I've become very good at getting rid of it quickly after having dealt with it so many times. But it boggles my mind how I could see it recur again on my own machines. Well, today, after half a year of first seeing this, I got infected again, and here's what I noticed:
I was using Google Chrome. I did a Google search for Acer Aspire X1301 quieter fan replacements and was going through the search results, and one of them was one of those "FixYa.com" web results. I think it's a site that harvests posts and puts ads all over their pages, not exactly sure though, but the instant I clicked on it I knew something was wrong. Chrome wasn't responding, so I immediately shut it down; then I got an error about Adobe Acrobat and a memory allocation error (my big clue if you read on).
I closed all the open programs (not through Taskmgr, just closing open windows), and then restarted Chrome and continued my browsing. Within 30 seconds I had the popup in my taskbar saying I was infected with spyware and it was scanning my system, and I had the wonderful splash screen with the good ol' Anti-Virus Live or 2010 or whatever it said. I didn't pay too much attention; I recognized it immediately. I just hit power on my computer instantly, rebooted into safe mode and let MalwareBytes do its job (which it did nicely, since it was already updated two days ago).
So, then I started thinking... WHY? And it occurred to me that on all of my machines, and all of my acquaintances' machines, the one thing we all had in common was that we were all using the same last version of Acrobat Professional 6, the last one that you can just install without activation codes.
So, my theory is that there's a security hole in Acrobat 6 Pro that they take advantage of. Maybe there's a security patch, I don't know. I simply uninstalled it and installed CutePDF for the once-in-4-months need for me to create a PDF.
So, I'm asking you experts, what do you think? I apologize for having no logs or hard evidence for you, but just my gut feeling and what I know is in common on many of the instances I have seen. If this is truly the main possible security hole for this, I need to make sure that everyone is at least patched or has it removed, as it is a nasty one for a layperson who doesn't have a clue how to fix it. And I'm hoping I'm doing some good by possibly finding a clue for others to use to prevent it in the future.
Edited by Orange Blossom, 26 June 2010 - 02:48 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB