stevenjcane
Flash update virus

Am getting a fake Flash warning on my brand new Win7 64 systems.

"Attention! Your current version of adobe Flash player is outdated! Your computer is vulnerable to malware now. Update your adobe Flash player now."

Then it will try to download the file "Install_flashplayer_12_x32_64_msaa.aax_latest.exe".
This appears as a popup on an otherwise clean computer (brand new).

Has to be coming in over LAN but I need to know where from. Have run many anti-malware & virus programs, don't see how a new computer with MS Intune is getting this pop up.
Thanks for your time,
PS, have run Rkill, Malwarebytes, ComboFix, TDSSKiller, JRT, MS Offline Defender, and maybe a few others I don't remember. Keeps getting the pop up when on the internet.
Thanks
Kimputer

Why would you say it's fake? Where does the download come from (which server?).
Download the app, burn the CD, boot from it, start the scanner, let it download the latest definition file and run the full scan overnight. It's free and works very well. You can move the CD to any PC and run it as needed.

I tried it last week and was surprised at what it found. It works great!

http://www.comodo.com/business-security/network-protection/rescue-disk.php
Tell us whether you have these in Programs and Features

Window key + r

Type: appwiz.cpl and press ENTER

Look for these programs and uninstall them

    DefaultTab
    DownloadTerms
    LessTabs
    TidyNetwork.com
    WebCake
    and any other recently installed application

Plus check "addons" in your Internet browsers and remove them as well.
stevenjcane (asker)

It's fake because all the scanners I ran say it's a virus. I have updated Flash to ver 13 anyway.
No extra programs. This is a brand new computer, no web browsing, just joined domain. Not a drive-by download, not a phishing site.
Could you restore your computer to an earlier point then?

[Recommended way: Boot up into safe mode with command prompt and type rstrui.exe to restore.]

Also you could try going to the adobe site and install the flash player from there:

http://get.adobe.com/flashplayer/
This is a BRAND NEW computer, no restore points, already updated to Flash 13
Boot up to safe mode with networking. And try. Does the same problem happen?

Could you provide any more details?
stevenjcane--
Are you still getting the warning pop-up now that you have installed Flash Player 13? What does Control Panel|Programs and Features indicate as the installed version of Flash?
Control panel is 13.0.0.206
Seems to happen most often when going to google.com while using IE 10.
Have moved to another network, First time booting and went to google.com, got popup.
Ran Malwarebytes, and got no errors.
Deleted reg entries with "IFlashBroker5" entries (as these showed as locked for everyone)
Have been random surfing with both IE and Chrome. So far nothing bad. Will keep surfing and rebooting.
Crossing fingers.
Just as a point of procedure, I had done all updates offsite before delivering computers to client: did all updates, installed Flash, installed Reader, installed Microsoft Intune.
I had thought installing Intune (full paid subscription) would stop any of this nonsense.

Got popup for Flash when IE was open, is happening on an irregular basis. Sometimes I can x out of the popup window and continue, sometimes it goes to what sure looks like the official Adobe site and auto downloads the file referenced in the opening post.

I look like a bumpkin to my client. Can't make any headway. No other posts with my exact systems.
Not phishing, no rootkits found, WTF
Screenshot of popup
After closing popup this is the next site to appear
Did it happen after you delivered the computer, and you were working on it? Or did it happen after a few days you delivered them? Any of the users have admin rights?
Was the firewall down during any time during first installations and updates, or did you use IE to browse websites? Did you install any programs while you were at the customer's site?
Did you run that anti virus scan from the rescue CD I suggested above? If so, did it find the virus? Any feedback?
Hi TG-TIS, yes I ran the Comodo disk, nothing found. Downloaded update and am running now.
We were having the same problem on the network before I installed the new Win7 computers.
The users have Admin rights on the local computers. Is part of a domain. Windows firewall was, and is still up.
Your PC is infected. How? I don't know. Please use a stand-alone boot up CD (from any reputable antivirus vendor) and scan with it.

Also, before you do that, scan your PC with TDSSKiller from:

http://www.bleepingcomputer.com/download/tdsskiller/
Upgrade IE to 11, make sure only Java 7 is installed.
Seems to only happen now when using IE and going to google.com, and then not every time.
Remove google as search provider.

Seems like something in the stack got changed, when it sees www.google.com it somehow kicks me to the first screenshot. The address bar (which I didn't get in the shot) shows google.com
aadih, already did so. Nothing found. Offline with Comodo and Microsoft Offline Defender.
Ran several rootkit removers including TDSSKiller. no joy.
OK, seems as though the bad download has been stopped/removed.
Now the only thing bad is that I can no longer use www.google.com with IE. Goes directly to popup as in first screenshot.
Can use Bing or other sites, just not Google. What and where could create this behavior?
Hosts file is blank.
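A check for the symptom described above (www.google.com redirected while the hosts file is blank), added here as an example and not part of the thread: it asks the router and a public resolver directly for www.google.com and compares the A records, so a router that answers differently from 8.8.8.8 (Google Public DNS) shows up immediately. The 192.168.1.1 router address is a placeholder, and the embedded response is constructed, not captured traffic.

```python
import socket
import struct
def build_query(name, qid):
    # Standard query, recursion desired, one question: <name> A IN
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, no terminator
            return off + 2
        off += 1 + length

def parse_a_records(msg, qid):
    """IPv4 answers from a DNS response; rejects replies that do not match our qid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)

def resolve(name, server, qid=0x1234, timeout=3.0):
    # Ask one server directly over UDP/53, bypassing the OS resolver and hosts file
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)
# Constructed response (not captured traffic): www.google.com -> 192.0.2.10
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
if __name__ == "__main__":  # 192.168.1.1 is a placeholder router address; 8.8.8.8 is Google Public DNS
    for srv in ("192.168.1.1", "8.8.8.8"):
        print(srv, resolve("www.google.com", srv))  # answers that differ mean one side is lying
```

Because the query goes straight to each server, a difference between the two answers points at the device that answered, not at the PC's resolver settings or hosts file.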
[Does the same thing happen from safe mode with networking?]

What addons have you installed? Toolbars?  Disable them all.

Scan with AdwCleaner:

http://www.bleepingcomputer.com/download/adwcleaner/
ADW shows nothing, no toolbars no addons.
OK safe mode is working correctly. Any Ideas?
Certainly some program or service is the cause.

You may try selective startup to diagnose.

http://windows.microsoft.com/en-us/windows/run-selective-startup-system-configuration#1TC=windows-7

or using msconfig.
aadih-
OK, good idea. Am tinkering now.
ASKER CERTIFIED SOLUTION
stevenjcane (asker)

Was not a virus as such: bad router. After elimination of everything else, replacing the router cleared everything up.

Great. You solved the problem. :-)