Hello,
I downloaded this file https://torrentz.eu/e33e613e5a98b2484087ead40f4c188747cdaaa0, which is huge. It looked OK, but I just couldn't find anything meaningful inside using the 7-Zip browser, which is weird. Anyway, I took the risk of running that file, and then I was infected.
By default, this file tried to extract the actual contents (yes, the real portable version of Acrobat DC that really works) to C:\Users\Administrator\AppData\Local\Temp\, but it also provided a prompt so I could extract the real contents to another folder, and I did that. However, after the extraction, I found that there was a "System.exe" file in %Temp% and this file was running! I was scared and realized that I was infected, so I launched Process Hacker and tried to kill this process. But once I did that, EVERY other process launched another process, "WindowsDefender.exe", and my computer almost froze. After a while, "System.exe" and all the ~80 "WindowsDefender.exe" processes created by other processes disappeared, but one "WindowsDefender.exe" was left. This file was C:\ProgramData\850395\WindowsDefender.exe. I tried to kill this process again, but again every other process launched one instance of this "WindowsDefender.exe", and all of these disappeared after freezing for a while, but the original "WindowsDefender.exe" was still alive. I noticed there were some text files generated in C:\ProgramData\850395\, and these files contained what I had typed in Firefox's search bar or in some other programs.
I noticed the severity of this problem, so I rebooted into another OS (I have a dual boot, Win8.1 Enterprise and Win8.1 Pro; the Enterprise was infected), then I took ownership of C:\ProgramData\850395\ on the infected OS and deleted WindowsDefender.exe, and also cleared the %Temp% of the infected OS. Then I rebooted back into the original OS, and it looked fine, without suspicious processes. I then ran several scanning tools, including the actual Windows Defender, Spybot, TDSSKiller, and McAfee Stinger. All passed without finding any threats. However, this spyware seemed to have modified some things:
(1) The only shortcut file in C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ was modified and pointed to the deleted C:\ProgramData\850395\WindowsDefender.exe, but since I had already deleted this file before rebooting into the infected OS, this file became empty, so I had to restore what I originally had.
(2) In Task Scheduler, C:\ProgramData\850395\WindowsDefender.exe was added as a task, and the trigger is whenever any user logs on. I have already deleted this task.
(3) Windows Firewall stopped working and could not be restarted. I had to give NT SERVICE\mpssvc Full Control permission on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess so that the firewall could be restarted. In Windows Firewall, I didn't find any new rules added by this spyware.
Now my computer looks fine. But I'm not 100% sure of that, especially since I don't know the name of this spyware or what else it modified in my OS. I have re-downloaded this spyware with uTorrent, extracted it with 7-Zip (although it showed a checksum error), and scanned it using several tools, but I still couldn't find anything. Theoretically I could use Sandboxie to see what happens after double-clicking this Acrobat.DC.15.017.exe file, but I'm afraid I don't have the time. I only want to go back to the original state of my OS before I ran the Acrobat.DC.15.017.exe file, because I had disabled Windows System Restore.
Can anyone help me? Thanks a lot!
Edited by testplayer, 25 July 2016 - 09:28 PM.
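The three persistence points the poster found by hand (the Startup-folder shortcut, the logon-triggered scheduled task, and the ACL on the SharedAccess service key that the firewall service needs) can be re-checked after cleanup with a short triage script. The following is an added example written for this page; it is not code from the original post or from any of the tools mentioned. It assumes the directory reported above, C:\ProgramData\850395, as the suspect path, runs from an elevated PowerShell 4+ prompt on Windows 8.1, and flags any Startup shortcut or logon task whose target either lives under that directory or no longer exists on disk.

```powershell
# Added triage script (not from the original post). Re-checks the persistence
# points described in the thread after manual cleanup. Run elevated.
# $Suspect is the directory the poster reported; change it for another case.

$Suspect = 'C:\ProgramData\850395'
$results = New-Object System.Collections.Generic.List[object]

# 1. Startup-folder shortcuts (per-user and all-users). Resolve each .lnk target
#    and flag it if it points into the suspect directory or at a missing file.
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        $status = if ($target -like "$Suspect*") { 'SUSPECT' }
                  elseif ([string]::IsNullOrEmpty($target) -or -not (Test-Path -LiteralPath $target)) { 'DANGLING' }
                  else { 'ok' }
        $results.Add([pscustomobject]@{ Check = 'Startup'; Item = $_.FullName; Target = $target; Status = $status })
    }
}

# 2. Scheduled tasks with a logon trigger. The poster's task ran the binary
#    from ProgramData\<digits>, so any action under such a path is flagged.
Get-ScheduledTask | ForEach-Object {
    $task  = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { return }
    foreach ($action in $task.Actions) {
        $exe = $action.Execute   # null for COM-handler actions
        $status = if ($exe -like "$Suspect*" -or $exe -match '\\ProgramData\\\d+\\') { 'SUSPECT' }
                  elseif ($exe -and -not (Test-Path -LiteralPath ($exe.Trim('"')) -ErrorAction SilentlyContinue)) { 'DANGLING' }
                  else { 'ok' }
        $results.Add([pscustomobject]@{ Check = 'Task'; Item = "$($task.TaskPath)$($task.TaskName)"; Target = $exe; Status = $status })
    }
}

# 3. Windows Firewall: is mpssvc running, and does NT SERVICE\mpssvc still hold
#    Full Control on the SharedAccess service key (the permission the poster
#    had to restore by hand before the service would start again)?
$svc  = Get-Service -Name mpssvc
$acl  = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$rule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT SERVICE\mpssvc' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.RegistryRights.HasFlag($full)
}
$results.Add([pscustomobject]@{ Check = 'Firewall'; Item = 'mpssvc service'; Target = $svc.Status;
                                Status = $(if ($svc.Status -eq 'Running') { 'ok' } else { 'STOPPED' }) })
$results.Add([pscustomobject]@{ Check = 'Firewall'; Item = 'SharedAccess key ACL'; Target = 'NT SERVICE\mpssvc FullControl';
                                Status = $(if ($rule) { 'ok' } else { 'MISSING' }) })

# 4. Leftovers in the suspect directory itself (the poster saw keystroke logs
#    written there as text files).
if (Test-Path -LiteralPath $Suspect) {
    Get-ChildItem -LiteralPath $Suspect -Force | ForEach-Object {
        $results.Add([pscustomobject]@{ Check = 'Dir'; Item = $_.FullName; Target = $_.Length; Status = 'PRESENT' })
    }
} else {
    $results.Add([pscustomobject]@{ Check = 'Dir'; Item = $Suspect; Target = ''; Status = 'absent (ok)' })
}

$results | Sort-Object Check | Format-Table -AutoSize
```

Anything marked SUSPECT or DANGLING is worth opening by hand: a dangling Startup shortcut is exactly what the poster found after deleting the binary, and a logon task whose action no longer exists is the same artifact in Task Scheduler. The script only reads; it changes no shortcut, task or ACL, so it can be run repeatedly while cleaning up.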