Flash plugin executable starts automatically in background

Discussion in 'other software & services' started by phkhgh, Mar 26, 2014.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Recently - in last couple weeks? - saw FlashPlayerPlugin.exe started & running in background. I'm assuming that Flash running "automatically" is associated somehow w/ Firefox 28 or TorBrowser (Fx 24.4 ESR), but it's disabled in both (never activate) in Addons. Flash is set to NOT update automatically (I check regularly).

    I don't use it - don't play flash content *IN* the browsers (certainly haven't used it recently, when it's popped up as running in background).

    If on websites, there's no alternative to Flash for playing something, I don't play it. The couple of times I found it running in Task Mgr, Flash was still disabled in both browsers' addon mgrs.

    Is there a way I can see what, if anything, called flash to start? Process Explorer or something of that nature? As said, I've not used flash recently. Definitely not after I killed it, then it reappeared later in task manager. I've never seen this in years of having flash plugin installed. Thanks.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Sounds very fishy to me. I would at least look around in Process Explorer. See if you can get the full path and checksum of the EXE and compare those to the real item (or find the checksum on VirusTotal or such).

    BTW, while I personally stay far far away from things like Tor, I know that Javascript can compromise anonymous browsing quite easily, and the same is probably true of Flash. I very much doubt it's associated with the Tor browser, and I know for a fact that it does not come bundled with Firefox.

    Edit: also, the Flash browser plugin should be a DLL, not an EXE. And there is a "Flash Plugin" and standalone "Flash Player", but I have not once heard of anything called "FlashPlayerPlugin.exe."

    I sure hope you have your data backed up.

    Edit 2: NB, I'm not a Windows geek; others here might know better what is considered okay on Windows. But I will say again, this sounds very fishy and not at all like the behavior of the real Flash plugin.

    Edit 3: at least try right-click -> "Properties" on the process in Task Manager, and get

    - Location
    - Size
    - Digital signatures

    And try to get an md5sum if you can. (7Zip lets you do this I think.)
     
    Last edited: Mar 26, 2014
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    If I didn't play Flash content on sites, I would not have it installed in my computer.

    Bo
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    I missed that.

    @phkhgh: did you ever deliberately install the Flash plugin? If not then it (or anything that looks like it) should not be there.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    I would use Process Explorer to check what the parent process is. Using PE you can also send the process to VirusTotal for checking with multiple AVs.

    hqsec
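
Added example (not part of any post in this thread): a PowerShell script for the checks suggested in the replies above, reporting the parent process, full path, command line, SHA-256 and Authenticode signature of a running image. It assumes PowerShell 4.0 or later and that the process is still alive; `Get-ProcessProvenance` is a hypothetical helper name, and the image name is the one reported in the first post.

```powershell
# Added example, not from the thread. Run while the process is still listed.
$ImageName = 'FlashPlayerPlugin.exe'   # image name reported in the first post

function Get-ProcessProvenance {       # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)

    # Snapshot all processes once so parent lookups use the same view.
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($p in $all | Where-Object { $_.Name -ieq $Name }) {
        # Windows recycles PIDs: a "parent" that started after the child is
        # an unrelated process that inherited the number, not the launcher.
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } |
            Select-Object -First 1
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

        $sha256 = $null; $sigStatus = $null; $signer = $null
        # ExecutablePath is empty when the caller lacks rights to the process.
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sha256 = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
            $sig = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Started     = $p.CreationDate
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine      # shows which plugin DLL was loaded
            ParentPid   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited or PID reused>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            SHA256      = $sha256
            Signature   = $sigStatus          # 'Valid' means the signature verified
            Signer      = $signer
        }
    }
}

Get-ProcessProvenance -Name $ImageName | Format-List
```

The SHA256 value can be searched on VirusTotal without uploading the file. An empty result means no process with that image name was running at the moment of the query.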
     
  6. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Good idea. I was hoping to find if some other app was calling this, but may not be possible? NOTE for all: the "FlashUtil64_12_0_0_77_Plugin.exe" occasionally running in background is the correct name for the Flash *Installer.*

    Not really the point, but thanks. The only time I'd use it is on very trusted sites, like several financial institutions where it might occasionally be used.
    Thanks. Are you suggesting going to Adobe / their forum, etc., to find the checksum(s) of the original file? What I see running in background (on very rare occasions) is:
    FlashUtil64_12_0_0_77_Plugin.exe. So it's the Flash installer I've seen a couple times, running in background, kinda "sitting." Unfortunately, I can't "make it come back."
    No flash windows, task bar icons ever appear; no interference w/ other apps, AFAIK. In the past, anytime Flash installer was manually run, it appears on top of all other apps.

    Checking in Windows, that is the exact name for the plugin installer for the Fx / Chrome plugin. I'll check the checksums - but I downloaded installer directly from Adobe, then installed (not using their "download / install manager"). So corruption / hacking is possible, but not likely. Here are checksums for downloaded "install_flash_player_12.0.0.77_plugin.exe", that contains the installer .exe mentioned above, and the .dll plugin for the browsers.

    The 1st time I noticed (after recent updates in regular Fx, TorBrowser (also Fx ESR) & Flash plugin for non-IE browsers), I just killed the process. Didn't think much about it. The next time, before I attempted to look at it in Process Explorer (for actual path, start time, etc.), it disappeared. At that approx. time, I also closed TorBrowser & couple? other apps, which could be reason the flash process closed.
     
    Last edited: Mar 26, 2014
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Oh! In that case it might be the Flash auto-update scheduled task...
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    Then again, since you are obviously talking about a Windows platform, have you checked your startup list of executables?

    -- Tom
     
  9. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    AFAICT, Flash updater is disabled (update set = 0) for all found instances. The installer I download from Adobe (full package, not a d/l "manager"), installs a 32 & 64 bit plugin (the .dll); found in \system32\macromedia\flash\, & in \sysWOW64\macromedia\flash\. I believe that's normal for a 64 bit OS, using a 32 bit browser.

    I don't have stand alone Flash or Shockwave player - at least not visibly.

    Using Windows Search parameters of "Computer", "including non-indexed, hidden & system files," I found usual macromedia / flash files in the usual folders (above).

    Yes, I checked AutoRuns - searched for "flash," "macromedia," "adobe" - under the Everything tab; found nothing. Also looked in task scheduler - nothing.

    One odd thing - I found "NPSWF64_12_0_0_77.dll" in the \system32\macromedia\flash\ folder, & file "NPSWF32_12_0_0_77.dll" in the \sysWOW64\macromedia\flash\ folder. Bass-ackwards.

    No idea if them being in wrong location (or not being detected in right location) is triggering the install prgm to launch. AFAIK, the full flash installer for "plugin-based" browsers doesn't have separate 32 / 64 bit versions. And I don't choose the install destination.

    Before each flash update (I d/l a new, complete plugin installer pkg), Flash is uninstalled via its uninstaller UI (thru add/remove prgms). But, UNinstaller could've messed up, or may be a bug in the newest package (12.0.0.77) installer - reversing file locations for 32 / 64 bit. I'll uninstall again, manually del leftover files, then reinstall.

    The flash install log (if correct) shows files installed to ONLY "\sysWOW64\macromedia\flash\", but obviously it installed the 64 bit file mentioned, to "\System32\macromedia...". Seeing the "32 bit" plugin.dll on my 64 bit system is / has been normal - it just appears to be in wrong place this time. In past, it's ALWAYS been in \System32.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Do you have Chrome installed? Just a thought...
     
  11. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    No Chrome installed. Besides, this turned out to be the INSTALLER running (sitting in background). And it's not related to IE (installed, but not used) - at least if it's a legit file (& VirusTotal says it / they are), because it doesn't have "activeX" in the filename. The flash installer for IE uses "activeX" in the name. Unless VT is wrong & this is an impersonator file.

    Virus Total found no problem w/ any of the flash .dll or .exe files - in the overall report. On VT's "Behavioral Information" tab, it shows some "failed" instances for "Opened Files." Don't know significance of the failed items, but VT didn't mention anything.
    One reason for "Failed" may be the files C:\WINDOWS\system32\Macromed\Flash\mms.cfg and C:\WINDOWS\system32\mms.cfg - don't exist.

    NOTE: On the scan of FlashUtil32_12_0_0_77_Plugin.exe, top of VT results > Behavioral Info, it shows checksum:
    SHA256: 869448775b491641f4d460d5939e8f2434bac21705d4a9abb99bc19e23e2d38e

    Then on 1st line of test results (see 1st line in quote above), it shows a "file?", where the "name" appears to be same as the checksum, EXCEPT for last character of file name, which doesn't match the checksum. Again, don't know the significance.
     
    Last edited: Mar 26, 2014
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974


    When I run the NON-IE flashplayer plugin.exe to install flash it automatically
    installs into system32/ Macromed folder. I'm showing 7 files including one dll file.
    I do have mms.cfg file installed in C:\WINDOWS\system32\Macromed\Flash\ ... so it does exist.


    If I uninstall flash player plugin I'm left with some leftover files which I remove with
    CCleaner (C:\WINDOWS\system32\Macromed\Flash\*.*).
    I also do check to see if my plugins are up to date in Firefox.
    Once flash is installed with most current version I block flashplayerupdateservice.exe
    from executing.


    Because of all flash player vulnerable exploits that need patching I would recommend using
    a "sandboxed" browser when using flash player or one may choose not to install it.
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I would say just uninstall it and remove all traces of it then if you don't use it anyway. I've been using HTML5 for some time now. But I'm sure the adventurer in you wants to get to the bottom of this now.
     
  14. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    NOTE: What I saw running in task mgr wasn't actually the FlashPlayerPlugin.exe starting up (trying to install something?) - though that's what shows in Processes > Image Name column (which misled me). If I expand the command line column WAY out, it shows the plugin dll as the real running process (I think). From Process Explorer:
    Whew! As Michael Scott would say, that's a long one (that's what she said).
    Main point is, there's no rogue file running.

    This file (2 instances) appears when doing a test & actually enable Flash, then play flash vid.
    BUT... sometimes don't close after (again) disabling flash plugin (sometimes DO close "voluntarily" o_O No idea why.); continue to use ~ 130 MB memory.
    The memory isn't a huge deal, but privacy aspect might be - if running flash file still leaks system info to sites, even if not playing. I think that IS possible - if you check various browser fingerprinting sites. Search "what system / browser info flash may reveal."

    Do others w/ 64 bit OSes, running 32 bit plugin based browsers see the 32 bit flash dll in SysWOW64 & the 64 bit dll in System32?

    Keyper4life - thanks.
    After uninstalling / reinstalling flash again, I now see mms.cfg in the sysWOW64 folder (assume because that's where installer also installs the 32 bit flash plugin dll file - right or wrong).
    Not sure if because I have 64 bit Windows, Flash installs the 32 bit dll file to sysWOW64 flash folder. But installing the 64 bit flash plugin dll file to the 32 bit folder doesn't make sense (it shows a 64 bit dll, but Fx wouldn't use that): C:\Windows\System32\Macromed\Flash\NPSWF64_12_0_0_77.dll.

    Main reason I keep flash installed is for the few trusted sites using Flash, that won't play in HTML5. Even then, I try copying the vid URL & inserting in VLC player (or SMPlayer). Quite simple in either player using kybd shortcuts, for those that haven't tried it. Usually much better quality. I'd think it would eliminate security holes in flash player. It usually works, but rarely must resort to Flash player.

    I'm not sure if this is the way it's always installed flash for Fx. Anyway, Fx seems to find / call the 32 bit flash plugin OK - from the 64 bit folder.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,972
    Location:
    U.S.A.
  16. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Thanks. I knew that. Really - I'm not lying. Why are you looking at me?
    I seem to remember that from long ago, but as most things, forgot.

    WoW64, i.e., Windows 32-bit (apps / drivers) on Windows 64-bit (OS / architecture) - they could've done better by naming it "W32oW64" - but would've taken an extra letter & made too much sense.
     
  17. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,972
    Location:
    U.S.A.
    It happens to the best of us. ;) You're welcome! Take care.
     