Flash Player Update Virus?

Report · Jun 05, 2012

My apologies if this has been discussed before, but I could not find an exact match.

Not exactly sure how it happened, but my "FlashPlayerUpdateService" was installed in Windows/System32/Macomed/Flash folder and harbored a nasty virus that put files in prefetch and executables (Oie7ij01.exe) in the scheduled tasks list that kept respawning, also put entries in the Registy "Run" key and effectively shut down my computer. Took me a day to find the root cause and have not seen this mentioned on any virus sites.

I figured out it was respawning every hour, so I took a look at the scheduled tasks. Once I paused them, the spawning stopped. I disabled the Flash Player Update and restarted the other scheduled tasks and all seemed OK all day. Still thought there were other remenants around, so I decided it was time for my "once very 2 years" rebuild.

Below is a picture of the Flash directory before I wiped the machine. The files with an ".eee" extension were originally .exe executables. The 3 files with a similar name look suspicious. I still have this directory saved to an off-line drive if someone wants to take a close look.

Thanks!

Report · Jun 05, 2012

This topic explains the automated background update mechanism http://forums.adobe.com/thread/981567

However, I have no idea what "Oie7ij01.exe" is; that is not part of Flash Player or the updater.

Report · Jun 05, 2012

I understand the automated mechanism when it works properly. I have been using Adobe products for years and they are generally designed superbly.

However, something affected its operation so that whenever it ran, it created an entry in the Windows prefetch folder titled "OEI7IJ01.EXE-02DFE2EF.pf" and also created multiple entries in the scheduled task list to run an 82KB process named "Oei7ij01.exe. Everytime I cleared out the processes they would show up an hour later. When I paused (and eventually disabled) the Flash Player Updater the creation and execution of this process stopped.

Report · Jun 05, 2012

Thank you for the additional information. Hopefully someone from the Adobe Flash Player team will have a look at this during US daytime.

Report · Jun 06, 2012

Thanks for the heads up. I haven't seen this before but I just forwarded your post along to the developer responsible for this feature. I'd definitely like to hear from any others that have also had this happen.

Report · Jun 06, 2012

Searching Google for 'oei7ij01' only returns this very topic; this seems to be a unique instance.

Adobe Community

Flash Player Update Virus?