Recently, one system that I worked on was infiltrated by something that manipulated FlashUtil32_11_5_502_135_ActiveX.exe. Being that it usurped a legitimate Flash component so that no one would be the wiser, I am leaning towards calling this a Trojan, hence the title. If a Symantec Employee desires to amend the name, feel free to do so.
Background Info: On said computer, it looked as though an ad for something or another had been clicked on a list of Google search results.
Symptoms: Internet connectivity pretty much zero. CPU usage at a stubborn 25%. Performing a full system scan with N360 in Safe Mode with Networking hung. Interestingly, the programme reported three [3] threats but only resolved two [2] tracking cookies. Next up, Malwarebytes’ Anti-Malware full scan turned up nothing. Windows Defender: nothing. Norton Power Eraser (NPE): nothing malicious found. Kaspersky’s TDSS Killer: not much better. It revealed Akamai (part of Net Session), which I know to be benign. This dastardly bugger even went under the radar (so to speak) of enhanced security measures in Win7 such as I.E.7’s Internet Protected Mode and system “change” warnings.
I attempted to “pin down” whatever it was by examining background processes/services in MSCONFIG. I went under HKEY_LOCAL_MACHINE - Software - Microsoft - Windows - Current Version - Run to see if anything lodged there. No luck. I then had the idea of leaving up Windows Task Manager (processes tab) whilst I.E.7 tried to connect. That is where I discovered that FlashUtil32_11_5_502_135_ActiveX.exe would briefly load and then make a hasty exit. So much so that I had to employ the Print Screen function to catch the sneaky devil. Now I knew what I was dealing with. Next came the question of where in the registry to properly purge this corruption. For that, I had to utilise ComboFix. ComboFix provided me with the framework required to correctly handle this situation. I should have “zipped” the compromised Flash files in order for Symantec Employees to study the manner in which they were exploited; however, in my fervor, I was just “bent on” destruction of the maliciousness and nothing else. If it is any consolation, I have attached before/after ComboFix logs.
Please note: Once items pertaining to Flash were exterminated under the “Locked Registry Entries” section, that is when symptoms abated. For example, Internet operating through Verizon FiOS would load pages quickly, just like before infection, and CPU usage was no longer stuck at a stale 25% that would not budge. These logs may only be crumbs from the Master’s Table; however, it is my sincere hope that Symantec Employees will be able to study them and potentially see to it that Flash entries are provided with more security in future updates for N360/Internet Security.
Please note also: Obviously, in this scenario, Flash had to be freshly re-installed. Uncompromised FlashUtil32_11_5_502_135_ActiveX.exe will NOT appear then quickly disappear. Rather, it will “stay up” in the background processes, as was the case when I played a video on YouTube.
I must admit, after confronting this situation, I have about one-hundred [100] times more respect for the threat remediation Quads provides users of this forum on a consistent basis.
Regards,
H.B.
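The post above caught the short-lived process by watching Task Manager and hitting Print Screen. As an added example (not code from the original post or from Symantec), the following PowerShell script does the same job without the race: it subscribes to a WMI process-start event for the named image, which fires even when the process exits within milliseconds, records the on-disk path, parent process and command line for comparison against a clean install, and then lists any Run-key autostart entries that reference the same image. It assumes an elevated PowerShell prompt on Windows; the log path is a hypothetical value chosen for illustration.

```powershell
# Added example, not from the original post. Records every start of a named
# process and checks the autostart Run keys for references to it.
# Assumptions: elevated PowerShell session; $LogPath is a hypothetical value.
param(
    [string]$ImageName = 'FlashUtil32_11_5_502_135_ActiveX.exe',
    [string]$LogPath   = "$env:USERPROFILE\Desktop\process-starts.log"
)

# 1. Subscribe to process-start events filtered to the image of interest.
#    Win32_ProcessStartTrace fires at creation time, so a process that exits
#    almost immediately is still recorded, unlike a polled Task Manager view.
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$ImageName'"
Register-WmiEvent -Query $query -SourceIdentifier 'ImageStart' -MessageData $LogPath -Action {
    $e = $Event.SourceEventArgs.NewEvent
    # Query the process while it may still be alive to capture its on-disk path
    # and command line; compare the path with that of a freshly installed copy.
    $proc   = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
    $fields = @(
        (Get-Date), $e.ProcessID, $e.ParentProcessID,
        $parent.Name, $proc.ExecutablePath, $proc.CommandLine
    )
    $line = '{0:s} pid={1} ppid={2} parent={3} path={4} cmd={5}' -f $fields
    Add-Content -Path $Event.MessageData -Value $line
}

# 2. Check the Run keys the post inspected by hand: both hives, plus the
#    32-bit view on a 64-bit Windows, for values naming the image.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -like "*$ImageName*") {
            "Autostart entry referencing ${ImageName}: $key\$($p.Name) = $($p.Value)"
        }
    }
}

"Watching for $ImageName; each start is appended to $LogPath."
"Reproduce the symptom (e.g. open the browser), then run: Get-Content '$LogPath'"
"Stop watching with: Unregister-Event -SourceIdentifier ImageStart"
```

A legitimate copy of the helper should log a stable path under the Flash install directory and stay resident while a video plays, as the post describes; repeated one-off starts from an unexpected path or parent are the pattern worth investigating.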