
The malware prevented opening the Task Manager or regedit, even after I copied the exe files to the desktop and renamed them. It also cleverly prevented opening McAfee's main window. I had to boot the machine from a CD (a previously made UBCD4Win disc) in order to examine and repair the computer. Not only had McAfee been unhelpful at detecting or preventing the infection, but running a fully updated Spybot - Search & Destroy while booted from the CD didn't find any malicious files either.

While that scan was running, I searched the hard drive for files modified within the past two days (the machine had reportedly become infected the previous day) and I noticed Windows prefetch (.PF) files for two suspicious executables, which I subsequently discovered residing here:

C:\Documents and Settings\\Local Settings\Temp\glqvcorac\poylsfolajb.exe
C:\Documents and Settings\\Local Settings\Temp\0.9249067424896712.exe

(Note that the name of the folder and files inside the Temp directory are random, so if you're cleaning this infection you'll have to look for similarly suspicious files inside your Local Settings\Temp folder. Also note that this is the Windows XP directory structure, so if you're running Windows Vista or Windows 7 the path will be different, possibly C:\Users\\AppData\Local\Temp or C:\Users\\Local Settings\Temp.) In fact, you can usually safely delete the entire contents of that Temp folder.

It turns out that both of these files were actually copies of the same file with different names. The file is currently detected by 28 out of 43 antivirus engines according to VirusTotal:

Variously identified as: Gen:Variant.Kazy.7105, !IK, Generic Malware, Generic4.AZEH, Mal/FakeAV-DO, Mal/FakeAV-IC, Medium Risk Malware, Rogue:Win32/FakeSpypro, Rogue.FakeSpypro (Not a Virus), TR/FakeAV.zrt, Trj/CI.A, TROJ_FAKEAV.SMT1, Trojan.Agent/Gen-Venue, Trojan.FakeAV, Trojan.FakeAV!6BsmWKRLcxY, Trojan.FakeAV!gen39, Trojan.Siggen.64617, !cobra, Trojan/, UnclassifiedMalware, W32/FakeAV.ACHR, W32/FakeAV.ZRT!tr, Win-Trojan/, Win32:FakeAV-BCD, Win32:FakeAV-BCI, Win32/Adware.SpywareProtect2009, Win32/AntivirusAction.AM, etc.

Here's another variant that I later discovered on another computer:

In addition to the classifications above, this variant is also identified as: Gen:Variant.Kazy.7430, Generic20.BOWF, High Risk Cloaked Malware, Riskware, Suspicious file, TR/Kazy.7430, TROJ_FAKEAV.GKR, Trojan.Agent/Gen-Frauder, Trojan.FakeAV!F3J+Da8Hqx4, Trojan.FakeAV!gen39, Trojan/, W32/FakeAV.ACHN, W32/FakeAV.ZUG!tr, Win32:FakeAV-BCI, Win32/FraudAntivirusScan.F, Win32/, etc.

I continued my investigation to try to discover the origin of the infection. Searching through the main index.dat History file, I identified a suspicious URL for a PDF file, and I searched the hard drive for that file. Sure enough, a scan on VirusTotal showed that the file was a PDF exploit, and Wepawet also identified it as suspicious.

Here's the current VirusTotal analysis of the PDF, which is currently only detected by about a third of major antivirus vendors: (Incidentally, the infected PC was running an old and vulnerable copy of Adobe Reader, version 9.2.0, and had not been configured for better security.)

Variously identified as: (v), Exploit.JS.Pdfka.dcq, Exploit.PDF-JS!IK, Exploit.PDF.1654, .I, JS:Pdfka-APU, PDF/, PDF/Pidief!generic, PDF/Piedf.F2EB!exploit, TROJ_PIDIEF.SMZB, Troj/PDFJs-ML, etc.

Since the file was located in the browser cache (the Temporary Internet Files folder), simply emptying the cache should delete this file if it resides on your system.

After rebooting from the hard drive again, the PC could not access the Internet. I ran HijackThis and found the following registry entries which needed to be deleted:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
O4 - HKCU\.\Run: C:\DOCUME~1\\LOCALS~1\Temp\glqvcorac\poylsfolajb.exe

(For the O4 entry above, note that the path to the file inside the Temp folder will match the one where the file had previously been located on your system; it won't be named exactly as above.) After cleaning these entries, the system was able to get online again. Note that there may be additional registry settings that should be reverted to their previous settings.
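The two HijackThis entries described in this write-up are a per-user Run value launching an executable out of the Temp folder and a ProxyServer value forced onto the loopback address. As an added example (not part of the original post), here is a PowerShell audit of the current user's hive for both indicators; the Run key, the Internet Settings key and $env:TEMP are standard Windows locations, and the script only reports, it changes nothing.

```powershell
# Added example, not from the original post: report the two HKCU indicators the
# write-up describes. Assumes it is run as the affected user (HKCU = that user's hive).
function Get-FakeAvIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $tempDir  = [System.IO.Path]::GetFullPath($env:TEMP)   # e.g. C:\Users\<name>\AppData\Local\Temp

    # 1. Run values whose command points into the Temp folder (the "O4" entry).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
            $cmd = [string]$p.Value
            # Take the executable part: a quoted path, or the first whitespace-delimited token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            # Resolve 8.3 short names such as C:\DOCUME~1\...\LOCALS~1\Temp when the file still exists.
            try { $full = (Get-Item -LiteralPath $exe -ErrorAction Stop).FullName } catch { $full = $exe }
            if ($full -like "$tempDir*" -or $cmd -match '\\Temp\\') {
                $findings += [pscustomobject]@{ Indicator = 'Run value in Temp'; Name = $p.Name; Value = $cmd }
            }
        }
    }

    # 2. Per-user proxy pointed at 127.0.0.1 (the "R1" entry that blocked Internet access).
    $inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).ProxyServer
    if ($proxy -and $proxy -match '127\.0\.0\.1|localhost') {
        $findings += [pscustomobject]@{ Indicator = 'Loopback ProxyServer'; Name = 'ProxyServer'; Value = $proxy }
    }

    return $findings
}

Get-FakeAvIndicators | Format-Table -AutoSize
```

Any hit is worth a second look before removal, since the Run value name and the Temp subfolder are random per infection and a legitimate local proxy tool can also set ProxyServer.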
