Adobe Shockwave Flash/Flash Player

by hikergirl / July 7, 2013 9:30 AM PDT

XP Pro SP3, Firefox, IE8, HP e-pc 40

It seems the 2 pieces of software listed above are synonymous.

When Shockwave Flash updated on June 12, 2013 (v. 11.7.700.224), it left behind the following: DomaIQ.exe (Trojan) and DomaIQ10.exe (Rootkit)(win32.Rootkit!IK) < I don't know what that last one is.

HitmanPro runs on its own and found these 2 infections. Because I do not (and cannot) pay for this program, I cannot delete the infections.

I went into my programming, to see what would happen if I tried to open either of them. This is what I found:
DomaIQ.exe DomaIQ2.4 v. 1.0.1.4 232kb (this is the set-up wizard, which I did not run) Tuguu S.L.U. Installer by: Amonetize ltd. v. 1.1.5.40 155kb. and
DomaIQ10.exe DomaIQ2.4 Tuguu S.L.U. v. 1.0.1.4 235kb.
When I tried to open DomaIQ10.exe, Avast put it in the sandbox for analysis and said, "...did not find enough evidence to identify file as malware. However, you should still use extreme caution when accessing it."

In my programs, Flash Player is listed as: FlashPlayer_151.

I have reported the malware to Avast, so it can add these to its arsenal.

Two or 3 days ago, I reported the malware to Adobe's security. No report from them.

I attempted to post on Adobe Flash forum, but there does not seem to be any way to find my post.

I have attempted to run an Adobe debugger program, specifically for Shockwave Flash; it is merely a new install for the program - no debugger.

In the FlashPlayer set-up wizard (DomaIQ.exe), there is no choice to retain my Google tool bar - very suspicious! There are a number of references to Value Apps. I would attach a screen shot of this set-up wizard, but I don't see where this forum allows that.

I don't know if any of this has anything to do with the plug-in???

So, to my question: Is anyone able to give me step by step instructions to delete this malware? I have Add/Remove Pro, which I can run later, to get any remains of this malware, etc.

Thanks for any help out there. Please keep the terminology fairly simple.

What if it's a False Positive?
by R. Proffitt Forum moderator / July 7, 2013 9:41 AM PDT

It would be rare for Adobe to ship out a trojan like that so why not just delete those .exe's manually?

As already noted..
by Carol~ Forum moderator / July 8, 2013 2:09 AM PDT

Pat,

If you did not download the update from a Fake Adobe Flash Update page, which I suspect you did NOT, then it's adware which came bundled with Flash Player from the site you did download it from.

I see you wrote a comment (at download.com) warning users of what you found. IF per chance you downloaded it from CNET, did you click on the "external download link" where it states, "this software is available to download from the publisher site"?

As Bob already noted .. it's HIGHLY unlikely it came (directly) from Adobe.

And as System Explorer notes when describing DomaIQ.exe from the author:

"DomaIQ was created in 2011 as a pay-per-install affiliate program. It is the perfect system for distribution and monetization of any kind of software products." (The underlining is mine)

I too suggest just deleting the files. If you have a problem, run Malwarebytes' Anti-Malware. Or use some of the tools suggested here.

Lastly. How to determine if a Flash update notification is legitimate was written with Macs in mind. However, most of what it says holds true for all systems which make use of Flash Player and Reader.

Best of luck..
Carol

Great info, Carol
by hikergirl / July 9, 2013 8:20 AM PDT
In reply to: As already noted..

Carol -

I'll try to make this coherent...

I ALWAYS use the manufacturer's Web site for software. Always! When Adobe has a new version of software that I have, it opens a window for notification. If I don't act on it at that time, the window will recur at a later time/date. I am an extremely safe on-line user. Extremely. And, I am extremely careful about what is offered in the new versions. I don't want anything but Google tool bar.

I used the malware***.com site. It's a treasure trove! So, I ran everything (I think) that was suggested:

I reset Firefox.

I reset IE8.

HitmanPro 3.7.6. Build 201 began running, without any instruction on my part. Here's what I got: After Firefox had rebooted, HitmanPro's results window opened and said: No threats found. But, on the first line listing what was found: 659 threats were detected. I did not look at what was found, because, for the first time, it was offering me the opportunity to delete the threats. So, I took it.

I ran AdwCleaner - a phenomenal program. Here is what it found:

***** [Files / Folders] *****

File Deleted : C:\WINDOWS\Uninstall.exe
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\customer\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\customer\Local Settings\Application Data\Wondershare
Folder Deleted : C:\Program Files\Common Files\Wondershare
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Wondershare

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\iWon
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16FE2505-F2A0-4782-B035-AF0E5188C02C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AF08E71-3657-462F-898C-F7E791948F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225F6C9-CF64-4D6D-AE8A-169779FD7B4D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CouponAlert_2pbar Uninstall
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0BDF6C42-132C-45F5-92DE-DC13F40C6DAB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8867AC9B-4426-44A2-A693-C95850D3405C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{95B3F577-D54A-4831-B2B4-8AACEEDA85CF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C2DF3856-676C-41DC-A73B-FACBDF8E81E9}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\lt3jdb3m.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\customer\Application Data\Mozilla\Firefox\Profiles\0a9utsjt.default\prefs.js

Deleted : user_pref("avg.toolbar.websearchlink", "hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg");
Deleted : user_pref("extensions.toolbar.mindspark._4jMembers_.homepage", "hxxp://home.mywebsearch.com/index.jh[...]

*************************

AdwCleaner[R1].txt - [7470 octets] - [09/07/2013 16:19:36]
AdwCleaner[S1].txt - [7557 octets] - [09/07/2013 16:48:10]

########## EOF - C:\AdwCleaner[S1].txt - [7617 octets] ##########

I had run some other program (HitmanPro?) earlier. It found DomaIQ.exe (Trojan), in PreFetch, which it would not allow me to delete, because I had not purchased the software. It must still be there - it was not found by AdwCleaner.

There is no mention of DomaIQ10.exe, the Rootkit. So, this piece of garbage is still floating around somewhere.

While I was getting the results from AdwCleaner, an Adobe window opened to alert me to a new version of Flash Player. Now I am running very fast away from this. I really don't know what I should do: install? ignore?

A short while later, while I was working on-line, another window opened: "An action script error occurred." The Flash Player plug-in had crashed.

If nothing else, my computer should run a bit faster. There is not much space left, and I keep it as clean as possible, with ccleaner and defraggler.

So, what do you think about the DomaIQ.exe and DomaIQ10.exe, still lurking in the dark shadows?

Thanks, so much, for all of your help!
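The triage done by hand above (what did AdwCleaner remove, by section, and does the report mention DomaIQ.exe or DomaIQ10.exe at all) can be automated. This is an added example, not part of the thread or of AdwCleaner; it parses a short constructed sample in the report's own line format:

```python
import re
from collections import Counter

# Constructed sample in AdwCleaner's report format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
***** [Files / Folders] *****
File Deleted : C:\WINDOWS\Uninstall.exe
Folder Deleted : C:\Program Files\Viewpoint
***** [Registry] *****
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0BDF6C42-132C-45F5-92DE-DC13F40C6DAB}
***** [Internet Browsers] *****
Deleted : user_pref("avg.toolbar.websearchlink", "hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg");
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ENTRY_RE = re.compile(r"^(?:(?P<kind>File|Folder|Key) )?Deleted : (?P<target>.+)$")


def parse_adwcleaner(text):
    """Return (section, kind, target) for every 'Deleted' line; '[OK]' lines are skipped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if sec := SECTION_RE.match(line):
            section = sec.group("name")
        elif ent := ENTRY_RE.match(line):
            # Browser-pref deletions carry no File/Folder/Key prefix.
            entries.append((section, ent.group("kind") or "Pref", ent.group("target")))
    return entries


def summarize(entries):
    """Count removals per (section, kind)."""
    return Counter((section, kind) for section, kind, _ in entries)


def find_mentions(entries, names):
    """Case-insensitive search of every removed target for each suspect name.
    An empty list means the report never touched that artefact (the DomaIQ10.exe case)."""
    return {n: [t for _, _, t in entries if n.lower() in t.lower()] for n in names}


if __name__ == "__main__":
    found = parse_adwcleaner(SAMPLE_LOG)
    for (section, kind), n in sorted(summarize(found).items()):
        print(f"{section:<18} {kind:<7} {n}")
    for name, hits in find_mentions(found, ["DomaIQ10.exe", "Viewpoint"]).items():
        print(f"{name}: {hits or 'not in report'}")
```

Run it against the real AdwCleaner[S1].txt to get the same per-section counts and an explicit "not in report" for any artefact you still expect to find elsewhere.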

I forgot to include this...
by hikergirl / July 9, 2013 8:25 AM PDT
In reply to: As already noted..

This was from HitmanPro:

Files Detected: 1
C:\Documents and Settings\customer\My Documents\Downloads\FlashPlayer_V.90860746b.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.

According to what I see ..
by Carol~ Forum moderator / July 11, 2013 5:41 AM PDT

Pat..

The scans seem to have done their job. And according to the results of Hitman Pro, Adware.DomaIQ was deleted.

I hate to belabor the point when you're convinced you downloaded the update from Adobe. The only reason I question it is due to your mention of downloading it as a result of a notification. I know I can say with 100% certainty mine are legitimate only because I go to Adobe's site or download it from a direct link. (I'll provide it below)

Please read what I posted at the end of May. FAKE Adobe Flash Player Updates | Sweetpacks | Removal, etc I think you'll find it of interest. 3 people were convinced they were infected as a result of a Flash Player update.

Be sure to read "How Fake Adobe Flash Updates Put Your Security At Risk", and especially what it says under "Watch out for fake Adobe Flash Player updates!" and also "How they work".

Flash Player updated to v11.8.800.94 on Tuesday. I would recommend first verifying which version you presently have installed. Go to the About Flash Player page, or right-click on the content running in Flash Player and select "About Adobe Flash Player" from the menu. Do it with both browsers.

As mentioned above, I usually use these direct links. It's up to you which method you wish to choose.

Non-IE (Opera, Firefox, Etc.):
http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe

Windows XP, Vista and 7:
Flash Player For Internet Explorer 7, 8, 9, 10:
http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

If you're not completely convinced the adware is gone, I would suggest posting at the Malwarebytes' Forum. It may be worth it for your peace of mind.

Carol
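The two checks Carol recommends (compare the installed version with the current one, and only fetch the installer from Adobe's own hosts such as the download.macromedia.com links above, never from a notification page) can be written down as a small decision function. This is an added example, not part of the thread; the allowlist of trusted hosts and the label strings are assumptions for illustration:

```python
from urllib.parse import urlsplit

# Assumed allowlist: Adobe's own download hosts (the direct links above are on
# download.macromedia.com). Adjust to whatever your organisation trusts.
TRUSTED_HOSTS = ("adobe.com", "macromedia.com")


def parse_version(text):
    """'11.7.700.224' -> (11, 7, 700, 224); tolerates a leading 'v'."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))


def host_is_trusted(host):
    """Exact or real sub-domain match only, so lookalikes such as
    'adobe.com.example.net' or 'download-macromedia.com' are rejected."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_update(installed, current, download_url):
    """Decide what to do with an update prompt.
    'suspicious-source'        : the installer is not served from a trusted host
    'current'                  : nothing to do, installed >= current
    'update-from-trusted-link' : a newer build exists and the link is trusted"""
    url = urlsplit(download_url)
    # urlsplit().hostname ignores user-info tricks like http://adobe.com@evil/
    if url.scheme not in ("http", "https") or not host_is_trusted(url.hostname or ""):
        return "suspicious-source"
    if parse_version(installed) >= parse_version(current):
        return "current"
    return "update-from-trusted-link"


if __name__ == "__main__":
    plugin = ("http://download.macromedia.com/get/flashplayer/current/licensing/"
              "win/install_flash_player_11_plugin.exe")
    print(classify_update("11.7.700.224", "11.8.800.94", plugin))
    print(classify_update("11.7.700.224", "11.8.800.94",
                          "http://adobe.com.update-now.example/FlashPlayer_V.90860746b.exe"))
```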
