A new plague of Flash Trash on the way
Posted 18 September 2009 - 11:51 AM
They all appeared in
C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\75EJ9GA4
I think it should be called LIABILITYCache, not ASSETCache.
I never asked for it.
I have now added to my winapp2.ini
n.b. Till now Flash was fully controlled by
WARNING - Google gave me 18 results for 1C04C61346A1FA3139A37D860ED92632AA13DECF
I clicked on one and received an immediate ZIP download ! !
Approach at your own risk
Posted 18 September 2009 - 01:45 PM
Don't PM me for advice or help! I'll only ask you to read forum rule #15.
Posted 19 September 2009 - 08:28 AM
As well the ability to control it from the flash player settings manager.
Link for the settings manager start page:
It attempts to explain the settings. On the left are the actual page links
In the Global Storage Settings Panel you can turn the asset cache off by
unchecking "Store common Flash components to reduce download times" and confirming.
A file called cacheSize.txt is immediately created or updated. The contents
of mine is a zero followed by a null. 2 bytes total.
So I leave it alone. So far no more assetcache files and no complaints.
Don't be confused by Adobe's use of the word Global either. It's not Global for
all users of your machine but Global for all Websites for the current user.
If you need/want machine wide control you'll need to create a special
config file. The details can be found in adobe's own documents.
Available here for flash player 8,9
or for flash player 10
(search for "mms.cfg" within the pdfs)
Kind of boring stuff unless you are an admin or very curious.
I also found a .sol file (Local Settings Object) viewer/editor.
Portable Standalone Flash .Sol File Editor (2004)
Developers page: http://solve.sourceforge.net/
It's a work-in-progress but gets the job done for me.
I just wanted to decode a few files to further my understanding.
Happy to see the .sol file left by the bank was encrypted,
and found out You Tube just wants to know my preffered volume level.
A couple more links.
An adobe technote: How to manage and disable Local Shared Objects
A recent blog post at Tech Republic I ran across today:
Flash cookies: What's new with online privacy
CCleaner is mentioned several times in the comments. (There are many.)
Posted 20 September 2009 - 09:55 AM
I will now accept this is established technology, and not necessarily malware,
even though this sort of trash has never been on my machine before and arrived like a virus without invitation.
I was very disturbed that it arrived when I did nothing unusual.
I became paranoid when I searched the magic number and got 18 hits,
most of which were foreign and related to Torrent (which I think of as a malware carrier).
I clicked on one link and many thumbnails of girls in bikinis appeared
- the thumbnails were not adult content, but I decided to back out before ! ! ! ! !
Only one of the 18 was a site I recognised - geekstogo.
I clicked and immediately had the option to download or run.
I then copied the link and carefully inspected to see that it was what I thought,
and pasted in the address bar, and the download was repeated.
The download was a ZIP file. The link had a html extension.
I thought html gave browser pages, not ZIP downloads.
The Firefox Download manager confirmed that the ZIP came from geekstogo.
I asked geekstogo whether their site was infected or hijacked ! !
I Googled "SWZ MALWARE" and "HEU MALWARE" and got thousands of results.
When I finished and CCleaned, my new Winapp2.ini addition found a new item in
C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\
That was immediately purged.
Incidentally, earlier this year when I received the weekly bargain email (Gmail) from the NETTO discount grocery chain,
Google offered to put into my calendar those items that I often buy from Tesco.
Google knew me so well it was as if it had access to my Tesco "Loyalty Card" list of recent purchases,
but of course data protection laws mean that cannot happen ! ! !
Google always looks over my shoulder and selects and displays a relevant sponsored link.
Two days ago is when I first yielded to the temptation and clicked on the sponsored link.
Coincidence or what ! ! !
Posted 20 September 2009 - 08:19 PM
MVPS HOSTS File blocks their third-party intellitxt adverts. A ton of garbage can be automatically blocked by simply using a good HOSTS file along with for example Adblock Plus for Firefox.
the ZIP came from geekstogo.
Don't PM me for advice or help! I'll only ask you to read forum rule #15.
Posted 21 September 2009 - 11:38 AM
I use AdBlock Plus, but so far have not felt the need for the HOSTS file.
Two separate events.
1. I unexpectedly found 550 KB size 1C04C61346A1FA3139A37D860ED92632AA13DECF.swf etc.,
The Google adverts above my gmail messages never inconvenience me.
In fact I like them because they remind me that Google is watching and remembering everything I do, quite a sobering realisation ! ! !
Paranoia alert :-
For any Company X there may be a competitor Company Y, and knowledge of correspondence between X and its customers could be of great value to Y (e.g. to submit a bid that undercuts the final offer to/from X).
Is it possible that Company Y might pay Google a special referrer bonus for a "sponsored link" that results in a special "referrer cookie" that in 550kB not only identifies Google as the source, but also includes all the correspondence to and from a competing Company X ? ! ! !
2. Google search for 1C04C61346A1FA3139A37D860ED92632AA13DECF got 19 results.
The geekstogo result was
SysProt AntiRootkit v126.96.36.199 by swatkat ...
... Object: C:\Documents and Settings\Kelland\Application Data\Adobe\Flash Player\AssetCache\5SQ9YV37\1C04C61346A1FA3139A37D860ED92632AA13DECF.heu Status: ...
www.geekstogo.com/forum/post-a32410-.html - Cached - Similar
When I hovered over the first line, the browser status showed it went to
When I held down Ctrl and clicked on that first line Firefox opened a new TAB,
but the TAB remained empty instead of showing the rest of what swatkat wrote,
and the ZIP file was immediately sent to me and replaced the normal default with RUN.
Exactly the same happened when I selected and copied
and pasted into the address bar.
I have searched for "a32410", and the only instance geekstogo has found is my post on the subject.
I now suspect that a spam poster put something nasty on the geekstogo forum
and before geekstogo found it and removed it Google came along and cached it
and it is Google cache that gave me this unwanted ZIP.
Perhaps Google should place a warning about themselves "this site may harm your computer" ! ! !
I wish to continue visiting geekstogo, so I do not want MVPS HOSTS to block me,
and if it merely blocked adverts/pop-ups from geekstogo I suspect this sort of "invisible" ZIP download would still arrive.
I do accept that *.swf can have a legitimate presence and purpose,
but a 550 KB set of files where only a small cookie should happen is outside my experience, and thus suspect.
My paranoia clicks up 6 notches when I then search for the identifying 1C04C61346A1FA3139A37D860ED92632AA13DECF and :-
most results are related to Torrents (which might be illegal) ;
at least one seems to have links that could have adult content ;
somehow I get yet another monster set of *.swf with different names ;
and then I get an unsolicited 197 KB ZIP that appeared to come from geekstogo.
I still believe that man landed on the moon, but wonder if Google have the power to simulate it ! !