Flash update virus

stevenjcane
I am getting a fake Flash warning on my brand new Win7 64 systems.

"Attention! Your current version of adobe Flash player is outdated! Your computer is vulnerable to malware now. Update your adobe Flash player now."

Then it will try to download the file "Install_flashplayer_12_x32_64_msaa.aax_latest.exe".
This appears as a popup on an otherwise clean computer (brand new).

It has to be coming in over the LAN, but I need to know where from. I have run many anti-malware and antivirus programs; I don't see how a new computer with MS Intune is getting this popup.
Thanks for your time.
PS: I have run Rkill, Malwarebytes, ComboFix, TDSSKiller, JRT, MS Offline Defender, and maybe a few others I don't remember. It keeps getting the popup when on the internet.
Thanks
Commented:
Why would you say it's fake? Where does the download come from (which server?)?
Download the app, burn the CD, boot from it, start the scanner, let it download the latest definition file and run the full scan overnight. It's free and works very well. You can move the CD to any PC and run it as needed.

I tried it last week and was surprised at what it found. It works great!

http://www.comodo.com/business-security/network-protection/rescue-disk.php
Tell us if you have any of these in Programs and Features:

Windows key + R

Type: appwiz.cpl and press ENTER

Look for these programs and uninstall them

    DefaultTab
    DownloadTerms
    LessTabs
    TidyNetwork.com
    WebCake
    and any other recently installed application

Plus check the "add-ons" in your Internet browsers and remove them as well.

Author

Commented:
It's fake because all the scanners I ran say it's a virus. I have updated Flash to ver 13 anyway.

Author

Commented:
No extra programs. This is a brand new computer, no web browsing, just joined the domain. Not a drive-by download, not a phishing site.
Top Expert 2013

Commented:
Could you restore your computer to an earlier point, then?

[Recommended way: Boot up into safe mode with command prompt and type rstrui.exe to restore.]

Also, you could try going to the Adobe site and installing Flash Player from there:

http://get.adobe.com/flashplayer/

Author

Commented:
This is a BRAND NEW computer, no restore points, already updated to Flash 13.
Top Expert 2013

Commented:
Boot up to safe mode with networking and try. Does the same problem happen?

Could you provide any more details?
Top Expert 2013

Commented:
stevenjcane--
Are you still getting the warning popup now that you have installed Flash Player 13? What does Control Panel | Programs and Features indicate as the installed version of Flash?

Author

Commented:
Control Panel shows 13.0.0.206.
Seems to happen most often when going to google.com while using IE 10.
Have moved to another network; on first boot I went to google.com and got the popup.
Ran Malwarebytes and got no errors.
Deleted reg entries with "IFlashBroker5" entries (as these showed as locked for everyone).
Have been randomly surfing with both IE and Chrome; so far nothing bad. Will keep surfing and rebooting.
Crossing fingers.

Author

Commented:
Just as a point of procedure, I had done all updates offsite before delivering the computers to the client: did all updates, installed Flash, installed Reader, installed Microsoft Intune.
I had thought installing Intune (full paid subscription) would stop any of this nonsense.

Got the popup for Flash when IE was open; it is happening on an irregular basis. Sometimes I can X out of the popup window and continue; sometimes it goes to what sure looks like the official Adobe site and auto-downloads the file referenced in the opening post.

I look like a bumpkin to my client. Can't make any headway. No other posts with my exact systems.
Not phishing, no rootkits found, WTF

Author

Commented:
Screenshot of the popup (attached image: "Fake Flash Popup")

Author

Commented:
After closing the popup, this is the next site to appear (attached image: "2nd site to open")

Commented:
Did it happen after you delivered the computer, while you were working on it? Or did it happen a few days after you delivered them? Do any of the users have admin rights?
Was the firewall down at any time during the first installations and updates, or did you use IE to browse websites? Did you install any programs while you were at the customer's site?
Did you run the antivirus scan from the rescue CD I suggested above? If so, did it find the virus? Any feedback?

Author

Commented:
Hi TG-TIS, yes, I ran the Comodo disk; nothing found. Downloaded the update and am running it now.
We were having the same problem on the network before I installed the new Win7 computers.
The users have admin rights on the local computers. It is part of a domain. Windows Firewall was, and still is, up.
Top Expert 2013

Commented:
Your PC is infected. How? I don't know. Please use a stand-alone boot up CD (from any reputable antivirus vendor) and scan with it.

Also, before you do that, scan your PC with TDSSKiller from:

http://www.bleepingcomputer.com/download/tdsskiller/

Author

Commented:
Upgrade IE to 11, make sure only Java 7 is installed.
Seems to only happen now when using IE and going to google.com, and then not every time.
Remove Google as search provider.

Seems like something in the stack got changed; when it sees www.google.com it somehow kicks me to the first screenshot. The address bar (which I didn't get in the shot) shows google.com.

Author

Commented:
aadih, already did so; nothing found. Offline with Comodo and Microsoft Offline Defender.
Ran several rootkit removers including TDSSKiller. No joy.

Author

Commented:
OK, it seems as though the bad download has been stopped/removed.
Now the only thing bad is that I can no longer use www.google.com with IE; it goes directly to the popup as in the first screenshot.
Can use Bing or other sites, just not Google. What and where could create this behavior?
Hosts file is blank.
Top Expert 2013

Commented:
[Does the same thing happen from safe mode with networking?]

What add-ons have you installed? Toolbars? Disable them all.

Scan with AdwCleaner:

http://www.bleepingcomputer.com/download/adwcleaner/

Author

Commented:
AdwCleaner shows nothing, no toolbars, no add-ons.

Author

Commented:
OK, safe mode is working correctly. Any ideas?
Top Expert 2013

Commented:
Certainly some program or service is the cause.

You may try selective startup to diagnose.

http://windows.microsoft.com/en-us/windows/run-selective-startup-system-configuration#1TC=windows-7

or using msconfig.

Author

Commented:
aadih-
OK, good idea. Am tinkering now.
Trouble was a hacked router; replaced it and everything is fine.
Top Expert 2013

Commented:
Great. You solved the problem. :-)

Author

Commented:
Was not a virus as such; bad router. After elimination of everything else, replacing the router cleared everything up.
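The thread ends with a hacked router as the cause, which is consistent with every on-host scanner coming back clean: the redirection to the fake Flash page lived in the network path, not on the PC. The script below is an added example, not code from this thread or from any of the tools the posters used, showing the three checks a technician could run on a Windows client before swapping hardware. It assumes the usual mechanism for this symptom, a router handing out a rogue DNS server over DHCP or answering DNS itself, which the thread does not confirm. All inputs (the `ipconfig /all` excerpt, the hosts files, the resolver answers) are constructed sample data; `TRUSTED_DNS` is a placeholder allowlist an admin would fill in with the domain's real resolvers, and the TEST-NET addresses stand in for whatever the attacker used.

```python
"""Checks a Windows client's name-resolution path for signs of a hijacked
router: rogue DNS servers, hosts-file overrides, and a resolver whose
answers differ from a trusted one. Added example; all data is constructed."""
import re
import ipaddress

# Constructed `ipconfig /all` excerpt (not from the poster's machine). The
# second DNS server is an address the router pushed that is not ours.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.0.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the resolvers the domain actually runs; fill in your own.
TRUSTED_DNS = {"10.0.0.10", "10.0.0.11"}

# Two constructed hosts files: one clean (as the poster reported), one with
# an override for google added to show what the check would catch.
HOSTS_CLEAN = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
"""
HOSTS_OVERRIDE = HOSTS_CLEAN + "203.0.113.7    www.google.com google.com\n"

WATCHED_HOSTS = {"www.google.com", "google.com"}

_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
_CONT_LINE = re.compile(r"^\s+(\S+)\s*$")  # indented bare value, no label


def parse_dns_servers(ipconfig_text):
    """Return the DNS servers listed by `ipconfig /all`, including the
    indented continuation lines Windows prints for the second and later
    servers (the easy one to miss when reading the output by eye)."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            c = _CONT_LINE.match(line)
            if c and ":" not in line:
                servers.append(c.group(1))
                continue
            in_dns = False
    return servers


def untrusted_dns_servers(ipconfig_text, trusted=TRUSTED_DNS):
    """DNS servers in use that are not on the allowlist. A compromised
    router typically injects such an address through DHCP."""
    flagged = []
    for s in parse_dns_servers(ipconfig_text):
        try:
            ip = ipaddress.ip_address(s.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an address; ignore
        if str(ip) not in trusted:
            flagged.append(str(ip))
    return flagged


def hosts_overrides(hosts_text, watched=WATCHED_HOSTS):
    """Map each watched hostname to the address a hosts file pins it to.
    An empty result means the file does not redirect those names."""
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            if n.lower() in watched:
                found[n.lower()] = addr
    return found


def resolution_mismatches(local_answers, trusted_answers):
    """Names whose answer from the client's resolver differs from a trusted
    resolver's answer (name -> set of addresses). In practice the trusted
    set comes from querying a resolver you control directly, e.g.
    `nslookup www.google.com 10.0.0.10`, bypassing the router."""
    return sorted(n for n in trusted_answers
                  if local_answers.get(n) != trusted_answers[n])


# Constructed answers: the client's resolver sends google to the same
# TEST-NET address that served the fake page; the trusted one does not.
LOCAL_ANSWERS = {"www.google.com": {"203.0.113.7"}, "www.bing.com": {"198.51.100.8"}}
TRUSTED_ANSWERS = {"www.google.com": {"198.51.100.20"}, "www.bing.com": {"198.51.100.8"}}


def audit(ipconfig_text=SAMPLE_IPCONFIG, hosts_text=HOSTS_CLEAN,
          local=LOCAL_ANSWERS, trusted=TRUSTED_ANSWERS):
    """Run all three checks and return one report dict."""
    return {
        "untrusted_dns": untrusted_dns_servers(ipconfig_text),
        "hosts_overrides": hosts_overrides(hosts_text),
        "mismatched_names": resolution_mismatches(local, trusted),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The pattern the report exposes matches the thread: a blank hosts file and a clean machine, yet one name resolving to an address the trusted resolver never returns. Run the same checks from a second client on the same LAN; if both show the same rogue server or the same mismatch, the router or its DHCP/DNS configuration is the place to look rather than the endpoints.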
