Strange startup program called "Program"

I have discovered a weird entry in my startup programs. A program with the name "Program" that has neither publisher nor can I open its location. See the following screenshot:


To me it seems to be some kind of "zombie" entry. When I right click on it the options "Open file location" and "Properties" are both grayed out. Nevertheless I was concerned a little bit that it could be some kind of malicious software, so I disabled the entry when it first occurred. Now, after some time, the entry occurred again and this time even twice (so now I have it 3 times in the startup list, one time disabled and two times enabled). This puzzles me a bit. I guess if I disable it again it will occur again once more.

Is there a way to find out where this startup entry is really located in the system (registry, startup folders...), permanently remove it, or even find out by which program it was created?

Best regards
Bastian Weber
Please download the free version of Malwarebytes.
Update it immediately.
Do a full system scan
Let us know the results at the end.

http://www.malwarebytes.org/products
Cat herder
Windows Insider MVP
MVP-Windows and Devices for IT
http://www.zigzag3143.com/

17 people were helped by this reply


In addition to running a scan as ZigZag recommended, you can investigate a little further by right-clicking the column headers in Task Manager. Right-click and choose "Command Line" for example, and you can see the full path that is being used to run that program:



Shawn "Cmdr" Keene | Microsoft MVP - Windows Insider | CmdrKeene.com | tweet me: @LtCmdrKeene
Microsoft MVPs are independent experts offering real-world answers. Learn more at mvp.microsoft.com.

247 people were helped by this reply


In addition to running a scan as ZigZag recommended, you can investigate a little further by right-clicking the column headers in Task Manager. Right-click and choose "Command Line" for example, and you can see the full path that is being used to run that program:




Oh, of course. I wonder why I didn't get the idea that there are more columns that can be displayed.


After investigating the commands it seems to be quite harmless. One of the programs apparently is Realtek HD-Audio, the other two belonged to another program that I recently installed but uninstalled again.

So why is the name "Program" shown? Well, there is a mistake in the file paths, which is a quotation mark that doesn't belong there. One example:

"C:\Program" Files\Realtek\Audio\HDA\RAVCpl64.exe -s

As you can see, the quotation mark after Program is not supposed to be there. It causes the path to end there, so that "Program" is being interpreted as the file name. Why this error occurred for multiple entries independently and whether it is caused by a problem of my system or it is due to an error in the programs that created them I cannot explain. I will see if in the future more such erroneous entries occur.


Nevertheless I'm going to do the malware scan. It won't hurt. Theoretically it could also be malicious software trying to disguise itself as harmless and broadly used programs.

70 people were helped by this reply



OK, same issue here with a different program (GROOVE.exe).  How do you edit the command line to correct the issue?

13 people were helped by this reply


Please download the free version of Malwarebytes.
Update it immediately.
Do a full system scan
Let us know the results at the end.

http://www.malwarebytes.org/products

This would be an incorrect course of action.

Clearly you're advertising, not diagnosing. Shawn 'Cmdr' Keene [MVP], thank you for your solution. I thought it'd be a removed app (redundant file info usually indicates this). At least now I'm sure of it.

16 people were helped by this reply


If a quotation mark is missing then Windows did so as to make the address redundant since the file isn't contained in that address anymore (file has probably been deleted or moved) but the reg entries still exist.

7 people were helped by this reply


Delete the appropriate registration entry (find the file name by the "command line" column description in the Startup tab, then execute a find command with this file name in regedit.exe, then delete all strings matching this entry).

9 people were helped by this reply


Please download the free version of Malwarebytes.
Update it immediately.
Do a full system scan
Let us know the results at the end.

http://www.malwarebytes.org/products

LOL, 'cause on my PC it is Malwarebytes that is the rogue program in startup named "PROGRAM". It must be from some sort of error or file without attributes.

One thing I've noticed is this:

"C:\PROGRAM" FILES/MALWAREBYTES/ANTI-MALWARE\mbamtray.exe

The end quote is out of order. It is EXACTLY like I typed it above, but on every other entry it is after the .exe, except this one.

I have no idea how to change that; maybe someone does.

5 people were helped by this reply


You can check the column "Type" in the task manager. It tells you whether the startup entry originates from the registry or from an autostart folder. If it's in the registry, open up regedit and check the different locations where autostart options can be defined. One of them would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\. There are several other ones, just google. Then navigate there, find the problematic entry, and correct it.

As an alternative, you could just disable the entry.

49 people were helped by this reply
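
A read-only check for the misquoting described in this thread, as an added example that is not from any of the posters: it parses each Run-key command line and flags entries where the closing quote cuts the executable path short. The function name `Test-StartupQuoting` and its heuristic are assumptions; the HKCU and WOW6432Node keys are standard Run locations not named in the thread, and startup folders are not covered.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
function Test-StartupQuoting {
    param([string]$CommandLine)
    # Quoted form: the executable is whatever sits between the first pair of quotes.
    $quoted = $CommandLine -match '^\s*"([^"]*)"(.*)$'
    if ($quoted) { $target = $Matches[1]; $rest = $Matches[2] }
    else { $target, $rest = $CommandLine.Trim() -split '\s+', 2 }
    # Heuristic (assumption): the quoted target has no file extension and the
    # text after the closing quote continues like a path ("Files\Realtek\...").
    $noExtension  = $target -notmatch '\.[^\\/.]+$'
    $pathFollows  = $rest -match '^\s+[^\s"\\/]+[\\/]'
    [pscustomobject]@{
        Target       = $target
        # True here would mean a file really exists at the truncated path.
        TargetExists = [bool]($target -and
            (Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue))
        Misquoted    = [bool]($quoted -and $noExtension -and $pathFollows)
    }
}

# The two command lines quoted in the thread, plus one correct form for contrast.
$samples = @(
    '"C:\Program" Files\Realtek\Audio\HDA\RAVCpl64.exe -s',
    '"C:\PROGRAM" FILES/MALWAREBYTES/ANTI-MALWARE\mbamtray.exe',
    '"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s'
)
$samples | ForEach-Object { Test-StartupQuoting $_ } | Format-Table -AutoSize

# The same check over the live Run keys (per-machine, 32-bit view, per-user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        $r = Test-StartupQuoting $cmd
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $cmd
            Target = $r.Target; TargetExists = $r.TargetExists; Misquoted = $r.Misquoted
        }
    }
}
```

Entries reported with `Misquoted = True` are the ones Task Manager lists as "Program"; the `Key` and `Name` columns say where to correct or delete the value in regedit.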


 
 

Question Info


Last updated September 24, 2020 Views 60,954 Applies to: