Acrobatupdate.exe unknown virus to Eset Smart Security 5.0.93.0 Virus Signature7137

Discussion in 'ESET Smart Security' started by somerandomguy, May 14, 2012.

Thread Status:
Not open for further replies.
  1. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
    Hi I picked up a virus off a torrent site.

    Eset Smart Security 5.0.93.0 Virus Signature Database 7137 (20120514) was unable to delete it, but was able to quarantine.

    I was able to manually clean it off in safe mode.

    Code:
    -Virus creates files in your user's AppData folder, hidden by default. 
    C:\Users\(Insert Username)\AppData\Local\Temp\Team.exe
    C:\Users\(Insert Username)\Appdata\Roaming\Acrobatupdate.exe
    C:\Users\(Insert Username)\Appdata\Roaming\TEAM (No file name extension)
    
    
    -Virus adds keys to the registy called "scvhost" to make windows automatically run the code each time you start your computer.
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run  "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "scvhost" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe
    
    -Virus creates a firewall opening under the name "Windows Messanger".
    
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ "C:\Users\master\AppData\Roaming\Acrobatupdate.exe" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe:*:Enabled:Windows Messanger
    
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ "C:\Users\master\AppData\Roaming\Acrobatupdate.exe" REG_SZ C:\Users\master\AppData\Roaming\Acrobatupdate.exe:*:Enabled:Windows Messanger
    
    
    Please add to definitions file, thanks.

    Somerandomguy
     
    Last edited: May 16, 2012
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    have you submitted the files to eset?
     
  3. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
    yes i right clicked the file and sent for analysis and filled out some description.

    i googled for this virus but it's not well known yet

    update

    #1 top hit on goggle when searching Acrobatupdate.exe virus !

    The files residing in C:\Users\IUNH\AppData\ are not visible without first enabling hidden files and protected operating system files to be show in explorer.
     
    Last edited: May 14, 2012
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    If the threat was detected and ESET could not remove it even after a computer restart, I'd suggest contacting ESET's viruslab as per the instructions here. We haven't received any file with the name Acrobatupdate.exe, are you positive it didn't have a different name? Was a successful submission of the file logged in the ESET Event log?
     
    Last edited: May 15, 2012
  5. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Unfortunately, I still cannot find the file. You should see something like this when a threat is detected in memory:
    Operating memory » C:\Documents and Settings\Admin\Desktop\1ccd0866f8181008f828e7410e9d25e4772eda22f5e951d9acfc7c1da46c9aaa.exe - a variant of Win32/Injector.RGT trojan - cleaned by deleting (after the next restart) - quarantined [1,2]

    Please provide a screen shot with details of an on-demand scanner log displayed after double-clicking the log in the main Log pane as well as MD5 or SHA1 hash of the file in question.
     
  7. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
    I opened up my quarantine and submit for analysis from there. I took screenshot of exactly what you asked for, and no I'm not going to do MD5 check sum on something in quarantine as I don't even know how or where on the file hierarchy this quarantined file is located. Did you see the screenshot I made above?

    Hm come to think of it, this was a virus off a torrent site, not porn. The timestamp on the file shows this, and if I remember correctly I was looking for an app on demonoid to make iphone ringtones. The torrent in question was a copy of -http://www.imtoo.com/iphone-ringtone-maker.html-...
     
    Last edited by a moderator: May 16, 2012
  8. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
    I'm certain I know now where I got this worm from. It was from the iphone ringtone app I downloaded, I looked at the timestamps of when I got the worm and when I downloaded and installed that app and they are almost identical. Now when I open up it's properties, it looks identical to the properties of the Acrobatupdate.exe. I am unable to submit for analysis, I could zip it up or something and upload it somewhere. I'm getting an error when trying to submit for analysis.

    http://i48.tinypic.com/2h2gqw8.jpg
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    follow the instructions here
     
  10. somerandomguy

    somerandomguy Registered Member

    Joined:
    May 14, 2012
    Posts:
    6
    sent per instructions
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.