Virus / Malware


  1. Posts : 78
    Windows 10 Pro - 64
       #1

    Virus / Malware


    - Windows 10 Pro 64 bit

    About two weeks ago, I would get periodic popups in the form of a new tab in Edge. On the new tab, it said:

    “Congratulations User!
    You have been selected today to receive a FREE iPhone X, PlayStation 4 or Samsung Galaxy S6!
    Please click OK to claim the prize before we giveaway to somebody else!”


    Obviously, this is bad news.

    I searched and found this website:

    Remove scam (Removal Guide) - updated Mar 2018

    It suggested removing recent suspicious programs and clearing out your cache and other stuff from Edge. I did so.

    For about ten days, the malware did not reappear. Today it did reappear once again.

    I have scanned with Norton 360. It says my computer is clean.

    I have run Malwarebytes, and again, it says my computer is clean.

    But I know I have malware that is present.

    This popup occurs at random times. It will suddenly rear its ugly head by announcing over my speakers that I have won something.

    How do I find this thing and get rid of it?
    Last edited by essenbe; 28 May 2018 at 16:37.
      My Computer


  2. Posts : 78
    Windows 10 Pro - 64
    Thread Starter
       #2

    Here's some follow-up information.

    I ran Norton's Power Eraser (NPE). I found two items: 1) vyprvpnservice.exe and 2) a registry entry. I allowed NPE to delete or fix both. The first item is actually legitimate. It's my Vypr VPN service.

    I went to the website and redownloaded and installed the file. So I have my VPN back again.

    I reran NPE. This time, it only identified the vyprvpnservice.exe. Because that's a false positive, I skipped it. There were no registry entries this time.

    Could a registry entry be responsible for my malware? In other words, has the issue likely been addressed?


  3. Posts : 4,791
    Windows 11 Pro 64 Bit 22H2
       #3

    Download and run ADWCleaner, then download Malwarebytes. Scan with each individually and remove any items it finds. They both should clear out any browser extensions and other malware. Follow it up with another 360 scan, although we find Norton to be bloated and not worth the cost, as it doesn't keep you safe.


  4. Posts : 78
    Windows 10 Pro - 64
    Thread Starter
       #4

    I chatted with Norton on the phone for about a half hour. He was confident that my computer was clean because the Norton Power Eraser (NPE) didn't find anything. He believes that it might be related to some of the Extensions that I am using. Or, it might simply be the websites themselves. I have difficulty with the website idea because I am going to "mainstream" websites when the problem occurs and it is *always* the same popup message that exists on a separate tab.

    Out of an abundance of caution, I removed the following two extensions:
    • Ghostery
    • IP Address and Domain Information


    My other extensions are as follows:
    • Dashlane
    • Office Online
    • Adblock Plus
    • Save to Pocket
    • OneNote Web Clipper


    I followed spunk's advice.

    In addition to some relatively innocuous stuff, ADWCleaner cleaned out 9 registry entries. I have a hunch that these might have played a role. They have a form like the following:

    Code:
    HKLM\Software\Classes\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\DOMStorage\SuspiciousSite1dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\DOMStorage\wwwSuspiciousSite1dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\EdpDomStorage\SuspiciousSite1dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\EdpDomStorage\wwwSuspiciousSite1dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\DOMStorage\SuspiciousSite2dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\EdpDomStorage\SuspiciousSite2dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\DOMStorage\SuspiciousSite3dotcom
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx\Xxxxxxxx\001\Internet Explorer\EdpDomStorage\SuspiciousSite3dotcom
    I used "X" to replace various characters that are non-essential. And used "SuspiciousSite1dotcom" rather than placing the actual website.

    I have a hunch that those sites were somehow responsible for supplying the garbage pop-ups.

    I ran Malwarebytes. It indicated that my computer was clean.

    I am running Norton again now using a full scan. So far after 3 million scanned items, it's found five tracking cookies. I suspect it won't find anything. I will wait, though, until it is done.

    I hope that by deleting those registry entries my system is now clean.
      My Computer
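
An added example (not part of the original posts, and not ADWCleaner's own logic): a small Python triage of registry key paths in the shape posted in #4. It separates keys that name a site under `DOMStorage` / `EdpDomStorage` in the Edge AppContainer storage path from the `CLSID` key, which is a COM class registration and is the entry worth checking for the file it points to. The sample list, the category names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape shown in post #4 (placeholders kept as posted).
EDGE = (r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows"
        r"\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_xxxxxxxxxxxxx"
        r"\Xxxxxxxx\001\Internet Explorer")
SAMPLE = [
    r"HKLM\Software\Classes\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    EDGE + r"\DOMStorage\SuspiciousSite1dotcom",
    EDGE + r"\DOMStorage\wwwSuspiciousSite1dotcom",
    EDGE + r"\EdpDomStorage\SuspiciousSite1dotcom",
    EDGE + r"\DOMStorage\SuspiciousSite2dotcom",
]

# Parent key names whose children are named after a web site.
SITE_STORES = {"domstorage", "edpdomstorage"}


def classify(key):
    """Return (category, store, name) for one registry key path."""
    parts = key.strip().split("\\")
    lowered = [p.lower() for p in parts]
    if len(parts) >= 2 and lowered[-2] in SITE_STORES:
        # Fold "www.site" and "site" together; the dot is optional only
        # because the posted names were redacted without dots.
        site = re.sub(r"^www\.?", "", parts[-1], flags=re.I)
        return ("site-data", parts[-2], site)
    if "clsid" in lowered[:-1]:
        # COM class registration: the GUID follows the CLSID component.
        return ("com-class", "CLSID", parts[lowered.index("clsid") + 1])
    return ("other", "", key)


def triage(keys):
    """Group site-data keys per site; list everything else for follow-up."""
    sites = defaultdict(set)
    follow_up = []
    for key in keys:
        kind, store, name = classify(key)
        if kind == "site-data":
            sites[name].add(store)
        else:
            follow_up.append((kind, name))
    return {s: sorted(v) for s, v in sites.items()}, follow_up


if __name__ == "__main__":
    print(triage(SAMPLE))
```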


  5. Posts : 78
    Windows 10 Pro - 64
    Thread Starter
       #5

    Attention Moderator:

    Please go to my first post in this thread and remove the hyperlink to the website. I don't trust that website. I am fearful that the website is designed to catch those wanting to remove these popups. If you go to the hyperlinked site and hover over some of the links in the instructions, you will find that they don't go to where you think they should go. So please remove the hyperlink.


  6. Posts : 1,026
    Win10 Version 21H2 19044.1645
       #6

    Stecyk said:
    Attention Moderator:

    Please go to my first post in this thread and remove the hyperlink to the website.

    Should be able to do that yourself. Just go to post and edit.


  7. Posts : 1,097
    Windows 10 Home x64 Version 1809 (OS Build 17763.437)
       #7

    Stecyk said:
    Attention Moderator:

    Please go to my first post in this thread and remove the hyperlink to the website. I don't trust that website. I am fearful that the website is designed to catch those wanting to remove these popups. If you go to the hyperlinked site and hover over some of the links in the instructions, you will find that they don't go to where you think they should go. So please remove the hyperlink.
    You (being the Thread Starter) should be able to go to that post and click "Edit" and remove the link yourself.

    Edit:

    Good luck with your malware.


  8. Posts : 31,651
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #8

    Stecyk said:
    I don't trust that website. I am fearful that the website is designed to catch those wanting to remove these popups...
    That site makes its money on commission on software sales. See their Disclosure...

    The company works in the affiliation with these companies: Reimage, Plumbytes Software, Malwarebytes, OSHI Limited, iS3, SUPERAntiSpyware, SurfRight B.V., Webroot Inc., BullGuard, ParetoLogic. These companies pay special commissions after users purchase their products thru the site. The main program, which is recommended on the project, is Reimage.
    ...so expect a lot of links to Reimage. The information seems reasonable and well-intentioned, just as long as you avoid the temptations of the regular 'sales pitch' links scattered throughout the articles.


  9. Posts : 12,801
    Windows 11 Pro
       #9

    Stecyk said:
    Attention Moderator:

    Please go to my first post in this thread and remove the hyperlink to the website. I don't trust that website. I am fearful that the website is designed to catch those wanting to remove these popups. If you go to the hyperlinked site and hover over some of the links in the instructions, you will find that they don't go to where you think they should go. So please remove the hyperlink.
    Site unlinked


  10. Posts : 78
    Windows 10 Pro - 64
    Thread Starter
       #10

    Thank you, Moderator.

    With regard to others suggesting that I should have edited the post myself, I see that I can report, quote, multi-quote, unsubscribe, print, and search. But I don't see the edit function. I must be looking in all the wrong places. Can someone, please, point me to the correct spot to edit for future reference?


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
