Virused!

May. 9th, 2012 05:01 am

My security sucks lately. First my own negligence allowed spambots to walk into a website of mine, and now I've allowed a virus onto my computer.

The virus calls itself "Adobe Flash Updater". Symptom: A screen sometimes appears on startup telling me that there is an updated version of Adobe Flash and I should download it.

I only allow a very few items and services to run at startup, and Adobe Flash Player is not one of them. The updater is not in startup. It is not a service. It is not a scheduled task. It is not in HKLM/Windows/CurrentVersion/Run*. It is not listed in msconfig. Even Sysinternals Autoruns does not see it. The Flash updater is installed in a way that hides it very well from administrators.

Threats:

  • Unknown software is being run on my computer without my permission.
  • The process which loads the software is invisible to the usual Windows tools and startup-checking procedures.
  • The software is communicating with another host on the Internet. Since it runs at startup and outside of my control, I cannot tell what information it is sending.
  • Since the software cannot be identified, it is not known what access rights it has.

There is an "AdobeUpdater" folder under HKCU/Microsoft/Windows/CurrentVersion/Run, but it is empty and has no information in it that can be linked to a program. There is no other match for "AdobeUpdater" in the Registry, and there are no files in the Windows directory containing the text "AdobeUpdater". An unknown process reinstalls the AdobeUpdater folder after it is deleted.

The first time this happened, I killed the process before capturing its name and I destroyed enough of the registry to prevent Firefox or Safari from loading. This also seemed to have stopped the virus from reappearing until I reinstalled Safari. On the next reboot, the virus came back and I was able to identify it as FlashUtil10v_Plugin.exe even though the virus window tried to display over Task Manager.

No file in the \windows directory contains this name other than the virus itself, nor does any file contain the name in u.n.i.c.o.d.e 16-bit encoding. There was nothing in Program Files either. Its presence in the registry includes a record of my searching for it, a MUICache entry that resulted from it being run, and an uninstaller path.

I cannot find any entry point that would actually run the program. Will update this post if I do...


Update 2012/05/16: Explanation found: The Flash updater is added to RunOnce and this startup entry is deleted when the updater runs. So what adds it? It is probably added whenever the Flash plugin runs in a browser. The day before the most recent occurrence, I had just enabled "plugins" in Opera to attempt to run the NotScripts extension (a NoScript knockoff) on a page where I wanted to run JavaScript. Earlier instances of the problem could have been caused by running freshly-installed Safari before turning off its plugins.
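
The following is an added example (my code, not the author's) that turns the three pieces of the investigation above into something repeatable: the startup-location check at the top of the post, the search for a name in both its 8-bit and its UTF-16 spelling, and the RunOnce behaviour described in this update. Windows deletes a RunOnce value when it executes it, so any single check taken after boot (Autoruns included) can miss it; the script therefore snapshots the Run and RunOnce keys so that two snapshots taken while a browser plugin is running can be diffed. The key list, the 64 MiB file-size cap and the default search name are my assumptions; the registry part uses the standard-library winreg module and simply returns nothing when run off Windows.

```python
"""Added example, not from the original post: snapshot Run/RunOnce autostart
keys and grep a directory tree for a name in 8-bit and UTF-16LE encodings."""
import os
import re
import sys
from pathlib import Path

# Assumed list of autostart keys to watch. Windows deletes a RunOnce value as
# soon as it runs it, so a one-shot check after boot will not show it; the
# Wow6432Node keys are where 32-bit installers land on 64-bit Windows.
AUTORUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def snapshot_autoruns():
    """Return {(hive, subkey): {value_name: data}} for every key in
    AUTORUN_KEYS. Needs winreg, so it returns {} when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey, 0,
                                 winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:          # key absent or not readable: skip it
            continue
        with key:
            values, i = {}, 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, i)
                except OSError:  # no more values under this key
                    break
                values[name] = data
                i += 1
        snapshot[(hive, subkey)] = values
    return snapshot


def diff_autoruns(before, after):
    """Return [(hive, subkey, value_name, data)] for values that appeared or
    changed between two snapshots. Poll snapshot_autoruns() in a loop while
    exercising the browser plugin and diff consecutive snapshots to catch a
    RunOnce entry before the next boot consumes it."""
    changes = []
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if old.get(name) != data:
                changes.append((key[0], key[1], name, data))
    return changes


def name_patterns(name):
    """Case-insensitive byte patterns for NAME as 8-bit text and as UTF-16LE,
    the encoding Windows uses for wide strings in binaries and registry data
    (every ASCII letter followed by a NUL byte)."""
    return {
        "8bit": re.compile(re.escape(name.encode("utf-8")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE),
    }


def match_encodings(data, name):
    """List the encodings (from name_patterns) in which NAME occurs in DATA."""
    return [enc for enc, pat in name_patterns(name).items() if pat.search(data)]


def grep_name(root, name, max_bytes=64 * 1024 * 1024):
    """Walk ROOT and return {path: [encodings matched]} for files containing
    NAME in either encoding. Unreadable or oversized files are skipped."""
    hits = {}
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        matched = match_encodings(data, name)
        if matched:
            hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    # Usage: python autorun_check.py [name] [root]; defaults are assumptions.
    target = sys.argv[1] if len(sys.argv) > 1 else "FlashUtil10v_Plugin.exe"
    root = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("SystemRoot", ".")
    for path, encs in sorted(grep_name(root, target).items()):
        print(path, ",".join(encs))
    for (hive, subkey), values in snapshot_autoruns().items():
        for value_name, data in values.items():
            print(f"{hive}\\{subkey}\\{value_name} = {data!r}")
```

Searching for the UTF-16LE form matters because a plain text search for "FlashUtil10v_Plugin.exe" will not find the same string stored as F\0l\0a\0s\0h\0..., which is how wide-character Windows binaries and REG_SZ data carry it.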

Opera's plugins folder is empty on my system. According to about:plugins, Opera pokes around other places on your file system to find plugins. Weird.
