Adobe Acrobat file tries to open by itself


thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Adobe Acrobat file tries to open by itself

Post by thewolfe »

I have saved an Adobe Acrobat file from the Internet to my computer.

Just about every day a Firefox window pops up with no request from me.

See screenshot: http://screencast.com/t/NDRjOWUyYj

What's that all about, eyh?

TechPro
DBB Admiral
Posts: 1520
Joined: Thu May 20, 2004 11:51 pm

Post by TechPro »

You got a Golf Buddy GPS? If so, it's trying to get the manual.

Otherwise, me thinkin' you be "bugged".

Run the gamut of system cleaners (Malwarebytes' Anti-Malware, Trend Micro's HouseCall, etc.) to clean up your system.

Good Luck.

Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Post by Duper »

Just FYI, some scanners will not allow Trend Micro scans to run. I've seen where it's considered a virus or malicious.

Krom
DBB Database Master
Posts: 16058
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Post by Krom »

Check scheduler, any auto-update program that has to do with the GPS, and your startup entries.
S13driftAZ
DBB Ace
Posts: 402
Joined: Tue Oct 06, 2009 1:54 pm

Post by S13driftAZ »

Had the same problem.

It's adware.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

I don't have a GolfBuddy. Just downloaded the manual to help a "buddy".

Ran AdAware, HouseCall, AVG and found nothing.

I did find AcroRd32.exe running and tried the fix to stop it from running. http://www.allscoop.com/tools/acrord32-exe/

Don't know if that's it or not but time will tell.

Haven't deleted the manual yet either. As far as I can remember it's the only thing popping up so that will be my next step.

Thanks for the posts.

snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Post by snoopy »

1. Have you tried a restart? I figure a good way to flush out residual processes is to do a good old restart.

2. Have you taken a look at your boot.ini with msconfig? Get rid of the extra junk, and it will prevent it from coming back after 1.

3. Is Adobe up-to-date? It might be related to the security hole found recently.

4. Krom's scheduler idea is the last thing that I can think of. A good cleaning of the boot items and the scheduler may not get it off your drive, but at least it will go a long way towards making it go dormant.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

File popped up again so I've deleted it. We'll see "how she do" now.

1. Have restarted
2. I ck'd msconfig as well as CodeStuffStarter
3. Adobe is up to date
4. I must say I passed over "scheduler" because I didn't know what it was and then forgot to follow up on it.

TechPro
DBB Admiral
Posts: 1520
Joined: Thu May 20, 2004 11:51 pm

Post by TechPro »

I assume you're running XP (based on the looks of that dialog) ...

The "scheduler" is found in the Control Panel and is called "Scheduled Tasks".

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Gotcha, thanks. Nothing there.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Still getting the Firefox Downloader popping up with the same file.

I ran Housecall in Safemode.

Also have run AVG and Ad-Aware.

Deleted all the Temp files and flushed the cache and updated Adobe again.

Any other suggestion on what to do about this pest?

TechPro
DBB Admiral
Posts: 1520
Joined: Thu May 20, 2004 11:51 pm

Post by TechPro »

Curious...

What is listed in your registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

fliptw
DBB DemiGod
Posts: 6458
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

and your startup folder?

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

fliptw
DBB DemiGod
Posts: 6458
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

why is firefox there?

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

First place I go to when I turn on the computer.

BUBBALOU
DBB Benefactor
Posts: 4198
Joined: Tue Aug 24, 1999 2:01 am
Location: Dallas Texas USA

Post by BUBBALOU »

Finish the Reader update, problem will solve itself (plugin deletes itself out of your browser when the update completes). If it continues after that, then check for malware.

I seem to have a better workout dodging your stupidity than attempting to grasp the weight of your intelligence.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Updates complete and popped up again this morning.

Don't know if it would do anything for this problem but I tried to put the "127.0.0.1 www.golfbuddyglobal.com" address in my host file but I could still get to their site after a re-start.

Thought I'd try an add-on for Firefox to block site to see if that helped. Any suggestions on "block sites" add-on?

fliptw
DBB DemiGod
Posts: 6458
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

try this: remove the link for firefox from your startup folder.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Will do.

TechPro
DBB Admiral
Posts: 1520
Joined: Thu May 20, 2004 11:51 pm

Post by TechPro »

You might also remove the Adobe item from the Run section of your Registry. Adobe Reader likes it to be there, but you don't need it ... and if you've got an out of date (and therefore a critically vulnerable Adobe Reader) ... you're best to remove that item anyway.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

OK, I'm going to see if I get the popup. Then I'll remove it. Thanks.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Popped up this morning again so I removed the Adobe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

roid
DBB Master
Posts: 9990
Joined: Sun Dec 09, 2001 3:01 am
Location: Brisbane, Australia

Post by roid »

you could remove adobe acrobat reader completely and replace it with a non-shitty alternative
http://www.google.com.au/search?q=pdf+alternative

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Still popped up after removing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Any info on my post regarding my Host file or site blocker add-on for Firefox or should I start a new thread?

Krom
DBB Database Master
Posts: 16058
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Post by Krom »

Post a HijackThis log from that machine.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:42 AM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\tinySpell\tinyspell.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Doug\Start Menu\Programs\Startup\TiTime.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Doug\Local Settings\Application Data\Yahoo!\BrowserPlus\2.5.1\BrowserPlusCore.exe
C:\Documents and Settings\Doug\Local Settings\Application Data\Yahoo!\BrowserPlus\2.5.1\BrowserPlusService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080528
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.live.com/default.aspx?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Advertising Cookie Opt-out - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - Startup: TiTime.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c948ce3caeaa74) (gupdate1c948ce3caeaa74) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Slawdog Smart Shutdown - Slawdog E-Solutions, Inc. - C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9810 bytes
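
A triage helper for the O4 (autostart) section of a HijackThis log like the one posted above, added here as an example; it is not part of the original thread or of HijackThis. It parses the Run-key and Startup-folder lines and notes the entries the log alone cannot identify; the regexes and note wording are assumptions based on the line layout visible in this log, and the sample lines are copied from it.

```python
import re
from typing import List, NamedTuple

# Excerpt of the O4 (autostart) lines from the HijackThis log posted above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: TiTime.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
'''

# Line layouts assumed from the log above, not taken from HijackThis documentation.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$')
FOLDER_RE = re.compile(r'^O4 - (Global Startup|Startup): (.+?)(?: = (.+))?$')
# Program part of a command line: a quoted path, or text up to the first
# executable extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$))', re.I)


class Autostart(NamedTuple):
    location: str     # "HKLM Run", "HKCU Run", "Startup" or "Global Startup"
    name: str         # registry value name, or file name inside the folder
    program: str      # what the entry launches, as far as the log shows
    notes: List[str]  # reasons to check the entry by hand (not a verdict)


def parse_o4(log_text: str) -> List[Autostart]:
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        notes: List[str] = []
        run = RUN_RE.match(line)
        folder = FOLDER_RE.match(line)
        if run:
            hive, key, name, command = run.groups()
            exe = EXE_RE.match(command)
            program = (exe.group(1) or exe.group(2)) if exe else command
            location = f"{hive} {key}"
            if "\\" not in program:
                notes.append("no full path: the log does not show which file runs")
            if program.lower().startswith("rundll32"):
                notes.append("rundll32 host: the DLL argument is the code that runs")
        elif folder:
            location, name, target = folder.groups()
            program = target or name
            if target == "?":
                notes.append("shortcut target shown as '?' in the log")
            elif target is None:
                notes.append("no shortcut target: the file itself sits in the folder")
        else:
            continue  # not an O4 autostart line
        entries.append(Autostart(location, name, program, notes))
    return entries


def needs_review(entries: List[Autostart]) -> List[Autostart]:
    """Entries carrying at least one note."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in needs_review(parse_o4(SAMPLE_LOG)):
        print(f"{e.location:15} {e.name:25} {'; '.join(e.notes)}")
```

A note only marks an entry whose file has to be located and checked on disk; it says nothing about whether the program is unwanted.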

TigerRaptor
DBB Fleet Admiral
Posts: 2599
Joined: Tue Feb 01, 2000 6:00 am

Post by TigerRaptor »

thewolfe, did you run Malwarebytes yet? I didn't see it in your post.

Edit: If you want, give a program called Hitman Pro a try. It uses 5 signatures by AntiVir, NOD32, A-Squared, G Data, and Prevx. No installation required and the scan is fast.

http://www.surfright.nl/en

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

I ran Ad-Aware but don't think I ran Malwarebytes. And I'll certainly run Hitman Pro. Thanks.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Ran Malwarebytes and Hitman. They found nothing.

I added golfbuddypro to my host file and haven't had anything popup yet.

If it pops up again I'll try deleting Adobe.

Stay tuned.

fliptw
DBB DemiGod
Posts: 6458
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

you do realize that the picture of the dialog box in question is Firefox's download box?

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Yep! And just in case, I just updated Firefox.

TigerRaptor
DBB Fleet Admiral
Posts: 2599
Joined: Tue Feb 01, 2000 6:00 am

Post by TigerRaptor »

There is a chance the infection is gone. But still keep an eye on it as you're doing now, since Acrobat and Adobe Flash Player are under heavy fire.

Keep Malwarebytes on your system and scan with it often. Quick scan will do the job most of the time as it scans in known infected areas.

AdAware is OK. But a better alternative to it is SuperAntiSpyware. It does a nice job in detecting and removing adware, along with tracking cookies. Use it if you want, but disable the auto start-up, since the active protection is useless in the free version.

Since you're running Firefox, install Adblock Plus with Rick752's EasyList and NoScript, if you haven't already.

Secunia is another good program to help prevent infection, as it scans for vulnerabilities in the OS and applications. It's free!

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Post by thewolfe »

Thanks for the referrals, I'll ck them out.

Haven't had a pop up since I added "golf....." to my host file but it's still too soon to tell.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Resolved...I hope

Post by thewolfe »

Still no popup. Adding the web address to the Host file must have killed it.

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Re: Adobe Acrobat file tries to open by itself

Post by thewolfe »

It's back......I know we pretty well went through everything but just thought I'd see if any new ideas emerge.

Is there a log file that would shed any light on the subject?

thewolfe
DBB Admiral
Posts: 1987
Joined: Tue Nov 05, 2002 3:01 am

Re: Adobe Acrobat file tries to open by itself

Post by thewolfe »

Anyone know if event viewer (eventvwr.msc) would help me track the "you have chosen to open" window?

I've got a lot going on with "Log Name: Media Center MCUpdate". What's that?

Krom
DBB Database Master
Posts: 16058
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: Adobe Acrobat file tries to open by itself

Post by Krom »

Ever check out a program called "Autoruns" from TechNet?