it back up. You can also try cleaning/clearing everything up with ccleaner.
November 23, 2014 4:03:29 PM

Firstly:

Start > Run > type: msconfig
Go to the "Start up" tab and disable all programs that are displayed here (with exception of anti-virus) & reboot PC


Secondly:
Download a program called rkill from the link below:
http://www.bleepingcomputer.com/download/rkill/

Run the program as Admin, it will temporarily kill any malicious processes running on your machine & reset a few broken things.. *DO NOT reboot PC yet*


Thirdly:
Download AdwCleaner from the following link below:
http://www.bleepingcomputer.com/download/adwcleaner/

Run a scan as Admin, scan and remove everything it finds & now reboot your PC


Fourthly (continue if problem hasn't been solved):
Download HitmanPro for your PC using link below:
http://www.surfright.nl/en/hitmanpro/

Excellent second opinion cloud scanner, run as trial and do a scan, remove anything it finds and reboot PC


Fifthly (continue if problem hasn't been solved):
Reset your HOSTS file, might be redirections in there.
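
Before resetting the HOSTS file as suggested in the fifth step above, it helps to see what is active in it. The PowerShell sketch below is an added example, not part of the original thread; the function name `Get-HostsEntry` and the sample lines are constructed for illustration, and it only reads the file.

```powershell
# Added example: read-only review of the HOSTS file; nothing is modified.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()     # strip comments
        if (-not $text) { continue }                   # blank or comment-only line
        $parts = @($text -split '\s+')
        if ($parts.Count -lt 2) { continue }           # malformed: address without a name
        $address  = $parts[0]
        $loopback = @('127.0.0.1', '::1', '0.0.0.0') -contains $address
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            # stock    = localhost pointing at the local machine
            # block    = some other name pinned to loopback/0.0.0.0 (made unreachable)
            # redirect = a name sent to a specific remote address
            if ($loopback -and $name -eq 'localhost') { $kind = 'stock' }
            elseif ($loopback)                        { $kind = 'block' }
            else                                      { $kind = 'redirect' }
            New-Object PSObject -Property @{
                Address  = $address
                HostName = $name
                Kind     = $kind
            }
        }
    }
}

# Constructed sample lines (not from a real machine) to show the three kinds.
$sample = @(
    '# constructed sample',
    '127.0.0.1    localhost',
    '0.0.0.0      ads.example.invalid    # block entry',
    '203.0.113.7  www.example.invalid login.example.invalid'
)
Get-HostsEntry $sample | Format-Table Address, HostName, Kind -AutoSize

# The live file: show everything except the stock localhost lines.
Get-HostsEntry (Get-Content -Path $hostsPath) |
    Where-Object { $_.Kind -ne 'stock' } |
    Format-Table Address, HostName, Kind -AutoSize
```

On Windows 7 and later the default HOSTS file contains only comment lines, so an empty result from the second command means there is nothing to reset. Lines reported as `block` are often added by security tools, while `redirect` lines are the ones to question first.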
November 24, 2014 6:55:42 AM

aks_1337 said:
Firstly:

Start > Run > type: msconfig
Go to the "Start up" tab and disable all programs that are displayed here (with exception of anti-virus) & reboot PC


Secondly:
Download a program called rkill from the link below:
http://www.bleepingcomputer.com/download/rkill/

Run the program as Admin, it will temporarily kill any malicious processes running on your machine & reset a few broken things.. *DO NOT reboot PC yet*


Thirdly:
Download AdwCleaner from the following link below:
http://www.bleepingcomputer.com/download/adwcleaner/

Run a scan as Admin, scan and remove everything it finds & now reboot your PC


Fourthly (continue if problem hasn't been solved):
Download HitmanPro for your PC using link below:
http://www.surfright.nl/en/hitmanpro/

Excellent second opinion cloud scanner, run as trial and do a scan, remove anything it finds and reboot PC


Fifthly (continue if problem hasn't been solved):
Reset your HOSTS file, might be redirections in there.



I did everything up to resetting my HOSTS (haven't done that yet).. hitman pro found a few things that I thought was the problem.. cookies called "MLN advertising" etc.. Turned my pc back on after the reboot and the problem is still there :( 

How do I reset my HOSTS file and will I lose anything important?
November 24, 2014 4:15:28 PM

If you don't have anything important I would just repave and format and install the os again. They most likely changed some registry values, so no matter how many times you delete/change stuff the registry will bring it back up. You could change the registry where it got messed up, but that can be hard without knowing what messed it up in the first place. So just wipe once, unless you ate taco bell, and install the os again.
November 25, 2014 9:02:39 AM

lfkfkfkffs said:
If you don't have anything important I would just repave and format and install the os again. They most likely changed some registry values, so no matter how many times you delete/change stuff the registry will bring it back up. You could change the registry where it got messed up, but that can be hard without knowing what messed it up in the first place. So just wipe once, unless you ate taco bell, and install the os again.


I had just formatted my drive about 2 months ago because of new hardware and lost everything :( 
My PC is full of stuff I need for editing/photoshop.. like plugins, images, etc.. and my second drive isn't really big enough unfortunately :( 
Luckily I just got a copy of Windows 8.1 off a friend so would you recommend I use that instead of my current windows 7 Ultimate? :o 

Oh and is this virus likely causing damage to my hardware or is it just ads? Because I was thinking about maybe finishing all my editing sony vegas projects before I format the drive so that I can clear up some space?
November 25, 2014 5:53:01 PM

I think one thing that you could try is just uninstalling chrome, and then try switching to firefox. The ad thing might only target chrome. Again I don't really think we are dealing with a virus, just something simple like a check box when you installed the torrent or game that installed some extra junk, and edited your registry making it hard to pin point both the file, and the registry for it. As for the windows 7 ultimate if you have the key you can use that key to install it again. Windows 8.1 unless it is pro or higher will be limited to 16 gigs of ram depending on which one you have. If you have the bandwidth you could probably upload your files to a cloud overnight while you are asleep, then reformat in the morning if nothing else is working. I use http://www.adrive.com/personal_premium You get 50gigs for free, or for like $2.50 a month you get 10tb of space. I would just upload there, then transfer back and remove the stuff from your account.
December 30, 2014 6:54:34 PM

Can you please tell it to me when you have a solution? I have the same problem now and it's driving me crazy. Everywhere I click I get this stupid ad. I can't even check my social network. Since I've tried to delete it I've got every time I click, no matter what I do, I go to another site. Please help me, this is the only way I could communicate.
November 8, 2015 1:23:46 AM

Shark Dentist said:
aks_1337 said:
Firstly:

Start > Run > type: msconfig
Go to the "Start up" tab and disable all programs that are displayed here (with exception of anti-virus) & reboot PC


Secondly:
Download a program called rkill from the link below:
http://www.bleepingcomputer.com/download/rkill/

Run the program as Admin, it will temporarily kill any malicious processes running on your machine & reset a few broken things.. *DO NOT reboot PC yet*


Thirdly:
Download AdwCleaner from the following link below:
http://www.bleepingcomputer.com/download/adwcleaner/

Run a scan as Admin, scan and remove everything it finds & now reboot your PC


Fourthly (continue if problem hasn't been solved):
Download HitmanPro for your PC using link below:
http://www.surfright.nl/en/hitmanpro/

Excellent second opinion cloud scanner, run as trial and do a scan, remove anything it finds and reboot PC


Fifthly (continue if problem hasn't been solved):
Reset your HOSTS file, might be redirections in there.



I did everything up to resetting my HOSTS (haven't done that yet).. hitman pro found a few things that I thought was the problem.. cookies called "MLN advertising" etc.. Turned my pc back on after the reboot and the problem is still there :( 

How do I reset my HOSTS file and will I lose anything important?




Go to run>msconfig>startup tab. Expand the command column and scroll down to see the russian game website under the command column. Mine was called some zivlingamer or gamezonenews if that helps. The name of the startup thing will be hidden under some Microsoft Operating System Software or something. I had the same problem. Hope yours gets solved.
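
The last reply found the culprit by reading the command column of the msconfig Startup tab. The PowerShell sketch below is an added example, not part of the original thread: it lists the same kind of auto-start entries (registry Run keys and the Startup folders) and flags any whose command line carries a URL. The function names and the sample entry are constructed for illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of auto-start entries; nothing is modified.
$urlPattern = '(?i)\b(https?://|www\.)\S+'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function New-Entry([string]$Source, [string]$Name, [string]$Command) {
    New-Object PSObject -Property @{
        Source  = $Source
        Name    = $Name          # display name; can be anything, so do not trust it
        Command = $Command       # what actually runs at logon
        HasUrl  = [bool]($Command -match $urlPattern)
    }
}

function Get-StartupEntry {
    # 1. Registry Run/RunOnce keys: each value is "display name -> command line".
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            New-Entry $key $name ([string]$item.GetValue($name))
        }
    }
    # 2. Startup folders: resolve shortcuts so the target and arguments are visible.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        foreach ($file in (Get-ChildItem -Path $folder -Force)) {
            if ($file.PSIsContainer -or $file.Name -eq 'desktop.ini') { continue }
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                $sc = $shell.CreateShortcut($file.FullName)
                $command = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
            } elseif ($file.Extension -eq '.url') {
                $command = $shell.CreateShortcut($file.FullName).TargetPath
            }
            New-Entry $folder $file.Name $command
        }
    }
}

# Constructed sample entry (not from a real machine): harmless-looking name, URL in the command.
$sample = New-Entry 'constructed sample' 'Example System Software' `
    '"C:\Program Files\Example\app.exe" http://example.invalid/'
"Sample entry flagged: $($sample.HasUrl)"

# Live listing, flagged entries first.
Get-StartupEntry |
    Sort-Object HasUrl -Descending |
    Format-List Name, Source, Command, HasUrl
```

Scheduled tasks and a modified Chrome shortcut target can produce the same symptom and are not covered by this listing, so check those separately if nothing here is flagged.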