Locked

VIRUS with new Adobe Flash installer

New Here, Sep 30, 2017

While visiting Apple.com, I got a message to update Adobe Flash. I did the update, and then noticed intermittent reloading of Safari and then all my tabs on Safari were deleted. After I downloaded the update, there was a page from Advanced Mac Cleaner (which I have not installed) to clean my Mac, installed new icon in my Dock that I didn't recognize, and changed the settings on my Dock. Finally, there was a link button in the Safari favorites bar that I didn't recognize and didn't make sense.

Looking at Safari's history, I found this link appearing just after I had visited Apple's webpage:

http://prepareupdate.theperfectsys2upgrade.date./?pcl=y6VPxBs3Pn8vJaswO9uFDee03s6zyagrT_eGS0Ozc_g.&c...

Unfortunately I deleted the icon in my Dock and don't remember what it was. I changed my user password on my Mac, and also downloaded and used Malwarebytes, which recognized Advanced Mac Cleaner as spyware/adware and quarantined it.

I contacted Apple Support about this and they are unaware of this problem but I did find this website:

Remove Advanced Mac Cleaner virus from Mac OS X

Apple Support told me to continue using Malwarebytes and install macOS High Sierra, which I am now doing.

I am puzzled as to how this could have happened with the Adobe Flash update, and are there any other effects of this virus? Does anyone else know about this?

Message was edited by: Jeromie Clark - Removed the blue text background

Adobe Employee, Oct 02, 2017

Hi,

Unfortunately, you were tricked into downloading and installing a malicious Flash Player installer. The only official site to download Flash Player from is adobe.com. I will forward the link you posted to the Security & Fraud team for follow-up and takedown.

--

Maria

New Here, Nov 05, 2017

Just happened to me today from this site: softreadynow.thecontentservice2update.review

I didn't run it once I saw where it came from and deleted it. I checked the Flash update tab and it said I am good to go.

So this is an FYI for anyone else.

Adobe Community Professional, Nov 05, 2017

Thanks. I notice they use Google's Captcha too, I might mention it to Google too. Coincidentally, I'm going there tomorrow, I'll add it to my list of topics!

New Here, May 03, 2018

I have just had this same problem. AND I went to Adobe.com to get the latest download for my iMac running the latest version of macOS. It installed the bogus scanware, deleted all my Safari and Chrome tabs, and who knows what else?!! I immediately deleted the app, and now I am in the process of doing a whole system restore from yesterday, taking no chances that something else is compromised.

So what is going on, Adobe? It appears your site has been compromised.

Adobe Employee, May 03, 2018

If you still have the DMG file, please do the following:

  • Right-click on the DMG file and select Get Info
  • Expand the More Info: section
  • Post a screenshot of the entire Where from: path the file was downloaded from
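
The same origin check done from the command line, as an added example that is not part of the original reply: on macOS the "Where from" value is the kMDItemWhereFroms metadata, and the script below decides whether such a URL really is on adobe.com. The function names, the https requirement and the one-entry allow-list (adobe.com, the only official site named in this thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: is a download's "Where from" URL really on adobe.com?
# On macOS the value Finder shows under Get Info can be read with:
#   mdls -name kMDItemWhereFroms ~/Downloads/install_flash_player_osx.dmg

# url_host URL -> prints the lower-cased host without scheme, userinfo, port or path
url_host() {
    u=$1
    case $u in
        *://*) u=${u#*://} ;;   # drop the scheme
    esac
    u=${u%%[/?#]*}              # drop path, query and fragment
    u=${u##*@}                  # drop userinfo, e.g. "adobe.com@other.host"
    u=${u%%:*}                  # drop the port
    u=${u%.}                    # drop the trailing dot of a fully qualified name
    printf '%s\n' "$u" | tr 'A-Z' 'a-z'
}

# is_adobe_origin URL -> exit 0 only for an https URL whose host is adobe.com
# or a subdomain of it (assumption: no other download hosts are allowed)
is_adobe_origin() {
    case $1 in
        https://*) ;;
        *) return 1 ;;
    esac
    h=$(url_host "$1")
    case $h in
        adobe.com|*.adobe.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample origins: the first host is the one quoted in the first post, the second
# is constructed, the third is the download page named later in the thread.
for url in \
    'http://prepareupdate.theperfectsys2upgrade.date./' \
    'https://adobe.com.example.test/flashplayer' \
    'https://get.adobe.com/flashplayer'
do
    if is_adobe_origin "$url"; then verdict=ok; else verdict=REJECT; fi
    printf '%-7s %s\n' "$verdict" "$url"
done
```

Matching on the parsed host rather than searching the URL for "adobe" is what rejects the second sample, where adobe.com is only a prefix of another domain.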

New Here, May 07, 2018

I am not absolutely certain this is the file, but the timeframe is right. Here is the screen capture, but there is no where from indicated. I have the file sitting in my trash.

Screen Shot 2018-05-07 at 11.21.40 AM.png

Adobe Employee, May 07, 2018

The downloaded from URL path will not display if the DMG is in the Trash.  If you move it out of the Trash, it should display the URL path.

Also, what is the bogus scan-ware it installed?  Flash Player installer for Mac doesn't include any third party offerings (optional or otherwise).

New Here, May 07, 2018

Thanks, Maria. I had tried that, thinking the same thing, but saw no where from. BUT I just tried it again and got what is below. The bogus scan-ware is an app that acts like it is scanning your machine, and lo and behold, it finds a zillion problems that require immediate attention...that's when I knew I had been scammed. I do not remember the name of the app, because I immediately shut it down and deleted it.

Screen Shot 2018-05-07 at 5.40.55 PM.png

Most Valuable Participant, May 08, 2018

Was it definitely an app, rather than a browser window? I have seen this trick with browser windows which look like apps, and if clicked lead you into downloading an actual app - the scan is of course spurious.

Adobe Employee, May 08, 2018

Thanks for posting the screenshot.

The path and website are from Adobe.  It's highly unusual for a Flash Player installer, delivered from Adobe servers, to have a virus.  In all the years I've been working on the product, I've not seen it happen.  We have a secure deployment process and all files are regularly checked for viruses.

If you still have the installer, you can verify the md5/sha256 hash values, and the digital signature on the app.  They should be the following:

md5 hash value for install_flash_player_osx.dmg: edec8c6e91d3263e066f1d0ba65d9c8b

sha256 hash value: 173d1201269371761460f36656edf92c23b90d1b21389c2b288c47be093951ae

To verify the digital signature do the following:

  1. Mount the install_flash_player_osx.dmg file (double-click on the DMG file)
  2. Launch terminal app (/Applications/Utilities/Terminal.app)
  3. In the terminal, type: codesign -vvd /Volumes/Flash\ Player/Install\ Adobe\ Flash\ Player.app
    • Note that there is a space between -vvd and the path to the Install Adobe Flash Player.app file.
    • Alternatively, type codesign -vvd and then drag and drop Install Adobe Flash Player.app onto the terminal app
  4. Press Enter
  5. The Authority Developer ID should be:

        Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)

        Authority=Developer ID Certification Authority

If the hash values and the codesign Authority match, it's valid and doesn't have any viruses (ran a virus check on it again).

Another check is to upload the DMG to VirusTotal, which is used by many companies and people to check files for viruses, malware, etc.  Go to https://www.virustotal.com then follow the instructions to upload the file and have VirusTotal scan it.

--

Maria

New Here, May 08, 2018

I'm pretty sure it was an app that popped up (could have been Advanced Mac Cleaner, as the original poster posted). I acted fast, and found it listed in my Applications list and deleted it, then reset my machine, hoping I cut it off fast enough.

Also when I was running the installation, I first realized all was not right when I got a screen offering to also install some other unrelated app (something like a travel or hotel booking app), and then realized that the previous screen probably also offered an app (like the spurious scanner), but I did not catch it, just clicked through assuming it was normal acceptance verbiage. When I tried to cancel the whole thing, it proceeded anyway and made a mess.

Here are the screenshots from terminal app and output from virus tool. Nothing appears amiss to me. Makes me wonder if this was indeed the file I tried to install from.

Screen Shot 2018-05-08 at 9.42.32 AM.png

Screen Shot 2018-05-08 at 9.07.52 AM.png

Screen Shot 2018-05-08 at 9.11.11 AM.png

Adobe Employee, May 08, 2018

Thank you for the additional information and the screenshots.  The info in the screenshots indicates it's the Flash Player installer, but the official installer does not include any 3rd party software. I suspect something else was downloaded/installed around the same time.  You can view a complete installation history in the System Information app.  To access the utility, go to /Applications/Utilities/System Information.app.  In the left panel, in the Software categories, select Installations.  This gives a complete history of all apps installed.  You can sort by the Install Dates column to quickly search for the date/time the event occurred.

New Here, May 08, 2018

Possibly there was another file. Realize that I did a complete restore from Time Machine to the previous midnight backup, which wiped my disk clean first. I was surprised to find that installer at all since it was from 8am the same day. Looking at installation history as you suggest only shows the most recent actual installation before that on April 30.

Screen Shot 2018-05-08 at 11.49.01 AM.png

What is interesting to me is that there is no version listed for this or any downloads of Adobe Flash Player. Which is the reason I went to Adobe.com in the first place to find out how to check if I had the latest version or not, since I got a message from a website saying it was out of date (and I had just updated it on April 30, as this shows).

Adobe Employee, May 08, 2018

Is there any installation entry for May 3rd? Your first post is on May 3rd stating "I have just had this same problem", so my assumption is the incident happened on May 3rd, not April 30.

New Here, May 08, 2018

Yes, the incident happened on May 3 right around 8:46am, the date of the file we have been examining. I did not post anything here until AFTER I had restored my machine to a May 3 at 12:06am backup. So I was surprised to see the 8:46am file. Nothing else is still around, since my machine was wiped clean as part of the restore.

I guess at this point there is nothing left to pursue. If I get time (not likely now, but maybe the next time I want to update), I can try to visit Adobe.com and see what happens, going slowly and carefully. I suppose you could try the same as well. Maybe a page on the website had been hacked to provide a bad download link. Thanks for trying to get to the bottom of this, Maria.

Adobe Employee, May 08, 2018

The restore was definitely a good thing to do; unfortunately, some forensics were lost that could possibly assist in resolving the issue. I had actually downloaded the installer file from get.adobe.com/flashplayer last week and nothing was amiss. While we do have the installers posted internally, I regularly download them from the Adobe site to follow the same workflow a user would follow.


We actually just deployed a new version (29.0.0.171) earlier today.  I have downloaded (from adobe.com) and installed the latest version with no issues encountered.

The hash values for the latest version of install_flash_player_osx.dmg are:

md5: d5b8ae527718b38b4265c27ccb2cb7a3

sha256: 66c96d343af3bec3d4a76137ed62af35d844c7e5f2a905f878ed9806fe714baf

New Here, May 09, 2018

Ok, Maria. Had to try it again...just downloaded the .171 version and installed it. Nothing else came along for the ride. Installed fine, though it did make me enter my password twice, which got me a little anxious. All good now. Thanks for your help.

If you are in northern CA...go Dubs!

Adobe Employee, May 09, 2018

You're welcome.  Glad it installed successfully without any issues.  The second prompt for a password usually happens when taking too long to complete the installation (e.g. clicking Done in the final step) and there's a time-out (about a minute or so).  Essentially a security measure, due to the APIs used.

I am in NorCal, not a basketball fan, but it is the local team - so yes, go Dubs

New Here, Jun 12, 2018

Today I received a notification that an update was available and downloaded it. There was a malicious program along with it - program 1234 - it must be a game with a Trojan horse. Flash Player did not download.

I always check the taskbar: the Flash Player site had a green padlock - that is - secure!

What confidence is left for downloading new updates????

Please fix the security problem.

Gratefully, Vera

Adobe Employee, Jun 12, 2018

I'm confident that you didn't get a virus-infected payload from Adobe's website. We've made huge investments to ensure that the downloads you get are legitimate, and there are a whole series of tight controls, separations of responsibility and continuous monitoring that ensure that we can confidently say that.

You were most likely tricked into downloading Flash Player from an impostor website.

What was the link to the page that offered the download?  You should be able to find it in your browser and/or download history.

Also, what operating system and browser are you using?

New Here, Jun 13, 2018

Dear Mr. Jeromi:

In reply to your kind message, I can report that I started the PC and right away the small dark Adobe window came up (as always happens) saying there was a Flash Player update. I allowed the download and found it strange that it did not go to the proper "download" folder. The (intact) Flash icon appeared in the toolbar at the bottom of the browser (Chrome). I thought I had made a mistake in choosing the folder, so I promptly clicked the icon and the installation started.

Another curious fact is that in the second download bar, where the McAfee Scan download sits, there was a truncated line, but since I already have that item installed and Adobe itself does not repeat the installation, I thought there was nothing to worry about.

I always check in the top bar whether the site is the right one, whether the padlock is green and whether the Avast Online Security icon is too. I also use Trusteer Endpoint Protection, from IBM, which is mandatory for using internet banking.

Soon Avast Internet Security intervened with a screen saying that a malicious program was being installed.

I tried to stop the installation and could not, because commands were not responding.

It took some time for the antivirus to ask whether to store the malicious program in the virus chest: the program is IDP generic gamecenter.exe - I confirmed and it was done, and it is confined there.

I cleared the history and the installed programs menu, and ran a full antivirus scan. I noticed that the malicious program disabled the antivirus's sensitive data module.

Now the situation seems to be back to normal, but I confess I am afraid to do new updates, and the worst part is that one cannot do without them for one's own security.

I hope I have reported this in an understandable way, and I thank you for your attention.

Vera

New Here, Jun 13, 2018

Dear Mr. Jeromi:

Sorry, but it just happened again, in the same way, but this time I did not install it and I photographed the installation screens, which I am attaching for your information.

I hope this helps to fix the problem.

Gratefully,

Vera

Adobe Employee, Jun 13, 2018

Hi Vera,

The forums software blocks email attachments.  Please log onto the forums and attach the screenshot you mention.

Also, can you go into downloads history and obtain the URL the file was downloaded from?

Thank you.

--

Maria

New Here, Jun 19, 2018

Hi - same thing happened with me today. I downloaded Adobe from a random pop up and don't know what to do now

Screen Shot 2018-06-20 at 12.53.15 AM.png
