My security sucks lately. First my own negligence allowed spambots to walk into a website of mine, and now I've allowed a virus onto my computer.
The virus calls itself "Adobe Flash Updater". Symptom: A screen sometimes appears on startup telling me that there is an updated version of Adobe Flash and I should download it.
I only allow a very few items and services to run at startup, and Adobe Flash Player is not one of them. The updater is not in startup. It is not a service. It is not a scheduled task. It is not in HKLM/Windows/CurrentVersion/Run*. It is not listed in msconfig. Even Sysinternals Autoruns does not see it. The Flash updater is installed in a way that hides it very well from administrators.
- Unknown software is being run on my computer without my permission.
- The process which loads the software is invisible to the usual Windows tools and startup-checking procedures.
- The software is communicating with another host on the Internet. Since it runs at startup and outside of my control, I cannot tell what information it is sending.
- Since the software cannot be identified, it is not known what access rights it has.
There is an "AdobeUpdater" folder under HKCU/Microsoft/Windows/CurrentVersion/
The first time this happened, I killed the process before capturing its name and I destroyed enough of the registry to prevent Firefox or Safari from loading. This also seemed to have stopped the virus from reappearing until I reinstalled Safari. On the next reboot, the virus came back and I was able to identify it as FlashUtil10v_Plugin.exe even though the virus window tried to display over Task Manager.
No file in the \windows directory contains this name other than the virus itself, nor does any file contain the name in u.n.i.c.o.d.e 16-bit encoding. There was nothing in Program Files either. Its presence in the registry includes a record of my searching for it, a MUICache entry that resulted from it being run, and an uninstaller path.
I cannot find any entry point that would actually run the program. Will update this post if I do...
Opera's plugins folder is empty on my system. According to about:plugins, Opera pokes around other places on your file system to find plugins. Weird.
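As an added example, not part of the original post: a PowerShell sweep of the autostart locations walked through above (Run keys in both hives, services, scheduled tasks), the registry traces mentioned later (the AdobeUpdater key, MUICache, uninstaller entries), and HKLM\Software\MozillaPlugins, which NPAPI browsers such as Firefox and Opera read to locate plugins outside their own plugins folder. The search name, the exact AdobeUpdater key path and the MUICache paths are assumptions; run it from an elevated session.

```powershell
# Added example, not from the original post: sweep autostart locations and
# registry traces discussed in the post for a given executable name.
# Assumptions: the AdobeUpdater key path and the two MUICache paths below.
# Get-CimInstance / Get-ScheduledTask need PowerShell 3+ (use schtasks /query /v on older hosts).
function Find-AutostartTrace {
    param([string]$Pattern = 'FlashUtil10v_Plugin')   # name from the post; substitute as needed
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Run/RunOnce keys under both hives (the post only mentions HKLM).
    $runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($leaf in 'Run', 'RunOnce') { "$hive\Software\Microsoft\Windows\CurrentVersion\$leaf" }
    }
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.Property) {
            $val = [string]$item.GetValue($name)
            if ($val -match $Pattern) { $hits.Add("$k\$name = $val") }
        }
    }

    # 2. Services and scheduled tasks, matched on what they actually execute.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $Pattern } |
        ForEach-Object { $hits.Add("Service $($_.Name): $($_.PathName)") }
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
                $hits.Add("Task $($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)")
            }
        }
    }

    # 3. Registry traces the post found (AdobeUpdater key, MUICache, uninstaller path) plus
    #    HKLM\Software\MozillaPlugins, which NPAPI browsers consult to find plugins.
    $traceKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdobeUpdater',   # assumed path
                 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',          # XP-era location
                 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\Software\MozillaPlugins'
    foreach ($k in $traceKeys) {
        if (-not (Test-Path $k)) { continue }
        $keys = @(Get-Item $k) + @(Get-ChildItem $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $keys) {
            foreach ($name in $item.Property) {
                $val = [string]$item.GetValue($name)
                if ("$($item.Name) $name $val" -match $Pattern) { $hits.Add("$($item.Name)\$name = $val") }
            }
        }
    }
    return $hits
}

Find-AutostartTrace | ForEach-Object { Write-Output $_ }
```

A hit under MozillaPlugins or Uninstall with nothing under Run, services or tasks is consistent with a program started by the browser when its plugin loads rather than by Windows at boot.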