Piriform Community Forums
Alan_B

A new plague of Flash Trash on the way


Today I was given another 554 KB of unwanted rubbish, 3 files with names

1C04C61346A1FA3139A37D860ED92632AA13DECF.heu

1C04C61346A1FA3139A37D860ED92632AA13DECF.swz

cacheSize.txt

 

They all appeared in

C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\75EJ9GA4

 

I think it should be called LIABILITYCache, not ASSETCache.

I never asked for it.

 

I have now added to my winapp2.ini

FileKey4=%APPDATA%\Adobe\Flash Player\|*.*|RECURSE

 

n.b. Till now Flash was fully controlled by

FileKey1=%APPDATA%\Macromedia\Flash Player\|*.*|RECURSE

 

WARNING - Google gave me 18 results for 1C04C61346A1FA3139A37D860ED92632AA13DECF

I clicked on one and received an immediate ZIP download ! !

Approach at your own risk

 

Alan


The only thing though is some people that use sites which store settings in there for example some online games would be upset if they had to start over from scratch. Suppose it's security/privacy vs. convenience. However like you I wipe that folder clean!


The asset cache feature has been around since v9.0.115.0 (late 2007).

So has the ability to control it from the Flash Player Settings Manager.

 

Link for the settings manager start page:

http://www.macromedia.com/support/document...gs_manager.html

It attempts to explain the settings. On the left are the actual page links.

In the Global Storage Settings Panel you can turn the asset cache off by

unchecking "Store common Flash components to reduce download times" and confirming.

 

A file called cacheSize.txt is immediately created or updated. The contents

of mine are a zero followed by a null. 2 bytes total.

So I leave it alone. So far no more assetcache files and no complaints.

 

Don't be confused by Adobe's use of the word Global either. It's not Global for

all users of your machine but Global for all Websites for the current user.

 

If you need/want machine wide control you'll need to create a special

config file. The details can be found in Adobe's own documents.

Available here for flash player 8,9

http://www.adobe.com/devnet/flashplayer/ar...admin_guide.pdf

or for flash player 10

http://www.adobe.com/devnet/flashplayer/ar...admin_guide.pdf

(search for "mms.cfg" within the pdfs)

 

Kind of boring stuff unless you are an admin or very curious.

 

I also found a .sol file (Local Settings Object) viewer/editor.

Portable Standalone Flash .Sol File Editor (2004)

Developers page: http://solve.sourceforge.net/

Download: http://sourceforge.net/projects/solve/

It's a work-in-progress but gets the job done for me.

 

I just wanted to decode a few files to further my understanding.

Happy to see the .sol file left by the bank was encrypted,

and found out YouTube just wants to know my preferred volume level.

 

A couple more links.

An Adobe technote: How to manage and disable Local Shared Objects

http://kb2.adobe.com/cps/526/52697ee8.html

 

A recent blog post at Tech Republic I ran across today:

Flash cookies: What's new with online privacy

http://blogs.techrepublic.com.com/security/?p=2299

CCleaner is mentioned several times in the comments. (There are many.)
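
A read-only check of what the thread describes, added here as an example and not part of any post: it lists each AssetCache folder, separates files matching the 40-hex-character .swz/.heu naming seen above from anything else, and reads cacheSize.txt. The function names, the sample tree, and treating "0" plus a null byte as "cache off" (one poster's observation) are assumptions.

```python
import os
import re
import tempfile

# Assumption from the thread: components are named <40 hex chars>.swz/.heu.
COMPONENT_RE = re.compile(r"^[0-9A-F]{40}\.(swz|heu)$", re.IGNORECASE)
CACHE_OFF = b"0\x00"  # "0" + NUL: what one poster saw with the cache off

def audit_asset_cache(flash_root):
    """Summarise each folder under <flash_root>/AssetCache without changing it."""
    report = []
    cache_root = os.path.join(flash_root, "AssetCache")
    buckets = sorted(os.listdir(cache_root)) if os.path.isdir(cache_root) else []
    for bucket in buckets:
        folder = os.path.join(cache_root, bucket)
        if not os.path.isdir(folder):
            continue
        row = {"bucket": bucket, "components": [], "unexpected": [],
               "bytes": 0, "cache_off": None}
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if name.lower() == "cachesize.txt":
                with open(path, "rb") as fh:
                    row["cache_off"] = fh.read(16) == CACHE_OFF
                continue
            row["bytes"] += os.path.getsize(path)
            kind = "components" if COMPONENT_RE.match(name) else "unexpected"
            row[kind].append(name)
        report.append(row)
    return report

def build_sample(root):
    """Constructed sample tree (not real Flash data) for the demo run."""
    stem = "AB" * 20
    files = {("SAMPLE01", stem + ".swz"): b"\0" * 500,
             ("SAMPLE01", stem + ".heu"): b"\0" * 54,
             ("SAMPLE01", "cacheSize.txt"): b"1\x00",  # constructed value
             ("SAMPLE01", "notes.zip"): b"PK",         # does not belong here
             ("SAMPLE02", "cacheSize.txt"): CACHE_OFF}
    for (bucket, name), data in files.items():
        folder = os.path.join(root, "AssetCache", bucket)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_asset_cache(build_sample(tmp)))
```

On a real profile, pass the `%APPDATA%\Adobe\Flash Player` folder named in the first post; a non-empty `unexpected` list is the part worth a closer look.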


Thank you both.

 

I will now accept this is established technology, and not necessarily malware,

even though this sort of trash has never been on my machine before and arrived like a virus without invitation.

 

I was very disturbed that it arrived when I did nothing unusual.

 

I became paranoid when I searched the magic number and got 18 hits,

most of which were foreign and related to Torrent (which I think of as a malware carrier).

I clicked on one link and many thumbnails of girls in bikinis appeared

- the thumbnails were not adult content, but I decided to back out before ! ! ! ! !

 

Only one of the 18 was a site I recognised - geekstogo.

I clicked and immediately had the option to download or run.

I then copied the link and carefully inspected to see that it was what I thought,

and pasted in the address bar, and the download was repeated.

The download was a ZIP file. The link had a html extension.

I thought html gave browser pages, not ZIP downloads.

The Firefox Download manager confirmed that the ZIP came from geekstogo.

I asked geekstogo whether their site was infected or hijacked ! !

 

I Googled "SWZ MALWARE" and "HEU MALWARE" and got thousands of results.

 

When I finished and CCleaned, my new Winapp2.ini addition found a new item in

C:\Documents and Settings\Dad\Application Data\Adobe\Flash Player\AssetCache\

That was immediately purged.

 

Incidentally, earlier this year when I received the weekly bargain email (Gmail) from the NETTO discount grocery chain,

Google offered to put into my calendar those items that I often buy from Tesco.

Google knew me so well it was as if it had access to my Tesco "Loyalty Card" list of recent purchases,

but of course data protection laws mean that cannot happen ! ! !

 

Google always looks over my shoulder and selects and displays a relevant sponsored link.

Two days ago is when I first yielded to the temptation and clicked on the sponsored link.

Coincidence or what ! ! !

 

Alan

MVPS HOSTS File blocks their third-party intellitxt adverts. A ton of garbage can be automatically blocked by simply using a good HOSTS file along with for example Adblock Plus for Firefox.

 

I use AdBlock Plus, but so far have not felt the need for the HOSTS file.

 

Two separate events.

 

1. I unexpectedly found 550 KB size 1C04C61346A1FA3139A37D860ED92632AA13DECF.swf etc.,

The Google adverts above my gmail messages never inconvenience me.

In fact I like them because they remind me that Google is watching and remembering everything I do, quite a sobering realisation ! ! !

Paranoia alert :-

For any Company X there may be a competitor Company Y, and knowledge of correspondence between X and its customers could be of great value to Y (e.g. to submit a bid that undercuts the final offer to/from X).

Is it possible that Company Y might pay Google a special referrer bonus for a "sponsored link" that results in a special "referrer cookie" that in 550kB not only identifies Google as the source, but also includes all the correspondence to and from a competing Company X ? ! ! !

 

2. Google search for 1C04C61346A1FA3139A37D860ED92632AA13DECF got 19 results.

The geekstogo result was

SysProt AntiRootkit v1.0.1.0 by swatkat ...

... Object: C:\Documents and Settings\Kelland\Application Data\Adobe\Flash Player\AssetCache\5SQ9YV37\1C04C61346A1FA3139A37D860ED92632AA13DECF.heu Status: ...

www.geekstogo.com/forum/post-a32410-.html - Cached - Similar

 

When I hovered over the first line, the browser status showed it went to

www.geekstogo.com/forum/post-a32410-.html

When I held down Ctrl and clicked on that first line Firefox opened a new TAB,

but the TAB remained empty instead of showing the rest of what swatkat wrote,

and the ZIP file was immediately sent to me and replaced the normal default with RUN.

Exactly the same happened when I selected and copied

www.geekstogo.com/forum/post-a32410-.html

and pasted into the address bar.

 

I have searched for "a32410", and the only instance geekstogo has found is my post on the subject.

I now suspect that a spam poster put something nasty on the geekstogo forum

and before geekstogo found it and removed it Google came along and cached it

and it is Google cache that gave me this unwanted ZIP.

Perhaps Google should place a warning about themselves "this site may harm your computer" ! ! !

 

I wish to continue visiting geekstogo, so I do not want MVPS HOSTS to block me,

and if it merely blocked adverts/pop-ups from geekstogo I suspect this sort of "invisible" ZIP download would still arrive.

 

I do accept that *.swf can have a legitimate presence and purpose,

but a 550 KB set of files where only a small cookie should happen is outside my experience, and thus suspect.

My paranoia clicks up 6 notches when I then search for the identifying 1C04C61346A1FA3139A37D860ED92632AA13DECF and :-

most results are related to Torrents (which might be illegal) ;

at least one seems to have links that could have adult content ;

somehow I get yet another monster set of *.swf with different names ;

and then I get an unsolicited 197 KB ZIP that appeared to come from geekstogo.

 

I still believe that man landed on the moon, but wonder if Google have the power to simulate it ! !

 

Regards

Alan

