Participant
August 31, 2016
Question

Legitimate upgrade?

  • August 31, 2016
  • 3 replies
  • 2801 views

I keep receiving a request to upgrade my W10 FlashPlayer with a file called FlashPlayer.hta. Two things make me suspicious. First, I only receive this request when logged into Yahoo. Secondly, when I test my system it appears FlashPlayer is working.

Does anyone know about this FlashPlayer.hta upgrade?

Is it legitimate?

    This topic has been closed for replies.

    3 replies

    Participant
    November 1, 2016

    I forgot to include the latest screenshot... sorry.

    jeromiec83223024
    Inspiring
    November 2, 2016

    No worries, thanks for the heads-up.

    We work with an external company that issues takedown requests for stuff like this, but they generally require both a screenshot and the full URL. There's a lot of stuff going on under the hood to make it difficult to get the remote site to attempt to deliver that payload, so having the fully intact string with all of the tokens can be very helpful (in the event that you can get to it). We're always happy to forward these things on for follow-up, but it's a persistent game of whack-a-mole.

    The other thing that you can do if you want to be proactive in protecting the community is to upload the payload to virustotal.com. While the payload might not get flagged immediately by existing signatures, there are researchers on the backend that flag and evaluate new samples that look suspicious. Simply uploading suspicious payloads can help to burn them (at least for people running any reasonable virus scanner), as long as you can confidently do that without infecting yourself in the process.
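    A practical way to act on the advice above without ever opening the file: an .hta file is an HTML Application, which Windows runs through mshta.exe with the privileges of the logged-in user, so it should be inventoried and hashed rather than double-clicked. The PowerShell snippet below is an added example written for this thread, not code from Adobe or from any poster. It lists every .hta file under the Downloads folder with its SHA-256 hash, which can then be searched on virustotal.com without uploading anything; it assumes the default Downloads location under the user profile.

```powershell
# Added example (not from the original thread): inventory .hta files in the
# Downloads folder and print their SHA-256 hashes so they can be looked up on
# virustotal.com by hash without running them. Path is an assumption; adjust.
$downloads = Join-Path $env:USERPROFILE 'Downloads'

$findings = Get-ChildItem -Path $downloads -Filter '*.hta' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [PSCustomObject]@{
            Name     = $_.Name
            SizeKB   = [math]::Round($_.Length / 1KB, 1)
            Modified = $_.LastWriteTime
            SHA256   = $hash
        }
    }

if ($null -eq $findings) {
    Write-Host "No .hta files found under $downloads"
} else {
    # Show the inventory; copy the SHA256 value into the VirusTotal search box.
    $findings | Format-Table -AutoSize
}
```

Searching by hash tells you whether anyone has already submitted that exact file; if the hash is unknown, that is the point at which uploading (as suggested above) adds value for others. Reading or hashing the file never executes it; only opening it with mshta.exe does.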

    Participant
    November 19, 2016

    Hi Again.

    Yesterday, I had just logged on to my PC, my homepage as usual, and then a moment later looked up and there was yet another bogus Flash Player redirect. As in the past, I took a screenshot and saved it. I looked at the URL in the address bar and noted that beyond the .com there was the long set of letters, numbers, etc. Unfortunately, since the 'bogus' Internet Explorer box in the center of the screen is there just waiting to snag you into hitting anything (I do not hit the "X" or "close"), I could not move the cursor so that I could try and see the entire line of characters in the URL bar. I did what I have in the past. I shut down via Task Manager and ran only Malwarebytes, but as usual nothing ever comes up. So, after working with someone at bleepingcomputer a few months back and them not finding anything (and I always scan with Malwarebytes and SAS, and Windows Defender is on), I had done a little researching a few weeks ago (probably after the last fake Adobe redirect) and did a little reading on how routers can be affected. I have never had remote access on, do not have the default SSID, and do not have the default password... everything setting-wise appears to be okay. I called my ISP to see if there was anything they could look at. The tech rep seemed to be clueless as to what info I wanted to verify, had me "reset" the modem while on the call, said that everything should be fine... including with my wifi router, and asked if I was still getting a redirect. I told the rep that it doesn't happen every day nor every week, so even with the measures just performed, there would still be no way of knowing the status until or unless it happened again.

    Looking back at your response, I hope you can clarify something for me. (Keep in mind, I am just an average user... not extremely tech savvy.) What do you mean by "payload?" That is a term I am vaguely familiar with by looking up the definition, but I can't figure out how I could obtain that info. I thought perhaps it does have to do with getting the full URL, but again, I am not sure how I can do that without being able to move my cursor 'safely'. Is there any other way that I can get the full URL?

    And you mention "(at least for people running any reasonable virus scanner)". I'm not sure what you mean by this. Are you referring to what a user utilizes on their systems... such as my using Windows Defender (or Windows Security Essentials) and running on-demand SAS & Malwarebytes scans every week or so, and at any point I experience any 'odd' or suspicious behavior (the redirects)?

    I know I will have to go back to bleepingcomputer and start all over again. Since I did take a screenshot of yesterday's phony Adobe Flash Player scam, should I still post it here for Adobe's benefit? I am beginning to feel like a pain-in-the-butt as this is the third one.

    Participant
    November 1, 2016

    Although I have had a number of sources help look into any possible malware on my PC, nothing has been found. In fact, I have had someone at bleepingcomputer help. In the meantime, I am looking into my router and even my ISP, as I got another "Adobe" (fake) redirect.

    Although the look is the same, I noted that the URL bar had a different name listed, again another .org. I'm not sure if it is useful to post each one of these. I don't know if the info in the screenshot helps anyone at Adobe. Is there a recommendation as to whom all this info should be reported... Microsoft? My ISP? Any security source that I may not be thinking of?

    In the meantime, I am working to get to the bottom of this, and hopefully will no longer have this problem with any redirects. For now, I thought I would share this in case anyone is getting the same and is not sure if it is a legit page or not. I do not want to see anyone get scammed by these people who make it their mission to fool people.

    Thanks.

    C.S.

    _maria_
    Legend
    August 31, 2016

    From your description it's most likely not legitimate. None of the FP installer file names are FlashPlayer.hta. Posting a screenshot of the notification request is always helpful.

    Participant
    October 2, 2016

    Hi.

    Just today, I ran into the same questionable situation. I was working in one tab of IE and noticed the only other open tab began to flash in a non-typical yellow shade. I also noticed the tab said "Adobe - Adobe Flash..." So I looked at the tab (which should have been my homepage) and there is this Adobe-looking page saying "my Flash Player may be out of date." I thought this highly odd because I remember the security issues in the news about a week/2 weeks(?) ago, and made sure I was up-to-date. What really caught my eye was the address bar contents: https://laeyeadha.org/ followed by an extremely long string of letters & numerals. I knew it had to be a scam. There were instructions on the Adobe-like page... and when it tells you to go to your download folder and locate something "named like "FlashPlayer.hta"", that just was weird... who words it "like", as I would think any vendor would know the name of a particular file, etc. Hopefully the screenshot I took is readable & helpful.

    After I took the screenshot (I paid no attention to the Internet Explorer box options superimposed over the page), I used Task Manager to exit out of IE. I hope this is the correct thing to do, and the other question I really need to know about is: does this mean that something is already on my PC? Obviously my homepage was redirected to this laeyeadha thing when I was in another open tab. So this is where I get a bit concerned, as recently I had some redirects with odd entries in my browser history and someone over at BleepingComputer helped troubleshoot. All seemed fine until this came up today. Should I be looking anywhere to see if there is some malicious file or malware that has been uploaded, or is the scam just in the directions when it stated "To proceed, open you download folder and locate, etc., etc."?

    _maria_
    Legend
    October 3, 2016

    Hi c.s99414826,

    Thanks for posting this. It's definitely not an official Adobe Flash Player download page. We have had numerous reports of this 'FlashPlayer.hta' browser redirect/file in the past couple of months, and I forward each one to our fraud department. I will forward your post and screenshot to our fraud department for follow-up.

    Browser hijacking (the behaviour you describe) does suggest you have some virus or malware on your system. Unfortunately, diagnosing and fixing browser hijacking is beyond the scope of these forums (and my expertise). When it happens on my personal computer I go to sites, such as bleepingcomputer, for assistance.

    --

    Maria