Hello,

My partner has an issue with her PC. This morning, she installed a version of Java which I think may be fake. Going through her Chrome downloads, I see a Java exe from this morning from filesystem http://www.sbxshclsm.com/temporary/Java.exe. Popups were appearing on YouTube and other sites and a black box appeared once on the desktop once when the PC booted (possible command prompt but unable to verify). The popups have now stopped however. Attached below are logs but Malwarebytes crashed just before generating the log. It moved over 1000 files to quarantine though. I can re-run it if the log is needed. OTL did not generate an Extras.txt either.

Many thanks

Can you run a Malwarebytes Scan (Instructions:http://forum.avast.com/index.php?topic=53253.0) and attach that log here?

The URL is dead now. So most likely a fake.

Yes I’ll run another scan and post the results, hope it doesn’t crash again. She performed a couple of system restores but they failed.

If it crash, you may try to run it from safe mode

Hi there, lets clear this rubbish away for you

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2014/04/08 14:06:38 | 002,470,688 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe -- (CltMngSvc)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=coolmsd&cd=2XzuyEtN2Y1L1QzutC0CyByDtDzztCyB0A0AtDyDyD0AtAzztN0D0Tzu0CyDtBtBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q&cr=881727014&ir=
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=coolmsd&cd=2XzuyEtN2Y1L1QzutC0CyByDtDzztCyB0A0AtDyDyD0AtAzztN0D0Tzu0CyDtBtBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q&cr=881727014&ir=
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3321738&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=5&UP=SP0437EDF7-3D2C-494C-B080-062BF285219B&SSPV=
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\..\SearchScopes,DefaultScope = {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3321738&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP0437EDF7-3D2C-494C-B080-062BF285219B&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\..\SearchScopes\{64663822-0812-D927-4BC3-733CA9C0BB7C}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3321738&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP0437EDF7-3D2C-494C-B080-062BF285219B&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-1886468635-2509764292-3672012906-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=coolmsd&cd=2XzuyEtN2Y1L1QzutC0CyByDtDzztCyB0A0AtDyDyD0AtAzztN0D0Tzu0CyDtBtBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1R1F1F1I1H1B1Q&cr=881727014&ir=
[2013/06/05 20:23:17 | 000,000,000 | ---D | M] ("MySearchDial" />;) -- C:\Users\Franchesca\AppData\Roaming\Mozilla\Firefox\Profiles\[ofr2][opt]rs0\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}
[2013/06/05 20:23:17 | 000,000,000 | ---D | M] ("MySearchDial" />;) -- C:\Users\Franchesca\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (Conduit)
O20 - AppInit_DLLs: (C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (Conduit)
[2014/04/21 10:40:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ScanTack
[2014/04/21 10:40:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\predm
[2014/04/21 10:31:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LPT
[2014/04/21 10:27:43 | 000,000,000 | ---D | C] -- C:\Users\Franchesca\AppData\Local\LPT
[2014/04/21 10:27:41 | 000,000,000 | ---D | C] -- C:\Users\Franchesca\AppData\Local\Smartbar
[2014/04/21 10:25:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MediaPlayerplus
[2014/04/21 10:25:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Freeven pro 1.2
[2014/04/15 21:18:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/04/10 20:26:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Karmian
[2014/04/10 20:26:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Karmian
[2014/04/21 17:43:28 | 007,585,792 | ---- | M] () -- C:\Users\Franchesca\AppData\Local\ChromeHitoryDB
[2013/06/05 20:23:18 | 000,423,709 | ---- | C] () -- C:\Users\Franchesca\AppData\Local\mysearchdial_speedial_v9.0.2.crx
[2013/06/05 20:21:02 | 000,000,000 | ---D | M] -- C:\Users\Franchesca\AppData\Roaming\DSite
[2013/06/05 20:23:19 | 000,000,000 | ---D | M] -- C:\Users\Franchesca\AppData\Roaming\mysearchdial
[2013/06/05 20:21:03 | 000,000,302 | ---- | C] () -- C:\Windows\Tasks\DSite.job

:Files
C:\Program Files (x86)\SearchProtect
C:\Program Files (x86)\Java Update
C:\Users\Franchesca\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmgpbjjcdccinnndjdgmegndbmhbgglb
C:\Users\Franchesca\AppData\Local\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff
C:\Users\Franchesca\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmgpbjjcdccinnndjdgmegndbmhbgglb
C:\Users\Franchesca\AppData\Local\Google\Chrome\User Data\Default\Extensions\majjphhgppkndjjkmhhnbgafooenebhd

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks I’ll do that now. Here’s the other log.

A really big amount of PUP.

I can recommend Unchecky: unchecky.com

Please install this after the system is cleaned if you wish.

Thanks so much. How are you guys so good at this?! Here are the other two logs. I’m going to grab a copy of unchecky for myself too, looks excellent. Anything else to do?

Anything else to do?

Thanks I’ll look into that.

Looking good, how is the computer behaving now ?