Skip navigation
alanintx
alanintx
Currently Being Moderated

Flash Player Update Virus?

Jun 5, 2012 4:11 PM

My apologies if this has been discussed before, but I could not find an exact match.

 

Not exactly sure how it happened, but my "FlashPlayerUpdateService"  was installed in  Windows/System32/Macomed/Flash folder and harbored a nasty virus that put files in prefetch and executables (Oie7ij01.exe) in the scheduled tasks list that kept respawning, also put entries in the Registy "Run" key and effectively shut down my computer. Took me a day to find the root cause and have not seen this mentioned on any virus sites.

 

I figured out it was respawning every hour, so I took a look at the scheduled tasks. Once I paused them, the spawning stopped. I disabled the Flash Player Update and restarted the other scheduled tasks and all seemed OK all day. Still thought there were other remenants around, so I decided it was time for my "once very 2 years" rebuild.

 

Below is a picture of the Flash directory before I wiped the machine. The files with an ".eee" extension were originally .exe executables. The 3 files with a similar name look suspicious. I still have this directory saved to an off-line drive if someone wants to take a close look.

 

SNAG_Program-0002.PNG

 

Thanks!

40137 Views   5 Replies   Latest reply: Pat Willener, Jun 6, 2012 7:28 PM
 
Replies
  • Pat Willener
    Currently Being Moderated
    1. Pat Willener,
    Jun 5, 2012 6:42 PM   in reply to alanintx
    Report

    This topic explains the automated background update mechanism http://forums.adobe.com/thread/981567

     

    However, I have no idea what "Oie7ij01.exe" is; that is not part of Flash Player or the updater.

     
    |
    Mark as:
  • alanintx
    Currently Being Moderated
    2. alanintx,
    Jun 5, 2012 9:18 PM   in reply to Pat Willener
    Report

    I understand the automated mechanism when it works properly. I have been using Adobe products for years and they are generally designed superbly.

     

    However, something affected its operation so that whenever it ran, it created an entry in the Windows prefetch folder titled "OEI7IJ01.EXE-02DFE2EF.pf" and also created multiple entries in the scheduled task list to run an 82KB process named "Oei7ij01.exe. Everytime I cleared out the processes they would show up an hour later. When I paused (and eventually disabled) the Flash Player Updater the creation and execution of this process stopped.

     
    |
    Mark as:
  • Pat Willener
    Currently Being Moderated
    3. Pat Willener,
    Jun 5, 2012 9:58 PM   in reply to alanintx
    Report

    Thank you for the additional information.  Hopefully someone from the Adobe Flash Player team will have a look at this during US daytime.

     
    |
    Mark as:
  • Chris Campbell
    8,544 posts
    May 4, 2010
    Currently Being Moderated
    4. Chris Campbell,
    Jun 6, 2012 6:01 PM   in reply to Pat Willener
    Report

    Thanks for the heads up.  I haven't seen this before but I just forwarded your post along to the developer responsible for this feature.  I'd definitely like to hear from any others that have also had this happen.

     
    |
    Mark as:
  • Pat Willener
    Currently Being Moderated
    5. Pat Willener,
    Jun 6, 2012 7:28 PM   in reply to Chris Campbell
    Report

    Searching Google for 'oei7ij01' only returns this very topic; this seems to be a unique instance.

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points