Malware disguised as FlashPlayer

Hi, I also have malware posing as flash player on  my brand new laptop. iv reset my laptop a few times and still it comes back . can you help?

It sounds like there's a good chance that you're reinfecting your computer through some action that you keep repeating.  It's possible that you've backed up infected files, are installing software that has an infected payload, using an infected USB memory stick, or there's another infected machine on your network that keeps infecting your machine before it can get patched completely.

If it was my personal machine on my home network, I would:

• Back up all of the files that are important to me.
• Destroy any USB memory sticks that I've been using:
  • Malware can infect and persist on memory sticks, and is a common vector for malware infection.
    A cloud storage service like Google Drive or Dropbox is probably a better choice.
• Wipe the computer
• If the computer is connected to the network via Ethernet, disconnect it
• Reinstall a current operating system (Win7 or higher, and ideally, Win10) from pristine sources
• Disconnect everything else from my cable/DSL modem and plug the computer directly into it via ethernet
• Download and apply all of the available patches for the operating system
• Install and update a reputable Anti-Virus and Anti-Malware package.
  • Windows Defender (Windows 10 – Windows Defender - Microsoftand Malware Bytes (malwarebytes.org)
    are free and well respected.  There are plenty of commercial options as well.
• Install of the software from pristine sources (downloaded directly from the software developer, *not* from backups)
• Restore the critical data files I need from backups (pictures, music, documents, etc)
• Scan the disk with the virus scanner to make sure I'm not restoring obviously infected files
• Disconnect the computer from the network
• Plug your wireless router back in if you have one, connect to it, and make sure that the latest firmware updates have been applied to it.  There are malware packages that target commodity wireless routers and insert fake upgrade notifications on web pages.  Typically restarting the router is enough to temporarily clear the infection, but it will probably keep coming back until you apply current firmware.
• Install an Anti-Virus and Anti-Malware package on your other computers, and perform full scans there.  If you find malware, repeat the backup/wipe/reinstall process with each of those machines as well.

So, not a lot of fun, but just going through everything methodically, and then ensuring that you keep your software fully patched at all times (everything should have automatic updates enabled, routers should get checked regularly for available updates, etc) is the best way to keep malware off your system.

Depending on your current browser of choice, you might think about switching to one with a better reputation for resilience against malware.

Although fairly experienced, I was evidently fooled by a very official looking notification that my Flash Player may be out of date.  I ignored the notification several times but in a weak moment approved the installation.  What I got was the Kovter Malware.  This malware does not use files, so it is invisible to my two security products, Windows Defender and AVG.  Kovter mostly "lives" in the Registry and uses Windows modules Mshta, Powershell, Regsvr32, and perhaps others.  If you use the Windows Task Manager, and specify that you want to view ALL processes running, and see two or more instances of Regsvr32 running, I think that you can be confident that your PC has been infected with the Kovter Malware.  If there is a reliable way to remove this malware posted on the Internet, I have not yet found it.  I know that this, strictly speaking, is not Adobe's problem, but it would be wonderful to come to this site and see a manageable method for removing Kovter.  Thanks for reading this. 

A cursory Google search returns a number of results for "Kotver removal"; however, most are dated around 2015, and I have to imagine that the malware has evolved since those articles were written.  In addition, once an attacker establishes a foothold on the machine, it would be smart of them to pursue methods that ensure that their hold over the machine is resilient against the current state of the antivirus solutions.

There's an entire industry geared towards preventing, tracking and managing malware infections (and an industry-scale adversary focused on compromising machines through malware), and while we'd be happy to point you towards resources, they're easily discovered.  We're not in a position to endorse the accuracy or efficacy of a given tool or technique, and there are literally hundreds of thousands of malware variants that are discovered on a given day.

As you've observed, anti-malware software can detect many known threats; however, those threats are also accompanied by a universe of unknown unknowns, and the decision to trust an affected system after infection really comes down to your personal risk tolerance and the sensitivity of what you do with the machine.

As an aside, it's also probably a good time to make sure that your backup strategy is in order for any critical data, that all of the other systems on your network have been scanned and updated, and that any hardware on the network (routers, thermostats, refrigerators, etc.) have the latest updates and firmware installed.

Hopefully that helps, or at least makes sense.  The bottom line is that I'd rather see us give no answer instead of the wrong answer in this kind of situation.  You're better off seeking expert advise from a reputable malware or antivirus vendor, and/or simply wiping and restoring the machine from pristine sources for maximum confidence.  I totally empathize with your situation, but I don't want to give you a false sense of security, or an ineffective solution that puts you in a bad position down the road.

"Resilient" certainly applies.  I spent hours trying to remove suspicious items from the registry and other locations on my PC thinking I had made some progress but at the next shut down/startup my PC (running Windows 7 Ultra) had the same telltale processes Mshta, Powershell, and Regsvr32 running.

In case it helps anyone, I turned to Malwarebytes.com.  Their scan found 17 suspicious items, quarantined them, and I've since seen no instances of the above processes running.

Some of the quarantined items had "FlashPlayerPro" in their names.  Are these miscreants devious or what?

I wish there were a way for Adobe to warn people not to respond to the "your FlashPlayer may be out-of-date" pop-up which these perps are using.  In my opinion it looks extremely authentic.

I thank you for the response.

Unfortunately, you've hit on the intractable problem.  It's pretty trivial to make pixel-perfect anything on a computer.  Conversely, it's very difficult to install software without the user's consent.  This means that attackers instead focus on human factors, since that is the path of least resistance.  At best, we could lead attackers in a cat-and-mouse game, but that would further confuse the audience of people trying to determine what is and isn't legitimate.

Flash Player is ubiquitous (we serve up about 2.5 billion monthly installs, and that's not counting the browsers that ship it as a built-in component).  If you're an attacker looking to forge an update dialog that people are likely to get, Flash Player is a good choice, and it's exactly what happens in practice.

Here's our recommendation:

• Turn on Automatic Updates for Flash Player (and honestly, for everything)
  and/or
• Use a browser with Flash Player built in (Chrome, IE/Edge on Win8+) and use that browser's automatic update mechanism (or Windows Update, respectively) to ensure your copy is always current.
• Disregard all future update notifications as bogus
• When in doubt, fire up a browser and go directly to https://get.adobe.com/flashplayer/ to ensure you get an authentic update.

Again, sorry for the pain.  If you do see bogus installers, we're happy to forward them along to the team that provides the takedown notifications.  We need a screenshot and the full link to the page that shows the fake download notice.  Unfortunately, it's typically trivial for attackers to spawn new instances at other locations, but we're happy to do what we can to combat it.

See my post above from June 16, 2016.  It still applies.

I provided a little more detail to another Mac user yesterday in this vein. 

It's at the end of the thread, here: VIRUS with new Adobe Flash installer

Malware doesn't have a version. It's a collective name for all of the bad software created to attack computers, for all sorts of reasons (stealing personal info and credit cards; sending spam; hosting illegal pornography; making bitcoin; attacking other computers; blackmail; and many more).  Recommended is to have your computer professionally sorted out, which will need the computer to be wiped and all the apps installed again. This should use backups you took before the attack.