Rbuck117

Adobe ace.dll Backdoor.Remcos


Reaching out to see if others are having a similar issue. We just started getting heavy E-mail notifications on an apparent backdoor Trojan on ace.dll for Adobe Acrobat. (C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\ACE.dll) 

My first reaction is that this is a false positive due to how many machines we're getting notified are infected. Anyone else getting these notifications? 


I am getting this notice on my personal computer - looking at the Malwarebytes log. I know nothing, however, and am totally out of my depth


Just downloaded a PDF from one of my vendors -- a reliable site, done it before.  Malwarebytes quarantined the backdoor.remcos.  


I'm getting this also. File hash: 9f82c4dda5943c508761166ce4a2fe1a32d23e7c20aba263134efd4cac1f32b3

Looks like a false positive.


I contacted Adobe and was told to uninstall DC,  disable my anti-virus, and download a new copy of Acrobat DC.  Hesitant to try that.


I’m getting a flood of these alert emails.  Looks like Monday might be a busy day for me releasing these from quarantine. 


The file being picked up is a core.dll from Acrobat Reader which is required to open PDFs within their 'Protected Mode' sandbox (confined execution environment). 

1 minute ago, Riggsbit said:

The file being picked up is a core.dll from Acrobat Reader which is required to open PDFs within their 'Protected Mode' sandbox (confined execution environment). 

Would it be wise to take the file out of quarantine and try to use Adobe or reinstall?


Same here, added exception of c:\program files (x86)\adobe\acrobat reader dc\reader\ace.dll and restored file from quarantine, Acrobat worked fine after that. Seems to only be affecting Reader DC.


Yep, same here guys. Just created a PDF to test and, as previously mentioned, file ACE.dll in Acrobat... Can't be right.


Yes, I've just had that issue too.  When I tell it to take it out of quarantine it does so but when I try to open a PDF again, the same thing happens!


Got to add c:\program files (x86)\adobe\acrobat reader dc\reader\ace.dll as an exception until they correct the definitions. Otherwise it will just keep re-quarantining.

7 minutes ago, azvortex said:

Would it be wise to take the file out of quarantine and try to use Adobe or reinstall?

You can restore the file from quarantine, but MBAM will keep quarantining it at runtime until MBAM updates their AV definitions. Alternatively, if you still want to run Adobe Reader in the meantime you can add an exclusion rule (Exclusion Wizard) within MBAM under Settings. 

1 minute ago, Riggsbit said:

You can restore the file from quarantine, but MBAM will keep quarantining it at runtime until MBAM updates their AV definitions. Alternatively, if you still want to run Adobe Reader in the meantime you can add an exclusion rule (Exclusion Wizard) within MBAM under Settings. 

Thank you for the tip!

Hello everyone,
I just had this problem on two computers too.
I made an Acrobat repair thinking that ACE.dll was corrupt. Malwarebytes quarantines the ACE.dll file each time.


This issue is tied to Acrobat Reader DC. I thought it was a PDF at first, but then I tried to open the application directly. Once I put the ACE.dll in exceptions, I was able to use Reader as per usual.
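
Editor's added example, not part of any post in this thread: a PowerShell check to run on a restored ACE.dll before leaving an exclusion in place. It reports the SHA-256 and the Authenticode signature for the two paths quoted above; the function name `Get-AceDllTriage` is hypothetical, and matching the signer on "O=Adobe" is an assumption about Adobe's signing certificate.

```powershell
# Added example: triage a flagged ACE.dll before keeping an AV exclusion for it.
# The two paths are the ones quoted in the thread.
$paths = @(
    'C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\ACE.dll',
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll'
)

# SHA-256 one poster reported for the flagged file. A match only shows you have
# the same file that poster had; it is not a vendor-published known-good value.
$reportedHash = '9f82c4dda5943c508761166ce4a2fe1a32d23e7c20aba263134efd4cac1f32b3'

function Get-AceDllTriage {
    param([string[]]$Path, [string]$ReportedHash)

    foreach ($p in $Path) {
        $present = Test-Path -LiteralPath $p   # absent usually means still quarantined
        $hash = $null; $status = $null; $signer = $null

        if ($present) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            $status = $sig.Status              # 'Valid' = unmodified and trusted chain
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Path                = $p
            Present             = $present
            Sha256              = $hash
            MatchesReportedHash = ($present -and $hash -eq $ReportedHash.ToLower())
            SignatureStatus     = $status
            Signer              = $signer
            # Assumption: a genuine Adobe binary carries "O=Adobe..." in its signer subject.
            LooksVendorSigned   = ($status -eq 'Valid' -and $signer -match 'O=Adobe')
        }
    }
}

Get-AceDllTriage -Path $paths -ReportedHash $reportedHash | Format-List
```

A `SignatureStatus` other than `Valid`, or a signer that is not the vendor, means the file should stay in quarantine rather than be excluded.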
