davj (Level 7), Message 1 of 9

postal label trojan

Hi,

Hope I'm doing this right. I'm a clueless noob and I'm not that used to Windows, as I normally use a Mac.

a couple of days ago my sister got an email saying she had a parcel that could not be delivered and she had to click on a link to print out a label for it. Being even more clueless than me, she clicked on it.

I'm not 100% sure what happened as she panicked, but she says a window opened asking if she really wanted to download and run it. She smelt a rat and clicked cancel. I ran a virus scan and it showed two files,

f_000c80 and post_label_us.zip, which it says are both downloader-crd trojans and have been quarantined. I have not had a chance to do anything about this since, as I have been working; I am now running another scan to see what that detects. Does the presence of these files mean she has run the trojan, or are they just downloaded ready to run? How do I find out, and more importantly, how do I tell if they have been fully removed? Sorry this is all a bit vague, hope somebody can give me some pointers, thanks.

8 Replies
exbrit (Reliable Contributor), Message 2 of 9

Re: postal label trojan

If they have been quarantined then they are safely out of the way. 

Open the quarantine folder to check by double-clicking the taskbar icon to open SecurityCenter.

Click Navigation (top right)

Click Quarantined and Trusted Items from the list below.

Those items should be in one of those 3 sections - click to expand.

They can then be deleted from there.   Sometimes that may stick, as there are too many items to display; if that happens I will post more instructions.

I think the fact that she clicked cancel did the trick and stopped anything from running in this case.

Good job she did that.  Whoever heard of you having to print a label for something that isn't even in your possession?

These scammers work in many devious ways.

davj (Level 7), Message 3 of 9

Re: postal label trojan

Thanks, I did that, they were in the quarantined items folder:

F-000C80 file path C:\DOCUMENTS AND SETTINGS\PAUL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE  Status: Detected

POST_LABEL_US.ZIP file path C:\DOCUMENTS AND SETTINGS\PAUL\MY DOCUMENTS\DOWNLOADS Status: Detected

There are no entries under Quarantined Potentially Unwanted Programs.

The scan I did today shows no problems. Do you think she has got away with it? A quick googling suggests this trojan is a keylogger and targets bank details, and also that some virus scanners don't detect it. I suppose I am worried it has somehow installed itself and hidden away. She does use the computer for internet banking. She has had a lecture on not opening attachments without thinking first! Though I suppose that's my fault for not impressing it on her strongly enough in the first place!

Is there anything else I can/should do, or should I just delete them from the quarantine folder and forget about them?

Thanks so much for your help, it restores my faith in human nature

exbrit (Reliable Contributor), Message 4 of 9

Re: postal label trojan

Just delete them from that Quarantine folder and that should be all that's needed.

If you want an independent opinion, download and install, then update (important) the FREE version of THIS software.

Only the free version as the Pro one may interact adversely with your virus protection.

It's a useful addition to anyone's anti-malware defense but remember to update it each time before running.

A little known fact about it is that it can also be downloaded, installed, updated and run all in 'Safe Mode with Networking' (reached by tapping F8 repeatedly while booting up - 2nd item on the ensuing menu) which can be very useful if an infection disables your desktop.

davj (Level 7), Message 5 of 9

Re: postal label trojan

Thank you, I'm doing it as we speak.

Thanks again

David

exbrit (Reliable Contributor), Message 6 of 9

Re: postal label trojan

Good luck 😉

davj (Level 7), Message 7 of 9

Re: postal label trojan

Hi, sorry to bother you again. The Malwarebytes scan came up:

memory processes infected 0

memory modules infected 0

registry keys infected 0

registry values infected 0

registry data items infected 2

folders infected 0

files infected 0

The registry data items were:

HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityCenter\AntivirusDisableNotify (PUM.Disabled.SecurityCenter) > bad(1) Good(0) quarantined and deleted successfully

HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityCenter\FirewallDisableNotify (PUM.Disabled.SecurityCenter) > bad(1) Good(0) quarantined and deleted successfully

A quick google suggested these might be Microsoft security settings that McAfee Internet Security had changed for its own reasons. Does that sound right? I had to type in my router password to get her computer back online, so now I'm gripped with paranoia that a keylogger could capture it and get into my router and blah blah blah! Do you think I have anything to worry about?

Thanks yet again,

David
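The two registry items in the scan above are the Windows Security Center "don't notify me" flags: a value of 1 suppresses the balloon warning for that component, and a third-party suite that takes over antivirus or firewall monitoring commonly sets them, which is why Malwarebytes classes them as a PUM (potentially unwanted modification) rather than malware. The script below is an added example, not something posted in this thread or shipped by McAfee or Malwarebytes. It reads those flags, re-checks that the two quarantined files from message 3 are really gone from disk, and lists the Run autostart keys, which is where a downloader that had actually executed would usually register itself. It assumes the key lives at HKLM\SOFTWARE\Microsoft\Security Center (its XP/Vista location; the scan log prints the name without the space) and that the file paths are exactly as posted.

```powershell
# Added example (not from the thread): inspect the Security Center
# notification flags Malwarebytes reported, confirm the two quarantined
# files are gone, and list autostart entries. Assumes the XP/Vista key
# path 'HKLM:\SOFTWARE\Microsoft\Security Center' and the value names
# AntiVirusDisableNotify / FirewallDisableNotify / UpdatesDisableNotify.

$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$flags = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

if (Test-Path $scKey) {
    $props = Get-ItemProperty -Path $scKey
    foreach ($name in $flags) {
        $value = $props.$name
        if ($null -eq $value) {
            "$name : not set (Security Center alert enabled)"
        } elseif ($value -eq 1) {
            # 1 = balloon warning suppressed. A suite such as McAfee sets this
            # when it takes over monitoring, but malware sets it too, so the
            # flag on its own does not prove an infection.
            "$name : 1 (alert suppressed)"
        } else {
            "$name : $value (alert enabled)"
        }
    }
} else {
    "Key $scKey not found; on this Windows version the flags may live elsewhere."
}

# Re-check the two detections on disk (paths as posted in message 3).
$paths = @(
    'C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000c80',
    'C:\Documents and Settings\Paul\My Documents\Downloads\post_label_us.zip'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { "STILL PRESENT: $p" } else { "gone: $p" }
}

# Message 3 asked whether the trojan could have installed itself. The usual
# persistence points are the Run keys; print them so any unfamiliar entry
# can be looked up by name before deciding what to do with it.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        "--- $k ---"
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}
```

Run it from an elevated PowerShell prompt on the affected machine. The Chrome cache entry and the zip being absent, plus nothing unexpected under the Run keys, is the practical evidence that the download was stopped before it ran; the Security Center flags alone tell you nothing either way, which matches the reply that follows.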

exbrit (Reliable Contributor), Message 8 of 9

Re: postal label trojan

That's exactly what those are and they could have been ignored.  Other than that it looks like everything is fine.

davj (Level 7), Message 9 of 9

Re: postal label trojan

Great, thanks again for your patience 🙂