Virus attack! Can't access Google chrome, pop up ads, etc. [So


#1
bjgran123
Member, 36 posts
Hi,
I spent hours yesterday trying to save and post a topic that included the txt file for diagnosis by Geeks to Go. When I would try, it would either reboot my computer or leave the site.
Not sure what to do now.
Symptoms are that after I downloaded a Kindle book to this computer two days ago, I began to receive pop up ads (mostly for 'repair' and diagnosis, such as 'Spark Trust Clean' and others). I also cannot access Google Chrome. It redirects to ASK.com, my search dial search, search conduit and a message that tells me to update my Windows drivers. Computer running very, very slow.
Please HELP!!!
I am a non-technical person who is also a writer and I have deadlines to meet. If you can help me today, I'd be very appreciative.
Thanks in advance...
Beverly G.

#2
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
Hi, could you try to attach the log? If not, then do the following:

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix.
  • The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

#3
bjgran123
Topic Starter, Member, 36 posts
Attached File: RKreport0_SC_02272014_144421.txt (1.64KB)
Attached File: RKreport0_S_02272014_144001.txt (6.12KB)
Attached File: RKreport0_D_02272014_144103.txt (6.2KB)

Essexboy:
Hope this helps...I really appreciate your fast reply.
Let me know what else I can do.
Beverly G.

#4
bjgran123
Topic Starter, Member, 36 posts
Essexboy...
Hope I replied to you...LOL
Let me know if you got my files from RogueKiller.
Thanks SO much,
Beverly

#5
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
Yes they were good

This looks like a bad infection so I will go in with the big boy first and then clear the remnants after.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

#6
bjgran123
Topic Starter, Member, 36 posts
Essexboy:
This is SO frustrating.
I did what you said and began the ComboFix (also disabled malware and Windows Defender)... it went along fine until Stage 48, then I got a message, "SNAP" -- data not received... then I couldn't do anything but reboot.
Thanks for your continued help. NOW, what do I do???
Thanks so much,
Beverly G.

#7
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
There is a solution :)

Download the following three programmes to your desktop preferably using a clean computer :


1. Rufus

For 64bit systems
2. Windows 7 64bit RC
3. Farbar Recovery Scan Tool x64


Insert the USB stick, then run Rufus.
Select the ISO file on the desktop via the ISO icon.

Press Start Burn.
Then copy FRST to the same USB.

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this, although yours will say Windows 7.
Click Repair my computer.

Select your operating system.

Select Command prompt.

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, then close the notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#8
bjgran123
Topic Starter, Member, 36 posts
Hi, again, Essexboy:
I will have to go out in the morning (am in Texas) to get a USB stick.
I REALLY thank you and will be in touch tomorrow morning when I try to fix this problem according to your instructions.
Thanks again. I'll be in touch,
Beverly

#9
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
OK I will be here :)

#10
bjgran123
Topic Starter, Member, 36 posts
Hi, Essexboy:
Got the USB stick....downloaded Rufus...onto an Acer computer that I hate.
Can't see an ISO icon....confused.
what do I do next?
I appreciate you sticking with me. Very computer challenged except for writing. LOL
Thanks,
Beverly G.

#11
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
OK go to this link and you will see several files https://onedrive.liv...6F4048075B!2713

Click this file


And it will download to the desktop ... This is the ISO file to select with Rufus

Insert the USB stick, then run Rufus.
Select the ISO file on the desktop via the ISO icon, which is the small disc image highlighted in blue.

Once that has completed then download and copy FRST64 to the USB from this link http://www.bleepingc...very-scan-tool/

#12
bjgran123
Topic Starter, Member, 36 posts
Hi Essexboy!

My name is Tiffany, Beverly's daughter. Mom's in a straitjacket LOL so I took over. She couldn't get the USB thing to work so I came over and went back to the beginning of this thread to redo the steps.

I ran ComboFix (and went through the steps before I saw the note about not running it again, but it never completed for her the first time). I got it to work all the way through and I will attach the log here.

Her Google Chrome comes up much faster but Chrome still opens up 4 tabs for search and ask.com; looks like an Ask toolbar is installed in her Chrome.

She's still getting a popup (see attached screenshot) that looks like something unsafe to me. We're not touching it.

I have to go home now so I'll unbuckle her straitjacket and let her take over. LOL!

Tiff :)
P.S. Thanks for your help!

Attached Thumbnails
  • popup.png

Attached Files
  • log.txt (39.61KB)


#13
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
:rofl: Good job so far but still shedloads to get :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\sasnative64.exe
c:\users\Beverly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
c:\windows\Tasks\APSnotifierPP1.job
c:\windows\Tasks\APSnotifierPP2.job
c:\windows\Tasks\APSnotifierPP3.job
c:\windows\Tasks\RegClean Pro_DEFAULT.job
c:\windows\Tasks\RegClean Pro_UPDATES.job
c:\windows\Tasks\RegCure Pro.job
c:\windows\Tasks\SparkTrust PC Cleaner Plus_sch_F8C6CFF3-9F3A-11E3-9F14-506313C5C23A.job
c:\windows\Tasks\SparkTrust Registration3.job
c:\windows\Tasks\SparkTrust Update Version3 Startup Task.job
c:\windows\Tasks\SparkTrust Update Version3.job
c:\windows\Tasks\SystemToolsDailyTest.job
c:\windows\Tasks\Video-Saver Update.job
c:\windows\Tasks\Video-Saver_wd.job

Folder::
c:\program files\SavingsbullFilter
c:\users\Beverly\AppData\Roaming\SparkTrust
c:\program files (x86)\Common Files\SparkTrust
c:\programdata\SparkTrust
c:\program files (x86)\SparkTrust
c:\program files (x86)\Video-Saver-soft
c:\program files (x86)\FindRight
c:\users\Beverly\AppData\Roaming\mysearchdial
c:\program files (x86)\Mysearchdial
c:\program files (x86)\AnyProtectEx
c:\programdata\Systweak
c:\program files (x86)\Advanced System Protector
c:\users\Beverly\AppData\Roaming\VOPackage
c:\users\Beverly\AppData\Roaming\Systweak
c:\program files (x86)\Optimizer Pro
c:\users\Beverly\AppData\Local\SearchProtect
c:\programdata\BrowserProtect
c:\programdata\Browser Manager
c:\programdata\BitGuard
c:\programdata\Wincert
c:\users\Beverly\AppData\Local\ilividmoviestoolbar181
c:\program files (x86)\Movies Toolbar
c:\program files (x86)\MyPC Backup
c:\program files (x86)\FindRight
c:\program files (x86)\AnyProtectEx
c:\program files (x86)\ParetoLogic
c:\program files (x86)\Common Files\SparkTrust
c:\program files\PC-Doctor
c:\program files (x86)\Video-Saver-soft

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
"{0134af61-7a0c-4649-aeca-90d776060cb3}"=-
"{94625830-343a-4df0-88c1-444d195064d0}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0134af61-7a0c-4649-aeca-90d776060cb3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{2c774641-5504-46a8-b63f-6715ae3fe376}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{94625830-343a-4df0-88c1-444d195064d0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{0134af61-7a0c-4649-aeca-90d776060cb3}"=-
"{94625830-343a-4df0-88c1-444d195064d0}"=-
"{3004627E-F8E9-4E8B-909D-316753CBA923}"=-
[-HKEY_CLASSES_ROOT\clsid\{3004627e-f8e9-4e8b-909d-316753cba923}]
[-HKEY_CLASSES_ROOT\mysearchdial.mysearchdialdskBnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_CLASSES_ROOT\mysearchdial.mysearchdialdskBnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-
"BrowserSafeguard"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{184E4FA0-DE8C26D4-06000000}_0]

Driver::
BackupStack
Update FindRight
Util FindRight

DDS::
uStart Page = hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:13828

Firefox::
FF - ProfilePath - c:\users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3315827&CUI=UN42230060398211103&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Mysearchdial
FF - prefs.js: browser.startup.homepage - hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - prefs.js: keyword.URL -
FF - user.js: extensions.BabylonToolbar_i.id - c237f4070000000000000026c70f3770
FF - user.js: extensions.BabylonToolbar_i.hardId - c237f4070000000000000026c70f3770
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15501
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1711:04
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=060612_8_
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extensions.mysearchdial.hmpg - true
FF - user.js: extensions.mysearchdial.hmpgUrl - hxxp://start.mysearchdial.com/?f=1&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - user.js: extensions.mysearchdial.dfltSrch - true
FF - user.js: extensions.mysearchdial.srchPrvdr - Mysearchdial
FF - user.js: extensions.mysearchdial.dnsErr - true
FF - user.js: extensions.mysearchdial_i.newTab - false
FF - user.js: extensions.mysearchdial.newTabUrl - hxxp://start.mysearchdial.com/?f=2&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=
FF - user.js: extensions.mysearchdial.tlbrSrchUrl - hxxp://start.mysearchdial.com/?f=3&a=irmsd0202ch&cd=2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=841362185&ir=&q=
FF - user.js: extensions.mysearchdial.id - 506313C5C23AF407
FF - user.js: extensions.mysearchdial.instlDay - 16127
FF - user.js: extensions.mysearchdial.vrsn - 1.8.21.0
FF - user.js: extensions.mysearchdial.vrsni - 1.8.21.0
FF - user.js: extensions.mysearchdial_i.vrsnTs - 1.8.21.016:51
FF - user.js: extensions.mysearchdial.prtnrId - mysearchdial
FF - user.js: extensions.mysearchdial.prdct - mysearchdial
FF - user.js: extensions.mysearchdial.aflt - irmsd0202ch
FF - user.js: extensions.mysearchdial_i.smplGrp - none
FF - user.js: extensions.mysearchdial.tlbrId - base
FF - user.js: extensions.mysearchdial.instlRef -
FF - user.js: extensions.mysearchdial.dfltLng -
FF - user.js: extensions.mysearchdial.appId - {CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
FF - user.js: extensions.mysearchdial.excTlbr - false
FF - user.js: extensions.mysearchdial_i.hmpg - true
FF - user.js: extensions.mysearchdial.cr - 841362185
FF - user.js: extensions.mysearchdial.cd - 2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R
FF - user.js: extensions.mysearchdial.AL - 2
FF - user.js: extensions.irmysearch.aflt - irmsd0202ch
FF - user.js: extensions.irmysearch.instlRef -
FF - user.js: extensions.irmysearch.cr - 841362185
FF - user.js: extensions.irmysearch.cd - 2XzuyEtN2Y1L1QzuyDtDyCtAtCtA0CyD0CtBtA0A0FyEtDyBtN0D0Tzu0CyBzzzztN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R



Or if you wish you can download this pre-configured script file

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

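A small parser for the CFScript format used in the post above, as an added example (not code from the thread or from ComboFix): it reads the section blocks, distinguishes `[-KEY]` key deletions from `"name"=-` value deletions in Registry::, and flags a loopback ProxyServer entry in DDS::, a common adware pattern that routes browser traffic through a local proxy. The section names and syntax are taken from the script above; SAMPLE_SCRIPT is a constructed excerpt of it.

```python
# Parser for the ComboFix CFScript format used in the post above: an added example,
# not code from the thread or from ComboFix. Section names and the Registry::
# syntax follow the script above; SAMPLE_SCRIPT is a constructed excerpt of it.
import re
from collections import defaultdict

SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\sasnative64.exe
c:\windows\Tasks\SparkTrust Registration3.job

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0134af61-7a0c-4649-aeca-90d776060cb3}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0134af61-7a0c-4649-aeca-90d776060cb3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BrowserSafeguard"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:13828
"""

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")       # [-KEY] deletes the key; [KEY] just opens it
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')  # "name"=- deletes one value under the open key

def parse_cfscript(text):
    """Return {section: [entries]}; Registry:: entries are (action, key, value) tuples."""
    sections, current, key = defaultdict(list), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current, key = m.group(1), None
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif current != "Registry":
            sections[current].append(line)
        elif m := KEY_RE.match(line):
            key = m.group(2)
            if m.group(1):
                sections[current].append(("delete_key", key, None))
        elif (m := VALUE_DEL_RE.match(line)) and key:
            sections[current].append(("delete_value", key, m.group(1)))
        else:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return dict(sections)

def summarize(parsed):
    """Count entries per section and flag a loopback ProxyServer in DDS:: (local ad-proxy sign)."""
    summary = {sec: len(entries) for sec, entries in parsed.items()}
    summary["loopback_proxy"] = any(
        "ProxyServer" in e and "127.0.0.1" in e for e in parsed.get("DDS", []))
    return summary
```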

#14
bjgran123
Topic Starter, Member, 36 posts
here's the log, going to do ad cleaner now.
Thanks,
Beverly

#15
bjgran123
Topic Starter, Member, 36 posts
Here are the two log files...
Beverly

