I was prompted to update my Adobe Flashplayer on 13 May 2020. I allowed the download, ran a Bitdefender scan on the executable (it was clean), and then permitted the installation (it appeared legitimate); however, I became suspicious as soon as the update completed because the executable file did not disappear from my download directory, as it usually does. I then researched the name, and it is malware. I checked the properties, and it wasn't a system file like usual. The fake file is called flashplayer32au_a_install.exe (I believe the legitimate file is flashplayer32_a_install.exe).
My question for the community is how do I remove this from my system? Is there a fix? I uninstalled Flashplayer, deleted the executable, ran a full system scan with Bitdefender, but there is still malware on my computer. It keeps launching an update process in the background, and I end the task each time it restarts. There are 3 fake folders (as far as I know) that have been created and I can't delete them - a popup asks for admin details to change permissions, but I definitely won't provide anything. Two folders associated with the fake Adobe program appear in the top level of the Program Data directory (I used CCleaner to empty them, but I can't delete the folders) and the third is called Update6 and appears in Program Data / Adobe. I am presently working offline because I think the virus is a browser hijacker adware program. I don't know how to remove the malware and would greatly appreciate some guidance. (lesson learned - in the future I will block Flashplayer). Thank you in advance.
If this is actually malware there is no fix or magic to remove it. The nature of malware is that it is ever-changing, hides itself well, and installs lots of tricks to stay hidden and reinstall itself. There are MANY many different Flash impersonating attacks. Best to wipe the computer and start again.
BUT, check first whether the file is actually legitimate. You can't tell from the name, because fakes use the same name as the real thing. Check the file properties of what you downloaded, look to see if it has a digital signature, and whether it is a real Adobe signature. It's the only way to be sure.
Thanks very much for your reply. I stayed offline for a couple of weeks to check my computer system thoroughly. Unfortunately (or fortunately?) I uninstalled the software immediately and can't comment on the digital signature now; although I did look at the file details before I installed, and nothing struck me as unusual. I haven't had any unusual pop-ups or processes appear on my machine, and I'm inclined to think my machine is clean, and that I incorrectly assumed the executable was invalid. I really appreciate your rapid reply, and apologize for my delayed response. Stay safe during this COVID crisis. Cheers.
When Adobe (or any other software developer) publishes software executables (like installers), they cryptographically sign them.
That signature says two things:
The filenames don't mean anything. Anyone can name a file anything. In the context of Flash Player, there's a distribution team that determines the individual file names. The names change over time, but again, it doesn't really matter because anyone can name a file anything. If I knew the exact filename, the corresponding sha256 hash and the download date, I could probably confirm with the team that it matches what was available at the time, but it's easier to just check the code signature of that file yourself. It's the authoritative data point.
This is a decent explanation of how to do that here:
If you found that you did install something sketchy, there's no good answer. You need to do a gut-check about what you do with the machine, and what your risk tolerance is. If someone logging your keystrokes means that you might lose your retirement savings or your house, probably better to just burn the whole thing down and start fresh. There are plenty of third party clean-up tools, but they require some degree of faith.
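The two replies above (the one recommending a look at the file's digital signature, and the Adobe reply saying the code signature is the authoritative data point) both come down to the same check on Windows. This is an added example, not code from the thread or from Adobe: it verifies the Authenticode signature of a downloaded installer with PowerShell's built-in `Get-AuthenticodeSignature` and records the SHA-256 with `Get-FileHash`. The file path is an assumed location, and the `O=Adobe` match on the certificate subject is an assumption about how Adobe's signing certificate is named; compare the printed Signer field against the publisher you expect.

```powershell
# Added example (not from the thread): verify the Authenticode signature of a
# downloaded installer and record its SHA-256, as the replies above recommend.
# $InstallerPath is an assumed location; point it at the file you downloaded.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\flashplayer32_a_install.exe"
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # SHA-256 of the file: the value the Adobe reply says could be matched
    # against what the distribution team shipped on a given date.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode check. Status is 'Valid' only when the signature verifies
    # and the certificate chains to a trusted root. 'NotSigned',
    # 'HashMismatch' or 'UnknownError' mean the file should not be run.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<none>' }

    # The subject's organisation is what to compare against the publisher you
    # expect; a valid signature from an unexpected publisher is still a red flag.
    # 'O=Adobe' is an assumed pattern for Adobe's signing certificate subject.
    $publisherIsAdobe = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Adobe')

    [pscustomobject]@{
        Path             = $Path
        SHA256           = $hash
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        Signer           = $signer
        Issuer           = $issuer
        PublisherIsAdobe = $publisherIsAdobe
    }
}

Test-InstallerSignature -Path $InstallerPath | Format-List
```

Run it before installing, while the downloaded file is still present: the thread's later posts show that once the installer has been deleted there is nothing left to hash or verify. The file name itself tells you nothing, as the Adobe reply notes; only the Signer and SignatureStatus fields do.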
Thank you so much for your reply. I uninstalled the software shortly after I installed it, so unfortunately I can't give you the sha256 hash. I will however save the link you provided and verify digital signatures in the future. If it still helps, the file was called flashplayer32au_a_install.exe, and the prompt from my installed Flashplayer indicating an update for my flashplayer was available appeared on 13 May 2020. I took a screen shot of the file properties, but not the hash unfortunately. This is what the file indicated:
I went to the official Adobe site afterwards and downloaded flashplayer in order to compare the files - the file name from the Adobe site was flashplayer32_a_install.exe (both this file and the first one that I installed were the exact same file size - there was just a slight difference in the file name: 32au_a versus 32_a ).
I compared the 2 executables' properties under the Security tab. The authentic script from the Adobe website identified the Group or username as "SYSTEM" while the script that downloaded from the software already installed on my computer identified the Group or username as a series of numbers and dashes (as an aside, I just downloaded a CCleaner update after a prompt from the installed version on my computer, and it too identified the Group with a similar series of numbers and dashes. Before installing it, I went to CCleaner and downloaded the latest version to compare, and noted that the Group was identified as "SYSTEM" - everything else about the 2 files was identical. It appears that there may be a difference in group properties when you download a file update using installed software versus downloading directly from the website itself.)
In retrospect, it is possible that the Adobe executable was a valid file - I had my Adobe settings set to prompt me when an update was available, and everything about the prompt, the download and even the installation appeared legitimate. I got concerned when the executable was still present in my downloads folder after I installed it, because in the past, the file always disappeared once the installation was completed. Is the executable supposed to disappear or reside on your computer once installed? I grew more concerned when I googled the script name, and found a site that declared it to be malware - that's what really panicked me. I've monitored all of my processes since, and nothing unusual has appeared. I ran a full system scan with Bitdefender and everything was clean.
The whole experience has made me very nervous, but I think my system might be okay. Thank you so much for taking the time to respond - the link to check digital signatures will be really helpful going forward. Much appreciated.
I got this very same update about 10 minutes ago when I rebooted. It looked exactly like it always does...I have mine set to notify me as well. It popped up the usual window as all my programs were loaded.
Oddly, I had my mind on something else and instead of telling it to download (which I intended) I clicked on the Remind Me Later button. The window disappeared and has not returned. I rebooted again to get it back, but it didn't come up the second time. I play a lot of Facebook games, and most require Flash. Now I'm afraid to let it update!
I am mentioning this in case you missed it, because it is very important. At the end of 2020 Flash Player reaches end-of-life and will be blocked for almost all users. Almost all Flash-based web sites and apps will stop working including many Facebook games. More info from Adobe https://www.adobe.com/products/flashplayer/end-of-life.html