Fake adobe updates, no issue detected by malwarebytes.

[DisciPie]

Hello, new here so I hope I'm doing this right. For the past few weeks I've had this issue while using Google Chrome, (I don't use other browsers.) Regardless of what site I'm currently on, several times a day I will be redirected to a site that looks like the image I'll attach. The site's name changes every time but the page always looks like below. It will display a pop up and then immediately start downloading a file named "setup.exe" I've run malwarebytes with scan for rootkits checked, (I read to try this on another thread,) and it displays my machine as clean. I will also attach my FRST files as recommended in the thread giving advice before posting.

Malwarebytes scan http://gyazo.com/24eff4bd64565832b9ef08e64571822f

 

[TwinHeadedEagle]

Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.
  
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;
  autoclean;
  emptyalltemp;
  ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

[DisciPie]

Zoek.exe v5.0.0.0 Updated 20-December-2014
Tool run by Josiah on Sat 12/20/2014 at 5:30:02.53.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Josiah\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

12/20/2014 5:33:16 AM Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Adblocker deleted successfully
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\Bethesda Softworks deleted successfully
C:\PROGRA~2\Malwarebytes' Anti-Malware deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\Origin Games deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\Telestream deleted successfully
C:\PROGRA~3\Trusted Publisher deleted successfully
C:\Users\Josiah\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Josiah\AppData\Roaming\Publish Providers deleted successfully
C:\Users\Josiah\AppData\Roaming\TP deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1814413989-3838121923-1208062030-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9e8eb35-ff77-455d-b677-91e5e4fc06c2} deleted successfully
HKEY_USERS\S-1-5-21-1814413989-3838121923-1208062030-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{e9e8eb35-ff77-455d-b677-91e5e4fc06c2} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{e9e8eb35-ff77-455d-b677-91e5e4fc06c2} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\Josiah\AppData\Roaming\Mozilla\Firefox\Profiles\9ezrh32r.default

---- Lines easylife removed from prefs.js ----
user_pref("extensions.SpZPbUF6S4afeQ43.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||
user_pref("extensions.VJTEzJPzcw19Nzms.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||
---- Lines extensions.B5q1SmaxSljPyBaq removed from prefs.js ----
user_pref("extensions.B5q1SmaxSljPyBaq.epoch", "1");
user_pref("extensions.B5q1SmaxSljPyBaq.scode", "void(0);");
user_pref("extensions.B5q1SmaxSljPyBaq.url", "http://newtonial.in/sync/?q=C6qUojY...MAyVUojw8rdn7rHC6qTa7pdsGqHw7qHCFtNtVh7n0rjnF
---- Lines extensions.E6ek removed from prefs.js ----
user_pref("extensions.E6ek.epoch", "1412730328");
user_pref("extensions.E6ek.url", "http://toolkitfree.us/sync2/?q=hfZ9...heDUojw9rdYGqTaEqjwEqGhIC7n0rjnFrda6rdwEpdnEt
---- Lines extensions.SpZPbUF6S4afeQ43 removed from prefs.js ----
user_pref("extensions.SpZPbUF6S4afeQ43.epoch", "1412730327");
user_pref("extensions.SpZPbUF6S4afeQ43.url", "http://veterant.info/sync2/?q=hfZ9o...NmGWj8lkGhGheDUojw9rjaEqHaEqjg9qGhIC7n0rjnFrd
---- Lines extensions.VJTEzJPzcw19Nzms removed from prefs.js ----
user_pref("extensions.VJTEzJPzcw19Nzms.epoch", "1412730328");
user_pref("extensions.VJTEzJPzcw19Nzms.url", "http://veterances.info/sync2/?q=hfZ...8BNmGWj8lkGhGheDUojw9rjaEqHaErdC9rShIC7n0rjnF
---- Lines extensions.W167Twj removed from prefs.js ----
user_pref("extensions.W167Twj.epoch", "1412730327");
user_pref("extensions.W167Twj.url", "http://veterances.com/sync2/?q=hfZ9...NtVh7n0rjnEpdw4rjCHqjrHtMFHhd9FqdwErdCErja5qd
---- Lines extensions.iTWNpoRpV removed from prefs.js ----
user_pref("extensions.iTWNpoRpV.epoch", "1412730328");
user_pref("extensions.iTWNpoRpV.url", "http://jpi-syncer.info/sync2/?q=hfZ...8lkGhGheDUojw9rdYFpjw6rHkFqGhIC7n0rjnFrda6rdw
---- FireFox user.js and prefs.js backups ----

