Topic: Fake Flash Update: Can't get rid of it


REDACTED (Guest)
Fake Flash Update: Can't get rid of it
« on: September 18, 2014, 06:06:35 AM »
Okay, darn it.  I've been hoping to find something that could help me easily get rid of this annoying problem, but haven't yet found anything precisely right, so I guess I'll scream for help.

I keep getting a redirect, almost always when I try to visit reuters.com (once it was another site, and only once so far), that tells me I need to update my flash player.  It's an obvious malware page, with a different url every few days (it'll be something like premiumfreeupdate.com or something similar).  MBAM, Avast!, and JRT find nothing, but adwcleaner finds and removes the same things every time, a few browser extensions and one registry key.

Once adwcleaner runs, I usually run for a couple of days, then it pops up again.  I'm a bit of a newshound, so I check reuters regularly.

I'd attach the last adwcleaner log, but can't find them.  Which should tell you how little I know about all this. 

Please let me know how to proceed.

Thanks ever so much,
Jim

Pondus
Re: Fake Flash Update: Can't get rid of it
« Reply #1 on: September 18, 2014, 07:27:18 AM »
How to receive help instructions: https://forum.avast.com/index.php?topic=53253.0

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #2 on: September 18, 2014, 12:34:07 PM »
I had a redirect once and it was done via a Google banner advert as I was at the time running Google ads on my web site. (I'm not anymore.)

The way out of it was to reset the browser (IE9). I also now run ad blockers.

HTH

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #3 on: September 18, 2014, 06:46:05 PM »
All right, here are the logs as requested.  Looking forward to any help that can be offered.

Jim

essexboy (Malware removal instructor)
Re: Fake Flash Update: Can't get rid of it
« Reply #4 on: September 18, 2014, 07:08:24 PM »
Hi there, do you use a router? If so, do any other computers using it experience the same problems?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File 
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
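
The fixlist above deletes BHO and toolbar registrations whose CLSID points at no file on disk. The following PowerShell script is an added example, not code from the thread or from FRST: it enumerates the same registry locations FRST reads, resolves each CLSID to its InprocServer32 DLL, and flags the entries that FRST would report as "No File". It assumes a 64-bit Windows host (so both the native and Wow6432Node class tables exist) and an elevated prompt; it is read-only and deletes nothing.

```powershell
# Added example, not from the thread: enumerate the IE Browser Helper Objects and
# toolbars registered in the registry and flag the ones whose CLSID has no DLL on
# disk, which is what FRST reports as "No File" and the fixlist above deletes.
# Assumptions: 64-bit Windows with both the native and Wow6432Node class tables;
# run from an elevated PowerShell prompt. Read-only: it reports, it does not delete.

$bhoKeys = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Kind = 'BHO' },
  @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Kind = 'BHO-x32' }
)
$toolbarKeys = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';             Kind = 'Toolbar';     Hive = 'HKLM' },
  @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'; Kind = 'Toolbar-x32'; Hive = 'HKLM' },
  @{ Path = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';             Kind = 'Toolbar';     Hive = 'HKCU' },
  @{ Path = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser';  Kind = 'Toolbar';     Hive = 'HKCU' }
)
$classRoots = @(
  'HKLM:\SOFTWARE\Classes\CLSID',
  'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
  'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-Clsid {
  # Returns the registered display name and InprocServer32 DLL for a CLSID, or nulls.
  param([string]$Clsid)
  foreach ($root in $classRoots) {
    $key = Join-Path $root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -LiteralPath (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    return [pscustomobject]@{ Name = $name; Dll = $dll }
  }
  return [pscustomobject]@{ Name = $null; Dll = $null }
}

function New-Finding {
  param([string]$Kind, [string]$Hive, [string]$Clsid)
  $info = Resolve-Clsid $Clsid
  [pscustomobject]@{
    Kind   = $Kind
    Hive   = $Hive
    Clsid  = $Clsid
    Name   = if ($info.Name) { $info.Name } else { 'No Name' }
    Dll    = $info.Dll
    # "No File" in FRST terms: no InprocServer32 at all, or one that points at a missing path.
    NoFile = -not ($info.Dll -and (Test-Path -LiteralPath $info.Dll))
  }
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($k in $bhoKeys) {
  if (-not (Test-Path -LiteralPath $k.Path)) { continue }
  # BHOs are registered as one subkey per CLSID.
  foreach ($sub in Get-ChildItem -LiteralPath $k.Path) {
    $findings.Add((New-Finding -Kind $k.Kind -Hive 'HKLM' -Clsid $sub.PSChildName))
  }
}

$guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($k in $toolbarKeys) {
  if (-not (Test-Path -LiteralPath $k.Path)) { continue }
  # Toolbars are registered as values whose *name* is the CLSID.
  $props = Get-ItemProperty -LiteralPath $k.Path
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -match $guid) {
      $findings.Add((New-Finding -Kind $k.Kind -Hive $k.Hive -Clsid $p.Name))
    }
  }
}

$findings | Sort-Object NoFile -Descending | Format-Table Kind, Hive, Clsid, Name, NoFile, Dll -AutoSize
```

Rows with NoFile = True correspond to the "No File" lines in an FRST log. Deleting them is housekeeping: the poster reports that AdwCleaner removes the same items every time and they return, so the thing to find is whatever recreates those registrations, not the registrations themselves.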

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #5 on: September 18, 2014, 07:46:40 PM »
Ok, those are done. 

We do have a router.  The other machines on the network have not experienced the redirect, although my wife's machine did have a PUP problem a couple of months ago that seems to have been resolved by MBAM.

Two comments:

The items removed by AdwCleaner are the same items it has removed in previous runs.

About half an hour after running the initial set of scans, I had a blue screen error.  Said something about detecting a system modification before it auto-restarted.

essexboy (Malware removal instructor)
Re: Fake Flash Update: Can't get rid of it
« Reply #6 on: September 18, 2014, 08:17:30 PM »
Hmm, time for a bigger hammer. Are you still getting the popups?

Download and install ComboFix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #7 on: September 18, 2014, 10:17:05 PM »
I've attached the combofix log.

The problem with this particular redirect is it only pops up every couple of days.  I would have to wait a few days to be sure it was actually gone.

Meanwhile, since running combofix, I can no longer access google or this forum in IE.  I accessed it now through Chrome.

Pondus
Re: Fake Flash Update: Can't get rid of it
« Reply #8 on: September 18, 2014, 10:19:32 PM »
Quote
Meanwhile, since running combofix, I can no longer access google or this forum in IE.  I accessed it now through Chrome.
Reboot one more time... or two, and try again.

Did that help?

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #9 on: September 18, 2014, 10:27:10 PM »
Two reboots since running combofix.  Google and avast forum still inaccessible through IE.  Nothing in restricted sites list.  Can access other AV sites like mcafee and trendmicro (tried that just out of curiosity).

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #10 on: September 18, 2014, 10:36:38 PM »
Third reboot, same IE problem.  Won't access Facebook either, but will access everything else I try so far.

essexboy (Malware removal instructor)
Re: Fake Flash Update: Can't get rid of it
« Reply #11 on: September 18, 2014, 11:01:07 PM »
What error do you get when you try to access those sites?

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #12 on: September 18, 2014, 11:07:43 PM »
It will briefly say "waiting for..." in the tab, but will revert to the site I'm already on or say the webpage cannot be displayed. 

REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #13 on: September 18, 2014, 11:10:56 PM »
As it stands, it appears that the avast forum, Facebook, and google are the only sites I can't open.  The first two were those I've had open today for the most part.  Google is my default IE search engine.


REDACTED (Guest)
Re: Fake Flash Update: Can't get rid of it
« Reply #14 on: September 19, 2014, 06:56:29 AM »
Okay, been doing a bit more playing around.  Turns out it's any site that defaults to https.  Google, FB, and this forum all do so, and I've now tried a couple of bank sites that do the same, and I'm blocked.  Would combofix mess with IE security settings?
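
The symptom in the last post, plain http:// sites load while every https:// site fails in IE after the ComboFix run, is one a practitioner would want to localise before guessing at the cause. The script below is an added example, not from the thread and not a ComboFix or Avast tool: it dumps the per-user settings IE consults for proxying and TLS, prints the machine-wide WinHTTP proxy and any hosts-file overrides for the named sites, then tries a raw TCP connect and a full HTTPS request to each. It assumes Windows 7 or later and that it runs as the affected user (the Internet Settings key is per-user); the site list is the one the poster named. Read-only.

```powershell
# Added example, not from the thread: triage for "only https:// sites fail in IE"
# after a cleanup run. Prints the per-user settings IE consults for proxy and TLS,
# then tries a bare TCP connect and a full HTTPS request to each site so the failure
# can be placed in the network, proxy or TLS layer.
# Assumptions: Windows 7 or later; run as the affected user, because the
# Internet Settings key is per-user. Read-only.

$ieKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue

# A proxy or PAC applied only to https= traffic would leave plain http working.
[pscustomobject]@{
  ProxyEnable     = $settings.ProxyEnable
  ProxyServer     = $settings.ProxyServer
  ProxyOverride   = $settings.ProxyOverride
  AutoConfigURL   = $settings.AutoConfigURL
  # Bit mask of protocols IE may negotiate: 0x08 SSL2, 0x20 SSL3, 0x80 TLS1.0, 0x200 TLS1.1, 0x800 TLS1.2.
  SecureProtocols = if ($null -ne $settings.SecureProtocols) { '0x{0:X}' -f [int]$settings.SecureProtocols } else { '(not set, IE default)' }
} | Format-List

# Machine-wide WinHTTP proxy, consulted by some components regardless of the IE setting.
netsh winhttp show proxy

# Hosts-file overrides for the sites named in the thread.
Select-String -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Pattern 'google|facebook|avast'

function Test-HttpsSite {
  param([string]$HostName)
  $r = [ordered]@{ HostName = $HostName; Tcp443 = $false; Https = $null }
  try {
    # Layer 1: can we reach port 443 at all?
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, 443)
    $r.Tcp443 = $tcp.Connected
    $tcp.Close()
  } catch {
    $r.Tcp443 = $false
  }
  try {
    # Layer 2: does a TLS handshake plus HTTP request succeed via the .NET stack?
    $req = [System.Net.WebRequest]::Create("https://$HostName/")
    $req.Timeout = 10000
    $resp = [System.Net.HttpWebResponse]$req.GetResponse()
    $r.Https = 'HTTP {0}' -f [int]$resp.StatusCode
    $resp.Close()
  } catch {
    # TCP succeeded but this failed: look at the TLS/proxy layer, not the network path.
    $r.Https = $_.Exception.Message
  }
  [pscustomobject]$r
}

'www.google.com', 'www.facebook.com', 'forum.avast.com' | ForEach-Object { Test-HttpsSite $_ } | Format-Table -AutoSize
```

Read the result in layers: Tcp443 = False means the network path or a hosts/DNS override, not IE. Tcp443 = True with an HTTPS error from .NET points at the proxy or TLS layer. Everything succeeding here while IE still fails narrows it to settings only IE honours, such as the SecureProtocols mask or per-zone options, since .NET negotiates TLS independently of IE's Internet Options.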