Copy link to clipboard
Copied
Greetings,
This morning we had numerous workstations pop up with an Adobe Flash error. The browser will be taken over by an Adobe Flash Critical Update Required page and won't let the browser go to any other internet site. Within the page, a box will pop up that says: "Attention! your current version of Adobe Flash Player is outdated! Your computer is vulnerable to malware now. Update your Adobe Flash player now."
This message pops up on IE Explorer version 9-11, Google Chrome and Firefox and the operating systems are Windows XP Pro and Windows 7 pro. It has all the behavior of a virus or malware so I don't want to run it's download file which is named install_flashplayer_12_x32_64_msaa_aax_latest.exe.
I've been able to download both flash player installs from the Adobe.com site for both IE and Other Browsers. Sometimes I've been able to run the installs and it shows that the download and install ran okay with Adobe Flash Player 12 ActiveX showing up in the installed programs list. Other times, the install won't run and the install file mysteriously gets deleted. Even after the successful download and install, the browser works briefly okay and then gets seized by the "Critical Update Required" page again.
We're running AVG Anti-Virus Business Edition which is kept updated. A scan with this program and an updated version of Malwarebytes isn't showing any viruses or malware that could cause this problem.
What can I do to get rid of this "Critical Update Required" problem and get our browsers working again?
Thanks.
Bill J., Lexington, KY
I got it fixed.
It's called the Moon virus or worm. It does not reside in your pc. It is malicious code that is embedded into your wireless router primarily Linksys but D-Link and Motorola have also been affected. Simple fix is to reinstall your firmware and simultaneously delete all web browsing and cache from the browser than even resetting your browser to factory default and YOUR PROBLEM IS FIXED.
dOUG
Copy link to clipboard
Copied
install_flashplayer_12_x32_64_msaa_aax_latest.exe.
is nothing that comes from here
http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe
and
http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe
are the ONLY legitimate files for Flash Player FULL installers
But, NOTHING with "latest.exe" would be legit.
Do a "clean install" on any machine you believe is out of date. http://forums.adobe.com/message/4041846
Also look into TDSSKiller from Kaspersky to remove adware.
Copy link to clipboard
Copied
I downloaded and ran Kaspersky's TDSSKiller. It's not finding anything.
Any suggestions as to what to try next?
Thanks so much for your help!
Bill J.
Copy link to clipboard
Copied
I've read about a router hack that redirects to the "update" page"
http://hackersnewsbulletin.com/2014/03/hackers-hacked-300000-wireless-routers-check-now.html
It may or may not have affected you.
Stick to those links I provided.
They're your best bet.
Copy link to clipboard
Copied
Mike,
Many thanks. I’ve downloaded and installed both versions of Adobe Flash as we’re using Explorer, Chrome and Firefox. The Kaspersky didn’t find anything, Malwarebytes didn’t find anything of any substance nor did our AVG Business AV software.
I ran the installation of both versions of Flash and it didn’t solve the problem
Whatever this thing is it’s propagating through the entire network domain and is now on all workstations in the domain. Not good stuff!
Bill Johnson
Copy link to clipboard
Copied
Mike,
The router hack might be the problem. It would explain why it’s showing up in the whole network. I’ll look into that next.
Thanks!
Bill J.
Copy link to clipboard
Copied
Hi Bill,
I have the same problem, the adobe (malware)update comes up on internet explorer and firefox. I tried TDSSkiller but it didn't work.
I don't think its my router, because im on another network now and i still have te problem.
Lars D.
Copy link to clipboard
Copied
Lars,
Thanks. I’m running in circles trying to get rid of this problem. Still haven’t had any luck.
Bill J.
Copy link to clipboard
Copied
How to tell if it's fake:
Copy link to clipboard
Copied
this comes up every time on firefox
and on internet explorer
Copy link to clipboard
Copied
What is the address in the bar when you see that?
Because that second shot shows a version (12.0.3.77) that doesn't exist.
Copy link to clipboard
Copied
it shows just shows www.google.com, but when i click ''ok'' or the x in the upper right corner, i get this ^
Copy link to clipboard
Copied
It's fake.
