March 29, 2010 00:29 Flash Player Update Virus #77769
chrisser665

Novice
Join Date: 28.3.2010
Posts: 4
I recently tried to install a copy of a program that my friend had downloaded using a torrent. I'm pretty sure it was a dirty program and I was infected by a virus. My issue is that the virus is not detected by AVG, Spybot, or Ad-Aware. The symptoms are:

When opening Mozilla Firefox (3.5.8) or Internet Explorer (6.0.2900) I attempt to go to my homepage, which is google.com. I get a pop-up that immediately states (In the above bar)

"The page at http://www.google.com says:"
(Then in the text below)
"You need to update your Adobe Flash Player. Do it now?"

The only option is to click "Ok". Fortunately, I have Adblock Plus and NoScript on, which prevent me from going to the website. Adblock Plus' notification bar across the top of the webpage reads:

"Request {GET http://get.adobe.com/flashplayer/thankyou/?installer=Flash_Player_10_for_Windows_-_Other_Browsers <<<http://www.google.com/, http://www.google.com/} filtered by ABE: <LOCAL> Deny".

The virus prevents me from accessing any website other than the one the virus will allow me (while other internet activities, such as Ad-Aware's updates, are left alone). I've tried scanning everything using the aforementioned virus programs, and they find nothing.
I've also checked "eventvwr" and scrutinized Windows/System32, based off of what I've read online and I can't find anything new or strange. Furthermore, my startup programs are typical as well.

I'm fighting a phantom here... anyone got a flashlight?

----------------------
AVG Version: 9.0.791
Virus Database version: 271.1.1/2775
LinkScanner version: 195

AdAware Free Anti Malware 8.2
Last Update Details: 3/28/2010 (0149.0188)

Spybot Search & Destroy:
Version 1.6.2.46
Latest Detection Update: 3/24/2010

Ad-Aware
Version
Windows XP Professional
Version: 5.1
Build: 2600
Service Pack: 3

Any help here would be fantastic!
March 29, 2010 07:45 Re: Flash Player Update Virus #77771
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hi,

Have you updated your Adobe Flash Player as suggested by the mentioned pop-up? The mentioned address is genuine and valid.

Thank you
***************AVG Team
March 30, 2010 01:00 Re: Flash Player Update Virus #77773
chrisser665

Novice
Join Date: 28.3.2010
Posts: 4
I have updated my Flash Player, but the popup feels completely wrong. First, the Google logo is blocked. Then, if I "x" out of the popup, I'm directed to the website (cited above) regardless. Furthermore, I was able to navigate to the website using the Google search bar in my Firefox, and then download the update from what I deemed the real site, and it was NOT an "exe", but rather a plugin. I was thus led to believe that the site may be legitimate, but the virus somehow offers the ".exe" as a bait and switch. Furthermore, if my desktop needs the update, why doesn't my laptop, which has all the same program updates, need one too?
Finally, when was the last time a program forced you to update, or otherwise restricted your internet access? Any theories?

Also, I found two DAT files in my System32 folder: perfh009 and perfc009, which I think were flagged as viruses.

Ad-aware found two files on my E: drive, named a0020639.exe, and (in typical viral fashion) a0020640.exe. (Note the last two digits.) Firefox worked, until I restarted my computer. Then the popup was back.
March 30, 2010 08:17 Re: Flash Player Update Virus #77775
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hi,

Please read and follow the instructions in How To Clean An Infected Computer.

If you cannot download or update the utils on the infected system, try downloading both the programs and their updates on another computer and then copy them to a CD, DVD or USB disk to use on the infected system.

If you do happen to find malware that AVG does not detect when cleaning the system, please follow these instructions: What to do if you suspect a file, registry setting or website is infected and not currently detected by AVG.

If the situation still persists, please provide us with output of Gmer full scan - http://forums.avg.com/cz-en/avg-free-forum?sec=thread&act=show&id=9455#post_9455
Then run Gmer again, choose tab ">>>", then "Autostart"
- tick "Show all" and run "Scan"
- save the output and provide us with it

Thank you
***************AVG Team
April 20, 2010 01:09 Re: Flash Player Update Virus #82977
euromarkus

Novice
Join Date: 20.4.2010
Posts: 1
Yes, you do have an invasion, and your instincts were right for that fake pop-up.

If you check your DNS and DHCP settings with "ipconfig /all", you will notice that they are either pointing to another computer on your network, or the one you are actually on.

Also, ping a website, and you will see it do the same: "ping www.swingnote.com"

What has happened is that a fake DHCP server is running on the network, which feeds your computer the fake DNS address. Then EVERY site you go to will resolve to the local infected computer running a fake webserver, that serves up the fake Adobe page.
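
The "ipconfig /all" check described in the post above can be automated. The following is an added example, not code from any poster in this thread: it parses a constructed sample of Windows XP `ipconfig /all` output and flags a DHCP or DNS server that is this computer or another LAN host. It assumes a home network where the default gateway (the router) is the legitimate DHCP and DNS server; the function names and sample addresses are hypothetical.

```python
import ipaddress

# Constructed sample of Windows XP `ipconfig /all` output (not from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.57
        DNS Servers . . . . . . . . . . . : 192.168.1.57
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, March 29, 2010 7:02:11 AM
"""

def parse_ipconfig(text):
    """Map each label to its values; handles one adapter (simplification)."""
    fields, last = {}, None
    for line in text.splitlines():
        if " : " in line:
            label, value = line.split(" : ", 1)
            last = label.strip(" .")
            fields[last] = [value.strip()] if value.strip() else []
        elif last and line.strip() and ":" not in line:
            # Unlabeled indented line: extra value for the previous label.
            fields[last].append(line.strip())
    return fields

def suspicious_resolvers(text):
    """Return (role, address, reason) for DHCP/DNS servers worth a second look."""
    f = parse_ipconfig(text)
    own = set(f.get("IP Address", []))
    gateways = set(f.get("Default Gateway", []))  # assumed legitimate (router)
    findings = []
    for role in ("DHCP Server", "DNS Servers"):
        for addr in f.get(role, []):
            ip = ipaddress.ip_address(addr)
            if addr in own or ip.is_loopback:
                findings.append((role, addr, "this computer"))
            elif ip.is_private and addr not in gateways:
                findings.append((role, addr, "LAN host that is not the gateway"))
    return findings

if __name__ == "__main__":
    for role, addr, reason in suspicious_resolvers(SAMPLE):
        print(f"{role} {addr}: {reason}")
```

On a network with a dedicated internal DNS or DHCP server, that server will be flagged too, so treat a finding as a prompt to verify the address rather than as proof of infection.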