While visiting Apple.com, I got a message to update Adobe Flash. I did the update, and then noticed intermittent reloading of Safari and then all my tabs on Safari were deleted. After I downloaded the update, there was a page from Advanced Mac Cleaner (which I have not installed) to clean my Mac, a new icon that I didn't recognize was installed in my Dock, and the settings on my Dock were changed. Finally, there was a link button in the Safari favorites bar that I didn't recognize and didn't make sense.
Looking at Safari's history, I found this link appearing just after I had visited Apple's webpage:
Unfortunately I deleted the icon in my Dock and don't remember what it was. I changed my user password on my Mac, and also downloaded and used Malwarebytes, which recognized Advanced Mac Cleaner as spyware/adware and quarantined it.
I contacted Apple Support about this and they are unaware of this problem but I did find this website:
Remove Advanced Mac Cleaner virus from Mac OS X
Apple Support told me to continue using Malwarebytes and install MacOS High Sierra, which I am now doing.
I am puzzled as to how this could have happened with the Adobe Flash update, and are there any other effects of this virus? Does anyone else know about this?
Message was edited by: Jeromie Clark - Removed the blue text background
Hi,
Unfortunately, you were tricked into downloading and installing a malicious Flash Player installer. The only official site to download Flash Player from is adobe.com. I will forward the link you posted to the Security & Fraud team for follow-up and takedown.
--
Maria
Just happened to me today from this site: softreadynow.thecontentservice2update.review
I didn't run it once I saw where it came from and deleted it. I checked the Flash update tab and it said I am good to go.
So this is an FYI for anyone else.
Thanks. I notice they use Google's Captcha too, I might mention it to Google too. Coincidentally, I'm going there tomorrow, I'll add it to my list of topics!
I have just had this same problem. AND I went to Adobe.com to get the latest download for my iMac running the latest version of MacOS. It installed the bogus scanware, deleted all my Safari and Chrome tabs, and who knows what else?!! I immediately deleted the app, and now I am in the process of doing a whole system restore from yesterday, taking no chances that something else is compromised.
So what is going on, Adobe? It appears your site has been compromised.
If you still have the DMG file, please do the following:
I am not absolutely certain this is the file, but the timeframe is right. Here is the screen capture, but there is no where from indicated. I have the file sitting in my trash.
The downloaded from URL path will not display if the DMG is in the Trash. If you move it out of the Trash, it should display the URL path.
Also, what is the bogus scan-ware it installed? Flash Player installer for Mac doesn't include any third party offerings (optional or otherwise).
Thanks, Maria. I had tried that, thinking the same thing, but saw no where from. BUT I just tried it again and got what is below. The bogus scan-ware is an app that acts like it is scanning your machine, and lo and behold, it finds a zillion problems that require immediate attention...that's when I knew I had been scammed. I do not remember the name of the app, because I immediately shut it down and deleted it.
Was it definitely an app, rather than a browser window? I have seen this trick with browser windows which look like apps, and if clicked lead you into downloading an actual app - the scan is of course spurious.
Thanks for posting the screenshot.
The path and website are from Adobe. It's highly unusual for a Flash Player installer, delivered from Adobe servers, to have a virus. In all the years I've been working on the product, I've not seen it happen. We have a secure deployment process and all files are regularly checked for viruses.
If you still have the installer, you can verify the md5/sha256 hash values, and the digital signature on the app. They should be the following:
md5 hash value for install_flash_player_osx.dmg: edec8c6e91d3263e066f1d0ba65d9c8b
sha256 hash value: 173d1201269371761460f36656edf92c23b90d1b21389c2b288c47be093951ae
To verify the digital signature do the following:
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
If the hash values and the codesign Authority match, it's valid and doesn't have any viruses (ran a virus check on it again).
Another check is to upload the DMG to VirusTotal, which is used by many companies and people to check files for viruses, malware, etc. Go to https://www.virustotal.com then follow the instructions to upload the file and have VirusTotal scan it.
--
Maria
I'm pretty sure it was an app that popped up (could have been Advanced Mac Cleaner, as the original poster posted). I acted fast, and found it listed in my Applications list and deleted it, then reset my machine, hoping I cut it off fast enough.
Also when I was running the installation, I first realized all was not right when I got a screen offering to also install some other unrelated app (something like a travel or hotel booking app), and then realized that the previous screen probably also offered an app (like the spurious scanner), but I did not catch it, just clicked through assuming it was normal acceptance verbiage. When I tried to cancel the whole thing, it proceeded anyway and made a mess.
Here are the screenshots from terminal app and output from virus tool. Nothing appears amiss to me. Makes me wonder if this was indeed the file I tried to install from.
Thank you for the additional information and the screenshots. The info in the screenshots indicates it's the Flash Player installer, but the official installer does not include any 3rd party software. I suspect something else was downloaded/installed around the same time. You can view a complete installation history in the System Information app. To access the utility, go to /Applications/Utilities/System Information.app. In the left panel, in the Software categories, select Installations. This gives a complete history of all apps installed. You can sort by the Install Dates column to quickly search for the date/time the event occurred.
Possibly there was another file. Realize that I did a complete restore from Time Machine to the previous midnight backup, which wiped my disk clean first. I was surprised to find that installer at all since it was from 8am the same day. Looking at installation history as you suggest only shows the most recent actual installation before that on April 30.
