Adobe Acrobat file tries to open by itself

Posted: Sun Jan 17, 2010 6:29 pm
by thewolfe
I have saved an Adobe Acrobat file from the Internet to my computer.

Just about every day a FireFox window pops up with no request from me.

See screenshot: http://screencast.com/t/NDRjOWUyYj

What's that all about, eyh?

Posted: Sun Jan 17, 2010 7:00 pm
by TechPro
You got a Golf Buddy GPS? If so, it's trying to get the manual.

Otherwise, me thinkin' you be "bugged".

Run the gamut of system cleaners (Malwarebytes' Anti-Malware, Trend Micro's HouseCall, etc.) to clean up your system.

Good Luck.

Posted: Sun Jan 17, 2010 7:02 pm
by Duper
just fyi, some scanners will not allow Trend Micro scans to run. I've seen where it's considered a virus or malicious.

Posted: Sun Jan 17, 2010 7:04 pm
by Krom
Check scheduler, any auto-update program that has to do with the GPS, and your startup entries.

Posted: Sun Jan 17, 2010 11:36 pm
by S13driftAZ
Had the same problem.

It's adware.

Posted: Mon Jan 18, 2010 10:34 am
by thewolfe
I don't have a GolfBuddy. Just downloaded the manual to help a "buddy".

Ran AdAware, HouseCall, AVG and found nothing.

I did find AcroRd32.exe running and tried the fix to stop it from running. http://www.allscoop.com/tools/acrord32-exe/

Don't know if that's it or not but time will tell.

Haven't deleted the manual yet either. As far as I can remember it's the only thing popping up so that will be my next step.

Thanks for the posts.

Posted: Mon Jan 18, 2010 10:51 am
by snoopy
1. Have you tried a restart? I figure a good way to flush out residual processes is to do a good old restart.

2. Have you taken a look at your boot.ini with msconfig? Get rid of the extra junk, and it will prevent it from coming back after 1.

3. Is Adobe up-to-date? It might be related to the security hole found recently.

4. Krom's scheduler idea is the last thing that I can think of. A good cleaning of the boot items and the scheduler may not get it off your drive, but at least it will go a long way towards making it go dormant.

Posted: Mon Jan 18, 2010 7:17 pm
by thewolfe
File popped up again so I've deleted it. We'll see "how she do" now.

1. Have restarted
2. I ck'd msconfig as well as CodeStuffStarter
3. Adobe is up to date
4. I must say I passed over "scheduler" because I didn't know what it was and then forgot to follow up on it.

Posted: Tue Jan 19, 2010 8:41 pm
by TechPro
I assume you're running XP (based on the looks of that dialog) ...

The "scheduler" is found in the Control Panel and is called "Scheduled Tasks".

Posted: Wed Jan 20, 2010 11:57 am
by thewolfe
Gotcha, thanks. Nothing there.

Posted: Wed Feb 24, 2010 7:10 pm
by thewolfe
Still getting the Firefox Downloader popping up with the same file.

I ran Housecall in Safemode.

Also have run AVG and Ad-Aware.

Deleted all the Temp files and flushed the cache and updated Adobe again.

Any other suggestion on what to do about this pest?

Posted: Wed Feb 24, 2010 8:06 pm
by TechPro
Curious...

What is listed in your registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Posted: Wed Feb 24, 2010 8:30 pm
by thewolfe

Posted: Wed Feb 24, 2010 9:57 pm
by fliptw
and your startup folder?

Posted: Wed Feb 24, 2010 10:07 pm
by thewolfe

Posted: Wed Feb 24, 2010 10:31 pm
by fliptw
why is firefox there?

Posted: Wed Feb 24, 2010 10:38 pm
by thewolfe
First place I go to when I turn on the computer.

Posted: Thu Feb 25, 2010 9:22 am
by BUBBALOU
Finish the Reader update, problem will solve itself (plugin deletes itself out of your browser when the update completes). If it continues after that, then check for malware.

Posted: Thu Feb 25, 2010 10:28 am
by thewolfe
Updates complete and popped up again this morning.

Don't know if it would do anything for this problem but I tried to put the "127.0.0.1 www.golfbuddyglobal.com" address in my host file but I could still get to their site after a re-start.

Thought I'd try an add-on for Firefox to block site to see if that helped. Any suggestions on "block sites" add-on?
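
A hosts file overrides name resolution only for the exact hostnames written in it: there are no wildcards, and an entry for `www.golfbuddyglobal.com` does not cover the bare domain or any other subdomain. The check below is an added example, not part of the original thread; the hosts text is constructed, and `download.golfbuddyglobal.com` and `broken.example` are hypothetical names used only to show uncovered and malformed cases.

```python
import ipaddress

# Constructed sample hosts file; the third line carries the entry quoted in the post.
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1   localhost
127.0.0.1   www.golfbuddyglobal.com   # site to block
not-an-ip   broken.example
"""


def parse_hosts(text):
    """Map each listed hostname to its address, skipping comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip trailing comment, split on whitespace
        if len(fields) < 2:
            continue                            # blank line or address with no name
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # first field is not an IP address
        for name in names:
            # Hostnames are case-insensitive. Keeping the first mapping seen
            # for a name is an assumption made by this example.
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def coverage(text, hostnames):
    """Return {hostname: overriding address, or None if the hosts file is silent}."""
    table = parse_hosts(text)
    return {h: table.get(h.lower().rstrip(".")) for h in hostnames}


if __name__ == "__main__":
    wanted = [
        "www.golfbuddyglobal.com",
        "golfbuddyglobal.com",             # bare domain: not listed
        "download.golfbuddyglobal.com",    # hypothetical subdomain: not listed
    ]
    for host, addr in coverage(SAMPLE_HOSTS, wanted).items():
        print(f"{host:32} -> {addr or 'not overridden (normal DNS applies)'}")
```

Run it against the real file (on Windows XP, `C:\WINDOWS\system32\drivers\etc\hosts`) by passing that file's text to `coverage` together with every hostname that should be blocked.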

Posted: Thu Feb 25, 2010 11:34 am
by fliptw
try this: remove the link for firefox from your startup folder.

Posted: Thu Feb 25, 2010 12:04 pm
by thewolfe
Will do.

Posted: Thu Feb 25, 2010 7:59 pm
by TechPro
You might also remove the Adobe item from the Run section of your Registry. Adobe Reader likes it to be there, but you don't need it ... and if you've got an out of date (and therefore a critically vulnerable Adobe Reader) ... you're best to remove that item anyway.

Posted: Thu Feb 25, 2010 8:43 pm
by thewolfe
OK, I'm going to see if I get the popup. Then I'll remove it. Thanks.

Posted: Fri Feb 26, 2010 3:23 pm
by thewolfe
Popped up this morning again so I removed the Adobe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Posted: Sat Feb 27, 2010 1:53 am
by roid
you could remove adobe acrobat reader completely and replace it with a non-shitty alternative
http://www.google.com.au/search?q=pdf+alternative

Posted: Sat Feb 27, 2010 10:35 am
by thewolfe
Still popped up after removing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Posted: Sat Feb 27, 2010 10:39 am
by thewolfe
Any info on my post regarding my Host file or site blocker add-on for Firefox or should I start a new thread?

Posted: Sat Feb 27, 2010 10:52 am
by Krom
Post a HijackThis log from that machine.

Posted: Sat Feb 27, 2010 12:15 pm
by thewolfe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:42 AM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


Posted: Sun Feb 28, 2010 8:35 pm
by TigerRaptor
thewolfe did you run malwarebytes yet? I didn't see it in your post.

Edit: If you want, give a program called Hitman Pro a try. It uses 5 signatures by AntiVir, NOD32, A-Squared, G Data, and Prevx. No installation required and the scan is fast.

http://www.surfright.nl/en

Posted: Sun Feb 28, 2010 9:45 pm
by thewolfe
I ran Ad-Aware but don't think I ran Malwarebytes. And I'll certainly run Hitman Pro. Thanks.

Posted: Mon Mar 01, 2010 2:08 pm
by thewolfe
Ran Malwarebytes and Hitman. They found nothing.

I added golfbuddypro to my host file and haven't had anything popup yet.

If it pops up again I'll try deleting Adobe.

Stay tuned.

Posted: Mon Mar 01, 2010 2:18 pm
by fliptw
you do realize that the picture of dialog box in question is firefox's download box?

Posted: Mon Mar 01, 2010 2:25 pm
by thewolfe
Yep! And just in case, I just updated Firefox.

Posted: Tue Mar 02, 2010 12:37 pm
by TigerRaptor
There is a chance the infection is gone. But still keep an eye on it as you're doing now. Since Acrobat and Adobe Flash Player are under heavy fire.

Keep Malwarebytes on your system and scan with it often. Quick scan will do the job most of the time as it scans in known infected areas.

AdAware is ok. But a better alternative to it is SuperAntiSpyware. It does a nice job in detecting and removing adware. Along with tracking cookies. Use it if you want, but disable the auto start up. Since the active protection is useless in the free version.

Since you're running Firefox. Install Adblock Plus with Rick752's EasyList and NoScript. If you haven't already.

Secunia is another good program to help prevent infection. As it scans for vulnerabilities in the OS and applications. It's free!

Posted: Tue Mar 02, 2010 3:18 pm
by thewolfe
Thanks for the referrals, I'll ck them out.

Haven't had a pop up since I added "golf....." to my host file but it's still too soon to tell.

Resolved...I hope

Posted: Wed Mar 03, 2010 9:19 pm
by thewolfe
Still no popup. Adding the web address to the Host file must have killed it.

Re: Adobe Acrobat file tries to open by itself

Posted: Thu Apr 21, 2011 5:48 pm
by thewolfe
It's back......I know we pretty well went through everything but just thought I'd see if any new ideas emerge.

Is there a log file that would shed any light on the subject?

Re: Adobe Acrobat file tries to open by itself

Posted: Mon Apr 25, 2011 6:14 pm
by thewolfe
Anyone know if event viewer (eventvwr.msc) would help me track the "you have chosen to open" window?

I've got a lot going on with "Log Name: Media Center MCUpdate". What's that?

Re: Adobe Acrobat file tries to open by itself

Posted: Mon Apr 25, 2011 7:42 pm
by Krom
Ever check out a program called "autoruns" from technet?