Computersarecool (Author) Posted July 20, 2013 ID:705216

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.1.6 (07.17.2013:4)
OS: Windows 7 Home Premium x64
Ran by Shelly on Sat 07/20/2013 at 8:33:37.72
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\askpartnercobrandingtool_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\askpartnercobrandingtool_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\windows\currentversion\ext\preapproved\{4623a8c4-150d-4983-8982-68c01e7d6541}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{214DCC7F-BC91-4CEC-B853-A830F39FDB5B}

~~~ Files

Successfully deleted: [File] C:\Windows\syswow64\sho2DF4.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoC01C.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoDE1D.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoF22F.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoFF11.tmp

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Shelly\appdata\locallow\couponalert_2pei"
Successfully deleted: [Folder] "C:\Program Files (x86)\couponalert_2pei"
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{18B64954-4848-4FC8-8397-3AECE6D832E2}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{1BB2CA01-569C-46C4-B080-61D35BF0905F}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{2CEA27A7-8207-45F0-B085-6C30EC4A0015}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{37310D1A-3AF6-4B63-B89C-F9A12D53489E}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{3B4692B5-9CF7-4A3F-914C-03FB1786E84B}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{50DE59C5-1A1D-45C3-8B18-ADF83D9B948E}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{5B9820B1-2509-4311-9A5A-E7D672BAB2F4}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{5BD9E6CE-D976-4871-8E70-6F0209CA9F7E}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{650DF4C7-B95D-4F34-A93E-7B09DD0F8469}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{6C2A062B-8140-4148-AF4B-D2D5342D380B}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{742DA85F-228E-4F54-ABBB-5D9F96D3C014}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{891307A1-E75F-4DD5-B599-AC50164D9D24}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{95B87F3C-E9B5-4EA9-81E5-05F4F96404DA}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{97B97756-21CF-4F11-81B0-B6C0E8F34FA0}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{A4E1959F-6947-4045-A09F-FE6738F7616E}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{AF2FB3B4-8B31-4043-838E-41F9B16DAC4A}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{B76983C9-4B3A-4B61-8A31-94F6CBAB5F29}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C22C388A-3691-4B73-BE1D-BFAA392DB20F}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C2A78D72-D98B-4771-ABCF-111DE39ABFCC}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C39FF832-1A64-4FC1-8B3E-160AF3457BED}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{D4181AA0-1D9D-42C2-B4A6-8BBFD8FEE78A}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{DFAB5A31-C44D-48B3-962D-1B8337AB8019}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{EB3F34DD-A747-4675-9DE6-1A709934B304}
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{F72D3F20-2DE8-4E31-A4D2-A16DBE0F592A}

~~~ FireFox

Emptied folder: C:\Users\Shelly\AppData\Roaming\mozilla\firefox\profiles\6r4ppha7.default\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 07/20/2013 at 8:40:28.77
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MrCharlie Posted July 20, 2013 ID:705219

OK... How is it???

MrC
Computersarecool (Author) Posted July 20, 2013 ID:705221

I am no longer seeing ads, but let's wait a bit to see if they come up again like last time. Just out of curiosity, I opened MSCONFIG to check the startup list, and I found a weird entry. It is called ROC_ROC_APR2013_AV. What is this?
MrCharlie Posted July 20, 2013 ID:705223

It has to do with AVG-Secure-Search, you can use RogueKiller to kill it:

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Shelly\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 3fc10e13774647d0b878f123cccfd331-32da52831aa34f4fb7ccf705a2c57737d70ec825 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [-][x][x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3948153512-2191287527-3853436557-1000\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Shelly\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 3fc10e13774647d0b878f123cccfd331-32da52831aa34f4fb7ccf705a2c57737d70ec825 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [-][x][x][x]) -> FOUND

Now click Delete on the right hand column under Options

MrC
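The thing that makes the ROC_ROC_APR2013_AV entry above stand out, and that RogueKiller tags as [SUSP PATH], is where the program starts from: an .exe under the user's AppData\Roaming rather than Program Files. The script below is an added example written for this page (not RogueKiller's or Malwarebytes' code) that applies that heuristic to a set of Run-key values. The entries are constructed for the example; the first reproduces the value quoted in the thread (with the --mid argument left off), the others are made up. On a live Windows host you would read the values from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (for instance with the winreg module), which is assumed rather than done so the script runs anywhere.

```python
"""Flag auto-start (Run key) entries whose executable lives in a user-writable
location, the same property RogueKiller marks as [SUSP PATH].

Added example for this page, not code from the thread or from any tool named
in it. The Run entries are constructed; on a real host they would be read from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import re
from typing import List, NamedTuple


class RunEntry(NamedTuple):
    name: str      # value name as shown by MSCONFIG / RogueKiller
    command: str   # value data: image path plus arguments


class Finding(NamedTuple):
    name: str
    exe_path: str
    reason: str


# Locations a standard user can write to. A program that auto-starts from one
# of these was dropped there by something other than a normal installer, which
# is the heuristic RogueKiller's [SUSP PATH] tag expresses. Order matters: the
# more specific Temp pattern must run before the generic AppData\Local one.
USER_WRITABLE_LOCATIONS = [
    (re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.I), "runs from %APPDATA%"),
    (re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I), "runs from %TEMP%"),
    (re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.I), "runs from %LOCALAPPDATA%"),
    (re.compile(r"\\users\\[^\\]+\\downloads\\", re.I), "runs from Downloads"),
    (re.compile(r"\\windows\\temp\\", re.I), "runs from Windows\\Temp"),
    (re.compile(r"\\programdata\\", re.I), "runs from ProgramData"),
    (re.compile(r"^%(appdata|localappdata|temp|tmp)%", re.I), "runs from a user env-var path"),
]


def extract_exe(command: str) -> str:
    """Return the image path from a Run value, handling quoted and unquoted forms."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces ("AVG April 2013 Campaign"), so cut at
    # the first .exe that is followed by whitespace or the end of the string.
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def suspicious_run_entries(entries: List[RunEntry]) -> List[Finding]:
    """Return one Finding per entry whose image lives in a user-writable place."""
    findings = []
    for entry in entries:
        exe = extract_exe(entry.command)
        for pattern, reason in USER_WRITABLE_LOCATIONS:
            if pattern.search(exe):
                findings.append(Finding(entry.name, exe, reason))
                break
    return findings


# Constructed sample. The first entry reproduces the value quoted in the
# thread (abridged); the others are made up: one clean entry from Program
# Files and two more that start from user-writable paths.
SAMPLE_ENTRIES = [
    RunEntry("ROC_ROC_APR2013_AV",
             r"C:\Users\Shelly\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe "
             r"/PROMPT --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013"),
    RunEntry("AVG_UI", r'"C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY'),
    RunEntry("Updater", r"C:\Users\Shelly\AppData\Local\Temp\upd.exe -silent"),
    RunEntry("Helper", r"%APPDATA%\helper\helper.exe"),
]

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_ENTRIES):
        print(f"{f.name}: {f.reason}\n    {f.exe_path}")
```

A hit here is a reason to look, not proof of adware: some legitimate per-user installers (Chrome's per-user install, for one) also live under AppData\Local, so the path check is a triage filter that you then confirm by checking the publisher and what the program actually does, as MrCharlie did above.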
Computersarecool (Author) Posted July 20, 2013 ID:705224

Should I keep it or would it be best to remove it? Also, I noticed a ton of icons disappeared from my system tray, most noticeably AVG Antivirus, but I can still start it from the start menu.
MrCharlie Posted July 20, 2013 ID:705229

Yes, have RogueKiller delete them. There should be an option in AVG to show the icon.

MrC
Computersarecool (Author) Posted July 20, 2013 ID:705233

The option was already set to show the icon... odd. I have also noticed that the laptop is running a lot faster. A few more questions, if you don't mind. Why can't Malwarebytes detect adware, and why do people install adware on other people's computers? What is the difference between adware and malware? And what do you look for when reviewing the log files? And finally, would you recommend that I run a Malwarebytes scan to make sure the computer is clean?
MrCharlie Posted July 20, 2013 ID:705244

Do a search for avgtray.exe and run it, see if that puts the icon back.

Why can't malwarebytes detect adware, and why do people install adware to other people's computers?

MB is for malware, it can detect some adware, you have to change the setting though:
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.
You download the adware when you install free games and tool bars, etc.
You should always read the End-user license agreement (EULA)

Adware: http://www.bleepingcomputer.com/glossary/definition232.html
Malware: http://www.bleepingcomputer.com/glossary/definition227.html

And what do you look for when reviewing the log files?

I make sure no legitimate folders are being targeted.
Some people name folders Save, that they want to save, there's adware out there that contains a folder named Save. So it would be deleted, AdwCleaner can't tell the difference.

And finally, would you recommend that I run a malwarebytes scan to make sure the computer is clean?

Yes...........
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC
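The log-review point above (make sure a removal tool is not about to delete a folder the user created, such as one named "Save") can be partly automated. The script below is an added example written for this page, not code from JRT, AdwCleaner or Malwarebytes: it parses "Successfully deleted" lines in the format JRT prints, tallies them by kind, and lists any file or folder deletion that sits in a user-data location (Documents, Desktop, and so on) or directly off a drive root, which is where a user's own folders live rather than where adware drops itself. The log text is constructed for the example: a few lines copied in JRT's format from the log earlier in this thread plus one made-up "Save" folder under Documents.

```python
"""Triage a JRT-style removal log: summarize what was deleted and pick out
deletions that may have hit user-created data rather than adware drop sites.

Added example for this page, not code from any tool named in the thread.
SAMPLE_LOG is constructed; the Documents\Save line is invented to show the
case MrCharlie describes.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

DELETED_RE = re.compile(
    r'^Successfully deleted: \[(?P<kind>[^\]]+)\]\s*"?(?P<target>.+?)"?\s*$'
)

# Where a user's own files live. Adware drops into AppData and Program Files;
# a deletion under Documents/Desktop or straight off a drive root deserves a
# second look before the log is accepted as clean.
USER_DATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(documents|desktop|pictures|music|videos)(\\|$)", re.I
)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)  # e.g. C:\Save
SYSTEM_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def parse_jrt_log(text: str) -> List[Tuple[str, str]]:
    """Return (kind, target) for every 'Successfully deleted' line; ignore the rest."""
    entries = []
    for line in text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("target")))
    return entries


def summarize(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count deletions per kind ('Registry Key', 'File', 'Folder', 'Empty Folder')."""
    return dict(Counter(kind for kind, _ in entries))


def needs_review(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """File/folder deletions in user-data locations or at a non-system drive root."""
    flagged = []
    for kind, target in entries:
        if kind.lower().startswith("registry"):
            continue
        if USER_DATA_RE.match(target):
            flagged.append((kind, target))
        elif DRIVE_ROOT_RE.match(target):
            leaf = target.split("\\", 1)[1].lower()
            if leaf not in SYSTEM_ROOT_DIRS:
                flagged.append((kind, target))
    return flagged


# Constructed sample in JRT's line format. All but the Documents\Save line are
# taken from the log earlier in the thread; that one is invented.
SAMPLE_LOG = r"""
~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{214DCC7F-BC91-4CEC-B853-A830F39FDB5B}

~~~ Files

Successfully deleted: [File] C:\Windows\syswow64\sho2DF4.tmp

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Shelly\appdata\locallow\couponalert_2pei"
Successfully deleted: [Folder] "C:\Program Files (x86)\couponalert_2pei"
Successfully deleted: [Folder] "C:\Users\Shelly\Documents\Save"
Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{18B64954-4848-4FC8-8397-3AECE6D832E2}
"""

if __name__ == "__main__":
    found = parse_jrt_log(SAMPLE_LOG)
    for kind, count in sorted(summarize(found).items()):
        print(f"{kind}: {count}")
    for kind, target in needs_review(found):
        print(f"REVIEW [{kind}] {target}")
```

The point of the filter is the same one MrCharlie makes: the tool cannot tell a user's "Save" folder from an adware folder of the same name, so a human has to look at the paths before trusting the result, and a short list of "anything outside AppData/Program Files" is much quicker to eyeball than the whole log.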
Computersarecool (Author) Posted July 20, 2013 ID:705245

Okay, doing that now. Should I post the log file too?
Computersarecool (Author) Posted July 20, 2013 ID:705247

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.20.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Shelly :: SHELLY-PC [administrator]

7/20/2013 10:53:48 AM
MBAM-log-2013-07-20 (11-01-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228914
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Shelly\Downloads\FlashPlayer_V.130194349c.exe (PUP.FakeFlash.Domaiq) -> No action taken.
C:\Users\Shelly\Downloads\FlashPlayer_V.139704192c.exe (PUP.FakeFlash.Domaiq) -> No action taken.
C:\Users\Shelly\Downloads\readersdigestgames-setup.exe (PUP.DownloadAdmin) -> No action taken.

(end)

I am removing them now...
Computersarecool (Author) Posted July 20, 2013 ID:705248

It quarantined and removed all of them.
MrCharlie Posted July 20, 2013 ID:705255

Let's check your computer's security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
Do Not Attach It!!!

MrC
Computersarecool (Author) Posted July 20, 2013 ID:705264

I can tell you that Windows Update is disabled for two reasons. The first reason is that it shuts down the computer at the worst possible time (like when I am about to save a long text document) and the last time it updated it nearly corrupted Windows.
Computersarecool (Author) Posted July 20, 2013 ID:705269

Results of screen317's Security Check version 0.99.70
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Kaspersky PURE
AVG AntiVirus Free Edition 2013
Antivirus up to date! (On Access scanning disabled !)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
AVG PC TuneUp
AVG PC TuneUp Language Pack (en-US)
JavaFX 2.1.1
Java 6 Update 29
Java version out of Date!
Adobe Flash Player 11.4.402.265 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 15.0 Firefox out of Date!
Google Chrome 28.0.1500.71
Google Chrome 28.0.1500.72
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
Symantec Norton Online Backup NOBuAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````
Computersarecool (Author) Posted July 20, 2013 ID:705271

A few things I no longer use from that list include Firefox and Kaspersky.
MrCharlie Posted July 20, 2013 ID:705273

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Out of date service pack!! <---check Windows Update for this
----------------------------------------
Please uninstall any and all Java from your add/remove programs:
JavaFX 2.1.1
Java(TM) 6 Update 29
Java version out of Date! <-------Download and install the latest version (Version 25) from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".
-------------------------------------
Adobe Flash Player 11.4.402.265 Flash Player out of Date! <----------Please check for an update, should be located in your control panel
-----------------------------------
Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).
----------------------------------
Mozilla Firefox 15.0 Firefox out of Date! <---please check for an update if available
--------------------------------
Google Chrome 28.0.1500.71 <-----OLD
Google Chrome 28.0.1500.72 <-----OK
You have old versions of Google Chrome on the system.
Please download and run OldChromeRemover.
@Windows Vista/Windows 7-8 users must use "Run As Administrator."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clear the System Restore cache and create a new Restore point
(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)
---------------------------------
If you used DeFogger to disable your CD Emulation drivers, please re-enable them.
-------------------------------
Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe
Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.
Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....
AdwCleaner > just run the program and click uninstall.
-------------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
Computersarecool (Author) Posted July 20, 2013 ID:705275

Okay, I will post back if the ads come back! I hope they don't though...
LDTate Posted July 21, 2013 ID:705548

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!