JoelS Posted November 18, 2016 ID:1073076
I went through troubleshooting with MalwareBytes Customer Service. They referred me to the forum.
0. The system is regularly scanned, protected by Kaspersky, MBytes, and MBytes Exploit blocker, and the only PUP that I recall having been detected is Viewpoint.
1. AdwCleaner detects registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}. On cleaning using AdwCleaner, the registry key is present after restart. Bleepingcomputer forum suggests this is an IObit entry. IObit and the IObit Cleaner have not been present on the system for a long time.
2. MBytes scans and detects nothing. Kaspersky also.
3. ZHPDiag detects Superfluous.CloudfrontNet, PUP.Optional.Company, PUP.Optional.MetaStream, PUP.Optional.Generic, and .Superfluous.Orphan. I can't find any evidence these are in any way malicious.
4. Kaspersky Forum reviewed logs and found nothing. Malwarebytes Customer Service suggested scans with MalwareBytes Rootkit, MBAM, and Bitdefender. These were all negative.
Adwclean log showing recalcitrant key is attached. It seems to me either Adw isn't removing the registry key on cleaning, or some covert program is adding it back. Any thoughts?
Adware report-11-12-16.txt
Staff jboursier Posted November 18, 2016 ID:1073082
Hello,
I'll need more details:
Download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press Scan button to run the tool. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach those logs to your reply.
Best regards,
JoelS Posted November 18, 2016 Author ID:1073123
OK...here you are.
Addition.txt
FRST.txt
Staff jboursier Posted November 19, 2016 ID:1073320
Hello,
Thanks! We'll clean the remaining BHO from IOBit:
Download fixlist.txt file and save it to the Desktop (right-click on the link -> save as, with the name "fixlist.txt").
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Best regards,
JoelS Posted November 19, 2016 Author ID:1073373
Thanks, Jerome. FRST64 ran, restarted, and fixlog is attached. However, AdwCleaner is picking up the same key in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{10921475-03CE-4E04-90CE-E2E7EF20C814}, with subentries under iexplore for count, flags, time, and type.
Searching the registry manually shows two additional instances of the key:
HKEY_CLASSES_ROOT\UninstallExplorer64.ExplorerBtn\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UninstallExplorer64.ExplorerBtn\Clsid
For some reason, the search does not show the key detected by AdwCleaner. I'll try cleaning using AdwCleaner, but don't expect it to remove the key it found.
Fixlog.txt
JoelS Posted November 19, 2016 Author ID:1073379
Ok, now this is truly strange. Running Adwcleaner comes up clean. But! A manual search for the key in question comes up with the following:
HKEY_CLASSES_ROOT\UninstallExplorer64.ExplorerBtn\Clsid
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UninstallExplorer64.ExplorerBtn\Clsid
HKEY_USERS\S-1-5-21-3321917765-4288778147-1431918074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit
The first two we saw before. The other two appear to be new. !!
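The manual regedit search above turns up the same CLSID in several places, and two of those places are not what they look like: HKCR is only a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, HKU\<SID> is the same hive as HKCU for the logged-on user, and the Applets\Regedit key is where regedit itself records the last key you opened (LastKey), so a hit there is left behind by the search, not by the add-on. The script below is an added example, not code from this thread, from AdwCleaner or from FRST. It walks the two roots that actually hold distinct data, reports every key name, value name and value data containing the CLSID from this thread, and annotates the common locations so a live registration can be told apart from noise. It assumes Windows PowerShell 5.1 or later and an elevated prompt so HKLM and all loaded user hives are readable; the annotation patterns are ordinary IE/COM registry locations, not anything specific to this machine.

```powershell
# Added example (not from the thread, AdwCleaner or FRST): locate every registry
# key name, value name or value data that contains a given CLSID, across the hives
# that hold distinct data, and label the usual hit locations.
# Assumes Windows PowerShell 5.1+, run elevated so HKLM and all of HKU are readable.

$Clsid   = '10921475-03CE-4E04-90CE-E2E7EF20C814'   # the CLSID discussed in this thread
$pattern = [regex]::Escape($Clsid)                  # -match is case-insensitive, which GUIDs need

# HKCR is a merged view of HKLM\SOFTWARE\Classes + HKCU\SOFTWARE\Classes, and HKCU is
# HKU\<your SID>, so these two roots cover everything regedit shows, minus the duplicates.
$roots = @('HKLM:\SOFTWARE', 'Registry::HKEY_USERS')

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.Name -match $pattern) {
            [pscustomobject]@{ Kind = 'KeyName'; Path = $key.Name; Detail = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            $data  = [string]$key.GetValue($name)   # multi-string / binary data is flattened to text
            $label = if ($name -eq '') { '(Default)' } else { $name }
            if ($name -match $pattern -or $data -match $pattern) {
                [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Detail = "$label = $data" }
            }
        }
    }
}

# Explain the hit locations that come up in this kind of investigation.
function Get-HitNote([string]$path) {
    switch -Wildcard ($path) {
        '*\Applets\Regedit*'         { return 'regedit LastKey history: left by your own manual search, not by the add-on' }
        '*\Browser Helper Objects\*' { return 'BHO registration: this is what makes IE load the add-on' }
        '*\Ext\Stats\*'              { return 'IE add-on usage statistics: IE rewrites this while the add-on is still registered' }
        '*\Classes\*'                { return 'COM class registration (the same entry is visible through HKCR)' }
        default                      { return '' }
    }
}

$hits |
    Select-Object Kind, Path, Detail, @{ Name = 'Note'; Expression = { Get-HitNote $_.Path } } |
    Sort-Object Path, Detail -Unique |
    Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it from an elevated PowerShell; a full walk of HKU on a machine with many profiles takes a minute or two. The useful reading is the combination: an Ext\Stats entry without any matching Classes or Browser Helper Objects entry means IE is only keeping statistics for an add-on that no longer exists, while a surviving Classes or BHO entry is the part a cleanup fix actually has to remove.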
Staff jboursier Posted November 20, 2016 ID:1073534
Hello,
Which key are you searching for?
Thanks,
JoelS Posted November 20, 2016 Author ID:1073564
I just searched the registry for the following key, Jerome:
On 11/18/2016 at 9:23 AM, JoelS said: 10921475-03CE-4E04-90CE-E2E7EF20C814
That is what is referred to in the two posts above.
Staff jboursier Posted November 21, 2016 ID:1073780 (edited)
Hello,
Can you relaunch AdwCleaner, do a scan, and share me the generated logfile? I've published an update which should help.
Thanks,
Edited November 21, 2016 by fr33tux: typo
JoelS Posted November 21, 2016 Author ID:1073803
Looks good, Jerome. I searched the registry and the IObit key is gone. AdwC log attached. Thanks!
AdwCleaner[S16].txt
Staff jboursier Posted November 21, 2016 ID:1073804
Nice, thanks. Please remove AdwCleaner with File > Uninstall. Then, remove FRST:
Download DelFix on your desktop;
Launch it with administrator rights;
Select all the options except the one proposing to save the registry;
Then click on the "Execute" button;
When everything is finished, the software will close itself;
Then a report appears in Notepad; please copy and paste its content in your answer.
Best regards,
JoelS Posted November 22, 2016 Author ID:1073987
Thanks, Jerome. Completed as per your instructions. Here's the log. For privacy, I have replaced the actual computer name with "User's Computer." Again, thanks.

# Username : User'sComputer 8.1 - User'sComputer
# Operating System : Windows 10 Pro (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST-OlderVersion
Deleted : C:\Users\User'sComputer 8.1\Desktop\GetSystemInfo5.0.exe
Deleted : C:\Users\User'sComputer 8.1\Desktop\GetSystemInfo_User'sComputer_User'sComputer 8.1_2015_02_11_14_28_02.zip
Deleted : C:\Users\User'sComputer 8.1\Desktop\JRT.txt
Deleted : C:\Users\User'sComputer 8.1\Desktop\ZHPDiag.lnk
Deleted : C:\Users\User'sComputer 8.1\Downloads\Addition.txt
Deleted : C:\Users\User'sComputer 8.1\Downloads\avz4.zip
Deleted : C:\Users\User'sComputer 8.1\Downloads\Fixlog.txt
Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST.txt
Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST64.exe
Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0 (1).zip
Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0 (2).zip
Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0.exe
Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0.zip
Deleted : C:\Users\User'sComputer 8.1\Downloads\JRT (1).exe
Deleted : C:\Users\User'sComputer 8.1\Downloads\JRT.exe
Deleted : C:\Users\User'sComputer 8.1\Downloads\rkill.exe
Deleted : C:\Users\User'sComputer 8.1\Downloads\ZHPDiag3.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #9 [Scheduled Checkpoint | 11/07/2016 01:30:32]
Deleted : RP #10 [Installed WinZip 21.0 | 11/12/2016 21:08:25]
Deleted : RP #11 [JRT Pre-Junkware Removal | 11/13/2016 18:13:46]
Deleted : RP #14 [Scheduled Checkpoint | 11/21/2016 22:17:56]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

I have replaced the actual name of my computer with "User's computer".
Staff jboursier Posted November 23, 2016 ID:1074100
Thanks for the feedback and for your patience! Do not hesitate to come back if needed.
Best regards,