Computersarecool

Ads keep popping up on every website


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 5.1.6 (07.17.2013:4)

OS: Windows 7 Home Premium x64

Ran by Shelly on Sat 07/20/2013 at  8:33:37.72

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasmancs

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\askpartnercobrandingtool_rasapi32

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\askpartnercobrandingtool_rasmancs

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\windows\currentversion\ext\preapproved\{4623a8c4-150d-4983-8982-68c01e7d6541}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{214DCC7F-BC91-4CEC-B853-A830F39FDB5B}

~~~ Files

Successfully deleted: [File] C:\Windows\syswow64\sho2DF4.tmp

Successfully deleted: [File] C:\Windows\syswow64\shoC01C.tmp

Successfully deleted: [File] C:\Windows\syswow64\shoDE1D.tmp

Successfully deleted: [File] C:\Windows\syswow64\shoF22F.tmp

Successfully deleted: [File] C:\Windows\syswow64\shoFF11.tmp

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Shelly\appdata\locallow\couponalert_2pei"

Successfully deleted: [Folder] "C:\Program Files (x86)\couponalert_2pei"

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{18B64954-4848-4FC8-8397-3AECE6D832E2}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{1BB2CA01-569C-46C4-B080-61D35BF0905F}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{2CEA27A7-8207-45F0-B085-6C30EC4A0015}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{37310D1A-3AF6-4B63-B89C-F9A12D53489E}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{3B4692B5-9CF7-4A3F-914C-03FB1786E84B}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{50DE59C5-1A1D-45C3-8B18-ADF83D9B948E}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{5B9820B1-2509-4311-9A5A-E7D672BAB2F4}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{5BD9E6CE-D976-4871-8E70-6F0209CA9F7E}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{650DF4C7-B95D-4F34-A93E-7B09DD0F8469}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{6C2A062B-8140-4148-AF4B-D2D5342D380B}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{742DA85F-228E-4F54-ABBB-5D9F96D3C014}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{891307A1-E75F-4DD5-B599-AC50164D9D24}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{95B87F3C-E9B5-4EA9-81E5-05F4F96404DA}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{97B97756-21CF-4F11-81B0-B6C0E8F34FA0}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{A4E1959F-6947-4045-A09F-FE6738F7616E}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{AF2FB3B4-8B31-4043-838E-41F9B16DAC4A}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{B76983C9-4B3A-4B61-8A31-94F6CBAB5F29}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C22C388A-3691-4B73-BE1D-BFAA392DB20F}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C2A78D72-D98B-4771-ABCF-111DE39ABFCC}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{C39FF832-1A64-4FC1-8B3E-160AF3457BED}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{D4181AA0-1D9D-42C2-B4A6-8BBFD8FEE78A}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{DFAB5A31-C44D-48B3-962D-1B8337AB8019}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{EB3F34DD-A747-4675-9DE6-1A709934B304}

Successfully deleted: [Empty Folder] C:\Users\Shelly\appdata\local\{F72D3F20-2DE8-4E31-A4D2-A16DBE0F592A}

~~~ FireFox

Emptied folder: C:\Users\Shelly\AppData\Roaming\mozilla\firefox\profiles\6r4ppha7.default\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 07/20/2013 at  8:40:28.77

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I am no longer seeing ads, but let's wait a bit to see if they come up again like last time. Just out of curiosity, I opened MSCONFIG to check the startup list, and I found a weird entry. It is called ROC_ROC_APR2013_AV. What is this?


It has to do with AVG-Secure-Search, you can use RogueKiller to kill it:

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Shelly\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 3fc10e13774647d0b878f123cccfd331-32da52831aa34f4fb7ccf705a2c57737d70ec825 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [-][x][x][x]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-3948153512-2191287527-3853436557-1000\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Shelly\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 3fc10e13774647d0b878f123cccfd331-32da52831aa34f4fb7ccf705a2c57737d70ec825 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [-][x][x][x]) -> FOUND

Now click Delete on the right hand column under Options

MrC

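A read-only version of the check MrC has RogueKiller do, added here as an example (it is not part of the original thread and is not RogueKiller's code): enumerate the Run keys for HKLM, HKCU and every loaded user hive under HKEY_USERS, and flag any command that starts a binary from a user-writable location such as AppData\Roaming, which is what the [SUSP PATH] tag above is pointing at. It also flags entries whose file no longer exists, the dangling leftovers that show up after a removal tool has deleted the binary but not the Run value. The suspicious-location pattern, the SID pattern for profile hives and the PowerShell 5.1 requirement are my assumptions; nothing is deleted, so the output is a list to review before letting a tool remove anything.

```powershell
# Added example, not from the original thread and not RogueKiller's code.
# Enumerates the autostart "Run" values for HKLM, HKCU and every loaded user hive under HKU
# (the HKUS\S-1-5-21-... line in the RogueKiller output is the same key seen through HKEY_USERS)
# and flags commands that start a binary from a user-writable profile folder, which is the
# idea behind the [SUSP PATH] tag. It only reads and prints; nothing is deleted.
# Assumes PowerShell 5.1 or later, run elevated so HKLM and other users' hives are readable.

$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Run key of every loaded profile hive (S-1-5-21-...-<rid>); the _Classes hives are skipped.
$runKeys += @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })

# Locations a normal installer does not use for an autostart executable (assumed heuristic).
$suspiciousPath = '\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|\\Users\\Public\\'

function Get-RunExecutable([string]$command) {
    # The executable part of a Run value: a quoted path, else an unquoted path that may
    # contain spaces (taken up to the first script/binary extension), else the first token.
    $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($command -match '^\s*(\S.*?\.(exe|cmd|bat|vbs|js|scr|dll))(\s|$)') { $Matches[1] }
           else { ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-RunExecutable([string]$path) {
    # Does the referenced file exist? Bare names (rundll32.exe) are resolved through PATH.
    if (-not $path) { return $false }
    if ($path -match '[\\/]') { return (Test-Path -LiteralPath $path -PathType Leaf) }
    return [bool](Get-Command $path -ErrorAction SilentlyContinue)
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $hive = Get-Item -LiteralPath $key
    foreach ($name in $hive.GetValueNames()) {
        $cmd = [string]$hive.GetValue($name)
        $exe = Get-RunExecutable $cmd
        $flags = @()
        if ($cmd -match $suspiciousPath) { $flags += 'SUSP PATH' }       # binary lives in a profile/temp folder
        if (-not (Test-RunExecutable $exe)) { $flags += 'FILE MISSING' }  # dangling entry left over after a removal
        [pscustomobject]@{
            Key     = $key -replace '^Registry::', ''
            Name    = $name
            Command = $cmd
            Flag    = if ($flags) { $flags -join ', ' } else { 'ok' }
        }
    }
}

# Flagged entries first; review them before letting any tool delete them.
$findings | Sort-Object { $_.Flag -eq 'ok' } | Format-Table Key, Name, Flag, Command -AutoSize -Wrap
```

The AVG entry in the thread would come out as SUSP PATH because its binary sits under C:\Users\Shelly\AppData\Roaming. A legitimate program can live there too (some per-user installers do), so the flag is a reason to look, not proof of adware; what matters is whether you recognise the program and whether it still has a reason to start with Windows.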

Should I keep it or would it be best to remove it? Also, I noticed a ton of icons disappeared from my system tray, most noticeably AVG Antivirus, but I can still start it from the start menu.


Yes, have RogueKiller delete them.

There should be an option in AVG to show the icon.

MrC


The option was already set to show the icon... odd. I have also noticed that the laptop is running a lot faster :D. A few more questions, if you don't mind. Why can't Malwarebytes detect adware, and why do people install adware on other people's computers? What is the difference between adware and malware? And what do you look for when reviewing the log files? And finally, would you recommend that I run a Malwarebytes scan to make sure the computer is clean?


Do a search for avgtray.exe and run it, see if that puts the icon back

Why can't Malwarebytes detect adware, and why do people install adware on other people's computers?

MB is for malware; it can detect some adware, but you have to change the setting:
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

You download the adware when you install free games, toolbars, etc.
You should always read the End-User License Agreement (EULA).

Adware:
http://www.bleepingcomputer.com/glossary/definition232.html

Malware:
http://www.bleepingcomputer.com/glossary/definition227.html

And what do you look for when reviewing the log files?

I make sure no legitimate folders are being targeted.
Some people name folders that they want to save "Save"; there's adware out there that contains a folder named Save, so it would be deleted. AdwCleaner can't tell the difference.

And finally, would you recommend that I run a Malwarebytes scan to make sure the computer is clean?

Yes...........

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.07.20.04

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Shelly :: SHELLY-PC [administrator]

7/20/2013 10:53:48 AM

MBAM-log-2013-07-20 (11-01-00).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228914

Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\Shelly\Downloads\FlashPlayer_V.130194349c.exe (PUP.FakeFlash.Domaiq) -> No action taken.

C:\Users\Shelly\Downloads\FlashPlayer_V.139704192c.exe (PUP.FakeFlash.Domaiq) -> No action taken.

C:\Users\Shelly\Downloads\readersdigestgames-setup.exe (PUP.DownloadAdmin) -> No action taken.

(end)

I am removing them now...


Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC


I can tell you that Windows Update is disabled for two reasons. The first reason is that it shuts down the computer at the worst possible time (like when I am about to save a long text document), and the last time it updated it nearly corrupted Windows.


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Out of date service pack!! <---check Windows Update for this

----------------------------------------

Please uninstall any and all Java from your add/remove programs:
JavaFX 2.1.1
Java™ 6 Update 29


Java version out of Date! <-------Download and install the latest version (Version 25) from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

-------------------------------------

Adobe Flash Player 11.4.402.265 Flash Player out of Date! <----------Please check for an update, should be located in your control panel

-----------------------------------

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

----------------------------------


Mozilla Firefox 15.0 Firefox out of Date! <---please check for an update if available

--------------------------------

Google Chrome 28.0.1500.71 <-----OLD
Google Chrome 28.0.1500.72 <-----OK

You have old versions of Google Chrome on the system.
Please download and run OldChromeRemover.
Windows Vista/Windows 7-8 users must use "Run As Administrator."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete, e.g. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner: just run the program and click Uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

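A way to do the inventory part of Security Check yourself, added as an example (not from the original thread, and not Security Check's or OldChromeRemover's code): read the Add/Remove Programs data from the Uninstall registry keys, list the products named in the post above with their registered versions, report more than one install of the same product, and look for leftover Chrome version folders, which is what the two Chrome 28.0.1500.xx lines above come from. The product-name pattern, the Chrome folder locations and the PowerShell 5.1 requirement are my assumptions; the script does not know which version is current, so compare the versions it prints against each vendor's site, and it removes nothing.

```powershell
# Added example, not from the original thread and not Security Check's code.
# Reads the Add/Remove Programs registry data (both 64-bit and 32-bit views, plus per-user
# installs) and lists the products Security Check complained about in this thread with their
# registered versions, then looks for leftover Chrome version folders (what OldChromeRemover
# deletes). Read-only; it reports, you decide what to update or uninstall.
# Which version counts as current is not encoded here: check each vendor's site.
# Assumes PowerShell 5.1 or later.

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Products worth checking on this machine (assumed list, taken from the Security Check output above).
$watch = '^(Java|JavaFX|Adobe Flash Player|Adobe Reader|Mozilla Firefox|Google Chrome)'

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $watch } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = $_.DisplayVersion
            Publisher = $_.Publisher
            Uninstall = $_.UninstallString   # the command Add/Remove Programs would run
        }
    } | Sort-Object Name, Version

$products | Format-Table Name, Version, Publisher -AutoSize

# Several entries for one product family (two "Java 6 Update NN" lines, JavaFX beside Java)
# usually mean old builds were never removed. Group on the name with its version suffix stripped.
$products | Group-Object { $_.Name -replace '\s+\d.*$', '' } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        "Multiple installs of {0}: {1}" -f $_.Name, (($_.Group.Version | Sort-Object -Unique) -join ', ')
    }

# Chrome keeps one folder per build under Application\; more than one means a stale build is
# still on disk, which is what Security Check reports as OLD next to the OK one.
$chromeDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application"
)
foreach ($dir in $chromeDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $versions = @(Get-ChildItem -LiteralPath $dir -Directory |
        Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
        ForEach-Object { [version]$_.Name } | Sort-Object)
    if ($versions.Count -gt 1) {
        $old = ($versions[0..($versions.Count - 2)] | ForEach-Object { $_.ToString() }) -join ', '
        "Old Chrome builds still on disk in {0}: {1} (current {2})" -f $dir, $old, $versions[-1]
    }
}
```

Run it before and after the updates: the second run should show a single Java entry, one Flash Player per plugin type (ActiveX for Internet Explorer, NPAPI for Firefox in this era), no Chrome folder older than the current one, and no product whose version you cannot match to the vendor's current release.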

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
