avast! found viruses on my computer and I moved them to the chest. I have no idea what to do. The viruses are Win32:Fasec and Win32:Rootkit-gen. The Win32:Rootkit-gen has been found as gaopdxpxoihvkn.dll. The Win32:Fasec has been found as gaopdxpxoihvkn.dll and iamfamous.dll. The gaopdxpxoihvkn.dll has been found in C:\Windows\System32 and the iamfamous.dll was found in C:\Program Files\Mozilla Firefox\components. What should I do now? gaopdxpxoihvkn.dll appears every time I open Internet Explorer.
I suggest:
Thanks. When I try downloading SuperAntiSpyware Free the download page doesn’t work, and for MBAM the whole site doesn’t work. My internet is working because I can go to other sites. What do I do?
EDIT: Would this work? http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
I also found this: http://www.download.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
You should schedule a scan with avast at system startup. While avast is scanning, your computer will show an alert about the viruses it finds. Press the key it tells you to in the options.
Remember to update the virus database before doing this, ok?
Good luck ;D
Download.com should be fine.
Your HOSTS file might have been modified to block security sites to try to hinder your dealing with malware.
A HOSTS file redirect is a common malware tactic to block AV sites, making it difficult to remove malware (entries pointing the sites at 127.0.0.1). Check your HOSTS file using Notepad or a text editor of your choice: C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it’s not there.
Once open, you are looking for entries with avast.com, etc. on the line; you may well see other AV sites. Post the contents of the hosts file. http://en.wikipedia.org/wiki/Hosts_file
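As an added example (not code from this thread or from any of the tools named in it), here is a small parser for the Windows HOSTS file that does the check David describes: it reads every mapping, ignores comments, and flags any entry naming a security-vendor domain, since a clean Windows HOSTS file carries only the localhost line. The sample file and the watch-list of domains are constructed for the demo; the watched-domain set is an assumption you would extend with your own vendors.

```python
# Added example, not from the forum thread: parse a Windows HOSTS file and
# flag mappings for security-vendor domains (the "HOSTS file redirect").
import ipaddress

# Assumption for this example: domains a clean HOSTS file should never map.
WATCHED_DOMAINS = {
    "avast.com",
    "malwarebytes.org",
    "superantispyware.com",
    "update.microsoft.com",
    "windowsupdate.com",
}

# Constructed sample: the stock Microsoft header plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.avast.com avast.com        # injected entry (constructed)
0.0.0.0         www.malwarebytes.org
10.0.0.5        intranet.example.test          # benign local mapping
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a HOSTS file.

    Full-line and inline comments (after '#') are dropped, and a line that
    names several hosts yields one record per host.
    """
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; do not guess
        for host in fields[1:]:
            records.append((line_no, str(ip), host.lower()))
    return records


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return every mapping of a watched domain, whatever address it uses.

    The target address (127.0.0.1, 0.0.0.0 or a remote host) matters less
    than the presence of the entry: none of these domains belongs here.
    """
    return [r for r in parse_hosts(text) if is_watched(r[2])]


if __name__ == "__main__":
    for line_no, ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}  (remove this entry)")
```

Run it against the real file by replacing `SAMPLE_HOSTS` with the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; the three flagged lines in the sample are exactly the kind of entries the post asks the user to look for.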
I think I might have Mydoom.B.
Here:
The hosts file can also be "hijacked," or used for malicious purposes. For example, adware, computer viruses, trojan horses, or other malware can edit the hosts file to redirect traffic from a "safe" site (such as Google or Wikipedia) to sites hosting content that may be offensive or intrusive to the user or the user’s computer system. For example, a trojan (Qhosts) redirected traffic from search engines such as Google and AltaVista to a site specified by the author of the trojan horse.[1] Mydoom.B (a malware program) blocked users from visiting sites regarding computer security and antivirus software, and also affected users’ ability to access the Windows Update web site.
I can’t go to AV sites, gmail, and Windows Update won’t work.
Did you follow David’s suggestions? Your hosts file is probably infected.
Try http://www.abelhadigital.com/2008/07/hostsman-3157-released.html to have a clean and new hosts file.
I doubt you have MyDoom.B, as that really is an old piece of malware and your system would have to be very out of date; the article is for example purposes, to show what can be done by modifying the HOSTS file.
The idea was to spark you into actually checking your own HOSTS file to see if there were any similar entries for security sites, etc. and report your findings, so they might be removed.
However, it may be better to use the tool Tech indicated as it doesn’t require any experience of the HOSTS file.
I checked my hosts file and this is what it says:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
OK that is fine, which makes it a little more complex as it could be some sort of DNS redirect which doesn’t rely on the HOSTS file.
Try this little test: this is the IP address for MalwareBytes.org, http://69.162.79.74/ ; see if that allows you to get to malwarebytes.org.
If so, that is an indication that there is a more subtle redirect going on than the blunt HOSTS file.
What happens is that when you click a link like those given by Jtaylor83 with a domain name, you need to go to a DNS server for the IP address, and this can be intercepted and either block you or redirect you elsewhere…
Did you manage to get MBAM from download.com before?
Yeah, I downloaded MBAM from the link I found and ran a scan. I also ran a scan earlier with SUPERAntiSpyware. In SUPERAntiSpyware, the scan found something called Trojan.DNS-Changer (Hi-Jacked DNS).
SUPERAntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2009 at 02:56 PM

Application Version : 4.25.1012

Core Rules Database Version : 3724
Trace Rules Database Version: 1698

Scan type : Complete Scan
Total Scan Time : 08:56:44

Memory items scanned : 920
Memory threats detected : 0
Registry items scanned : 7442
Registry threats detected : 6
File items scanned : 27476
File threats detected : 114

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B29D9591-B6BD-4848-AFCD-032453B3373F}#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B8099C7E-AACF-46AB-9688-C1389A535223}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B29D9591-B6BD-4848-AFCD-032453B3373F}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B8099C7E-AACF-46AB-9688-C1389A535223}#NAMESERVER

Adware.Tracking Cookie
C:\Users\Family\AppData\Roaming\Microsoft\Windows\Cookies\family@apmebf[1].txt … (too many characters)
MBAM Log:
Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 6.0.6001 Service Pack 1

2/24/2009 8:25:17 PM
mbam-log-2009-02-24 (20-25-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 282835
Time elapsed: 4 hour(s), 33 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\freshplay (Trojan.DNSChanger) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.39,85.255.112.40 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b8099c7e-aacf-46ab-9688-c1389a535223}\DhcpNameServer (Trojan.DNSChanger) → Data: 85.255.112.39,85.255.112.40 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.39,85.255.112.40 → Quarantined and deleted successfully.
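The DNS redirect David suspected earlier, and the `NameServer` / `DhcpNameServer` registry data MBAM cleaned above, can be audited with a few lines of code. The following is an added example (not from the thread, not MBAM's or SUPERAntiSpyware's logic): it parses the Windows resolver-list format and flags any resolver that is not one the machine is expected to use. The registry snapshot is constructed for the demo, reusing the `85.255.112.x` values from the log; the expected-resolver set is an assumption you would replace with your router's and ISP's addresses. It does not read the live registry, so it runs on any platform; on a Windows host the same data comes from the keys named in the snapshot.

```python
# Added example, not from the forum thread: audit the Tcpip\Parameters
# resolver settings that DNSChanger rewrites, using constructed data.
import ipaddress

# Assumption for this example: the resolvers this machine should be using
# (home router plus the ISP's resolver). Anything else gets reported.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}

# Constructed snapshot of key -> data; the 85.255.112.x values are the
# ones shown in the MBAM log above.
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer":
        "85.255.112.39,85.255.112.40",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b8099c7e-aacf-46ab-9688-c1389a535223}\DhcpNameServer":
        "85.255.112.39,85.255.112.40",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b29d9591-b6bd-4848-afcd-032453b3373f}\DhcpNameServer":
        "192.168.1.1",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer":
        "",  # empty is normal: the DHCP-assigned resolvers are used instead
}


def split_resolvers(data):
    """Windows stores several resolvers separated by commas or spaces."""
    return [tok for tok in data.replace(",", " ").split() if tok]


def classify(ip_text):
    """Return 'expected', 'private', 'public' or 'invalid' for one resolver."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip_text in EXPECTED_RESOLVERS:
        return "expected"
    if ip.is_private or ip.is_loopback:
        return "private"
    return "public"


def audit_nameservers(registry):
    """Return (key, resolver, verdict) for every resolver that is not expected.

    A public resolver nobody configured is the DNSChanger signature: every
    lookup goes to the attacker's server, which can block or redirect the
    security sites while the HOSTS file stays perfectly clean.
    """
    findings = []
    for key, data in registry.items():
        for resolver in split_resolvers(data):
            verdict = classify(resolver)
            if verdict != "expected":
                findings.append((key, resolver, verdict))
    return findings


if __name__ == "__main__":
    for key, resolver, verdict in audit_nameservers(SAMPLE_REGISTRY):
        print(f"{verdict:8} {resolver:16} {key}")
```

Checking all `ControlSet00N` keys, not just `CurrentControlSet`, matters because the SUPERAntiSpyware log shows the same rogue resolvers in `CONTROLSET001` and `CONTROLSET003`; a last-known-good boot would otherwise restore them.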
Yes, this is almost certainly the cause of the inability to connect to security sites, and the entries in the MBAM log also show it has cleaned up further registry entries responsible. So hopefully you shouldn’t have the redirect problem?
The IP addresses in the registry entries point to a server in the Ukraine.
The Ukraine? I live in the US. Well, my computer is working fine now. Thanks everyone for the help.
Intentional deletion.
Yes, which is why it was suspicious having a DNS server in the Ukraine when you are in the USA, and the reason for all the blocking: the DNS server redirect (to the Ukraine) blocked security sites.
Thankfully everything is now fine.