Help me find the virus.

August 4th, 2016

Okay.. Remember this topic of mine ??
https://www..org/viewtopic.php?p=88483422#88483422
I think I found what the virus does. Every time I start/restart my computer, a chrome window opens and tries to go to this website (don’t go there):
http://dota2game.org/
Luckily my ESET Smart Security blocks it because it’s identified as a phishing page.
Now my question is this: how can I find the file that does this thing?? I mean there must be some list of all programs that run immediately on computer start up. Where can I find that??
Thanks,

Answer #1
Right click on the start icon and select search.. Type msconfig. Run it and you will see an option for start up programs. Search for start up progs you're unaware of and uncheck them from starting up; hopefully that should fix your prob with a little playing around.
It will also give you the name and location of the file, so once it has been stopped from starting up you can then check if it is in your program list and uninstall from there, or if not, manually go to the directory stated and delete it from there.
Also might have to look carefully. I'll post a pic of someone else with a prob: on start up cmd runs, which is from microsoft, but with a web location to a spam site.. May be tricky like that as well, let us know how you go.
Image
Answer #2
Yup, that’s it, found it.
Many thanks.
Although I can’t track it to its location, or can I?
Location says “HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentRun\Run”
Answer #3
They go to as much trouble as possible to hide the program from you. More or less, if chrome opens each time on start up, one of the items in your startup list is making it do it, no ifs or buts.. The above example would be logical, given that you haven't been able to find a virus..
Ohh good stuff.. Umm you can sorta, that location is a registry value. You can by going into regedit (search for it) and going to that location; deleting registry values can cause problems though.. let me think about how I'd get rid of it, and I'll edit this again in a min or two…
Seems safe to delete the value, make sure you inspect the key properly, there most likely will be multiple ones in the registry folder you mentioned.. Make sure to only delete the one that starts cmd and has a link to the site you mentioned though… and then the problem will be fixed..
Answer #4
https://www..org/viewtopic.php?t=22369745
Look at the last post of mine on this topic, and provide what has been asked for there. I just felt too lazy to rewrite it again.
Answer #5
@, thanks will try this now.
https://www..org/viewtopic.php?t=22369745
Look at the last post of mine on this topic, and provide what has been asked for there. I just felt too lazy to rewrite it again.

Logon :
Image
Processes :
Image
Scheduled Tasks :
Image
Services :
Image
Answer #6
Don't worry about processes and so forth, it will just be one startup key you need to find and delete. The first pic is close but doesn't actually show the “folder”/directory that you mentioned above.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentRun\Run
You have to get to that directory to find the needed key.. If you find it, start by unchecking the box, restart to ensure it fixed the prob and you have the right key, and if so go back in the reg editor and delete the whole key.
If you're having no luck try http://sourceforge.net/projects/hjt/ Called HijackThis, more specifically a registry prog which should find the key for you if you can't.
Answer #7
Even without a virus, this computer should be slow.
Most of the software you have installed is unfamiliar to me, so I will point out suspicious things and you double check them.
First of all, go to the Everything tab in Autoruns and right click on every single yellow colored line, then delete; this way we get rid of junk entries at least.
LOGON
Akamai net session client runs from a weird location. Go and check if that software is legit by right clicking its exe and looking for the Digital Signatures tab, if it exists. It was added to that list 1 day before you posted your problem, so it is highly suspicious.
Also go and look at the executables of those processes in order to confirm whether the software is legit or installed by you:
aeria ignite apsdeamon
roccat
stcagent zyngagames google chrome installer. I don't use chrome but I think it shouldn't run on start up. That's all for the logon part; the most possible suspect is the akamai thing.
PROCESSES
again aeria ignite and zyngagames gmclient <<< possible suspect
savu
volumewatcher
soldier front <<<<<<< I believe this is a game, right? Otherwise this is the most possible infection.
Scheduled Tasks
nothing
Services
applechargersrv
scbackservice
That's all I can see. Some of that software may be legit but I have heard of them for the first time, so I asked you to check them; their “run” pathway is written next to them, so go and check them. akamai, gmclient and soldier front (if it is not a game) are the most suspicious ones among all.
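The checks the helpers describe above (list what launches at logon, find the file behind each Run entry, look at its digital signature, and watch for a startup command that carries a web address, as in the OP's case) can be done from an elevated PowerShell prompt. The script below is an added example, not code posted in this thread or part of Autoruns/HijackThis; it assumes a Windows host, that the Run keys live at their normal path `...\CurrentVersion\Run` (including the `Wow6432Node` view the OP quoted), and that the user reviews the report before deleting anything. It also prints a SHA-256 per executable, which is what you would look up on VirusTotal without uploading the file.

```powershell
# Added example (not from this thread): review autostart entries before touching the registry.
# Assumes Windows + elevated PowerShell (HKLM values are not readable otherwise).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandExecutable {
    # Turn a Run value's command line into the path of the program it launches.
    # Handles "quoted path" args, unquoted paths with spaces up to the first .exe,
    # and bare names such as cmd or rundll32 that are found via PATH.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    $first = ($expanded -split '\s+')[0]
    $found = Get-Command $first -ErrorAction SilentlyContinue
    if ($found -and $found.Source) { return $found.Source }
    return $first
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $psMeta) { continue }      # skip PowerShell's own metadata
        $cmdLine = [string]$prop.Value
        $exe     = Resolve-CommandExecutable $cmdLine
        $exists  = Test-Path -LiteralPath $exe -PathType Leaf
        $status  = 'FileMissing'; $signer = ''; $sha256 = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
        # Red flags drawn from the thread: a URL inside the startup command, an
        # executable that is unsigned or whose signature does not verify, or one
        # living under a user-writable location.
        $hasUrl  = $cmdLine -match '(?i)https?://|www\.'
        $oddPath = $exe -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'
        [pscustomobject]@{
            Key        = $key
            ValueName  = $prop.Name
            Command    = $cmdLine
            Executable = $exe
            Signature  = $status
            Signer     = $signer
            SHA256     = $sha256
            HasUrl     = $hasUrl
            Suspect    = ($hasUrl -or $oddPath -or ($status -ne 'Valid'))
        }
    }
}

# Scheduled tasks are another launcher worth a look: list any task action whose
# program or arguments embed a web address.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $line = "$($action.Execute) $($action.Arguments)"
        if ($line -match '(?i)https?://|www\.') {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Action = $line }
        }
    }
}

$report   | Sort-Object Suspect -Descending | Format-Table Suspect, ValueName, Signature, Executable, Command -AutoSize -Wrap
$taskHits | Format-Table -AutoSize -Wrap
```

Read the `Suspect` column as "look closer", not as a verdict: plenty of legitimate software is unsigned or runs from AppData, while the entry the OP described stands out because the command line itself contains a website. Once you have identified the one value responsible, removing just that value (`Remove-ItemProperty -Path $key -Name $valueName`) is the registry-side equivalent of unchecking it in msconfig or Autoruns; export the key first (`reg export`) so the change can be reversed.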
Answer #8
All of the above are checked.
Also, I’m trying to run regedit but it’s not reacting.
Answer #9
All of them are legit? Especially akamai? What is that process for?
Answer #10
All of them are legit? Especially akamai? What is that process for?
It’s for the online game I’m playing.
Answer #11
Can you upload its exe to VirusTotal and paste the report here? I also assume you have checked all plugins, extensions, addons and such for chrome; if not, you can check it with CCleaner.
If there is a cmd command, then it may fall under windows logon.
Run Autoruns as admin again, and check the Winlogon tab to see if anything is there for the 4 different users, which can be accessed through the Autoruns “User” toolbar at the top: 3 NT AUTHORITY\SYSTEM ones and 1 for your individual user. If you still can't find anything, we need additional help from someone else, cuz it is certain the answer lies in one of those screenshots. There are too many weird things about your system; even chrome's 10 instances of the same scheduled task is weird.
Answer #12
Akamai is safe. Kepard seems the most suspicious thing you have. You should check the browser. Maybe it’s an extension.
Answer #13
There is the backup. I also saw the Kepard thing, but since it does not exist anymore according to Autoruns, I skipped it.
Answer #14
Still not fixed?? Regedit is the same on all versions of Windows, unsure why you wouldn't be able to run it (it's located in c:/windows). Manually deleting the key should be your best option, just have to figure out why the editor isn't running. If not, try the HijackThis app I posted above. If that doesn't work, install AVG PC Tuneup (get it from here). In its options are startup programs, and it has slide bars to disable unwanted programs. You may be able to just disable it from that prog.. One of my suggestions is the way to go. Up to you now.
Answer #15
Hi OP, assuming you’re still having the same issue.
Please run HIJACKTHIS and post the log file.
You can also remove items you will find as false programs.