Guest LilBambi Posted January 27, 2013

A lady's hubby received an email with a PDF attachment that was a very good fake of a FedEx email. It came close to the time frame noted in the FedEx alert too, within days. He was on his way out of town and forwarded it to his wife to handle while he was away. The email claimed it was from someone at richmond.com. She never questioned it since her hubby forwarded it to her. She dutifully opened the receipt to print it, and got the infection. Thankfully she called me right away. I told her to shut it down and not use it till we got together.

This one seemed to be a combination rogue anti-malware. It had elements similar to PC Defender, but not all of them, and some similar to System Security. It looked closer to PC Defender with a modified System Security name like Windows System Security or something like that. It had a Trojan element, shell executable modifications, and lnk modifications. It loaded if you tried to use regedit, even in safe mode. It prevented the task manager from coming up.

Turned out she had just put the computer to hibernate instead of shutting it down. So, before rebooting to safe mode, I used Process Explorer (by right clicking and choosing Run As Administrator) to identify the .exe that loaded when you tried to open regedit.exe or executables as her normal account (where it would normally pop up the box to continue to let it run, etc.). NOTE: She was an Administrator but still had to manually right click and choose Run As Administrator. I was able to see where the file was located, as noted below.

I then booted into Safe Mode with Networking, right clicked on the Recycle Bin and was able to run CCleaner, which wouldn't work in normal mode. The first time I tried to open regedit.exe to go and look for the areas where that {randomletter}.exe file was located, the darn rogue antimalware came up again ... in safe mode. So I ran Process Explorer with Run As Administrator.

The file was a {randomletter}.exe in C:\ProgramData\pcdfdata\ along with some other files. I wrote down the name of the file. Looked like it was hooked into the Explorer Shell Open command. I deleted it and the other files/folders under \pcdfdata\. I then copied items from the CD I brought (various rkill files, various .reg shell scripts to fix open, executables and lnks). I merged the .reg files to fix the Open, executables and lnk issues by right clicking and choosing Merge.

I updated Malwarebytes Anti-Malware (chose Run As Administrator) in Safe Mode and did a full scan. There were some PUPs, and a Trojan found. I can't remember what the name of the Trojan was off the top of my head though. Removed all and rebooted as requested and went into normal mode.

Ran rkill with the .com extension again with Run As Administrator. I did that since it didn't want to run .exe files earlier and wouldn't run it with the .scr either. rkill only found Process Explorer and Windows Explorer, which was also open, and then ran CCleaner. I returned to normal mode, ran the open and lnk registry merge files one more time for good measure, but nothing bad popped up when I booted in normal mode. The task manager worked, regedit didn't complain. Was able to run Malwarebytes Anti-Malware with no problems and removed the remnants of the infection.

Did an antivirus scan that was clean. Went to get a second antivirus opinion from ESET's Online Scanner and all was good there too. Ran Malwarebytes Anti-Malware again and it was clean. Downloaded Spybot S&D and ran that and removed the items it found (found a few that Malwarebytes Anti-Malware didn't), and rescanned twice till all it had was browser cache stuff. Ran CCleaner. Rebooted and all appears to be well. All working as it should.

I will be doing a followup phone call, so will see if I can do a quick remote to look for logs and see if she still has the email so I can see where the payload comes from. But with AOL mail, it's hard to tell that. Not sure she will even still have it though. I only saw it because she printed it out.
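The cleanup above hinges on one thing the rogue did: it hooked itself into the shell "open" command for executables (and shortcuts), which is why regedit, Task Manager and the scanners all launched the rogue instead. The .reg merge files on the rescue CD put those associations back. Below is an added example, not code from the original post or from any of the tools named in it, of the same check done from PowerShell: it audits the .exe/.lnk association chain against stock Windows 7-era defaults (the expected values are an assumption; verify them against a known-clean machine of the same version) and, only with -Fix, writes those defaults back. The key list, the "no per-user override should exist" rule and the "lnkfile has no open command" rule are all assumptions stated in the comments.

```powershell
# Added example (not from the original post): audit, and optionally repair, the
# .exe/.lnk file-association chain that rogue anti-malware hijacks so that every
# program launch (regedit, Task Manager, scanners) runs the rogue instead.
# Assumes the stock Windows 7-era defaults listed below. Run from an elevated
# PowerShell (right-click, Run as administrator), preferably in Safe Mode.
# Audit only by default; pass -Fix to write the stock values back.
param([switch]$Fix)

# Keys/values that must hold these exact stock values (assumed defaults).
# Name '' means the (Default) value of the key.
$Expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = '';                Value = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '';                Value = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = 'IsolatedCommand'; Value = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.lnk';                       Name = '';                Value = 'lnkfile' }
)

# Keys that do not exist on a clean machine (assumption). Per-user Classes entries
# override HKCR, so a rogue can plant its hook there while HKCR still looks clean
# in regedit; lnkfile has no shell\open\command by default (shortcuts go via shellex).
$ShouldNotExist = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile',
    'Registry::HKEY_CURRENT_USER\Software\Classes\.lnk',
    'Registry::HKEY_CURRENT_USER\Software\Classes\lnkfile',
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shell\open\command'
)

function Get-RawValue([string]$Path, [string]$Name) {
    # Read without expanding %vars% so the comparison is literal; $null if the key is missing.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

$findings = @()
foreach ($e in $Expected) {
    $actual = Get-RawValue $e.Path $e.Name
    if ($actual -cne $e.Value) {
        $findings += [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Actual = $actual }
    }
}
foreach ($p in $ShouldNotExist) {
    if (Test-Path -Path $p) {
        $findings += [pscustomobject]@{ Path = $p; Name = ''; Expected = '<absent>'; Actual = (Get-RawValue $p '') }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Association chain matches the expected stock values.'
    return
}

# The Actual column is the lead: a command pointing at a random-named file under
# C:\ProgramData or a user profile is the rogue's loader; note the path before
# deleting it so the file itself can be removed too.
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($p in $ShouldNotExist) {
        if (Test-Path -Path $p) { Remove-Item -Path $p -Recurse -Force }
    }
    foreach ($e in $Expected) {
        if ($null -eq (Get-Item -Path $e.Path -ErrorAction SilentlyContinue)) {
            New-Item -Path $e.Path -Force | Out-Null
        }
        $name = if ($e.Name -eq '') { '(default)' } else { $e.Name }
        Set-ItemProperty -Path $e.Path -Name $name -Value $e.Value -Type String
    }
    Write-Host 'Stock values restored; reboot and re-run without -Fix to confirm.'
}
```

One caveat that matches the post: while the hijack is in place, starting powershell.exe is itself an .exe launch and may trigger the rogue, which is why the post killed it first (Process Explorer, then rkill renamed to .com so it did not go through the hijacked association). Run the audit after that step, and treat a clean result here as only one part of the picture, since the post also found a separate Trojan component that the file-association repair does nothing about.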
therock247uk Posted January 27, 2013

Ugh, PC Defender rogue. The scary thing is they make them look like legit apps.
Webb Posted January 28, 2013

OMG. I got one of these last week. Since I wasn't expecting anything from FedEx, I checked the tracking number. It was a fake. Also, if I'm not home FedEx just leaves the package at the front door (in a huge apartment complex). UPS and USPS leave a sticky note on the door. Then I deleted the email without opening the attachment.
goretsky Posted January 28, 2013

Hello,

This is a very common and prolific scam, with DHL, UPS, USPS and Canadian Post often showing up (amongst others).

Regards,

Aryeh Goretsky
Guest LilBambi Posted January 28, 2013

Yep. That is why I posted it. I have received many of them as well over time. And like Webb, deleted them. I knew that these companies may give you a link and a tracking number, but they never send a PDF file receipt or invoice, etc.
Guest LilBambi Posted January 28, 2013

They have been going around for a long time. Some say invoice, some say receipt or item status, some say delivery failure. Some from UPS, some from FedEx, some from DHL, etc., as Aryeh noted. All infected with some sort of trojan or other malware. Just one example from 2010: Outbreak: Fake Fedex Tracking Number emails carry malware - Naked Security - Sophos
Guest LilBambi Posted January 28, 2013

And one from 2008: UPS Virus Warning (UPS/Fed Ex Delivery Failure) - Urban Legends

Which also has a list of them:
• UPS: Protect Yourself Against Fraud - UPS website
• FedEx: Virus Alert - FedEx Website
• DHL Fraud Alert - DHL Website
• Warning About the UPS/FedEx Virus - WTOC-TV News
• UPS Spam Is Trojan-Spy.Zbot.YETH - About.com: Antivirus Software
• Email Allegedly from UPS Delivers a Computer Virus - Minneapolis Star Tribune

The UPS and DHL warnings above are now missing in action... the FedEx one is still there. Nice to see that FedEx realized the need to keep a link to it available.
Guest LilBambi Posted January 28, 2013

More items all over the web about this; some good sites, some not so good sites, some bad sites. So be careful if you try to look up info about it.
zlim Posted January 28, 2013

I got a UPS and an Amazon sometime in November or December. I set the email up to show full headers and forwarded the email to the appropriate scam/phish dept. I hesitated ordering over the holidays because people were following delivery trucks and stealing packages. On Thursday of last week, two guys were arrested for stealing packages in our area.
Guest LilBambi Posted January 28, 2013

Excellent, Liz! That's what I do too!
therock247uk Posted January 28, 2013

Stealing other people's packages?! That's sad...
zlim Posted January 29, 2013

Around the holidays, there were people driving around following delivery trucks so they could steal packages a few minutes after they were dropped off. What worries me is that at one point in time we had to mail order our prescriptions and at another point in time, my mom's insurance required her to mail order her prescriptions. What happens when some criminal steals your meds?
therock247uk Posted January 29, 2013

Quoting zlim: "What worries me is that at one point in time we had to mail order our prescriptions and at another point in time, my mom's insurance required her to mail order her prescriptions. What happens when some criminal steals your meds?"

Very scary.