Author Topic: HKU\S-1-5-21-....  (Read 14702 times)


REDACTED

  • Guest
HKU\S-1-5-21-....
« on: March 05, 2016, 12:47:07 AM »
Hi. Since Thursday, when I ran a Malwarebytes full scan, MBAM found this thing "PUP.Optional.ConduitTB.Gen", its type: Registry key, and its location, which is the most weird and I've not even found it to this day: "HKU\S-1-5-21-...-...-...-1003\SOFTWARE\Conduit". Malwarebytes says it's a PUP (potentially unwanted program), but for real. Every time I put it in quarantine and delete it, this virus (thing) shows up again the next day, maybe the next hour after the removal.
Here is one log from Threat Scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 05.03.2016
Scan Time: 01:17
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.04.05
Rootkit Database: v2016.02.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Andreiii

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337546
Time Elapsed: 3 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit, Quarantined, [62631271cacf0b2b9249c1b99f659769],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Do any of you know how to get rid of this? Oh, I have to mention that in this time I've reinstalled Windows as well, but only quick formatting the SSD, not the HDDs.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: HKU\S-1-5-21-....
« Reply #1 on: March 05, 2016, 05:50:19 AM »
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #2 on: March 05, 2016, 09:19:21 AM »
Here is everything you asked for. FRST + Addition, aswMBR and another one from MBAM. I hope all the logs can be seen and are approximately OK...

Offline Asyn

Re: HKU\S-1-5-21-....
« Reply #3 on: March 05, 2016, 09:23:07 AM »
OK, now you've to wait a bit...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: HKU\S-1-5-21-....
« Reply #4 on: March 05, 2016, 01:56:18 PM »
Try this

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #5 on: March 05, 2016, 04:10:17 PM »
Ahmm... So I've downloaded AdwCleaner and after the scan, it says something strange somehow, and that is that my computer is safe... You what mate? Here is the message it displays after the scan: "AdwCleaner found no malicious program on your computer!"
So? What now? I mean, I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC, including things like keylogger, a downgrade of the PC performance, and so on...
Oh, and if you ask yourself if the scan was made without any programs running at the same time, yes it was, I've closed everything from Steam, Chrome to my mouse/keyboard drivers.

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #6 on: March 05, 2016, 04:17:24 PM »
Sorry for double posting, but even in the situation of seeing that message, I ran a scan again. Of course it didn't find anything, but I pressed Clean and I've restarted the PC. Here is the log.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: HKU\S-1-5-21-....
« Reply #7 on: March 05, 2016, 04:21:43 PM »
Quote
I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC
No, not dangerous, just an annoying toolbar
PUP.Optional.ConduitTB = Conduit Tool Bar

« Last Edit: March 05, 2016, 06:00:25 PM by Pondus »

Offline essexboy

Re: HKU\S-1-5-21-....
« Reply #8 on: March 05, 2016, 05:26:24 PM »
It is not showing in any log... Navigate to this key and see if it is present

HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #9 on: March 05, 2016, 05:53:36 PM »
OK... 1st of all: @Pondus: I don't understand what you wanted to say...
2nd of all: I've used AdwCleaner once again, this time after a restart and a MBAM threat scan where, once again, MBAM found that PUP, but this time I didn't remove it and didn't click Finish in MBAM so I can use AdwCleaner. Here is the log.
And finally, essexboy, how can I navigate to it? I went to regedit and then to HKEY_USERS. There I have more things ">.DEFAULT | >S-1-5-18 | >S-1-5-19 | >S-1-5-20" and of course 2 more with the name of the location but without "HKU", so at HKEY_USERS I have as well ">S-1-5-21-2785295504-...-...-1003"
It has a subfolder named SOFTWARE, but SOFTWARE doesn't contain a subfolder Conduit, so... Yeah... This is the weirdest virus or whatever it is that I've ever had...
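
Added example (not part of the original thread, and not Malwarebytes code): a Python parser for the registry-key line in the MBAM log above that separates the detection name from the key path and explains what each subkey name under HKEY_USERS stands for. The line format is inferred from the single log entry on this page, and the function names are illustrative assumptions.

```python
import re

# Well-known service SIDs that are always loaded under HKEY_USERS.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
              "S-1-5-20": "NetworkService"}

# Assumed MBAM 2.x result layout: detection, key path, action, [id],
LINE_RE = re.compile(r"^(?P<detection>[^,]+),\s*(?P<hive>HKU|HKLM)\\"
                     r"(?P<path>[^,]+),\s*(?P<action>[^,]+),")
# S-1-5-21-<three machine/domain values>-<RID>, optionally with _Classes.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(?P<rid>\d+)(?P<classes>_Classes)?$",
                    re.I)

# Line copied from the scan log earlier in this thread.
SAMPLE = (r"PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2785295504-2673479696-"
          r"1846757279-1003\SOFTWARE\Conduit, Quarantined, "
          r"[62631271cacf0b2b9249c1b99f659769],")


def describe_hive(name):
    """Explain one subkey name of HKEY_USERS (a profile hive, not a threat)."""
    if name.upper() == ".DEFAULT":
        return "alias of the LocalSystem profile (S-1-5-18)"
    if name in WELL_KNOWN:
        return f"{WELL_KNOWN[name]} service account"
    m = SID_RE.match(name)
    if not m:
        return "unrecognised"
    rid = int(m.group("rid"))
    kind = {500: "built-in Administrator", 501: "built-in Guest"}.get(
        rid, "regular user account" if rid >= 1000 else "built-in account")
    suffix = " (per-user class registrations)" if m.group("classes") else ""
    return f"{kind}, RID {rid}{suffix}"


def parse_detection(line):
    """Split a registry-key result line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hit = {k: v.strip() for k, v in m.groupdict().items()}
    if hit["hive"] == "HKU":
        # The first path component names whose profile hive holds the key.
        sid, _, subkey = hit["path"].partition("\\")
        hit.update(sid=sid, subkey=subkey, owner=describe_hive(sid))
    return hit


if __name__ == "__main__":
    print(parse_detection(SAMPLE))
    for hive in (".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20"):
        print(hive, "->", describe_hive(hive))
```

The detection name is the first field only; the SID in the path identifies the Windows account whose profile hive contains the flagged key.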

Offline Pondus

Re: HKU\S-1-5-21-....
« Reply #10 on: March 05, 2016, 06:02:17 PM »
Quote
@Pondus : I don't understand what you wanted to say ...
EDITED ... Read my post again

Offline essexboy

Re: HKU\S-1-5-21-....
« Reply #11 on: March 05, 2016, 06:06:41 PM »
OK reboot and see if it returns

It is doing no harm to your computer and is inactive

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #12 on: March 06, 2016, 09:50:06 AM »
Yes, it's still here... Should I reinstall Windows again, but this time erase everything on my SSD and HDD too?

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: HKU\S-1-5-21-....
« Reply #13 on: March 06, 2016, 09:59:42 AM »
Hey andrei41, I suggest you go to this guide and post a FRST scan + Addition and let essexboy have a look at the computer.

https://forum.avast.com/index.php?topic=53253.0

Don't throw in the towel just yet; follow the guide above and post the log.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

REDACTED

  • Guest
Re: HKU\S-1-5-21-....
« Reply #14 on: March 06, 2016, 10:14:13 AM »
Here you have them, even if I've already posted them yesterday...