[bjgran123]

Hi,
I spent hours yesterday trying to save and post a topic that included the txt file for diagnosis by Geeks to Go. When I would try, it would either reboot my computer or leave the site.
Note sure what to do now.
Symptoms are that after I downloaded a Kindle book to this computer two days ago, I began to receive pop up ads ( mostly for 'repair' and diagnosis, such as 'Spark Trust Clean' and others. I also cannot access Google Chrome. It redirects to ASK.com, my search dial search, search conduit and a message that tells me to update my windows drivers. Computer running very, very slow.
Please HELP!!!
I am a non-technical person who is also a writer and I have deadlines to meet. If you can help me today, I'd be very appreciative.
Thanks in advance...
Beverly G.

[Advertisements]

Hi could you try to attach the log, if not then do the following

• Download RogueKiller and save it on your desktop.
  
  NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on the ShortcutsFix
  
• The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

[Essexboy]

Hi could you try to attach the log, if not then do the following

• Download RogueKiller and save it on your desktop.
  
  NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on the ShortcutsFix
  
• The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

[bjgran123]

 RKreport0_SC_02272014_144421.txt   1.64KB   200 downloads
 RKreport0_S_02272014_144001.txt   6.12KB   230 downloads
 RKreport0_D_02272014_144103.txt   6.2KB   211 downloads

Essexboy:
Hope this helps...I really appreciate your fast reply.
Let me know what else I can do.
Beverly G.

[bjgran123]

Essexboy...
Hope I replied to you...LOL
Let me know if you got my files from RogueKiller.
Thanks SO much,
Beverly

[Essexboy]

Yes they were good

This looks like a bad infection so I will go in with the big boy first and then clear the remants after

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  [img width=426 height=293]http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png[/img]
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[bjgran123]

Essexboy:
This is SO frustrating.
I did what you said and began the Combofix (also disabled malware and windows defender). .. went along fine until Stage 48, then I got a message, "SNAP" -- data not received....then,couldn't do anything but reboot.
Thanks for your continued help. NOW, what do I do???
Thanks so much,
Beverly G.

[Essexboy]

There is a solution

Download the following three programmes to your desktop preferably using a clean computer :


1. Rufus

For 64bit systems
2. Windows 7 64bit RC
3. Farbar Recovery Scan Tool x64


Insert the USB stick Then run Rufus

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

Then copy FRST to the same USB





Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here


When you reboot you will see this although yours will say windows 7.
Click repair my computer


Select your operating system


Select Command prompt


At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[bjgran123]

Hi, again, Essexboy:
I will have to go out in the morning (am in Texas) to get a USB stick.
I REALLY thank you and will be in touch tomorrow morning when I try to fix this problem according to your instructions.
Thanks again. I'll be in touch,
Beverly

[Essexboy]

OK I will be here

[bjgran123]

Hi, Essexboy:
Got the USB stick....downloaded rufus...onto an Acer computer that I hate.
Can't see an ISO icon....confused.
what do I do next?
I appreciate you sticking with me. Very computer challenged except for writing. LOL
Thanks,
Beverly G.

[Essexboy]

OK go to this link and you will see several files https://onedrive.liv...6F4048075B!2713

Click this file


And it will download to the desktop ... This is the ISO file to select with Rufus

Insert the USB stick Then run Rufus

Select the ISO file on the desktop via the ISO icon. Which is the small disc image highlighted in blue

Once that has completed then download and copy FRST64 to the USB from this link http://www.bleepingc...very-scan-tool/

[bjgran123]

Hi Essexboy!

My name is Tiffany Beverly's daughter. Mom's in a straight jacket LOL so I took over. She couldn't get the USB thing to work so I came over and went back to the beginning of this thread to redo the steps.

I ran ComboFix (and went through the steps before I saw the note about not running it again but it never completed for her the first time). I got it to work all the way through and I will attach the log here.

Her Googe Chrome comes up much faster but the Chrome still opens up 4 tabs for search and ask.com looks like an Ask toolbar is installed in her Chrome.

She's still getting a popup (see attached screenshot) that looks like something unsafe to me. We're not touching it.

I have to go home now so I'll unbuckle her straight jacket and let her take over. LOL!

Tiff
P.S. Thanks for your help!

Attached Thumbnails

• 

Attached Files

•  log.txt   39.61KB   199 downloads

[Essexboy]

Good job so far but still shedloads to get

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\sasnative64.exe
c:\users\Beverly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
c:\windows\Tasks\APSnotifierPP1.job
c:\windows\Tasks\APSnotifierPP2.job
c:\windows\Tasks\APSnotifierPP3.job
c:\windows\Tasks\RegClean Pro_DEFAULT.job
c:\windows\Tasks\RegClean Pro_UPDATES.job
c:\windows\Tasks\RegCure Pro.job
c:\windows\Tasks\SparkTrust PC Cleaner Plus_sch_F8C6CFF3-9F3A-11E3-9F14-506313C5C23A.job
c:\windows\Tasks\SparkTrust Registration3.job
c:\windows\Tasks\SparkTrust Update Version3 Startup Task.job
c:\windows\Tasks\SparkTrust Update Version3.job
c:\windows\Tasks\SystemToolsDailyTest.job
c:\windows\Tasks\Video-Saver Update.job
c:\windows\Tasks\Video-Saver_wd.job

