C:\Windows\SysWOW64\FlashPlayerInstaller.exe suspicious network activity



Hi,

I was just wondering if I could get someone's thoughts on this. Comodo Firewall has just popped up asking if C:\Windows\SysWOW64\FlashPlayerInstaller.exe could connect to several IP addresses owned by BSKYB-BROADBAND on port 80. Now admittedly my ISP is Sky Broadband, so it could be some system Sky has in place for caching Adobe updates, but it just seems very strange for a legitimate Adobe program not to be connecting to an IP address on one of Adobe's netblocks, but to what looks to be a broadband connection. Unfortunately the files no longer appear to exist (I have hidden files and hidden protected operating system files both shown), so I can't submit it to VirusTotal or antivirus companies for analysis. I checked my browser history at the time that this cropped up and, worryingly, it was whilst I was using internet banking - further adding suspicion.

Anyway, my question, do you think this merits suspicion? If so, I'm tempted by a clean install of Windows. Before I do this though, does anyone have any ideas of where I may find/recover this file? I'm obviously not familiar with malware writers’ techniques for hiding malicious programs. I might try a data recovery tool to see if it recovers anything before it's too late and gets overwritten.

I noticed on Adobe's website it mentions the SysWOW64 folder http://forums.adobe.com/thread/928315 and I also noticed the folder is only writable when granted permission with Windows' UAC.

My firewall logs:

Date Application Action Direction Protocol Source IP Source Port Destination IP Destination Port
2012-07-26 22:04:26 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Asked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:36 System Blocked In UDP 192.168.0.1 34294 192.168.0.3 137
2012-07-26 22:04:42 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Blocked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:45 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Asked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:06 System Blocked In UDP 192.168.0.1 41547 192.168.0.3 137
2012-07-26 22:05:18 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:19 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55055 176.255.246.66 80
2012-07-26 22:05:21 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55056 176.255.246.74 80

Thanks


Ah those logs were formatted nicely in the preview. Let's try again:


Date Application Action Direction Protocol Source IP Source Port Destination IP Destination Port
2012-07-26 22:04:26 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Asked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:42 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Blocked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:45 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Asked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:18 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:19 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55055 176.255.246.66 80
2012-07-26 22:05:21 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55056 176.255.246.74 80

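An added triage helper, not code from the original posts: it parses the Comodo Firewall log lines quoted above (embedded here as a constructed sample), lists each process's outbound destinations, computes the smallest CIDR block covering them (a tight block points to one operator's range, as the poster suspected with Sky), and flags destinations outside a caller-supplied list of expected netblocks. The expected netblocks are an assumption the reader supplies; the page does not state Adobe's ranges, so the usage below uses a documentation range as a placeholder.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Comodo Firewall log lines quoted in the posts above.
SAMPLE_LOG = r"""
2012-07-26 22:04:26 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Asked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:36 System Blocked In UDP 192.168.0.1 34294 192.168.0.3 137
2012-07-26 22:04:42 C:\Windows\Temp\{E6B5EC2D-CD06-4208-A4B5-E1C441FB0FFF}\InstallFlashPlayer.exe Blocked Out TCP 192.168.0.3 55047 176.255.246.9 80
2012-07-26 22:04:45 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Asked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:06 System Blocked In UDP 192.168.0.1 41547 192.168.0.3 137
2012-07-26 22:05:18 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55052 176.255.246.50 80
2012-07-26 22:05:19 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55055 176.255.246.66 80
2012-07-26 22:05:21 C:\Windows\SysWOW64\FlashPlayerInstaller.exe Blocked Out TCP 192.168.0.3 55056 176.255.246.74 80
"""

# One record per line: date time application action direction protocol src sport dst dport.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<app>.+?) (?P<action>Asked|Blocked|Allowed) "
                     r"(?P<direction>In|Out) (?P<proto>TCP|UDP) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$")


def parse_log(text):
    """Parse log text into a list of field dicts, silently skipping lines that do not match."""
    return [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]


def outbound_by_app(records):
    """Map each application path to its sorted unique outbound destinations as 'ip:port'."""
    dests = defaultdict(set)
    for r in records:
        if r["direction"] == "Out":
            dests[r["app"]].add(f'{r["dst"]}:{r["dport"]}')
    return {app: sorted(d) for app, d in dests.items()}


def smallest_common_network(ips):
    """Smallest CIDR block containing every address; a tight block suggests one operator's range."""
    net = ipaddress.ip_network(ips[0])  # starts as a single-host /32 and widens until all fit
    addrs = [ipaddress.ip_address(i) for i in ips]
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def outside_expected_nets(records, expected_nets):
    """Unique (app, dst) pairs whose outbound destination is in none of the caller-supplied CIDRs."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    pairs = {(r["app"], r["dst"]) for r in records if r["direction"] == "Out"}
    return sorted(p for p in pairs if not any(ipaddress.ip_address(p[1]) in n for n in nets))
```

Running `outside_expected_nets(parse_log(SAMPLE_LOG), ["203.0.113.0/24"])` (203.0.113.0/24 is a documentation range standing in for the netblocks you actually trust) reports all four destinations, while `smallest_common_network` shows they all sit inside 176.255.246.0/25, i.e. one contiguous range.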
