leftydrummrr Posted April 11, 2014

This has shown up twice on a Malwarebytes scan. Keeps coming back after I delete. What should I do? Am I missing something? Thanks
Juliet Posted April 12, 2014

Which version of Malwarebytes do you have? Recently there was a software update that now is 2.0. Check your version.

AdwCleaner by Xplode

Click on this link to download: ADWCleaner
Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.
Do not click on any links in the top advertisement.
Double click on AdwCleaner.exe to run the tool.
Click on Search.
A logfile will automatically open after the scan has finished.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[R1].txt as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
leftydrummrr Posted April 12, 2014

I believe I have the latest version of MalwareBytes. I update each time I use it. Here are the scans.

# AdwCleaner v3.023 - Report created 12/04/2014 at 09:58:03
# Updated 01/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : mark gisi - YOUR-DCA4C55FD8
# Running from : C:\Documents and Settings\mark gisi\My Documents\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\All Users\Application Data\apn
Folder Found C:\Documents and Settings\mark gisi\Local Settings\Application Data\FileTypeAssistant
Folder Found C:\Documents and Settings\NetworkService\Local Settings\Application Data\FileTypeAssistant
Folder Found C:\Program Files\File Type Assistant
Folder Found C:\WINDOWS\system32\AI_RecycleBin

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\File Type Assistant\TSAssist.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [secondary Start Pages] - hxxp://us-mg205.mail.yahoo.com/neo/launch?.rand=2146636319&action=showLetter&umid=2_0_0_1_158104_AOvTimIAANteUepq4QHRNTP5vxM&box=Inbox

-\\ Google Chrome v34.0.1847.116

[ File : C:\Documents and Settings\mark gisi\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2601 octets] - [12/04/2014 09:58:03]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2661 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by mark gisi on Sat 04/12/2014 at 10:05:06.76
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installiq
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\apn"
Successfully deleted: [Folder] "C:\Documents and Settings\mark gisi\Local Settings\Application Data\filetypeassistant"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/12/2014 at 10:10:08.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you Juliet.
Juliet Posted April 12, 2014

Uninstall File Type Assistant.

Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
This time in the list of objects, click on Delete.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

How's your computer now?
leftydrummrr Posted April 12, 2014

Here is the file. The computer is faster now.

# AdwCleaner v3.023 - Report created 12/04/2014 at 14:10:40
# Updated 01/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : mark gisi - YOUR-DCA4C55FD8
# Running from : C:\Documents and Settings\mark gisi\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\File Type Assistant
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\FileTypeAssistant
Folder Deleted : C:\Documents and Settings\mark gisi\Local Settings\Application Data\FileTypeAssistant

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\File Type Assistant\TSAssist.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [secondary Start Pages]

-\\ Google Chrome v34.0.1847.116

[ File : C:\Documents and Settings\mark gisi\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2741 octets] - [12/04/2014 09:58:03]
AdwCleaner[R1].txt - [2024 octets] - [12/04/2014 14:07:32]
AdwCleaner[s0].txt - [1833 octets] - [12/04/2014 14:10:40]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1893 octets] ##########

Did I get it all?
Juliet Posted April 12, 2014

"Did I get it all?"
I hope.

"This has shown up twice on a Malwarebytes scan. Keeps coming back after I delete. What should I do, Am i missing something?"
You were able to delete the original problem.

Is the computer experiencing anything else?
leftydrummrr Posted April 12, 2014

No further problems. Thank you. Anything else I should do?
Juliet Posted April 12, 2014

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe and save it to your desktop.
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

~~~~~~~~~~~~~~~~~

Go here to run an online scanner from ESET.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan.
Wait for the scan to finish.
When the scan completes, press the LIST OF THREATS FOUND button.
Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop.
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish.
leftydrummrr Posted April 12, 2014

Here is the report.

C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\ftacfg.exe.vir Win32/FileTypeAssistant.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\TSASetup.exe.vir Win32/FileTypeAssistant.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\tsassist.exe.vir Win32/FileTypeAssistant.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\temp\~tmp.exe.vir Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP549\A0082992.exe a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP549\A0082995.exe a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP549\A0082996.exe Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP549\A0082998.exe a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP577\A0086503.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP577\A0086545.exe Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP577\A0086547.exe Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP577\A0086548.exe Win32/FileTypeAssistant.A potentially unwanted application
C:\System Volume Information\_restore{EB844A99-6E06-4AAD-BD6B-8B1A294877A0}\RP577\A0086552.exe Win32/FileTypeAssistant.A potentially unwanted application
H:\Maxtor backup\D539F051\C\Documents and Settings\Mark Gisi\My Documents\RADMIN FILE\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
H:\Maxtor backup\D539F051\C\Documents and Settings\Mark Gisi\My Documents\RADMIN FILE\radmin22\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

Still more infections?
Juliet Posted April 12, 2014

What was found is held in quarantine, system restore which cannot hurt you unless you click on one of those restore points, and a couple in a back up you made.

not-a-virus:RemoteAdmin.Win32.RAdmin.22 - Riskware, potentially unsafe application

~~~~~~~~~~

To remove AdwCleaner quarantine folder, double click on adwcleaner.exe to run the tool.
Click on Uninstall, then confirm with yes to remove AdwCleaner from your computer.

Click Start Menu > Run > type (or copy and paste) %SystemRoot%\System32\restore\rstrui.exe
Press OK.
Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type cleanmgr
Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed.
Once that's finished it will open the Disk Cleanup options screen. Click the More Options tab, then click Clean up on the system restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.
To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK then choose Yes on the confirmation window.

~~~~~~~~~~~~

Go to My Computer->Tools->Folder Options->View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck - Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK.
(Remember to Hide files and folders once done)

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold:

H:\Maxtor backup\D539F051\C\Documents and Settings\Mark Gisi\My Documents\RADMIN FILE\radmin22.zip
H:\Maxtor backup\D539F051\C\Documents and Settings\Mark Gisi\My Documents\RADMIN FILE\radmin22\RADMIN22.EXE

Reboot the computer.

Running good now?

Please take time to read over the below article.
Important information regarding Windows XP
http://forums.whatthetech.com/index.php?showtopic=127901
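Added example, not part of the original thread or of any tool used in it: a Python sketch of the sorting applied to the ESET report above, grouping each finding by where the file sits (quarantine, System Restore point, backup, or the active file system). The space-separated line layout, the backup_roots parameter, the "live" bucket and every sample path are assumptions or constructed values.

```python
import re
from collections import defaultdict

# One finding per line: <path> [a variant of ]<Platform/Name> <category>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<variant>a variant of\s+)?"
                     r"(?P<name>\w+/\S+)\s+(?P<category>.+)$")

# Follow-up per location, paraphrasing the helper's reply in this thread.
NEXT_STEP = {
    "quarantine": "inert; removed when AdwCleaner is uninstalled",
    "restore_point": "inert unless that point is restored; purge old points",
    "backup": "dormant copy; delete it from the backup by hand",
    "live": "on the active file system; still needs cleaning",
}

def classify(path, backup_roots=()):
    """Map a detection path to where the file sits, not what it is."""
    p = path.lower()
    if "\\adwcleaner\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore{" in p:
        return "restore_point"
    if any(p.startswith(root.lower()) for root in backup_roots):
        return "backup"  # backup_roots is supplied by the caller (assumption)
    return "live"

def triage(report, backup_roots=()):
    """Group findings by location; lines that do not parse go to 'unparsed'."""
    groups = defaultdict(list)
    for line in filter(None, map(str.strip, report.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            groups["unparsed"].append(line)
            continue
        groups[classify(m["path"], backup_roots)].append({
            "path": m["path"], "name": m["name"],
            "variant": bool(m["variant"]), "category": m["category"]})
    return dict(groups)

# Constructed sample modelled on the report layout in this thread.
SAMPLE = r"""
C:\AdwCleaner\Quarantine\C\Program Files\Example App\setup.exe.vir Win32/ExampleApp.A potentially unwanted application
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe a variant of Win32/ExampleApp.A potentially unwanted application
H:\Old backup\Documents\tool.zip Win32/RemoteAdmin.Example potentially unsafe application
C:\Program Files\Example App\helper.exe Win32/ExampleApp.A potentially unwanted application
Scan finished
"""

if __name__ == "__main__":
    for where, items in triage(SAMPLE, ["H:\\Old backup\\"]).items():
        print(f"{where}: {len(items)} -> {NEXT_STEP.get(where, 'review by hand')}")
```

Only findings that land in the "live" bucket point at files still in use on the system; the other buckets map to the clean-up steps given in the reply above.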
leftydrummrr Posted April 13, 2014

Finished all above. Computer runs well. Anything else?
Juliet Posted April 13, 2014

I think we're done with what we found. If something was still lurking in the background you would know it.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop

Please read the following safe computing articles.
Secure My Computer: A Layered Approach
Free Antivirus-AntiSpyware-Firewall Software
Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
leftydrummrr Posted April 13, 2014

Thank you for your excellent help.