Folder::
c:\program files\SavingsbullFilter
c:\users\Beverly\AppData\Roaming\SparkTrust
c:\program files (x86)\Common Files\SparkTrust
c:\programdata\SparkTrust
c:\program files (x86)\SparkTrust
c:\program files (x86)\Video-Saver-soft
c:\program files (x86)\FindRight
c:\users\Beverly\AppData\Roaming\mysearchdial
c:\program files (x86)\Mysearchdial
c:\program files (x86)\AnyProtectEx
c:\programdata\Systweak
c:\program files (x86)\Advanced System Protector
c:\users\Beverly\AppData\Roaming\VOPackage
c:\users\Beverly\AppData\Roaming\Systweak
c:\program files (x86)\Optimizer Pro
c:\users\Beverly\AppData\Local\SearchProtect
c:\programdata\BrowserProtect
c:\programdata\Browser Manager
c:\programdata\BitGuard
c:\programdata\Wincert
c:\users\Beverly\AppData\Local\ilividmoviestoolbar181
c:\program files (x86)\Movies Toolbar
c:\program files (x86)\MyPC Backup
c:\program files (x86)\FindRight
c:\program files (x86)\AnyProtectEx
c:\program files (x86)\ParetoLogic
c:\program files (x86)\Common Files\SparkTrust
c:\program files\PC-Doctor
c:\program files (x86)\Video-Saver-soft

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
"{0134af61-7a0c-4649-aeca-90d776060cb3}"=-
"{94625830-343a-4df0-88c1-444d195064d0}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0134af61-7a0c-4649-aeca-90d776060cb3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{2c774641-5504-46a8-b63f-6715ae3fe376}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{94625830-343a-4df0-88c1-444d195064d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{0134af61-7a0c-4649-aeca-90d776060cb3}"=-
"{94625830-343a-4df0-88c1-444d195064d0}"=-
"{3004627E-F8E9-4E8B-909D-316753CBA923}"=-
[-HKEY_CLASSES_ROOT\clsid\{3004627e-f8e9-4e8b-909d-316753cba923}]
[-HKEY_CLASSES_ROOT\mysearchdial.mysearchdialdskBnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_CLASSES_ROOT\mysearchdial.mysearchdialdskBnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="-
"BrowserSafeguard"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{184E4FA0-DE8C26D4-06000000}_0]

Driver::
BackupStack
Update FindRight
Util FindRight

DDS::
uStart Page = hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:13828

Firefox::
FF - ProfilePath - c:\users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3315827&CUI=UN42230060398211103&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Mysearchdial
FF - prefs.js: browser.startup.homepage - hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - prefs.js: keyword.URL -
FF - user.js: extensions.BabylonToolbar_i.id - c237f4070000000000000026c70f3770
FF - user.js: extensions.BabylonToolbar_i.hardId - c237f4070000000000000026c70f3770
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15501
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1711:04
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=060612_8_
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extensions.mysearchdial.hmpg - true
FF - user.js: extensions.mysearchdial.hmpgUrl - hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - user.js: extensions.mysearchdial.dfltSrch - true
FF - user.js: extensions.mysearchdial.srchPrvdr - Mysearchdial
FF - user.js: extensions.mysearchdial.dnsErr - true
FF - user.js: extensions.mysearchdial_i.newTab - false
FF - user.js: extensions.mysearchdial.newTabUrl - hxxp://start.mysearchdial.com/?f=2&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - user.js: extensions.mysearchdial.tlbrSrchUrl - hxxp://start.mysearchdial.com/?f=3&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=&q=
FF - user.js: extensions.mysearchdial.id - 506313C5C23AF407
FF - user.js: extensions.mysearchdial.instlDay - 16127
FF - user.js: extensions.mysearchdial.vrsn - 1.8.21.0
FF - user.js: extensions.mysearchdial.vrsni - 1.8.21.0
FF - user.js: extensions.mysearchdial_i.vrsnTs - 1.8.21.016:51
FF - user.js: extensions.mysearchdial.prtnrId - mysearchdial
FF - user.js: extensions.mysearchdial.prdct - mysearchdial
FF - user.js: extensions.mysearchdial.aflt - irmsd0202ch
FF - user.js: extensions.mysearchdial_i.smplGrp - none
FF - user.js: extensions.mysearchdial.tlbrId - base
FF - user.js: extensions.mysearchdial.instlRef -
FF - user.js: extensions.mysearchdial.dfltLng -
FF - user.js: extensions.mysearchdial.appId - {CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
FF - user.js: extensions.mysearchdial.excTlbr - false
FF - user.js: extensions.mysearchdial_i.hmpg - true
FF - user.js: extensions.mysearchdial.cr - 841362185
FF - user.js: extensions.mysearchdial.cd - 2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R
FF - user.js: extensions.mysearchdial.AL - 2
FF - user.js: extensions.irmysearch.aflt - irmsd0202ch
FF - user.js: extensions.irmysearch.instlRef -
FF - user.js: extensions.irmysearch.cr - 841362185
FF - user.js: extensions.irmysearch.cd - 2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R

Or if you wish you can download this pre-configured script file

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

[bjgran123]

here's the log, going to do ad cleaner now.
Thanks,
Beverly

[bjgran123]

Here are the two log files...
Beverly

Attached Files

•  AdwCleanerS0.txt   25.42KB   198 downloads
•  combolog.txt   495.01KB   354 downloads