
Malware - unable to remove


7 replies to this topic

#1 TonyG1959 (Members, 7 posts)

Posted 03 November 2016 - 04:01 PM

I have a PC with the Windows 8.1 operating system. I have malware that I am unable to remove.

Background: The PC is used by my 10-year-old son for Minecraft. I suspect he sought out a mod to download and clicked where he should not have, despite all the warnings about downloading without dad being around.

Symptoms: Unwanted ads pop up at the lower right corner of the screen. They can be closed by clicking the X with no issue. They will reappear randomly every 10 minutes or so. I will receive pop-up notifications courtesy of Malwarebytes Anti-Malware in the same area that provide me with the following warning:

KDV.decipheringwarns.com
38.134.106.126
Port 51456
Outbound

or

adnetworkperformance.com
130.211.186.109
Port 51763
Outbound

Steps taken:

Ran Malwarebytes program with updated database. Removed over 370 items. Issue remained, but not as extensive. I have some logs generated that may be helpful - see below.

Reviewed previous assistance from LoPhat at Gladiator a couple of years ago, when he helped me remove Shopping Assistant, and ran the following, thinking that those programs may help:

Ran AdwCleaner - see log posted below

Ran Junk Removal Tool - see log posted below

The pop-ups and notifications still persist.

Any help to remove the remaining pieces would be greatly appreciated.

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Scheduler, IP Database, 2016.10.31.1, 2016.11.2.1, 
Update, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Scheduler, Domain Database, 2016.11.1.6, 2016.11.2.8, 
Update, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Scheduler, Malware Database, 2016.11.2.2, 2016.11.2.9, 
Protection, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Protection, Refresh, Starting, 
Protection, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-11-02 3:48 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-11-02 3:49 PM, SYSTEM, GAMING-PC, Protection, Refresh, Success, 
Protection, 2016-11-02 3:49 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Starting, 
Protection, 2016-11-02 3:49 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Started, 
Update, 2016-11-02 5:07 PM, SYSTEM, GAMING-PC, Scheduler, Domain Database, 2016.11.2.8, 2016.11.2.9, 
Update, 2016-11-02 5:07 PM, SYSTEM, GAMING-PC, Scheduler, Malware Database, 2016.11.2.9, 2016.11.2.11, 
Protection, 2016-11-02 5:07 PM, SYSTEM, GAMING-PC, Protection, Refresh, Starting, 
Protection, 2016-11-02 5:07 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-11-02 5:08 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-11-02 5:08 PM, SYSTEM, GAMING-PC, Protection, Refresh, Success, 
Protection, 2016-11-02 5:08 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Starting, 
Protection, 2016-11-02 5:09 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Started, 
Detection, 2016-11-02 5:55 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 205.185.208.26, istatic.eshopcomp.com, 53603, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 5:55 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 205.185.208.26, istatic.eshopcomp.com, 53603, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 5:55 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 205.185.208.26, istatic.eshopcomp.com, 53656, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 5:55 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 205.185.208.26, istatic.eshopcomp.com, 53658, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 5:55 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 205.185.208.26, istatic.eshopcomp.com, 53659, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:00 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 74.120.16.187, trcklion.com, 55086, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:00 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 74.120.16.187, trcklion.com, 55087, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:00 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 74.120.16.187, trcklion.com, 55086, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:00 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 74.120.16.187, trcklion.com, 55088, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Update, 2016-11-02 6:07 PM, SYSTEM, GAMING-PC, Scheduler, Malware Database, 2016.11.2.11, 2016.11.2.13, 
Protection, 2016-11-02 6:07 PM, SYSTEM, GAMING-PC, Protection, Refresh, Starting, 
Protection, 2016-11-02 6:07 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-11-02 6:07 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-11-02 6:08 PM, SYSTEM, GAMING-PC, Protection, Refresh, Success, 
Protection, 2016-11-02 6:08 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Starting, 
Protection, 2016-11-02 6:08 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Started, 
Detection, 2016-11-02 6:13 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, IP, 45.33.74.96, 58wg.2687837.com, 55571, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:13 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, IP, 45.33.74.96, 58wg.2687837.com, 55571, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:13 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, IP, 45.33.74.96, 58wg.2687837.com, 55572, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62478, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62478, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62479, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62480, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62481, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62482, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62483, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62491, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62492, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62493, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62494, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62495, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62496, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62497, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62498, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62499, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62500, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62501, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62502, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62503, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62504, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62505, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62506, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62507, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Detection, 2016-11-02 6:46 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Domain, 104.31.64.123, steam-wallet.co, 62508, Outbound, C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe, 
Update, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Scheduler, Domain Database, 2016.11.2.9, 2016.11.2.10, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Refresh, Starting, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Refresh, Success, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Starting, 
Protection, 2016-11-02 6:51 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Started, 
Update, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Scheduler, Domain Database, 2016.11.2.10, 2016.11.2.11, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Refresh, Starting, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Refresh, Success, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Starting, 
Protection, 2016-11-02 7:02 PM, SYSTEM, GAMING-PC, Protection, Malicious Website Protection, Started, 
(end)

----------------------------------------------------------------------------------------------------------------------------

# AdwCleaner v6.030 - Logfile created 31/10/2016 at 12:52:58
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-10-30.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Basement-PC - GAMING-PC
# Running from : \\WDMYCLOUD\Tony\utilities\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[-] Key deleted: HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[-] Key deleted: HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
[-] Key deleted: HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4BC8AD89-AC5F-4DBD-A38F-C355C7DD33D7}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKU\.DEFAULT\Software\ByteFence
[-] Key deleted: HKU\.DEFAULT\Software\INSTALLPATH\STATUS
[-] Key deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\DownloadAdmin
[-] Key deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Reimage
[-] Key deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\System Monitor
[#] Key deleted on reboot: HKU\S-1-5-18\Software\ByteFence
[#] Key deleted on reboot: HKU\S-1-5-18\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: HKCU\Software\DownloadAdmin
[#] Key deleted on reboot: HKCU\Software\Reimage
[#] Key deleted on reboot: HKCU\Software\System Monitor
[-] Key deleted: HKLM\SOFTWARE\AVG Tuneup
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[#] Key deleted on reboot: [x64] HKCU\Software\DownloadAdmin
[#] Key deleted on reboot: [x64] HKCU\Software\Reimage
[#] Key deleted on reboot: [x64] HKCU\Software\System Monitor
[-] Key deleted: [x64] HKLM\SOFTWARE\AVG Secure Search
[-] Key deleted: [x64] HKLM\SOFTWARE\PCValidator
[-] Key deleted: [x64] HKLM\SOFTWARE\Reimage
[-] Data restored: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Microsoft\Internet Explorer\Main [Start Page] 
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] 
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] 
[-] Key deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Data restored: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\land.pckeeper.software
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pckeeper.software
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\bestpriceninja.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\coupontime.co
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\gamingwonderland.dl.tb.ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\izito.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pcpurifier.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\piroga.space
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pstatic.bestpriceninja.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reimageplus.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.coupontime00.coupontime.co
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\unturned.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\webcrawler.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.izito.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.pcpurifier.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.reimageplus.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.webcrawler.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\bestpriceninja.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\coupontime.co
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\gamingwonderland.dl.tb.ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\izito.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pcpurifier.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\piroga.space
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pstatic.bestpriceninja.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\reimageplus.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.coupontime00.coupontime.co
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\unturned.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\webcrawler.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.izito.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.pcpurifier.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.reimageplus.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.webcrawler.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\land.pckeeper.software
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pckeeper.software
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\bestpriceninja.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\coupontime.co
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\gamingwonderland.dl.tb.ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\izito.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pcpurifier.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\piroga.space
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pstatic.bestpriceninja.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reimageplus.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.coupontime00.coupontime.co
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\unturned.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\webcrawler.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.izito.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.pcpurifier.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.reimageplus.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.webcrawler.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\bestpriceninja.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\coupontime.co
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\gamingwonderland.dl.tb.ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\izito.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pcpurifier.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\piroga.space
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pstatic.bestpriceninja.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\reimageplus.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.coupontime00.coupontime.co
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\unturned.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\webcrawler.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.izito.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.pcpurifier.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.reimageplus.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.webcrawler.com
[-] Value deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Gameo]
[-] Value deleted: HKU\S-1-5-21-41992882-2880907957-1080140454-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [UpdateAdmin]
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
[-] Key deleted: HKLM\SOFTWARE\Classes\s
[-] Key deleted: HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
[#] Key deleted on reboot: [x64] HKCU\Software\Google\Chrome\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Basement-PC\AppData\Local\Chromium\User Data\Default\Web data] [Search Provider] Deleted: search provided by yahoo
[-] [C:\Users\Basement-PC\AppData\Local\Chromium\User Data\Default] [extension] Deleted: chfdnecihphmhljaaejmgoiahnihplgn
[-] [C:\Users\Basement-PC\AppData\Local\Chromium\User Data\Default] [extension] Deleted: mallpejgeafdahhflmliiahjdpgbegpk
[-] [C:\Users\Basement-PC\AppData\Local\Chromium\User Data\Default] [homepage] Deleted: hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_15_50&param1=1&param2=f%3D1%26b%3Dchmm%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Ezz0D0EtByBtCtAtCtByDyCyC0D0ByBtN0D0Tzu0StCyEyEtDtN1L2XzutAtFtCtBtFyBtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyC0E0DzytCzytDtAtGyEzzyD0BtG0AyCzy0FtGtAtAyB0DtGtCzz0A0DtAyBzy0BtAtAyCyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0D0AtC0CyDyCtCtG0DyByD0FtGyE0EyDtDtG0B0C0AzztGtCtByB0AtBtAyEtCtCtCzyyB2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDzzzy%26cr%3D433137008%26a%3Dwbf_ir_15_50%26os%3DWindows%2B8.1&uref=chmm
[-] [C:\Users\Basement-PC\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Basement-PC\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search provided by yahoo.com
[-] [C:\Users\Basement-PC\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: chfdnecihphmhljaaejmgoiahnihplgn
[-] [C:\Users\Basement-PC\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: mkndcbhcgphcfkkddanakjiepeknbgle
[-] [C:\Users\Basement-PC\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://ca.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_15_50&param1=1&param2=f%3D1%26b%3DChrome%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Ezz0D0EtByBtCtAtCtByDyCyC0D0ByBtN0D0Tzu0StCyEyEtDtN1L2XzutAtFtCtBtFyBtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyC0E0DzytCzytDtAtGyEzzyD0BtG0AyCzy0FtGtAtAyB0DtGtCzz0A0DtAyBzy0BtAtAyCyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0D0AtC0CyDyCtCtG0DyByD0FtGyE0EyDtDtG0B0C0AzztGtCtByB0AtBtAyEtCtCtCzyyB2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDzzzy%26cr%3D433137008%26a%3Dwbf_ir_15_50%26os%3DWindows%2B8.1
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [27504 Bytes] - [31/10/2016 12:52:58]
C:\AdwCleaner\AdwCleaner[R0].txt - [842 Bytes] - [07/09/2015 14:13:32]
C:\AdwCleaner\AdwCleaner[R1].txt - [3225 Bytes] - [28/09/2015 18:28:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [853 Bytes] - [07/09/2015 14:15:45]
C:\AdwCleaner\AdwCleaner[S1].txt - [3287 Bytes] - [28/09/2015 18:30:41]
C:\AdwCleaner\AdwCleaner[S2].txt - [27128 Bytes] - [31/10/2016 12:48:00]
C:\AdwCleaner\AdwCleaner[S3].txt - [26279 Bytes] - [31/10/2016 12:52:11]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [28016 Bytes] ##########
----------------------------------------------------------------------------------------------------
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Home x64 
Ran by Basement-PC (Administrator) on 2016-10-31 at 13:07:33.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\Program Files (x86)\your product (Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-10-31 at 13:09:46.69
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 



#2 boopme (Global Moderator)
Posted 15 November 2016 - 12:04 PM

Hello. Run RKill, then, before any reboot, run a Malwarebytes scan.
Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista/Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; otherwise you will need to run the application again.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TonyG1959 (Topic Starter)

Posted 15 November 2016 - 07:25 PM

Thank you for replying. I apologize; I am out of town on work-related matters. I will be able to follow up on your directions Thursday evening. I apologize for the delay.

I appreciate your assistance.

 

TonyG



#4 boopme (Global Moderator)

Posted 17 November 2016 - 12:57 PM

No Problem.

#5 TonyG1959 (Topic Starter)

Posted 18 November 2016 - 01:22 AM

No joy. Still experiencing the pop-ups as described originally.

Ran RKill from Link 2 after trying Link 1. Neither briefly flashed and disappeared, although the dialogue suggested that they had killed operations running in the background. Did not reboot, as directed.

 

From the log:
 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/17/2016 11:09:03 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Basement-PC\AppData\Local\Chromium\Application\chrome.exe (PID: 13988) [FI]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Reparse Point/Junctions Found (These may be legitimate)!
 
     * C:\WINDOWS\WinSxS\x86_microsoft-windows-unimodem-core-tsp_31bf3856ad364e35_10.0.14393.206_none_8bbf93b9b502abad\unimdm.tsp => <Unknown Target> [File]
     * C:\WINDOWS\WinSxS\x86_microsoft-windows-v..driver-tvdigital-ks_31bf3856ad364e35_10.0.14393.0_none_941433dbe94ffbb8\bdaplgin.ax => <Unknown Target> [File]
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 11/17/2016 11:09:25 PM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)
 

 

Ran ESET, disabled AVG and Malwarebytes and found two items.
 

From the log:

 

C:\Users\Basement-PC\AppData\LocalLow\Oracle\Java\jre1.8.0_101\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.N potentially unsafe application cleaned by deleting

C:\Users\Basement-PC\AppData\LocalLow\Oracle\Java\jre1.8.0_101\java_sp\JavaIC.dll a variant of Win32/Bundled.Toolbar.Ask.N potentially unsafe application cleaned by deleting
 
Wondering: Last time I had an issue with Google Chrome, it led to an uninstall and reinstall to fix the issue. This time, I cannot use Chrome and am using Chromium. Would not surprise me if the bug buries itself in Chromium.

Edited by TonyG1959, 18 November 2016 - 01:27 AM.
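The Rkill and ESET steps boopme gave in post #2, and the Rkill and AdwCleaner logs Tony posted, come down to a handful of persistence and tampering points: the Run autoruns and the StartupApproved entries AdwCleaner removed (Gameo, UpdateAdmin, vProt), the Chrome extension installed through the registry (chfdnec...), and the Windows Defender DisableAntiSpyware value Rkill flagged. The script below is an added example, not code from this thread, from Rkill, AdwCleaner or ESET; it audits those same locations read-only so a reader can verify a machine's state after a cleanup instead of trusting the tool's summary. Assumptions: the default Chrome/Chromium profile paths seen in the logs, the 0x02/0x03 enabled/disabled encoding of StartupApproved values, and the "Suspect" heuristic (unsigned or missing binary launched from under C:\Users), which is a triage hint rather than a verdict.

```powershell
# Added example (not code from the thread, Rkill, AdwCleaner or ESET): a read-only audit
# of the persistence points the logs above dealt with. Run from an elevated PowerShell
# prompt on Windows 8.1/10. Nothing is changed; review the output, then remove by hand.

function Get-AutorunEntries {
    # Run/RunOnce command lines for the machine (64- and 32-bit views) and the user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # The executable is the quoted first token, or else the first whitespace-separated one.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = 'FileMissing'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $cmd; Signature = $sig
                # Heuristic (an assumption, not a verdict): an unsigned or missing binary
                # launched from under C:\Users is the usual adware autorun pattern.
                Suspect = ($sig -ne 'Valid') -and ($exe -like '*\Users\*')
            }
        }
    }
}

function Get-StartupApprovedState {
    # Explorer's record of which autoruns are enabled (Task Manager's Startup tab); AdwCleaner
    # removed Gameo, UpdateAdmin and vProt from here. First byte: 0x02 = enabled, 0x03 = disabled.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $b = $item.GetValue($name)
            $state = 'Unknown'
            if ($b -is [byte[]] -and $b.Length -gt 0) { $state = switch ($b[0]) { 2 {'Enabled'} 3 {'Disabled'} default {'Unknown'} } }
            [pscustomobject]@{ Key = $key; Name = $name; State = $state }
        }
    }
}

function Get-DefenderDisableFlags {
    # Rkill flagged HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = 1. Bundlers set
    # this, but a third-party AV (AVG is installed here) may set it too, so a hit needs explaining.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
        $v = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
        if ($null -ne $v) { [pscustomobject]@{ Key = $key; DisableAntiSpyware = $v } }
    }
}

function Get-ChromeExtensionSources {
    # Extensions installed via the registry (how chfdnec... in the AdwCleaner log arrived),
    # forced by policy, or unpacked in the default Chrome/Chromium profiles seen in the logs.
    $regRoots = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
                'HKCU:\SOFTWARE\Google\Chrome\Extensions',
                'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    foreach ($root in $regRoots) {
        if (-not (Test-Path $root)) { continue }
        # Forcelist holds "id;update_url" values; the other roots have one subkey per extension id.
        $item = Get-Item $root
        foreach ($n in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $root; ExtensionId = ([string]$item.GetValue($n) -split ';')[0] }
        }
        foreach ($sub in Get-ChildItem $root) {
            [pscustomobject]@{ Source = $root; ExtensionId = $sub.PSChildName }
        }
    }
    $profiles = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
                "$env:LOCALAPPDATA\Chromium\User Data\Default\Extensions"
    foreach ($dir in $profiles) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ext in Get-ChildItem -LiteralPath $dir -Directory) {
            $manifest = Get-ChildItem -LiteralPath $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            $name = '?'
            if ($manifest) { $name = (Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json).name }
            [pscustomobject]@{ Source = $dir; ExtensionId = "$($ext.Name) ($name)" }
        }
    }
}

Get-AutorunEntries | Format-Table Name, Signature, Suspect, Command -AutoSize
Get-StartupApprovedState | Format-Table -AutoSize
Get-DefenderDisableFlags | Format-Table -AutoSize
Get-ChromeExtensionSources | Format-Table -AutoSize
```

Run it once before the cleanup and once after the reboot, and diff the two outputs: an autorun that reappears, an extension id that comes back in the Chromium profile after being removed from the Chrome one, or a DisableAntiSpyware value that returns are exactly the kind of re-persistence that the pop-ups in this thread were pointing at. A Defender hit on a machine that runs AVG is expected; on a machine with no other AV it is worth clearing and then watching for it to return.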


#6 boopme (Global Moderator)

Posted 21 November 2016 - 07:34 PM

Let's just get a deeper look and fix this. Start at step 6.
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#7 TonyG1959 (Topic Starter)

Posted 28 November 2016 - 03:47 PM

You can close this ticket off. It seems rebooting after the steps above were completed took care of the issue. I wanted to let the system operate for a few days before giving the thumbs up. Thanks again.

Will be sending a donation to your defense fund.

 



#8 boopme (Global Moderator)

Posted 29 November 2016 - 12:43 PM

OK, Thank you!!