Could you attach the ComboFix log, please? As the popups are intermittent, it may be poisoned ads on the site.
The combofix log is attached to reply #7.
Ah, my apologies, I thought you meant you had run it on your wife’s system. Could you run FRST on hers, please?
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.
Will run FRST on the wife’s system.
In the meantime, today’s trip to reuters.com tripped the trigger again. Screenshot attached.
If it is a bad ad, why the devil isn’t Avast! stopping the redirect??
Hmm, intriguing, as I have just gone to Reuters and received no popup. That popup is fake, as you have said.
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
TFC run and rebooted.
The popup has always been intermittent. I’m going to take a stab and say it occurs on average every three days, and seems oddly regular.
I’ll keep an eye on it and record when (if) it pops up again.
The wife will run FRST and join the fun tomorrow.
Thanks again.
OK, ready and waiting.
Hello. Please find the two log files attached to this reply.
I will use two adware cleaners on this one, as they target slightly different areas.
I have noticed that Trend does sometimes cause a slowdown in the system when Rapport is also installed.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
AppInit_DLLs-x32: acaptuser32.dll => "acaptuser32.dll" File Not Found
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=165&itype=a&ver=12692&tm=356&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=165&itype=a&ver=12692&tm=356&src=ds&p={searchTerms}
SearchScopes: HKCU - {69B4CA8F-8945-4CE9-93F3-80D82AB576F9} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=165&itype=a&ver=12692&tm=356&src=ds&p={searchTerms}
SearchScopes: HKCU - {B352733F-CF53-4E72-81C2-0AB41F9F2CC3} URL = http://www.ted.com/search?q={searchTerms}
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Task: {5AB51838-9422-445E-A6E9-132D7E551CFF} - \ProgramUpdateCheck No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
FINALLY
Please download Junkware Removal Tool to your desktop.
[*]Right-mouse click JRT.exe and select “Run as Administrator”. The tool will open and start scanning your system.
[*]Please be patient, as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.
I have saved the fixlist.txt and tried to run FRST64.exe. Received the attached error message. So I exited Trend Micro AND Windows security system and ran again. Same error message.
So I re-downloaded FRST and ran again. Same message.
What to do now?
Found that I had Trusteer open as well. Shut that down and ran again. Same error.
Do I need to restart to make sure Trusteer is shut off?
Hmm, weird. Could you continue with AdwCleaner and JRT, please? I will investigate this.
Another occurrence. Three days between.
OK, let’s remove the Flash Player update task in case it has been corrupted.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
Task: {23F55997-414C-4CCF-A794-4CFBF328188A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-11] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
OK back to wife’s computer.
Here is the log file from AdwCleaner.
On to JRT.
That took out nearly all of the FRST fix that did not work.
AND here is the log file from JRT.
AND IE works!!! A thing of beauty.
Just like magic.
Thank you!!!
Any further problems on this computer?
Ok, done with the latest fix. Unless I see anything new, I probably won’t know 'til Friday if it’s going to hit again. And I believe I saw something about you going on holiday at that point?
Yes, I will be on holiday then. As it is only on one site and at random times, I would suspect that the site is at fault and not your computer.