Registry Key Adware Keeps Coming Back

[AdvancedSetup]

Please get me a new set of logs from FRST

 

[whatwhat]

Addition.txt FRST.txt

[AdvancedSetup]

Create an Autoruns Log:

• Please download Sysinternals Autoruns from here.
• Save Autoruns.exe to your desktop and double-click it to run it.
• Once it starts, please press the Esc key on your keyboard.
• Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
• Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
• When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
• Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
• Attach the Autoruns.zip folder you just created to your next reply

 

 

Thanks

 

[whatwhat]

When I click the first "here" link in your message above a new tab opens for a split second then closes and nothing happens and nothing is downloaded.

[AdvancedSetup]

More than likely as you probably have Chrome set to auto download. It probably already saved the file in your downloads folder.

Look there, or go here to download

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

 

[AdvancedSetup]

Windows Defender believes this to be a Bitcoin Minder threat. You should consider deleting it. If you've installed it I'd recommend you uninstall it.

C:\Users\Zach\Downloads\litecoin-0.14.2-win64-setup.exe

 

[AdvancedSetup]

Please review the following and perform a clean up of Google Chrome settings

Once that is done we'll run one more extensive clean up script. This has to be from an extension or setting in Google Chrome that is allowing it to come back I'm reasonably sure.

 

 

[AdvancedSetup]

I'd still like you to run the ESET antivirus scan as well to ensure it too finds nothing.

I'll repost the information below.

 

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

• It will start a download of "esetonlinescanner.exe"
• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started. 
• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes 
• When prompted for scan type, Click on Full scan 
• Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
• Have patience.  The entire process may take an hour or more. There is an initial update download.
• There is a progress window display.
• You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
• When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.
• If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
• Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

 

[whatwhat]

For autoruns the options tab is faded out and does not let me click on it.

[whatwhat]

23 minutes ago, whatwhat said:

For autoruns the options tab is faded out and does not let me click on it.

Nevermind I figured it out

[AdvancedSetup]

I'll check back on you again sometime tomorrow

Thanks

 

[whatwhat]

I had to turn off my computer between the malwarebytes and ESET scan. I don't know if that is important or not but I figured it wouldn't hurt to mention it.

Autoruns log.zip malwarebyte1 log.txt ESET scan log.txt

[AdvancedSetup]

Please go ahead and uninstall all versions and plugins for Adobe Flash Player. That has been discontinued

As expected the ESET log did not find anything either. This would appear to almost have to be caused from some type of object in your Chrome Browser.

Please follow these directions and clean up Google Chrome.

Let me know how that goes please.

Also, you can manually delete that Registry key

 

 

[whatwhat]

Ok so I have never had sync enabled on my pc so it did not give me the option to reset sync since sync had no data stored. Also, I went ahead and reset chrome to its default settings. I will let you know if that fixed the problem.

[AdvancedSetup]

Okay, thanks. Make sure that key in the Registry is gone, in case it does come back again

 

[whatwhat]

It came back before I deleted the key in the registry. Since I do not have google sync on can I just delete the registry key and it should be gone, or do I need to do a malwarebytes scan, delete the registry key, and then reset chrome?

[AdvancedSetup]

Delete the key.

Then restart the computer and check and see if it comes back on it's own or not.

 

[whatwhat]

I deleted the registry key but the adware still came back.

[AdvancedSetup]

Okay. Delete the key again. But do not run Google Chrome at all.

Temporarily set another browser to be the default.

Then delete the key, reboot the computer again and see if it comes back

 

[whatwhat]

I set microsoft edge to my default browser, uninstalled the registry key, and restarted my computer. After the restart I checked the registry and the key was not there. I only used microsoft edge, but eventually the adware opened internet explorer and displayed ads. I then checked the registry and sure enough the key was there again.

[AdvancedSetup]

Okay, do some more testing.

Delete the registry key. Restart the computer.

Then do not run any browser or other app. Start Regedit and see if the key is back on it's own after a reboot.

Assuming it's not back. See if you can use the computer for a couple hours WITHOUT opening any browser. Keep Regedit open and press the F5 key to refresh it and see if that key comes back or not.

If it does not come back, then launch your browser and keep watching the Registry to see if it comes back.

We can run some other programs to try and track it down but it's gets a bit more complex so let's see if we can catch it this way.

Let me know

 

[whatwhat]

Ok thank you. I will have to try it tomorrow, but I really appreciate your help so far.

[AdvancedSetup]

You're quite welcome.

Check back with you tomorrow then.

Goodnight

 

[whatwhat]

I deleted the reg key and restarted the computer. On the restart the key was not there, so I used only application programs and now browsers for 2 hours. The key did not reappear during the 2 hours. I then briefly opened microsoft edge to check if the key would appear as soon as edge is opened, but it did not appear. After that, I opened chrome to see if they key would immediately appear after opening chrome, and it did not. I then left chrome open and about 5-7 minutes after chrome was open, the adware opened internet explore and displayed ads. Sure enough, the key was back in the registry after I checked it.

 

From what I can gather it is definitely correlated to browsers being opened. Also, the moment the key reappears it displays ads. The adware does not remain dormant, it immediately executes what it is supposed to do if the key and deleted and then reappears. 

 

We know chrome likely causes the key to reappear and I'm fairly certain edge does as well, but I can run another test to verify this if you think it is needed.

[AdvancedSetup]

Well at this point I'd like to try and do a full uninstall and forced removal of Google Chrome.

Please save all bookmarks or other items needed and I'll give you a script to force a removal of Google Chrome.

For the moment please download Firefox and use that as your default browser before we remove Chrome.