
AntiVirus Live - Recurrences - Theory


#1 jonas914



Posted 26 June 2010 - 02:15 AM

I have had two different infections on two XP machines that I use, one at home and one I travel with for work. Acquaintances of mine have also had similar, if not the same, infections in the past, since before December 2009 approximately.

I've become very good at getting rid of it quickly after having dealt with it so many times. But it boggles my mind how I could see it recur again on my own machines. Well, today, after half a year of first seeing this, I got infected again, and here's what I noticed:

I was using Google Chrome. I did a Google search for Acer Aspire X1301 quieter fan replacements and was going through the search results, and one of them was one of those "FixYa.com" web results. I think it's a site that harvests posts and puts ads all over their pages, not exactly sure though, but the instant I clicked on it I knew something was wrong. Chrome wasn't responding, so I immediately shut it down, then I got an error about Adobe Acrobat and a memory allocation error (my big clue if you read on).

I closed all the open programs (not through Taskmgr, just closing open windows), and then restarted Chrome and continued my browsing. Within 30 seconds I had the popup in my taskbar saying I was infected with spyware and it was scanning my system, and I had the wonderful splash screen with the good ol' Anti-Virus Live or 2010 or whatever it said, I didn't pay too much attention, I recognized it immediately. I just hit power on my computer instantly and rebooted into safe mode and let MalwareBytes do its job (which it did nicely since it was already updated two days ago).

So, then I started thinking... WHY? And it occurred to me that on all of my machines, and all of my acquaintances' machines, the one thing we all had in common was that we all were using the same last version of Acrobat Professional 6, the last one that you can just install without activation codes.
So, my theory is that there's a security hole in Acrobat 6 Pro that they take advantage of. Maybe there's a security patch, I don't know. I simply uninstalled it, and installed CutePDF for my once-in-4-months need to create a PDF.

So, I'm asking you experts, what do you think? I apologize for having no logs or hard evidence for you, but just my gut feeling and what I know is in common on many of the instances I have seen. If this is truly the main possible security hole for this, I need to make sure that everyone is at least patched or have it removed, as it is a nasty one to a layperson who doesn't have a clue how to fix it. And I'm hoping I'm doing some good by possibly finding a clue for others to use to prevent it in the future.

Edited by Orange Blossom, 26 June 2010 - 02:48 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB



#2 jonas914

  • Topic Starter


Posted 26 June 2010 - 02:21 AM

I just realized I had the Mbam log... so here is what it found today just by the Google search and the FixYa.com link I clicked on and about a minute later...


Database version: 4214

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/25/2010 8:09:20 AM
mbam-log-2010-06-25 (08-09-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 306370
Time elapsed: 1 hour(s), 21 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brroruta (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brroruta (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\jonas\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\jonas\Local Settings\Application Data\emwtodefh\cksgvxltssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
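As an added illustration (not part of the thread, and not a Malwarebytes tool), a small Python parser for entries in the MBAM log layout above. It tags what each finding tells a defender about the infection (Run-key persistence, silenced Security Center warnings, executables dropped under the user profile) and cross-checks the header counts against the entries actually listed. The sample log is constructed from the entries quoted above, and the regular expressions assume the entry layout seen in this log.

```python
import re
from collections import Counter
# Constructed sample in the layout of the MBAM log quoted above; the entry lines
# are copied from that log and the header counts reduced to the entries kept.
SAMPLE_LOG = r"""Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brroruta (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\jonas\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\jonas\Local Settings\Application Data\emwtodefh\cksgvxltssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
"""
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[A-Za-z][\w.]*)\)"
                      r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
                      r" -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (header counts per section, list of finding dicts tagged with their section)."""
    summary, entries, section = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif (m := ENTRY_RE.match(line)) and section:
            entries.append({**m.groupdict(), "section": section})
    return summary, entries

def classify(entry):
    """Map one finding onto what it tells a defender about the infection."""
    p = entry["path"].lower()
    if "\\currentversion\\run\\" in p:
        return "persistence: Run key autostart"
    if "\\security center\\" in p and p.endswith("disablenotify"):
        return "defence evasion: Security Center warning silenced"
    if p.startswith("c:\\") and ("\\temp\\" in p or "\\application data\\" in p):
        return "payload: executable dropped in user-writable profile path"
    return "configuration: rogue AV registry key" if p.startswith("hkey_") else "other"

def count_mismatches(summary, entries):
    """Sections whose header count disagrees with the entries actually listed."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen[s]) for s, n in summary.items() if n != seen[s]}
```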