Copy link to clipboard
Copied
It's happening to mine now. Firefox seems okay for now though.
Copy link to clipboard
Copied
I have the same problem, tried uninstalling flash, any remnants afterwards, deleted personal settings in internet exploxer and reset, ran adware, malware and hitman. Nothing found. Virus is still there. Can change internet search option in control panel i.e. from google to bing and eventually shows up again. After two days of searching and trying different virus and malware removal programs I have backed up my data an am now trying an image restore from a different date. Anyone find another answer yet?
Copy link to clipboard
Copied
yesterday i tried to remove it in save mode with malwarebytes, but that didn't work. Then i restored my data from a different date, that also didn't work. I have no idea how to remove it...
Copy link to clipboard
Copied
Lars,
It appears that the redirect may be coming from malicious code that’s been put into the router. Are you by chance using a Linksys or DLink router?
I’m going to go over later this morning and remove our Linksys E2500 router from service and put one of our spare Cradlepoint routers (we use them in charter buses for WIFI access) as a temporary measure and see if this fixes the problem. I’ve done repeated scans of the computers that are popping up the bogus Adobe Flash message and am finding nothing so either the redirect is occurring in the router itself or this is new malware whose signature is not yet being recognized.
I’m feeling pretty strongly that the problem is malicious code in the router. In the meantime, we’re having all the passwords changed via phone to any online sites, accounts, etc.
I’ll let you know what happens with the temporary replacement router. The new Cisco I ordered should be here tomorrow.
Bill J.
Copy link to clipboard
Copied
In my experience, Malwarebytes reported finding Trojan.Happili within install_flashplayer_12_x32_64_msaa_aax_latest.exe. It seemed a bit suspicious from the get go (very un-Chrome like behavior to hijack the start page with an Adobe Flash Install page). This was a redirect of http://www.google.com but not https://www.google.com.
Changing my router settings to disable Remote Management solved the persistent redirct problem. My security settings already included Filter Anonymous Internet Requests.
Very glad to have found this page. Thankful for everyone's contribution.
Copy link to clipboard
Copied
I experienced the very same issue being discussed here last night via all browers. I have a Cisco/LinkSys E3000, there is quite a bit documented on this 'Moon' worm from SANS but very little from Cisco directly. Disabling remote management on the router has done the trick but i see that only as a temporary workaround to disable the hacking/ridirecting via the HNAP, the real fix would be firmware update and I can't find any reference on that from the horse's mouth.
Copy link to clipboard
Copied
Got this problem recently too.
Can anyone help solving this issue as it is very annoying that everytime I use Mac safari or Firefox, then it will redirect to the link and download automatically:
install_flashplayer_12_x32_64_msaa_aax_latest.exe
Copy link to clipboard
Copied
http://hackersnewsbulletin.com/2014/03/hackers-hacked-300000-wireless-routers-check-now.html
It's a hardware problem. Adobe can't fix that.
Copy link to clipboard
Copied
Thanks Mike M for the explaination in the webiste.
wondering is there anything we can do to get rid of the problem?
Copy link to clipboard
Copied
If the router can be "flashed" (erased and rewritten) then have that done (your ISP may be able to do it). If not, it has to be replaced.
Copy link to clipboard
Copied
The router hack still seems to be the best explanation. However, does this mean that the redirect that could be in the router has caused the connected workstations to download malicious software? None of my security software is showing anything so I've ordered a replacement Cisco router and will see if that helps the problem.
Copy link to clipboard
Copied
Okay folks, here's the latest. Thanks to Mike M's post above I've been able to do some additional research and have come to the conclusion that our Linksys E2500 router has been hacked. I pulled it out of service and set up a router from a different manufacturer and we're now able to access the internet.
However, the redirects from the infected router had installed some additional settings in the browsers themselves, so I had to do a complete browser reset and that took care of the problem. To do this in Internet Explorer, I clicked on Internet Options/Advanced Tab and then click on the Reset link at the bottom and also reset all personal settings. In Google Chrome, I've had to go to Settings, click on Show Advanced Settings at the bottom, then click on Reset Browser Settings in the link at the very bottom.
So far, we've been back up and running without any problems.