save PDF file as pop-up malware

11 replies to this topic

#1 roberth5


Posted 08 February 2011 - 09:37 AM

I have a workstation infected with a pop-up program that every few seconds puts up a "save PDF file as" window. I am using Symantec Endpoint Protection; scanned with SUPERAntiSpyware Free Edition, Malwarebytes, MS Malware Remover, McAfee online scan: nothing found, nothing removed.

I also ran SFC /scannow.

I think the problem is in the spoolsv.exe file. When I end it, the pop-up stops for a while. It is also 24,016 KB.

I also followed the BleepingComputer Preparation Guide that led me to this post, so the log scans are done and .txt files are ready for review.

I am out of ideas, please send in the troops...

Thanks

Merged posts and removed my reply. ~ OB

Here are the logs.

Edited by Orange Blossom, 16 February 2011 - 04:45 PM.



#2 shelf life


Posted 16 February 2011 - 08:59 PM

hi roberth5,

Your post is a few days old. If you still need help reply back.

How Can I Reduce My Risk to Malware?


#3 roberth5


Posted 21 February 2011 - 10:18 AM

Yes, I still need help. I was just going to re-install, as it would be quicker and a sure thing. However, I was interested in seeing if this was removable, so I am holding off on the re-install.

#4 shelf life


Posted 22 February 2011 - 09:36 PM

So all it does is the one pop-up message that's the same (save pdf as) all the time?

Navigate here:
c:\documents and settings\amyw.detroitflex\local settings\application data\udalntles\duhvlabuqiw.exe
Delete the entire udalntles folder.
If it gives you problems you can boot into safe mode to delete it. To reach safe mode you would tap the F8 key during a computer restart and choose the first option from the list, Safe Mode. Log in to your normal account. When done, reboot the computer normally and post a new DDS log.
To help show all files you can do this first:
For XP: on the desktop double-click My Computer, at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, Apply, then OK.


#5 roberth5


Posted 24 February 2011 - 03:41 PM

After I blew out that folder (in safe mode) and re-booted, the Save PDF File pop-up was still present.

I performed a find in regedit, and sure enough, there is a registry entry for duhvlabuqiw.exe and spoolsv.exe (directly under the duhvlabuqiw.exe entry, both located in the 5603 folder) (HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SEARCH ASSISTANT\ACMru\5603).

Does that tell you anything?

Did this bug plant a fake spoolsv.exe in my windows program files that is still causing the pop-up?

If I kill the spoolsv process in task manager, the pop-up dies, but returns later as does the spoolsv.exe process.

I will post another DDS log shortly, the scan is running, but it takes a while...

Any idea how this got on the computer? I would like to prevent it in the future.

#6 shelf life


Posted 24 February 2011 - 07:15 PM

Maybe it attempts to download a PDF file. Lately Adobe PDF Reader has been targeted due to multiple vulnerabilities. Adobe can't patch them fast enough. In order to exploit the vulnerability you would have to be using an unpatched/older version of Adobe Reader and download and open the PDF. This is all guessing on my part.
Please post a combofix log. There is a guide to read first. Read the guide then apply the directions on your own machine:

Guide to using Combofix


#7 roberth5


Posted 25 February 2011 - 09:49 AM

Here are the logs (DDS x2 and the ComboFix CF_log.txt). I also attached a screenshot of the pop-up.

The window continues to pop up upon log on, following a reboot. You can click the "X" button and close it 3 times, and then it will stop popping up for a while; however, it eventually returns.

BTW, I try to keep Windows processes running to a minimum, only 40 running. I could trim that back more; I see some more nonessential stuff running, wasting resources.

The user of this box surfs the net a lot...

#8 shelf life


Posted 26 February 2011 - 06:25 PM

Try deleting these items out of your startup folder (Start > Programs > Startup):

WSTDMessaging.exe
wstdPldReminder.exe


#9 roberth5


Posted 03 March 2011 - 04:35 PM

Those programs should be part of the UPS Worldship.

I disabled them and rebooted. Still get the Save PDF file as pop-up...

I checked all the startup folders under programs (all users, etc...).

#10 shelf life


Posted 04 March 2011 - 05:31 PM

That popup doesn't look like malware. Logs look ok. I assume you have saved the PDF before and still get prompted to save it again? Can you find the invoice document it's trying to save (My Documents/INVOICE)? If so, why don't you try right-clicking on it (INVOICE) and selecting "Open with" and choose .txt, just to try something else.


#11 roberth5


Posted 07 March 2011 - 12:19 PM

Oh my..., how stupid of me :huh: . I never thought it might be a legit process.

Sure enough, there was an Adobe PDF printer that had several print jobs stuck. I deleted the print jobs except for the one trying to print at the time, which would not delete. I cycled the print spooler and the spoolsv.exe, and the stuck print job finally went away.

No more "save PDF as" window popping up.

Here I have been on a witch hunt. I know better, or so I thought...

Maybe you should move this thread to the "Not Paying Attention" forum.

Problem solved :clapping: , thanks for the help!

Edited by roberth5, 07 March 2011 - 12:24 PM.
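The two questions this thread turned on (is the running spoolsv.exe the genuine one, and what is sitting in the print queue?) can be answered in one pass. The following is an added example, not code from the thread: it assumes Windows PowerShell 3 or later with the WMI Win32_PrintJob class available, and the function name and its -ClearQueue switch are my own.

```powershell
# Added example (not from the thread): triage spoolsv.exe and queued print jobs.
# Assumes Windows PowerShell 3+ and the WMI class Win32_PrintJob.
function Test-SpoolerHealth {
    [CmdletBinding()]
    param(
        # When set, stop the spooler, remove the spool files, and restart it.
        [switch]$ClearQueue
    )

    $expectedPath = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

    # 1. Is the running spoolsv.exe the real one? The genuine binary lives in
    #    System32 and carries a valid Microsoft Authenticode signature; a copy
    #    anywhere else is the "fake spoolsv.exe" the thread was worried about.
    foreach ($p in Get-Process -Name spoolsv -ErrorAction SilentlyContinue) {
        $path = $p.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        [pscustomobject]@{
            Check   = 'spoolsv.exe process'
            Detail  = "PID $($p.Id) at $path (signature: $sig)"
            Healthy = [bool]($path -and ($path -ieq $expectedPath) -and ($sig -eq 'Valid'))
        }
    }

    # 2. Jobs still sitting in any print queue. A job stuck on a virtual printer
    #    such as the Adobe PDF printer is what kept re-raising the "Save PDF file
    #    as" dialog in this thread, so anything queued deserves a look.
    $jobs = @(Get-WmiObject -Class Win32_PrintJob -ErrorAction SilentlyContinue)
    foreach ($j in $jobs) {
        [pscustomobject]@{
            Check   = 'queued print job'
            Detail  = "$($j.Name) '$($j.Document)' owner=$($j.Owner) status=$($j.JobStatus)"
            Healthy = $false
        }
    }
    if ($jobs.Count -eq 0) {
        [pscustomobject]@{ Check = 'queued print job'; Detail = 'no jobs queued'; Healthy = $true }
    }

    # 3. Optional cleanup: the "cycle the spooler" step from the thread, plus removal
    #    of the spool files so a job that refuses to cancel cannot come back.
    if ($ClearQueue) {
        Stop-Service -Name Spooler -Force
        Remove-Item -Path (Join-Path $env:SystemRoot 'System32\spool\PRINTERS\*') -Force -ErrorAction SilentlyContinue
        Start-Service -Name Spooler
    }
}

Test-SpoolerHealth | Format-Table -AutoSize
```

Run it from an elevated prompt; without -ClearQueue it only reports, so it is safe to use as a first look before deciding whether the spooler needs cycling.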


#12 shelf life


Posted 07 March 2011 - 05:01 PM

OK good, solved, and no malware either, which is a rare event in this forum. You can remove ComboFix like this:
Start > Run and type in:
combofix /uninstall
Click OK or press Enter. Note the space after the x and before the /.

And no one gets away without this:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A slideshow on how to secure Internet Explorer Here. How to harden FireFox for safer surfing.

10) Warez, cracks, etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. A file can be named anything, be nothing but malware, or have malware bundled in it. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.