user_20141220_0606_.backup
prefs_20141220_0606_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\Josiah\AppData\Roaming\ProtectDISC deleted
C:\ProgramData\EnjeoyCCouopon deleted
C:\ProgramData\FunDealss deleted
C:\ProgramData\NewSSaver deleted
C:\Users\Josiah\AppData\LocalLow\{AFAA812D-59BF-F66A-58E4-CB6B0DACD9B0} deleted
C:\Users\Josiah\AppData\LocalLow\{F308B536-4389-52E7-3B85-F8C4E330B505} deleted
C:\Users\Josiah\AppData\Local\Packages\windows_ie_ac_001\AC\{AFAA812D-59BF-F66A-58E4-CB6B0DACD9B0} deleted
C:\Users\Josiah\AppData\Local\Packages\windows_ie_ac_001\AC\{F308B536-4389-52E7-3B85-F8C4E330B505} deleted
C:\PROGRA~3\272f24668dac0699 deleted
C:\PROGRA~3\prIIcecchoPP deleted
C:\PROGRA~2\prIIcecchoPP deleted
C:\PROGRA~2\ProtectDisc Driver Installer deleted
C:\Users\Josiah\AppData\Roaming\appdataFr2.bin deleted
C:\Users\Josiah\AppData\Roaming\MAGIX deleted
C:\PROGRA~3\HirezPipeError.txt deleted
C:\PROGRA~3\NuewSuAver deleted
C:\PROGRA~3\MAGIX deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Josiah\AppData\LocalLow\{69C5679C-0A61-AB45-0E1F-34582F720632} deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\shoCF31.tmp deleted
C:\Windows\SysWow64\AI_RecycleBin deleted
C:\Users\Josiah\AppData\Roaming\Mozilla\Firefox\Profiles\9ezrh32r.default\extensions\staged deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"ytfmdownloader@gmail.com"="C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ytfmdownloader@gmail.com" [02/10/2013 07:47 PM]

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Josiah\AppData\Roaming\Mozilla\Firefox\Profiles\9ezrh32r.default
3CD19649B2C3023D65E67C056457A2BC - C:\Users\Josiah\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll - Facebook Video Calling Plugin


==== Fake Chromium Profiles Check ======================

Fake profile C:\Users\Administrator\AppData\Local\Torch deleted
Fake profile C:\Users\Administrator\AppData\Local\Google\Chrome deleted
Fake profile C:\Users\Administrator\AppData\Local\Google\Chrome SxS deleted
Fake profile C:\Users\Administrator\AppData\Local\Comodo\Dragon deleted
Fake profile C:\Users\Administrator\AppData\Local\Chromatic Browser deleted
Fake profile C:\Users\Guest\AppData\Local\Torch deleted
Fake profile C:\Users\Guest\AppData\Local\Google\Chrome deleted
Fake profile C:\Users\Guest\AppData\Local\Google\Chrome SxS deleted
Fake profile C:\Users\Guest\AppData\Local\Comodo\Dragon deleted
Fake profile C:\Users\Guest\AppData\Local\Chromatic Browser deleted
Fake profile C:\Users\HomeGroupUser$\AppData\Local\Torch deleted
Fake profile C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome deleted
Fake profile C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome SxS deleted
Fake profile C:\Users\HomeGroupUser$\AppData\Local\Comodo\Dragon deleted
Fake profile C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser deleted
Fake profile C:\Users\Josiah\AppData\Local\Torch deleted
Fake profile C:\Users\Josiah\AppData\Local\Google\Chrome SxS deleted
Fake profile C:\Users\Josiah\AppData\Local\Comodo\Dragon deleted
Fake profile C:\Users\Josiah\AppData\Local\Chromatic Browser deleted
Fake profile C:\Users\UpdatusUser\AppData\Local\Torch deleted
Fake profile C:\Users\UpdatusUser\AppData\Local\Google\Chrome deleted
Fake profile C:\Users\UpdatusUser\AppData\Local\Google\Chrome SxS deleted
Fake profile C:\Users\UpdatusUser\AppData\Local\Comodo\Dragon deleted
Fake profile C:\Users\UpdatusUser\AppData\Local\Chromatic Browser deleted

==== Chromium Look ======================

Google Chrome Version: 36.0.1985.143 (Could not determine latest Stable Version)

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bpegkgagfojjbcpkihigfmkojdmmimdf - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx[02/01/2013 10:31 AM]
ehgldbbpchgpcfagfpfjgoomddhccfgh - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\ChromeYoutubePlugin.crx[02/01/2013 10:31 AM]
jbolfgndggfhhpbnkgnpjkfhinclbigj - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx[09/11/2012 09:45 AM]

Google Voice Search Hotword (Beta) - Josiah\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Twitch Giveaways - Josiah\AppData\Local\Google\Chrome\User Data\Default\Extensions\poohjpljfecljomfhhimjhddddlidhdd

==== Chromium Startpages ======================

C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "http://www.google.com/",


==== Chromium Fix ======================

C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx deleted successfully
C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\ChromeYoutubePlugin.crx deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.superfish.com_0.localstorage deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.superfish.com_0.localstorage-journal deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.ask.com_0.localstorage deleted successfully
C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.ask.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\ehgldbbpchgpcfagfpfjgoomddhccfgh deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2DF3E224-05CD-4113-AA7A-86F2F6607B46} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{478472F9-9E09-492A-BDAB-42EE595EF1AD} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{64A4ABCA-CF3D-C548-2DC4-72A55DC5882A} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6A08B379-76FB-B4CF-0C70-CAFCD3635A77} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C637A71C-A4B2-4B47-1B2A-1042A8D525A3} deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Josiah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Josiah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Josiah\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Josiah\AppData\Local\Mozilla\Firefox\Profiles\9ezrh32r.default\Cache emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Josiah\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=126 folders=179 40384248 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\DefaultAppPool\AppData\Local\Temp emptied successfully
C:\Users\Josiah\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Josiah\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\MpCmdRun.log" not found

==== EOF on Sat 12/20/2014 at 6:26:45.49 ======================

 

[TwinHeadedEagle]

Reinstall Google Chrome (it is altered by malware) and tell me how is the situation now.

 

[DisciPie]

Have just reinstalled. Will update tomorrow or so if anything does or doesn't happen as it usually happened daily. Thanks for the help!