

Wy OT:Flash player install?

35 posts in this topic

When opening the forum here, I just began getting a popup that tells me I need to update my Flash player to version 10. It won't allow me to close it, ignore it or install it. I have closed the browser (Firefox) and re-opened the forum several times with the same result. Anyone else?

Link to comment
Share on other sites

Yes, and it is very annoying. It doesn't happen on every thread and on threads that it does occur, it is only happening on the current page. I wanted to post a newp and had to open a previous page and then reply in order to post. NGC's IT department needs to clean that up!

Link to comment
Share on other sites

I suspect a virus. I've never heard of Adobe doing anything nearly so annoying. And the download/install process is totally different from their standard.

Link to comment
Share on other sites

I suspect a virus. I've never heard of Adobe doing anything nearly so annoying. And the download/install process is totally different from their standard.

 

You could be right. Gonna run my virus checker. Although it ran before the supposed download started.

Link to comment
Share on other sites

I get the pop up with JackyB thread only? I saw warning for older Flash Player version being corrupted. This is on Firefox only???

I got this popup on his thread also. I was able to close it tho'.

Link to comment
Share on other sites

Do NOT install this update.

 

Jackyb's posts have a javascript pointing at msjupdate.com which must load the "update" screen

 

The downloaded file comes from adobeupdateserver.com which is also unknown, and was registered through GoDaddy

 

Neither site is known by McAfee site advisor, so have submitted both

Link to comment
Share on other sites

Downloaded file is undetected. Should be malware, judging by the other suspicious things noted above. Has been submitted through VirusTotal but I've now also notified some experts to get us a quicker response.

 

I hate Javascript.

Link to comment
Share on other sites

Who the heck is "Jackyb's" and how do I avoid them? If they have something imbedded in their sig line, should not our host be notified?

 

I have enough problems with my wife shopping on the net and visiting 100's if not 1000's of sites for shoes/shirts/pants/jewelry...spybot goes nutso.

Link to comment
Share on other sites

The user Jackyb could be infected and should run multiple scans immediately.

 

Such as

 

http://onecare.live.com/site/en-gb/center/howsafe.htm

 

http://www.bitdefender.com/scan8/

 

Online scanners generally require Internet Explorer and Administrator access (for ActiveX control to be installed and run).

 

Unless it is an account created solely to infect collectors, which would be nasty.

 

Has anyone contacted NGC? The posts should all be removed or at the very least moved for now. They are the server; they can check more thoroughly than anyone.

Link to comment
Share on other sites

Who the heck is "Jackyb's" and how do I avoid them? If they have something imbedded in their sig line, should not our host be notified?

 

Don't install any Adobe update that appears when browsing this forum.

 

 

Other options

 

- Disable JavaScript! Browser attacks such as this cannot operate without JavaScript enabled. Using the NoScript addon would be preferable for most, I think.

 

- Ensure browser and OS are fully updated.

 

- Also run multiple scans and have an updated Antivirus installed on the machine to ensure at least a lot of known infections can be ruled out

Link to comment
Share on other sites

Shouldn't be long until we have an answer :) NGC have also been notified.

 

If you use FireFox, a new addon would be installed. IE am unsure yet, will leave it to those who LIKE dealing with Javascript.

Link to comment
Share on other sites

Lots of conclusive evidence found. Large fake adobe update files are downloaded if you install this infection. Virus definition updates should be expected soon, probably within 48 hours for most AV

Link to comment
Share on other sites

Gee... another geek! :)

 

If you think that this person is causing problems (I am not seeing it on Safari with the deteriorating SafariBlock installed), then find a post from that person and click the Notify button.

 

Scott :hi:

Link to comment
Share on other sites

WOW! After doing a bit of research and going directly to the site, not that I don't trust a link here, but stranger things have happened, I ran that bitdefender program on default where it would do my entire C hard drive and you'd be surprised what that program picked off in that 2 1/2 hour scan :o

 

Thanks for that site! My drive is running super smooth right now.

Link to comment
Share on other sites

  • Administrator

 

Looks like this user had a link in their sig line that exploited some browser bugs to generate that pop up. Link is removed, user's posting privileges are revoked, and I'm looking into whether to make it a ban.

Link to comment
Share on other sites

TrojanHunter now has detection for a "Trojan Clicker" that this trojan dropped

 

It looks like mainly an adware attack, but could retrieve more malware if the attacker chooses to do so.

 

So, in light of that, another good online scanner is BitDefender

 

http://www.bitdefender.com/scanner/online/free.html

 

As far as I know, this does not YET detect the malware. So little point unless you really need another scan

Link to comment
Share on other sites

It starts from

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "smc"

 

The file is 95kb and in the System folder. Pretends to be Sygate Personal Firewall.

 

Other scanners that already detect this in a file scan are listed below. Any others with no detection did not detect the file as of now, at VirusTotal. Any which use detections based on behaviour may or may not detect the file

 

Ikarus (and A-Squared)

AntiVir

AVG

McAfee

Norman

Symantec

 

Link to comment
Share on other sites
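A read-only check for the autostart entry reported in the post above, as an added example that is not part of the original thread. Mapping "the System folder" to directories under %WINDIR% is an assumption, since the post gives no full path; the function name `Get-RunTarget` is hypothetical.

```powershell
# Added example: triage the per-user Run key for the "smc" autostart value
# described in the thread. Reads only; nothing is deleted or changed.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Assumption: "the System folder" is one of these directories under %WINDIR%.
$sysDirs = @('System32', 'System', 'SysWOW64') |
    ForEach-Object { Join-Path $env:WINDIR $_ }

function Get-RunTarget {
    param([string]$CommandLine)
    # A Run value is a command line: prefer a quoted path, then an unquoted
    # path ending in an executable extension, else the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if (-not $key) { Write-Output 'No Run key for this user.'; return }

foreach ($name in $key.GetValueNames()) {
    $target = Get-RunTarget ([string]$key.GetValue($name))
    $inSys  = [bool]($sysDirs | Where-Object { $target -like (Join-Path $_ '*') })
    $file   = $null
    if ($target) {
        $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Value      = $name
        Target     = $target
        # Matches the thread's report: value named "smc" launching from a system dir.
        Suspicious = ($name -eq 'smc' -and $inSys)
        SizeKB     = if ($file) { [math]::Round($file.Length / 1KB) } else { $null }
        Signature  = if ($file) {
                         (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
                     } else { 'missing' }
        SHA256     = if ($file) {
                         (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                     } else { $null }
    }
}
```

The size, signature status and hash are printed for every entry so a flagged file can be compared against the 95kb figure in the post and looked up with a scanner before anything is removed.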

Thankfully it's all about banner ads by the looks. Complex banner ad system includes user (infected computer) registration and tracking.

 

Anyone who clicked it, are you getting popup ads? I wasn't able to induce them. Hopefully the attacker has run with his tail between his legs.

Link to comment
Share on other sites

I clicked it. I am not experiencing any pop up problems. For what it's worth I am using Firefox.

 

And yes I am getting ready to run an AVG scan right now. lol

Link to comment
Share on other sites

I think it may have only been set up and not fully triggered, or was triggered for a while and then the target file changed. Hard to tell.

 

I forgot - should also check for any new Firefox addons that may have been installed.

Link to comment
Share on other sites

More to come later.

 

The Firefox addon should be removed. It will be how they get ads into Firefox.

 

The trojan can simply communicate with Internet Explorer directly, and accesses its memory space. Now it has control over the browser, whichever of the most popular ones you use..

 

On the server side, a complex system of adware controls. Users are uniquely identified and ad keywords can be adjusted by admin users logged into the controls..

Link to comment
Share on other sites