What is interesting to me is that there is no version listed for this or any downloads of Adobe Flash Player. Which is the reason I went to Adobe.com in the first place to find out how to check if I had the latest version or not, since I got a message from a website saying it was out of date (and I had just updated it on April 30, as this shows).
Is there any installation entry for May 3rd? Your first post is on May 3rd stating "I have just had this same problem", so my assumption is the incident happened on May 3rd, not April 30.
Yes, the incident happened on May 3 right around 8:46am, the date of the file we have been examining. I did not post anything here until AFTER I had restored my machine to a May 3 at 12:06am backup. So I was surprised to see the 8:46am file. Nothing else is still around, since my machine was wiped clean as part of the restore.
I guess at this point there is nothing left to pursue. If I get time (not likely now, but maybe the next time I want to update), I can try to visit Adobe.com and see what happens, going slowly and carefully. I suppose you could try the same as well. Maybe a page on the website had been hacked to provide a bad download link. Thanks for trying to get to the bottom of this, Maria.
The restore was definitely a good thing to do, unfortunately some forensics were lost that could possibly assist in resolving the issue. I had actually downloaded the installer file from get.adobe.com/flashplayer last week and nothing was amiss. While we do have the installers posted internally, I regularly download them from the Adobe site to follow the same workflow a user would follow.
We actually just deployed a new version (29.0.0.171) earlier today. I have downloaded (from adobe.com) and installed the latest version with no issues encountered.
The hash values for the latest version of install_flash_player_osx.dmg are:
md5: d5b8ae527718b38b4265c27ccb2cb7a3
sha256: 66c96d343af3bec3d4a76137ed62af35d844c7e5f2a905f878ed9806fe714baf
Ok, Maria. Had to try it again...just downloaded the .171 version and installed it. Nothing else came along for the ride. Installed fine, though it did make me enter my password twice, which got me a little anxious. All good now. Thanks for your help.
If you are in northern CA...go Dubs!
You're welcome. Glad it installed successfully without any issues. The second prompt for a password usually happens when taking too long to complete the installation (e.g. clicking Done in the final step) and there's a time-out (about a minute or so). Essentially a security measure, due to the APIs used.
I am in NorCal, not a basketball fan, but it is the local team - so yes, go Dubs
Today I received a notification of an available update and downloaded it. There was a malicious program bundled with it - program 1234 - it must be a game with a Trojan horse. Flash Player did not download.
I always watch the bar on the Flash Player site, and it had the green padlock - that is - secure!
What confidence is left for downloading new updates????
Please solve the security problem.
Thank you, Vera
I'm confident that you didn't get a virus-infected payload from Adobe's website. We've made huge investments to ensure that the downloads you get are legitimate, and there are a whole series of tight controls, separations of responsibility and continuous monitoring that ensure that we can confidently say that.
You were most likely tricked into downloading Flash Player from an impostor website.
What was the link to the page that offered the download? You should be able to find it in your browser and/or download history.
Also, what operating system and browser are you using?
Dear Mr. Jeromie:
In reply to your kind message, I inform you that I started the PC and right away the small dark Adobe window appeared (as always happens) saying there was a Flash Player update. I allowed the download and found it strange that it did not go to the proper "download" folder. The (intact) Flash icon appeared in the toolbar at the bottom of the browser (Chrome). I thought I had made a mistake in choosing the folder, so I promptly clicked the icon and the installation started.
Another curious fact is that in the second download bar, where the McAfee Scan download is, there was a truncated line, but since I already have that item installed and Adobe itself does not repeat the installation, I thought there was no cause for concern.
I always check in the top bar whether the site is the right one, whether the padlock is green, and whether the Avast Online Security icon is too. I also use Trusteer Endpoint Protection, from IBM, which is mandatory for using internet banking.
Soon Avast Internet Security intervened with a screen saying a malicious program was being installed.
I tried to stop the installation and could not, because commands were not responding.
It took some time for the antivirus to ask whether to store the malicious program in the virus chest: the program is IDP generic gamecenter.exe - I confirmed and it was done, and it is confined there.
I cleared the history and the installed programs menu, and ran a full antivirus scan. I noticed that the malicious program disabled the antivirus's sensitive data module.
Now the situation seems to be back to normal, but I confess I am afraid of doing new updates, and the worst part is that one cannot do without them for one's own security.
I hope I have reported this in an understandable way, and I thank you for your attention.
Vera
2018-06-12 19:49 GMT-03:00 jeromiec83223024 <forums_noreply@adobe.com>:
VIRUS with new Adobe Flash installer created by jeromiec83223024
<https://forums.adobe.com/people/jeromiec83223024> in Using Flash Player
- View the full discussion
<https://forums.adobe.com/message/10441156#10441156>
Dear Mr. Jeromie:
Sorry, but it just happened again, in the same way, but this time I did not install it and I photographed the installation screens, which I attach for your information.
I hope this helps to fix the problem.
Thank you.
Vera
Hi Vera,
The forums software blocks email attachments. Please log onto the forums and attach the screenshot you mention.
Also, can you go into downloads history and obtain the URL the file was downloaded from?
Thank you.
--
Maria
Hi - same thing happened with me today. I downloaded Adobe from a random pop up and don't know what to do now