AdwC doesn't remove probable IObit registry entry


JoelS

I went through troubleshooting with MalwareBytes Customer Service. They referred me to the forum.

 

0.  The system is regularly scanned, protected by Kaspersky, MBytes, and MBytes Exploit blocker, and the only PUP that I recall having been detected is Viewpoint.

1.  AdwCleaner detects registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}. On cleaning using AdwCleaner, the registry key is present after restart. Bleepingcomputer forum suggests this is an IObit entry. IObit and the IObit Cleaner have not been present on the system for a long time. 

2.  MBytes scans and detects nothing. Kaspersky also.
 
3. ZHPDiag detects Superfluous.CloudfrontNet, PUP.Optional.Company, PUP.Optional.MetaStream, PUP.Optional.Generic, and .Superfluous.Orphan. I can't find any evidence these are in any way malicious.  
 
4.  Kaspersky Forum reviewed logs and found nothing. Malwarebytes Customer Service suggested scans with MalwareBytes Rootkit, MBAM, and Bitdefender. These were all negative.  
 
Adwclean log showing recalcitrant key is attached.  
 
It seems to me either Adw isn't removing the registry key on cleaning, or some covert program is adding it back.
 
Any thoughts?  
 
 

Adware report-11-12-16.txt


  • Staff

Hello,

I'll need more details:


Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.

Best regards,


  • Staff

Hello,

 

Thanks! We'll clean the remaining BHO from IOBit:

Download fixlist.txt file and save it to the Desktop (right-click on the link -> save as, with the name "fixlist.txt")

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Best regards,


Thanks, Jerome.  FRST64 ran, restarted, and fixlog is attached.  However, AdwCleaner is picking up the same key in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{10921475-03CE-4E04-90CE-E2E7EF20C814}, with subentries under iexplore for count, flags, time, and type. 

 

Searching the registry manually shows two additional instances of the key.  HKEY_CLASSES_ROOT\UninstallExplorer64.ExplorerBtn\Clsid and  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UninstallExplorer64.ExplorerBtn\Clsid.

 

For some reason, the search does not show the key detected by AdwCleaner.  

 

I'll try cleaning using AdwCleaner, but don't expect it to remove the key it found.  

 

 

Fixlog.txt


Ok, now this is truly strange. Running Adwcleaner comes up clean. But!  A manual search for the key in question comes up with the following:

 

HKEY_CLASSES_ROOT\UninstallExplorer64.ExplorerBtn\Clsid

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UninstallExplorer64.ExplorerBtn\Clsid

HKEY_USERS\S-1-5-21-3321917765-4288778147-1431918074-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit

The first two we saw before. The other two appear to be new.  

!!
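A read-only way to check the locations named in this thread for one CLSID, as an added PowerShell example that is not part of the original posts or of any tool mentioned in them. The function name `Get-ClsidFootprint` and its output fields are illustrative; the GUID and key paths are the ones quoted above.

```powershell
# Added example: read-only lookup, nothing is modified or deleted.
function Get-ClsidFootprint {
    param([Parameter(Mandatory)][string]$Clsid)

    # 1. Per-user Ext\Stats entry, the key AdwCleaner reported in the thread.
    $stats = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$Clsid"
    if (Test-Path -LiteralPath $stats) {
        $subs = Get-ChildItem -LiteralPath $stats | ForEach-Object {
            '{0}: {1}' -f $_.PSChildName, ($_.GetValueNames() -join ', ') }
        [pscustomobject]@{ Kind = 'Ext\Stats'; Path = $stats; Detail = $subs -join '; ' }
    }

    # 2. COM registration: does the CLSID still point at a DLL that exists on disk?
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
                      'HKCU:\Software\Classes\CLSID') {
        $srv = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $srv) {
            $dll   = (Get-Item -LiteralPath $srv).GetValue('')
            $state = if ($dll -and (Test-Path -LiteralPath $dll)) { 'file present' } else { 'file missing' }
            [pscustomobject]@{ Kind = 'InprocServer32'; Path = $srv; Detail = "$dll ($state)" }
        }
    }

    # 3. ProgIDs whose Clsid subkey names this GUID (the manual search in the
    #    thread found UninstallExplorer64.ExplorerBtn this way).
    Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $k = try { $_.OpenSubKey('Clsid') } catch { $null }
            if ($k -and $k.GetValue('') -eq $Clsid) {
                [pscustomobject]@{ Kind = 'ProgID'; Path = "$($_.Name)\Clsid"; Detail = $k.GetValue('') }
            }
            if ($k) { $k.Close() }
        }

    # 4. regedit stores the last key it displayed in the LastKey value, so a
    #    regedit search made after viewing the key also hits Applets\Regedit.
    #    HKEY_USERS\<SID> is the same hive as HKCU, so that hit appears twice.
    $applet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit'
    $last   = (Get-ItemProperty -LiteralPath $applet -ErrorAction SilentlyContinue).LastKey
    if ($last -like "*$Clsid*") {
        [pscustomobject]@{ Kind = 'Regedit LastKey'; Path = $applet; Detail = $last }
    }
}

Get-ClsidFootprint -Clsid '{10921475-03CE-4E04-90CE-E2E7EF20C814}' | Format-List
```

Each returned object gives the kind of reference, the registry path, and a detail string, so a leftover registration with a missing DLL can be told apart from a search artifact.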

 

 


  • Staff

Nice, thanks.

Please remove AdwCleaner with File > Uninstall.

Then, remove FRST:

  • Download DelFix to your desktop;
  • Launch it with administrator rights;
  • Select all the options except the one proposing to save the registry;
  • Then click on the "Execute" button;
  • When everything is finished, the software will close itself;
  • Then a report appears in Notepad; please copy and paste its content in your answer.

Best regards,


Thanks, Jerome.  Completed as per your instructions.  Here's the log. For privacy, I have replaced the actual computer name with "User's Computer."  Again, thanks.   

# Username : User'sComputer 8.1 - User'sComputer

# Operating System : Windows 10 Pro  (64 bits)

 

~ Activating UAC ... OK

 

~ Removing disinfection tools ...

 

Deleted : C:\FRST

Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST-OlderVersion

Deleted : C:\Users\User'sComputer 8.1\Desktop\GetSystemInfo5.0.exe

Deleted : C:\Users\User'sComputer 8.1\Desktop\GetSystemInfo_User'sComputer_User'sComputer 8.1_2015_02_11_14_28_02.zip

Deleted : C:\Users\User'sComputer 8.1\Desktop\JRT.txt

Deleted : C:\Users\User'sComputer 8.1\Desktop\ZHPDiag.lnk

Deleted : C:\Users\User'sComputer 8.1\Downloads\Addition.txt

Deleted : C:\Users\User'sComputer 8.1\Downloads\avz4.zip

Deleted : C:\Users\User'sComputer 8.1\Downloads\Fixlog.txt

Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST.txt

Deleted : C:\Users\User'sComputer 8.1\Downloads\FRST64.exe

Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0 (1).zip

Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0 (2).zip

Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0.exe

Deleted : C:\Users\User'sComputer 8.1\Downloads\GetSystemInfo5.0.zip

Deleted : C:\Users\User'sComputer 8.1\Downloads\JRT (1).exe

Deleted : C:\Users\User'sComputer 8.1\Downloads\JRT.exe

Deleted : C:\Users\User'sComputer 8.1\Downloads\rkill.exe

Deleted : C:\Users\User'sComputer 8.1\Downloads\ZHPDiag3.exe

Deleted : HKLM\SOFTWARE\AdwCleaner

 

~ Cleaning system restore ...

 

Deleted : RP #9 [Scheduled Checkpoint | 11/07/2016 01:30:32]

Deleted : RP #10 [Installed WinZip 21.0 | 11/12/2016 21:08:25]

Deleted : RP #11 [JRT Pre-Junkware Removal | 11/13/2016 18:13:46]

Deleted : RP #14 [Scheduled Checkpoint | 11/21/2016 22:17:56]

 

New restore point created !

 

~ Resetting system settings ... OK

 

########## - EOF - ##########

I have replaced the actual name of my computer with "User's computer"
