# Solved: Need help removing Adware.RogueSuspect & WinAd



## tja (Sep 18, 2006)

I have AVG Anti Spyware and for the last couple of weeks, the scans show that I have the above adwares. I have tried using the options in AVG after I use the scan (quarantine, delete, delete on start-up, ignore once, etc.). I'd like to remove them from my computer, but it looks like the AVG doesn't provide that option (or it's not working - I just did the AVG update that was long in the making that was supposed to deal with some chronic problems with AVG). Can someone help me remove them (AVG says the risk level is "medium")? Even when I choose one of the "delete" options, each time the scan completes, it comes up with the same scan results. Thanks in advance for your help. I am attaching a copy of the Hijackthis log that I just ran.


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
Click *Exit* on the Main menu to close the program. 
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
_Please copy and paste the Scan Log results in your next reply *with a new hijackthis log*._

Click *Close* to exit the program.


----------



## tja (Sep 18, 2006)

Thanks. Here is the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/11/2007 at 12:34 PM

Application Version : 3.8.1002

Core Rules Database Version : 3242
Trace Rules Database Version: 1253

Scan type : Complete Scan
Total Scan Time : 00:34:09

Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 5865
Registry threats detected : 6
File items scanned : 38034
File threats detected : 3

MyWay Search Assistant Computers
HKLM\Software\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\Programmable
C:\PROGRAM FILES\MYWAYSA\SRCHASDE\1.BIN\DESRCAS.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060918-215638-289.DLL

Adware.MovieLand/MediaPipe
C:\!KILLBOX\FSUPPORT\NOTIFIER.EXE


----------



## cybertech (Apr 16, 2002)

Did that help or do you still have problems? Please post your hijackthis log again.


----------



## tja (Sep 18, 2006)

My AVG will run another scan tomorrow morning. I ran a new HiJackThis after following the previous steps. Here it is:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:16:13 PM, on 07-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken\Desktop\HiJackThis_v2\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146023019437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146022990500
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.100/Remote/msrdp.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462...img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbcyahoo/TrueInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

I ran an AVG scan this a.m. (6-11-07) - still have the same adware. Here is the report from AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	7:29:50 AM 07-06-12

+ Scan result:

HKLM\SOFTWARE\Esaya\TrueAssistant -> Adware.RogueSuspect : Ignored.
HKU\S-1-5-21-563458471-2069919217-3551775167-1008\Software\Esaya\TrueAssistant -> Adware.RogueSuspect : Ignored.
HKU\S-1-5-21-563458471-2069919217-3551775167-1008\Software\Esaya\TrueAssistant\Info -> Adware.RogueSuspect : Ignored.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0017201.dll -> Adware.WinAD : Ignored.

::Report end

--
End of file - 5946 bytes


----------



## cybertech (Apr 16, 2002)

If you rescan and change the options those can be removed:

Scan with AVG Anti-Spyware as follows: 

Click on the "Scanner" button and choose the "Settings" tab. 
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware. 
Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings. 
Under "Reports" select "Automatically generate report after every scan" and uncheck "Only if threats were found". 
Click the "Scan" tab to return to scanning options. 
Click "Complete System Scan" to start. 
When the scan has finished, it should automatically be set to Quarantine -- if not, click on Recommended Action and set it there. 
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.


----------



## tja (Sep 18, 2006)

I did what you recommended. Here's the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	2:57:51 PM 07-06-12

+ Scan result:	



HKLM\SOFTWARE\Esaya\TrueAssistant -> Adware.RogueSuspect : Ignored.
HKU\S-1-5-21-563458471-2069919217-3551775167-1008\Software\Esaya\TrueAssistant -> Adware.RogueSuspect : Ignored.
HKU\S-1-5-21-563458471-2069919217-3551775167-1008\Software\Esaya\TrueAssistant\Info -> Adware.RogueSuspect : Ignored.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0017201.dll -> Adware.WinAD : Ignored.


::Report end

When the screen comes up after the scan, it says that the items are quarantined. My question is: should I be concerned about this? Should these adware things be deleted from my computer?


----------



## cybertech (Apr 16, 2002)

They are just registry entries and harmless without the files associated with them.

Flush your System Restore to remove the one item in C:\System Volume Information
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405
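
The two replies above (setting AVG's recommended action to Quarantine, and treating leftover registry keys differently from the copy sitting in a System Restore point) can be turned into a small triage script. The following is an added example, not code from the thread or from AVG: it parses report lines in the `object -> threat : action.` shape shown in the posted scan reports and says what the thread recommends for each line. The sample report is constructed from the lines posted above plus one made-up, already quarantined file entry so that every branch is exercised; the registry-prefix list and the restore-point check are assumptions of this example.

```python
"""Triage AVG Anti-Spyware scan-report lines (example, not AVG's own code).

Each detection line in the posted reports looks like:
    <object> -> <threat name> : <action>.
where <object> is a registry key (HKLM\\..., HKU\\...) or a file path.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the report posted in the thread.
# The last detection line is made up to show the "Quarantined" branch.
SAMPLE_REPORT = """\
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:\t2:57:51 PM 07-06-12

+ Scan result:

HKLM\\SOFTWARE\\Esaya\\TrueAssistant -> Adware.RogueSuspect : Ignored.
HKU\\S-1-5-21-563458471-2069919217-3551775167-1008\\Software\\Esaya\\TrueAssistant -> Adware.RogueSuspect : Ignored.
C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP240\\A0017201.dll -> Adware.WinAD : Ignored.
C:\\Program Files\\Example\\notifier.exe -> Adware.Example : Quarantined.

::Report end
"""

# One detection per line: object, threat name, action (trailing period optional).
ENTRY_RE = re.compile(r"^(?P<obj>.+?) -> (?P<threat>[^\s:]+) : (?P<action>\w+)\.?\s*$")

# Hive prefixes that mark a registry object (assumed list for this example).
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")


@dataclass
class Detection:
    obj: str
    threat: str
    action: str

    @property
    def kind(self) -> str:
        """'registry' for hive-rooted objects, 'file' for everything else."""
        return "registry" if self.obj.upper().startswith(REGISTRY_PREFIXES) else "file"

    @property
    def in_restore_point(self) -> bool:
        """True when the object lives inside a System Restore snapshot."""
        return "\\SYSTEM VOLUME INFORMATION\\" in self.obj.upper()

    def advice(self) -> str:
        """The action the thread recommends for this kind of detection."""
        if self.in_restore_point:
            # The scanner keeps reporting the restore-point copy; the thread's
            # fix is to flush System Restore (turn it off and back on).
            return "flush System Restore (turn it off and back on) to drop this restore-point copy"
        if self.action.lower() == "ignored":
            # Default action was "Ignore"; the thread changes it to Quarantine.
            return "set AVG's Recommended action to Quarantine and rescan"
        if self.kind == "registry":
            return "registry entry only; harmless once no file is associated with it"
        return "quarantined; no further action"


def parse_report(text: str) -> list:
    """Return one Detection per matching line; headers and footers are skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection(m["obj"], m["threat"], m["action"]))
    return found


def summarize(detections: list) -> dict:
    """Count detections by action, e.g. {'Ignored': 3, 'Quarantined': 1}."""
    counts = {}
    for d in detections:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print(f"[{d.kind:8}] {d.threat:22} {d.action:12} -> {d.advice()}")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run against a real report, every line still marked `Ignored` after the settings change is the signal that the default action did not take; a restore-point path is flagged separately because no scanner setting changes it, only the System Restore flush does.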


----------



## tja (Sep 18, 2006)

I turned System Restore on and off. I'm not sure if that's the "flush" you were referring to (?). After I did that, AVG did its daily scan - same adware is detected. If it doesn't matter, I won't worry about it. Thanks for your help thus far!


----------



## cybertech (Apr 16, 2002)

How is it running now? Any problems?


----------



## tja (Sep 18, 2006)

My computer is running fine - no detectable problems. I wasn't having any problems when I started the thread - just concerned because AVG kept detecting the same adware and it would always have "ignore once" as the recommended action, even when I changed it from the main screen that lists the results of the scan. But since I've done what you suggested with AVG (i.e. going into preferences, etc.), it (so far) lists the items as quarantined.


----------



## cybertech (Apr 16, 2002)

OK Great!!


----------



## tja (Sep 18, 2006)

Thank you for your help! This has proved to be the best computer help I've encountered. When I first joined, I had Norton Anti-Virus (Symantec) - got a worm and they wanted me to pay them about $80.00 to walk me through how to get it off my system (because their website help was totally inadequate). I felt that was extortion (since I had already paid for the product, my account with them was still current, and it failed to block the worm I got). Since that time, I have used Tech Support Guy and I'm completely happy with it. Thanks again.


----------



## cybertech (Apr 16, 2002)

It's a good idea to Flush your System Restore after removing malware: 
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Here are some additional links for you to check out.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------



## tja (Sep 18, 2006)

I took your suggestions and went to Secunia and did the online checker. It indicated that I had earlier versions of Java that were vulnerable. I was able to remove those earlier versions. It also reported that my versions of Macromedia Flash Player were vulnerable. I went to the MacromediaFlash website and downloaded the most current version - well, I thought I downloaded. During the process, I got the yellow shield at the top (regarding ActiveX Controls) and clicked on it and selected the option to allow the download. At the Macromedia Flash site, it indicated that the download was successful. I went back to Secunia and did another check. The vulnerable Java programs were gone, but the MacromediaFlash programs were still the older vulnerable ones - it appears that the new version was not installed (I tried doing the installation again and another Secunia online check - same result). Any suggestions about how to deal with this? I'm attaching a notepad doc showing the programs Secunia says are vulnerable.


----------



## cybertech (Apr 16, 2002)

Mine said the same thing so I looked in the folder C:\WINDOWS\SYSTEM32\Macromed\Flash and ran FlashUtil9c.exe

Now mine checks out ok. You may want to try that.


----------



## tja (Sep 18, 2006)

I tried that . . . same problem. I ended up uninstalling Macromedia Flash and reinstalling from the website (same for Musicmatch). Secunia still showed vulnerabilities related to old Macromedia files. So, I manually went into each location detected by Secunia and deleted only the specific files indicated as a problem. Did another Secunia check - now it says everything is OK. Hope I didn't delete something that was necessary - computer is working fine. Thanks for your help.


----------



## cybertech (Apr 16, 2002)

Good to hear! :up:


----------

