New Thread, please--Fake desktop notice from Acrobat on 32-bit Vista

Discussion in 'Malware Help (A Specialist Will Reply)' started by chriscol, Jun 11, 2013.

  1. chriscol

    chriscol Private E-2

    I can't post a new thread, but this is a different computer, with different symptoms, although the two often share a home network.

    I can't find anything online that describes exactly what I have going on in this one.

    Here's the problem:
    I get this really annoying desktop pop-up notification, supposedly from Adobe. (see jpg attachment). When I check with Adobe properly, they tell me I'm up to date with Reader 10 (11 is still beta). Also, the Adobe symbol is missing, replaced with a star. (Haven't noticed anything else wrong...yet. This is new.)

    Now I realize this message is an invitation to download something I don't want, and I'm smart enough to ignore it. But just the fact that it is ON my desktop tells me that there is something in my computer that I don't want there.

    I've had problems with Windows Defender getting shut off, supposedly by AVG. So I also intend to ditch AVG once I get this cleared up and switch to Comodo. But first things first: what do I have, and how do I get rid of it?

    Windows Vista Home Premium, SP-2
    HP a5414f
    AMD Athlon 64 x2 dual Core Processor 6000+ 3.00 GHz
    3.00 GB RAM
    32 bit OS

    I worked through your procedure, albeit imperfectly. The text logs are zipped together into 5-Logs.zip. That gets me around your attachment limit and allows me to send you a screen-shot of the desktop with the fake Adobe notice.

    ----------Scanning notes:

    Forgot to uncheck the cookies, and inadvertently hit next instead of close w/ Hitman. Hope I didn't screw up anything major!


    Running MGTools: Windows error message:
    ProcessDll.exe - Common Language Runtime Debugging Services

    Application has generated an exception that could not be handled
    Process ID = 0xe94 (3732), Thread Id = 0x1660 (5728),
    Click OK to terminate the application.
    Click Cancel to debug the application.

    Clicked OK. I don't have the skills to debug this!

    Dos Error report: c\MGGLogs.zip failed to be created.

    Ran the batch file, and got the same windows error message as above (closed it again), but this time I got the zip file.
    ----------
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really seeing any major issues, but let's cleanup a few things and see what happens.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)


    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
    
     
    :Files
    C:\ProgramData\BBrowseu2save
    C:\Program Files\BrowseToSave
    C:\Windows\Temp\*.*
    C:\Users\Coleen\AppData\Local\Temp\*.*
    
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Search Protection]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9582651F-DE02-497C-BFD4-1FCF2BEA9622}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9582651F-DE02-497C-BFD4-1FCF2BEA9622}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9B41D157-2851-4018-84BF-6B27FAADD4F6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
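Each of the six HijackThis lines above ends in "(no file)": the CLSID is still registered as a BHO, toolbar, URLSearchHook or protocol handler, but the DLL its InprocServer32 entry points to is gone, so the registration is dead weight that can be removed. The OTM :Reg block in the same post is exactly that translation done by hand. The script below, an added example and not part of MajorGeeks' tools, does the translation mechanically so the CLSID does not get mistyped. The O2 and O3 registry locations match the OTM script above; the R3 (HKCU URLSearchHooks) and O18 (HKLM PROTOCOLS\Handler) locations are assumptions based on where HijackThis reads those entry types, and the sample input is the six lines quoted in the post.

```python
"""Turn HijackThis "(no file)" entries into OTM ':Reg' deletion lines.

Added example; not MajorGeeks' tooling. O2/O3 key locations match the OTM
script in the thread; the R3 and O18 locations are assumptions. SAMPLE_HJT
is the six lines quoted in the thread.
"""
import re

# Registry locations behind each HijackThis entry type.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
URLHOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"  # assumption
PROTOCOL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler"            # assumption

# "<type> - <label>: <name> - {CLSID} - <target>"; target is a DLL path or "(no file)".
LINE_RE = re.compile(
    r"^(?P<kind>R3|O2|O3|O18)\s*-\s*(?P<label>\w+):\s*(?P<name>.*?)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.+)$"
)

SAMPLE_HJT = """\
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
"""


def parse_hjt_line(line):
    """Parse one HJT line; return None for lines of other entry types."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # "(no file)" means the CLSID's server DLL is missing: a dead registration,
    # not a live component. Live entries are never turned into deletions.
    d["orphan"] = d["target"] == "(no file)"
    return d


def otm_reg_directives(entries):
    """OTM ':Reg' lines for the orphaned entries only."""
    lines = []
    for e in entries:
        if not e["orphan"]:
            continue
        if e["kind"] == "O2":          # each BHO is its own subkey: delete the key
            lines.append(f"[-{BHO_KEY}\\{e['clsid']}]")
        elif e["kind"] == "O3":        # toolbar CLSIDs are values under one key
            lines += [f"[{TOOLBAR_KEY}]", f"\"{e['clsid']}\"=-"]
        elif e["kind"] == "R3":        # URLSearchHook CLSIDs likewise (assumed key)
            lines += [f"[{URLHOOK_KEY}]", f"\"{e['clsid']}\"=-"]
        elif e["kind"] == "O18":       # protocol handlers are keyed by scheme name
            lines.append(f"[-{PROTOCOL_KEY}\\{e['name']}]")
    return lines


def build_otm_script(hjt_text):
    """Full OTM script: the :Reg deletions followed by a reboot."""
    entries = [e for e in map(parse_hjt_line, hjt_text.splitlines()) if e]
    return "\n".join([":Reg", *otm_reg_directives(entries), ":Commands", "[Reboot]"])


if __name__ == "__main__":
    print(build_otm_script(SAMPLE_HJT))
```

Paste the HJT lines you intend to fix into SAMPLE_HJT (or read them from a saved log) and diff the generated :Reg block against what you were about to run; an entry whose target is a real DLL path is deliberately left out, because deleting the registration of a component that still exists is how toolbars and AV plug-ins get half-uninstalled.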
  3. chriscol

    chriscol Private E-2

    Thank you for responding. I appreciate the help!!!!!:)

    Notes on cleanup procedures:

    1.
    HJT seemed to work fine.

    2.
    OTM ran the first sections successfully.

    After emptying the temp folders for All Users and Bob, it stalled with this final line in results:
    user: Coleen >temp folder emptied 669326 bytes

    MsgBox:
    "OTM has stopped working. Windows will close programs and notify you if a solution is available."

    I clicked close. There was something minimized at the bottom of the screen--another MsgBox.
    "Microsoft Search Indexer stopped working and was closed. A problem caused the application to stop working correctly.
    Windows will notify you if a solution is available."

    After closing, I had a completely empty desktop. Only the photo left. No icons, no floating task bar to access the start menu.

    I used ctl+alt+delete to bring up the task manager entry screen, and clicked restart from the button.

    3.
    C:\MGtools\GetLogs.bat

    This ran the same way it ran last time, stopping with a windows message box. The Windows text in the box read as follows:
    =========
    Application has generated an exception that could not be handled
    Process ID = 0x1438 (5176), Thread Id = 0xcc0 (3264),
    Click OK to terminate the application.
    Click Cancel to debug the application.
    =========
    I selected OK
    When the batch file finished, I went back and copied the DOS information shown in the batch file just as the program halted--on the off chance it wouldn't turn up in the log file.

    Text in cmdbox
    =============
    running processdll.exe to find loaded DLLs

    Unhandled Exception: System.InvalidOperationException: Process performance counter is disabled, so the requested operation cannot be performed.
    at System.Diagnostics.NtProcessManager.GetProcessInfos<Performance CounterLib library>
    at System.Diagnostics.NtProcessManager.GetProcessInfos<String machineName, Boolean isRemoteMachine>
    at System.Diagnostics.ProcessManager.GetProcessInfos<String machineName>
    at System.Diagnostics.Process.GetProcesses<String machineName>
    at System.Diagnostics.Process.GetProcesses<>
    at procdll.modMain.Main<>
    Found and Zipping procdll.txt
    ==============

    I'm re-activating Windows Defender (Isn't that the Windows Vista Firewall?)

    For what it's worth, last night I ran a couple of additional virus scans (which were all clean). Then I thought that perhaps my Adobe updater had been corrupted, so I repaired Reader. This morning there were some automatic Windows Updates. I haven't seen the crazy update message from the screen shot today--but it doesn't appear every time I reboot--seems to be on some sort of 2 or 3 times a day schedule.

    Please respond to these logs with any relevant information about whether they are clean, or if I need to repair any files--I'm curious about why the batch file and OTM stalled. I'll assume that since I'm in the queue now, I won't bump myself down if I update--and I'll just add a note if and when the fake update message reappears. If it stays gone until tomorrow afternoon, I'll let you know that, as well.
     


  4. chriscol

    chriscol Private E-2

    Its baaacckkk! 9:48 PM. About the time it showed up yesterday.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is starting to not look like malware.

    Run Msconfig. Then select the Startup tab. Locate the below process and uncheck it to disable it.

    Startup Item = Adobe ARM
    Command = C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    Then select the Services tab and locate the below service and uncheck it to disable it:

    Service = Adobe Acrobat Update Service

    Then click Apply and okay your way out of MSconfig and reboot your PC. Does this popup come back?
     
  6. chriscol

    chriscol Private E-2

    I took your advice. However, the "update" is back again. Seems to show up every evening around 9:45 CDT. Never any other time of day, so if you have any more ideas, I'll try them--but won't know the results until 9:45 that night.

    (FWIW, I just ran msconfig to check; Adobe updating is currently off.)

    One thing comes to mind--really a long shot, but could the other computer on my network possibly be harboring this thing? (See earlier thread.)

    The reason I ask is that Comodo (on the Win 7 laptop) spotted an active threat the other day, but it was coming from a directory that exists on this computer (Vista) but not on the other one. That directory is one of those that you had me clean out the other day.

    One other thing that has me curious--why did the clean-up programs you had me run the other day get stuck? Did they perhaps trip on something?

    I appreciate your efforts on this. It's a corker. I surely dread what might happen if I actually clicked that *^(^ "update".
     
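A popup that arrives at the same clock time every evening and survives disabling Adobe ARM and the Acrobat Update Service is the pattern of a time-triggered job, and msconfig's Startup tab only lists Run-key and Startup-folder entries, not Task Scheduler tasks. The script below is an added check, not something from the thread or MajorGeeks' tooling: it reads the CSV that `schtasks /query /v /fo CSV` produces and lists enabled daily tasks whose start time falls within a few minutes of the symptom, putting those that run a binary from a user-writable folder (AppData, ProgramData, Temp) first. SAMPLE_CSV is a constructed stand-in trimmed to the columns used; the task names, commands and times in it are invented.

```python
"""Find scheduled tasks whose daily trigger lines up with a recurring symptom.

Added example, not from the thread. SAMPLE_CSV is a constructed stand-in for
`schtasks /query /v /fo CSV` output, trimmed to the columns used here; the
task names, commands and times are invented. For a real run:
    schtasks /query /v /fo CSV > tasks.csv
"""
import csv
import io
from datetime import datetime

SAMPLE_CSV = """\
"TaskName","Task To Run","Scheduled Task State","Schedule Type","Start Time"
"\\VendorUpdateCheck","C:\\Program Files\\Vendor\\update.exe /check","Enabled","Daily","9:47:00 PM"
"TaskName","Task To Run","Scheduled Task State","Schedule Type","Start Time"
"\\UpdaterUI","C:\\Users\\Coleen\\AppData\\Local\\Temp\\updui.exe /silent","Enabled","Daily","9:44:00 PM"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Enabled","Weekly","1:00:00 AM"
"\\OldUpdater","C:\\ProgramData\\OldUpdater\\run.exe","Disabled","Daily","9:45:00 PM"
"""

# Folders an ordinary user can write to; a scheduled binary living there is worth a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_schtasks_csv(text):
    """Rows as dicts. schtasks repeats the header line before each task on some
    Windows versions, so rows that are just a copy of the header are dropped."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["TaskName"] != "TaskName"]


def parse_time(s):
    """'9:44:00 PM' -> time(21, 44). Raises ValueError for 'N/A'."""
    return datetime.strptime(s.strip(), "%I:%M:%S %p").time()


def minutes_apart(a, b):
    """Circular distance in minutes, so 11:58 PM and 12:02 AM are 4 apart."""
    d = abs((a.hour * 60 + a.minute) - (b.hour * 60 + b.minute))
    return min(d, 24 * 60 - d)


def runs_from_user_writable_path(command):
    return any(m in command.lower() for m in USER_WRITABLE_MARKERS)


def tasks_near(rows, symptom_time, window_minutes=10):
    """Enabled daily tasks starting within window_minutes of symptom_time,
    user-writable ones first."""
    target = parse_time(symptom_time)
    hits = []
    for r in rows:
        if r["Scheduled Task State"] != "Enabled" or r["Schedule Type"] != "Daily":
            continue
        try:
            start = parse_time(r["Start Time"])
        except ValueError:          # "N/A" or an unparsable time
            continue
        if minutes_apart(start, target) <= window_minutes:
            hits.append({
                "name": r["TaskName"],
                "command": r["Task To Run"],
                "start": r["Start Time"],
                "user_writable": runs_from_user_writable_path(r["Task To Run"]),
            })
    hits.sort(key=lambda h: not h["user_writable"])
    return hits


if __name__ == "__main__":
    for h in tasks_near(parse_schtasks_csv(SAMPLE_CSV), "9:45:00 PM"):
        flag = "CHECK" if h["user_writable"] else "ok?"
        print(f"{flag:5} {h['start']:>11} {h['name']} -> {h['command']}")
```

Run it against the real CSV with the time the popup appears (here "9:45:00 PM"), and for anything flagged look at the task's XML under C:\Windows\System32\Tasks before deleting it; a disabled task with a matching time is shown for context only, since it cannot be the trigger.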
  7. chriscol

    chriscol Private E-2

    Grasping at straws here... is there a known sequence to the Windows Vista shutdown? Because the "update message" blinked out first, before the rest of the desktop went all at once when I shut down last night.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you should try installing a better firewall on this PC. The Windows firewall is not very good.

    Possibly if you are using sharing. But this is a good reason why to have a better firewall.

    Most likely just issues with Windows applications. Or due to protection software conflicts.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really.
     
  10. chriscol

    chriscol Private E-2

    I took your advice about the firewall and software; downloaded Comodo and uninstalled AVG. Interestingly, Comodo found no problems, either.

    So I got brave and clicked the &^%* thing.

    Up pops the "View and Review Your Downloads" Window.

    AdobeReaderSetup_8631360-none pops up in first place.

    There's no location, just the question: "Do you want to run or save this program?"

    I saved it to the desktop, and had Comodo run a scan on it. Found nothing.

    But it sure isn't legitimate from Adobe--

    I'm thinking somebody truly expert should take a look at this thing. I'm sending you a zipped copy of it--I notice that it has a valid certificate from "Trusted Software ApS" and a digital signature email address of "Support@TrustedSoftware.com"

    I think you're right, in that I don't have a virus on my system. But whatever this is, its behavior is sure hinky--and I'd really like to stop getting the message--because I don't feel safe when it keeps coming in.


    More weird. Had a difficult time uploading the file. And when I did, it wasn't the zip file; instead it was coming from C:\Users\Me\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I3NG9R67\AdobeReaderSetup_8631360-none[1].exe

    Same thing again. The zip archive icon is on my desktop. But your uploader can't "see" any zip files there at all.

    And, although I am supposed to be able to see hidden files and extensions on my computer, I cannot see the \Low\Content.IE5\etcetera subfolders.

    I thought I'd try to rename the exe file on my desktop--surprise, Windows is hiding the extension, so I couldn't just change that.

    FINALLY, I think I have it. I renamed the entire file to FakeFile. At that point the .exe showed up, and I changed that to .txt. And this time I zipped it right away.


    Guess what--the first zipped file has disappeared from my Manage attachments page. I'm going to try to send you both zipped files, but if you only get one, at least you know how to change the name.

    If I need to send this to one of the Antivirus companies, please tell me where it should go. Or perhaps you can fwd it to the right set of eyes, wherever they are.

    Thanks for your patience with this.
    chriscol
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes this is definitely suspicious but not sure it is really malware or if some other program on your PC is trying to cause an update.

    Download and install Revo Uninstaller
    Then use it to uninstall File Type Assistant. Then reboot your PC. See if that popup still comes back.

    There are many folders that Windows will block you from directly accessing.
     
  12. chriscol

    chriscol Private E-2

    FYI:
    Ran a full Comodo scan. It found two viruses, which it quarantined.
    (After trying several other non-installable scanners which turned up nothing.)

    C:\Program Files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe Suspicious@#1fy9u1087o1ed Quarantine Success
    C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe Suspicious@#2wsru862x9mkm Quarantine Success
    I'm hoping the QuickTimeUpdateHelper was the source of my 9:42 evening visitor. But, of course, I won't know for sure until 9:43 tonight.

    Thanks for the Revo info. I'm going to wait to see if the QuickTime installer was the problem. If not, I'll use the Revo next.

    BTW, I'm very impressed with Comodo. I had to contact their GeekBuddy team twice in order to upload the questionable file to them--no charge for the help, even for someone like me using the free service. Might have been different if I had been asking for help with my computer specifically, but....
     
  13. chriscol

    chriscol Private E-2

    It's 9:53 and no message. Looks like the problem was the QuickTimeUpdateHelper.exe Suspicious@#1fy9u1087o1ed.

    Unless you have questions for me, we can call this thread closed.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I would be surprised if either of those were the problem for the below reasons:

    • They are both legit programs
    • Neither of them were loading at startup
    • Most importantly, they were not showing as running in any logs so not sure how they would be the problem.

    However, let's hope that the problem is gone. If so, you can do the below.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  15. chriscol

    chriscol Private E-2

    Before you assume any further, take a look at the attached file, which turned up in my Java directory after I had removed the application using REVO.

    I think I'm still clean, but it's amazing the kind of computer damage this thing can do.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These did not show up after removing the application. They were there all along. They are part of QuickTime.
     
