
Adobe Updater, pevFind, and processes that won't show the file location


2 replies to this topic

#1 JustAnotherWittyName

JustAnotherWittyName

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 12 March 2011 - 07:23 PM

Today, I checked my hidden icons to check the Toshiba PC Health Monitor. When I opened the tray, there was an unfamiliar icon. I moused over it and it said 100%, and when it was opened it was Adobe Updater. I was worried, as I had never seen this program before. After a few searches, I found that there was a trojan Adobe Updater.

I opened rkill (iexplore.exe). After I okayed Avast to run it in the sandbox, when iexplore opened, after the first messages of "preparing rkill" and "terminating malicious processes", a wall of text with "pevFind" and other information, such as the creator's name, appeared (rkill did work, but it only ended an Avast file). I thought it could have nothing to do with rkill, or Avast Sandbox, so I ran it two more times. Same thing, and no files ended for both. On the third try I got three errors stating "Installation failed", then rkill opened.

I then went to Task Manager. Opening the file location took me to Program Files > Common Files > Adobe > Updater6, with 5 files: Adobe_Updater.exe and three security certificate files, AdobeAUM_rootCert, AdobeUpdate, and AdobeUpdater. There was also an .exe installer named AdobeUpdaterInstallManager. The fact that they were last modified 2 years ago, 1/8/09, lessened my worries. That is about the same time I downloaded Adobe Reader. Each of these files was scanned individually by both Avast and Malwarebytes, and then the whole Adobe folder was scanned. No malicious files. On the Properties page for Adobe_Updater.exe, there was even more information than in the Softpedia image of the Properties page for the file. However, the copyright was 2002-2008.

There were some processes that had no description or username. One (atieclxx.exe) was apparently part of ATI, while the other two are system processes but could be malicious if not in System32. Properties and Open File Location both won't work on the two files, winlogon.exe and csrss.exe. Am I infected?

Edit: Some system information:

I run Windows 7 Home Premium 32-bit on a Toshiba Satellite L505D-S5983. I have an AMD Athlon II Dual-Core M300 processor. My hard drive is a Hitachi HTS 5450.

Edited by JustAnotherWittyName, 12 March 2011 - 07:36 PM.




#2 Andrew

Andrew

Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:09:54 PM

Posted 12 March 2011 - 08:00 PM

csrss.exe and winlogon.exe are critical system processes. Their EXE files are located in the System32 folder. Malware does sometimes try to masquerade as one of these processes but if you have one each and only one each of these running then you can be certain that they are the real ones.

Running rkill inside the Avast sandbox would prevent it from terminating other processes.

Based on the info you've given I'd say there's no evidence of any infection. Have you been experiencing any unusual behavior or symptoms?




PS:

The built-in Windows Task Manager leaves a lot to be desired. I highly recommend using Process Explorer, which is made available for free by Microsoft.

It would also be a very, very good idea to make sure that Adobe Reader is completely up to date. There are a lot of security exploits out there for older versions. Many people have ditched Adobe Reader altogether for alternative applications.

Edited by Andrew, 12 March 2011 - 08:05 PM.
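The check Andrew describes in post #2 (are csrss.exe and winlogon.exe the copies in System32, and how many are running) and the "could be malicious if not in System32" worry from post #1 can both be scripted. The script below is an added example and is not from the thread or from either poster; it assumes an elevated PowerShell prompt on the Windows 7 machine described, the list of process names in `$names` (the two from the thread plus three other core system processes, an assumption), and the Adobe_Updater.exe path quoted in post #1 under the 32-bit Program Files.

```powershell
# Added example, not from the thread: confirm that the system processes named
# above run only from %SystemRoot%\System32, count them, and report the image
# file's Authenticode status. Run from an elevated prompt: WMI only exposes the
# image path of csrss.exe and winlogon.exe to an administrator, which is why
# Task Manager's "Open file location" did nothing for the poster.

$names    = 'csrss.exe', 'winlogon.exe', 'smss.exe', 'services.exe', 'lsass.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

$procs = Get-WmiObject Win32_Process | Where-Object { $names -contains $_.Name }

# One winlogon.exe and one csrss.exe per logon session is normal on Windows 7
# (session 0 plus the interactive session gives two csrss.exe), so the count
# is reported for the reader to judge rather than flagged automatically.
$procs | Group-Object Name | ForEach-Object {
    '{0,-14} running: {1}' -f $_.Name, $_.Count
}

foreach ($p in $procs) {
    $expected = Join-Path $system32 $p.Name
    $path     = $p.ExecutablePath

    if (-not $path) {
        $verdict = 'path not readable (run elevated)'
    } elseif ($path -ine $expected) {
        # The name alone proves nothing; a copy outside System32 is the
        # masquerade case Andrew describes.
        $verdict = "WRONG LOCATION: $path"
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
        $verdict = 'in System32, signature {0}, signer {1}' -f $sig.Status, $signer
    }

    '{0,-14} PID {1,-6} parent PID {2,-6} {3}' -f $p.Name, $p.ProcessId, $p.ParentProcessId, $verdict
}

# Same check for the updater binary from the first post. The path is the one
# quoted there; on 64-bit Windows it would sit under Program Files (x86).
$adobe = Join-Path $env:ProgramFiles 'Common Files\Adobe\Updater6\Adobe_Updater.exe'
if (Test-Path $adobe) {
    $sig    = Get-AuthenticodeSignature -FilePath $adobe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    '{0}: signature {1}, signer {2}' -f $adobe, $sig.Status, $signer
}
```

One caveat when reading the output on Windows 7: the PowerShell 2.0 version of Get-AuthenticodeSignature checks only embedded signatures, not the Windows catalog, so core system binaries that are catalog-signed report NotSigned even when they are genuine. A NotSigned result for a file that is at the expected System32 path should be confirmed with Sysinternals sigcheck (`sigcheck -a <path>`) or with Process Explorer's Verify Image Signatures option, both of which consult the catalog. A WRONG LOCATION line, by contrast, is meaningful on its own.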


#3 JustAnotherWittyName

JustAnotherWittyName
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 13 March 2011 - 12:38 AM

There have been no other symptoms, and it turns out it really was out of date, and it was the legitimate Adobe Updater. Thank you for the advice, Andrew.



