I recently tried to install a copy of a program that my friend had downloaded using a torrent. I'm pretty sure it was a dirty program and I was infected by a virus. My issue is that the virus is not detected by AVG, Spybot, or Ad-Aware. The symptoms are:
When opening Mozilla Firefox (3.5.8) or Internet Explorer (6.0.2900) I attempt to go to my homepage, which is google.com. I get a pop-up that immediately states (In the above bar)
"The page at http://www.google.com says:"
(Then in the text below)
"You need to update your Adobe Flash Player. Do it now?"
The only option is to click "Ok". Fortunately, I have Adblocker Plus and Noscript on, which prevent me from going to the website. AdBlock Plus' notification bar across the top of the webpage reads:
The virus prevents me from accessing any website other than the one the virus will allow me (while other internet activities, such as adaware's updates, are left alone.) I've tried scanning everything using the aforementioned virus programs, and they find nothing.
I've also checked "eventvwr" and scrutinized Windows/System32, based off of what I've read online and I can't find anything new or strange. Furthermore, my startup programs are typical as well.
I'm fighting a phantom here... anyone got a flashlight?
I have updated my Flash Player, but the popup feels completely wrong. First, the Google logo is blocked. Then, if I "x" out of the popup, I'm directed to the website (cited above) regardless. Furthermore, I was able to navigate to the website using the Google search bar in my Firefox, and then download the update from what I deemed the real site, and it was NOT an "exe", but rather a plugin. I was thus led to believe that the site may be legitimate, but the virus somehow offers the ".exe" as a bait and switch. Furthermore, if my desktop needs the update, why doesn't my laptop, which has all the same program updates, need one too?
Finally, when was the last time a program forced you to update, or otherwise restricted your internet access? Any theories?
Also, I found two DAT files in my System32 folder: perfh009 and perfc009, which I think were flagged as viruses.
Ad-aware found two files on my E: drive, named a0020639.exe, and (in typical viral fashion) a0020640.exe. (Note the last two digits.) Firefox worked, until I restarted my computer. Then the popup was back.
If you cannot download or update the utils on the infected system, try downloading both the programs and their updates on another computer and then copy them to a CD, DVD or USB disk to use on the infected system.
Yes, you do have an invasion, and your instincts were right for that fake pop-up.
If you check your DNS and DHCP settings ("ipconfig /all"), you will notice that they are either pointing to another computer on your network, or to the one you are actually on.
Also, ping a website, and you will see it do the same. "ping www.swingnote.com"
What has happened is that a fake DHCP server is running on the network which feeds your computer the fake DNS address. Then EVERY site you go to will resolve to the local infected computer running a fake web server, which serves up the fake Adobe page.
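The two checks this answer describes (look at the DHCP/DNS servers in "ipconfig /all", then see where several unrelated sites resolve) can be scripted so the pattern is obvious at a glance. This is an added example, not code from the thread; the ipconfig output, the addresses and the ping results are all constructed, and the rogue host at 192.168.1.77 is an assumption.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (Windows XP layout) from a host on
# a LAN where a rogue DHCP server, assumed to live at 192.168.1.77, hands out its
# own address as the DNS server. All addresses are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.77
        DNS Servers . . . . . . . . . . . : 192.168.1.77
"""

# Constructed results of pinging a few unrelated public sites from that host:
# every name resolves to the same LAN address, which is the tell-tale sign.
SAMPLE_RESOLUTIONS = {
    "www.google.com": "192.168.1.77",
    "www.swingnote.com": "192.168.1.77",
    "www.mozilla.org": "192.168.1.77",
}

def parse_ipconfig(text):
    """Extract the fields of interest from 'ipconfig /all' output."""
    fields = {}
    for key in ("IP Address", "Default Gateway", "DHCP Server", "DNS Servers"):
        m = re.search(re.escape(key) + r"[ .]*: *(\S+)", text)
        if m:
            fields[key] = m.group(1)
    return fields

def dns_hijack_indicators(ipconfig_text, resolutions):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg = parse_ipconfig(ipconfig_text)
    own, gw, dns = cfg.get("IP Address"), cfg.get("Default Gateway"), cfg.get("DNS Servers")
    findings = []
    # A DNS server that is a LAN host other than the router deserves a second look.
    if dns and ipaddress.ip_address(dns).is_private and dns != gw:
        who = "this machine" if dns == own else "another LAN host"
        findings.append(f"DNS server {dns} is {who}, not the gateway {gw}")
    # Unrelated public names all resolving to one private address is the hijack signature.
    targets = set(resolutions.values())
    if len(resolutions) > 1 and len(targets) == 1:
        ip = targets.pop()
        if ipaddress.ip_address(ip).is_private:
            findings.append(f"{len(resolutions)} unrelated sites all resolve to LAN address {ip}")
            if ip in (dns, own):
                findings.append(f"{ip} is also the DNS server or this machine: likely fake web server")
    return findings

if __name__ == "__main__":
    for line in dns_hijack_indicators(SAMPLE_IPCONFIG, SAMPLE_RESOLUTIONS) or ["no indicators"]:
        print(line)
```

On a real machine, paste the actual "ipconfig /all" output into SAMPLE_IPCONFIG and the addresses that "ping" reports for a handful of sites into SAMPLE_RESOLUTIONS.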