Malware "Your flash player may be out of date..."

Attempting to browse to one of the many sites produces a message box informing that I must update my “Flash Player Pro” with a fake Adobe Flashplayer logo and a fake “TRUSTe” badge (it’s supposed to be a link but it’s just an image). Until I have fixed the problem, I can’t access any of these sites. Which means I have no search engine or social networks (and it’s the pits that I can’t get to my calendar, my phone system or my GMail but that’s a personal problem :stuck_out_tongue: )

OS: Windows 7.

Browsers: Chrome. Firefox. Internet Explorer.

Sites affected (not the sites, but these are the targeted ones): Any Google site (all services including Search, YouTube, GMail, Voice etc), any Yahoo, any Bing, any Facebook (and I’m guessing any social networking site).

So if you have this problem, you’re blocked from many obvious sites you could see if anyone else had the problem - hence I’m here at the source!

First of all I can browse normally to most sites other than those listed - I’m here aren’t I? :slight_smile:

Here’s what happens when I attempt to browse to one of the many sites it seems to affect:

  • First of all a message box comes up in the browser (any browser listed) - see the first attachment.

Clearing or clicking OK produces a “webpage” (presumably from somewhere in a file on my computer) without changing the location in the address bar so that it looks like I am getting this from Google or wherever even though I am not.

When I booted my computer, I noticed that avast! was disabled so I suspected a Run, Runonce or Rootkit. But at no stage did I get a warning from avast! which really surprises me.

I did a quick scan with avast! which threw up nothing. As avast! was running before the boot, it obviously failed to pick up whatever gave this to me :frowning:

I got someone to do some searches and came up with a long list of solutions. The ones I have tried so far are:


  1. Quick scan by avast! mentioned above. Nothing found.

  2. Tried different browsers and sites. Problem persisted.

  3. Checked the things listed below in normal mode.

  4. Windows System Restore to a few days earlier. No change.

  5. Reboot to safe mode and:

(a) Check Internet options - Connections - LAN - proxy setting check box clear.
(b) Run Kaspersky Labs tdsskiller. Nothing found.
(c) Run Malware Bytes AntiMalware (mbam). A few keys and files found so I quarantined them.
(d) Check Chrome extensions for anything I don’t recognise. Nothing found.
(e) Windows Control Panel - Programs and Features - Sort list by recent date and check for unintended software. Nothing found.
(f) Regedit, check the HKCM - … - Windows - Current Version - Run and Runonce for anything unusual. Nothing found.

  6. Reboot. Check the non-scan ones. Nothing found.

Apart from the one “disabling” on a reboot when I first found this, avast! has been running with default settings.


I’m stumped. If avast! doesn’t notice it getting on my PC and if I can’t find a trace of it, how do I fix it? Yes, I know we’d love to know where it came from, but I need to get re-connected to the sites I can’t reach!

Any ideas? Anyone had this and solved it or is this a re-incarnation of an earlier rootkit that avast doesn’t find?

PLEASE HELP!!! :cry:

(By the way, I should have mentioned the rather obvious typo in whatever this thing is… the “Unistall”)

Being unable to search for a solution makes this quite hard to solve so I’m hoping someone in the avast! community or even devs can come up with an explanation if not a solution!

follow instructions here and attach OTL diagnostic logs http://forum.avast.com/index.php?topic=53253.0

Thanks Pondus.

Done - files attached.

This may be an infected router

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1829667081-1669320110-4033323133-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://search.babylon.com/?babsrc= [Binary data over 200 bytes]
IE - HKU\S-1-5-21-1829667081-1669320110-4033323133-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=101067&mntrId=2c68e383000000000000701a04160352
IE - HKU\S-1-5-21-1829667081-1669320110-4033323133-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&sr=0&q={searchTerms}
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
[2011/12/22 22:53:26 | 000,000,000 | ---D | M] -- C:\Users\briton\AppData\Roaming\Babylon

:Files
netsh advfirewall reset /c
netsh advfirewall set allprofiles state ON /c
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks again. I ran OTL in the way you said. Logfile attached.

(At that time I wasn’t home so the laptop wasn’t connected to my normal router.)

On return home, I found that I could reach Facebook and GMail so I could get the news out how to contact me.

Followed your instructions with AdwCleaner. “Scan” produced several lists of things to clean (I presume PUP items) so I didn’t clear any checkboxes before hitting “Clean”.

After reboot, no files opened, but I found two in C:\AdwareCleaner\

I’ve attached those. I’ve also attached the AdwCleaner Quarantine.txt file.

After the reboot when I started Chrome to browse here, I got a message that my Chrome preferences were not available and indeed they aren’t loaded.

Now I can’t have the malware problem again since that reboot.

Sorry, but I’m slightly worse off even though just before the end I managed to make contact with the world. Incidentally, today while I was out I met someone who has exactly the same problem on their computer at home.

Three questions:

  1. If it might be an infected router, why don’t I just remove it from the phone line and LAN, reset it to factory settings manually and then set it up again with a direct connection to my laptop? After disconnecting, but before connecting it direct to the laptop, I could redo the steps in your last post. It just seems quicker to do that than to

  2. Should I repeat the instructions in your last post except with the laptop connected to my home router?

  3. Once all this is done, is there a way to get my Chrome preferences back?

Thanks.

Are you still getting the flash update popup ?

If so then go ahead and reset the router to factory

For Chrome defaults

  1. Create a backup copy of your browser user profile. Go to the Windows Start button > Run > enter the following:

◦Windows XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\

◦Windows Vista/ Windows 7: %LOCALAPPDATA%\Google\Chrome\User Data\

  2. After you have created a backup copy of the User Data folder, you can remove the Web Data and Web Data-journal files from the User Data folder in step 1 above.
  3. Exit Chrome (wrench > Exit), and restart Chrome.

Thanks Essex. You guys are great.

"Are you still getting the flash update popup ? " Yes

“If so then go ahead and reset the router to factory”

Did that (several times) and it didn’t solve anything.

By the way, the Router Firewall has always been active and its admin has always been password protected. Immediately after setting up and factory resets I change that password.

One point about the last scans by OTL. Windows threw up an error message that there was a critical error and it said it would reboot in one minute without chance of postponing. I assumed that was the reboot you mentioned.

How long would that OTL Run Fix be expected to take? Is it a matter of several hours?

Switched the router. I can now get to GMail and other google service, YouTube, Yahoo, Bing, Facebook etc etc.

My new tab is Google and that comes up fine. Searches at Google via the browser bar in Chrome work fine.

When I browsed to www.google.com I got the Flash Player Pro thing again… however when I cleared the first four items in the browsing data “from the beginning of time” (that’s Browsing history, Download history, Cookies and other site and plug-in data, and Cached images and files) the problem went away.

I thought I’d post this before attempting the other router as it may take me a while to get back here if the problem persists in that router, but enquiring minds will want to know! Be back later with the result.

Hello Briton, I have been investigating this problem as well.
What router did you use? Can you share some additional information?
If memory serves, mine was a TP-link TD8840-T. I’m trying to understand how exactly this router has been compromised.
Also, for the purpose of easier google hits, it was pulling 128.199.225.64 as primary DNS server. Reported to be located in Singapore.

Yes Max it’s a TP-Link TD8840T wired modem/router. I hadn’t used it for a while as it’s 10/100 and I use 1000 on the LAN, but I had to return the main router so I reverted to it.

The DNS is obtained automatically from my ISP so I’m not sure how that would get changed, but I have to admit that networking isn’t anywhere close to my strong suit!

I haven’t got round to switching back to that router to test it. I’ll check the DNS if I get the problem again when I do.

(I have found two friends with different ISPs both using wireless modems (so not that model) who have told me they’ve got the same problem but as I haven’t seen their devices I have no idea whether they really are or whether they are just confused by Adobe genuinely telling them they need to update.)

Re Adobe Flash Updates: See this link for off-line Adobe Flash Installer http://www.adobe.com/products/flashplayer/distribution3.html

Anytime you see a request to upgrade, check here. BTW, using an offline installer is always safer as long as it is known to be at the Adobe website.

Personally, only use Google Chrome to view streaming video as that comes with an up-to-date Flash player and do not have either IE or FF running flash.

Thanks mchain. In fact this has nothing to do with “Adobe” anything. Neither does it have to do with Chrome browser as it affects all browsers.

It appears to be a router infection. Some evidence suggests it modifies the ISP set by the ISP when the modem connects to DSL. So far I haven’t found any evidence that it actually did anything and I am hoping that one of the many protections in the computer would have caught it if it did. It just provided a rogue DNS so traffic to certain sites was diverted to rogue sites. So far, we’ve only had one model of router reporting this. (We haven’t identified anything much yet, but that’s the suspicion.)

Personally, I rely mostly on the avast! software updater which, with a few early glitches that were sorted out soon after release, has turned out to be really good! At least one of the Adobe updaters always fails to update despite downloading the file and running it. Good old avast!
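Max's post above reports the compromised router handing out 128.199.225.64 as primary DNS, and Briton's reply describes the effect: a rogue resolver diverting traffic for certain sites to a fake page. The quickest way to confirm that on an affected Windows machine is to look at which resolvers DHCP actually gave the PC and compare them with the ones you expect. The script below is an added example, not code from the thread or from any of the tools mentioned in it; it parses `ipconfig /all` output and flags any public resolver that is not in an allowlist. The `ipconfig` text is constructed to mimic the symptom (it includes the address Max reported), and the allowlist `EXPECTED_RESOLVERS` is an assumption you replace with your ISP's or your own resolver addresses.

```python
"""Flag rogue DNS servers in `ipconfig /all` output (added example).

Run without arguments to audit the constructed sample below, or with
--live on a Windows host to audit the real `ipconfig /all` output.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample modelled on Windows 7 `ipconfig /all` output. The first
# DNS entry is the address reported in the thread; the second is the router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Example PCIe GBE Family Controller
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 128.199.225.64
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumed allowlist: the resolvers you expect your router/ISP to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "DNS Servers . . . : <first address>", then extra addresses on deeply
# indented continuation lines with no field name.
DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_LINE = re.compile(r"^\s{30,}(\S+)\s*$")


def parse_dns_servers(text):
    """Return every DNS server address listed in ipconfig /all output."""
    servers = []
    in_dns = False
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            c = CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns = False  # any other line ends the DNS Servers field
    return servers


def classify(servers, expected=EXPECTED_RESOLVERS):
    """Label each resolver: expected, private-but-unlisted, suspicious, or unparseable."""
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            findings.append((s, "unparseable"))
            continue
        if s in expected:
            findings.append((s, "expected"))
        elif ip.is_private or ip.is_link_local:
            findings.append((s, "private-not-in-allowlist"))
        else:
            # A public resolver you did not configure is the rogue-DNS signature.
            findings.append((s, "SUSPICIOUS: public resolver not in allowlist"))
    return findings


def audit(text, expected=EXPECTED_RESOLVERS):
    """Return only the suspicious resolvers found in the given ipconfig text."""
    return [f for f in classify(parse_dns_servers(text), expected)
            if f[1].startswith("SUSPICIOUS")]


def main():
    if "--live" in sys.argv:
        text = subprocess.run(["ipconfig", "/all"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for server, verdict in classify(parse_dns_servers(text)):
        print(f"{server:20} {verdict}")


if __name__ == "__main__":
    main()
```

A suspicious hit on the PC means the router (or the DHCP server, whichever hands out the lease) is the thing to inspect and reset, which matches the outcome in this thread; a clean result on the PC while the problem persists points at the router's own upstream DNS setting on its WAN page instead, which this script cannot see.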

True.

It is a bait-and-switch attack that will lead to a malware infection, using a fake adobe download notice, a much more common tactic than one might think.

That the root cause is an infected router (fixable by downloading the latest firmware that fixes security holes and bugs in the prior version), is not to disprove that was or is not the cause. Information was provided above for others who may be following this thread and who may not be aware of this tactic.

They can now check to see if there is indeed a newer version of Adobe Flash, using the link provided above, and can safely ignore the malicious warning if there is no newer version. Never click on something just because it says to do so. Suspicion is how you found the infected router, so…