Postal Service "Package Waiting" Scam.... Trojan Dropper Virus.


  1. Posts : 293
    win 7 home premium 64 bit
       #1


    My Dad told me that he clicked on an e-mail that was supposedly from the USPS and indicated that he had a package waiting for him that was delayed due to an address confirmation issue. The e-mail indicated that he should download an address label and bring it to the USPS for confirmation. Well, luckily my Dad realized at the last minute that the e-mail was a scam.....he did NOT click to download the label. My question is: could his PC still get infected even though he did NOT click on the download? He simply deleted it.

    He informed me that he did a full scan twice with a currently updated MSE scan and said it found nothing...

    What are your opinions on this?

    I would think you must open the download in order to be infected.

    Also when I go over to his house what things should I look for in task manager or other areas to check for evidence of the virus?


  2. Posts : 293
    win 7 home premium 64 bit
    Thread Starter
       #2

    Although I couldn't get to my Dad's home yet, he indicated that MSE detected and removed
    Trojan Dropper Win32 Kuluoz.A.

    He informed me that after his suspicions he did a full scan with MSE and also I told him to scan with the MRT tool for May 2013, after those two scans no evidence was found of the trojan...

    He now says that he did click on the download button and it did download the zipped file, however he says that after it downloaded he did NOT open the zipped file and deleted it.

    He is using Google Chrome as well.

    He also stated that he didn't see any evidence of the fake address label that would have appeared if he had in fact opened the zip.

    Can MSE detect this trojan if the zip is UNopened?

    Thanks for any help you can give me. I'm trying to help him from a distance because I can't get to his home at the moment...


  3. Posts : 2,470
    Windows 7 Home Premium
       #3

    legacy7955,

    Please have him use the following program to identify processes or Registry keys that may have been created by Trojan Dropper Win32 Kuluoz.A:


    Download RogueKiller (Official website)
    Select the x86 (32-bit) version or the x64 (64-bit) version for your 64-bit system.
    Click the applicable button to download.
    Save to the Desktop.

    Close all windows and browsers.
    Right-click and select: Run as Administrator

    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
    Press: SCAN

    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.


    Follow with Malwarebytes' Anti-Malware:
    http://www.malwarebytes.org/mbam-download-exe.php
    Save to the Desktop.

    MBAM may make changes to the Registry as part of its disinfection routine.
    If using other security programs that detect Registry changes, they may interfere or alert you.
    Temporarily disable such programs as shown, or permit them to allow the changes:
    http://www.bleepingcomputer.com/forums/topic114351.html

    Right-click the MBAM file, and select: Run as Administrator
    When the installation begins, follow the prompts.

    At the last prompt of the Setup routine, make sure you leave both of these checked:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware

    However, uncheck: Enable free trial of Malwarebytes Anti-Malware PRO
    Click: Finish

    MBAM automatically starts and you are asked to update the program.
    If an update is found, the program automatically updates itself.
    Press the OK button to close the box and continue.

    On the Scanner tab:
    Make sure the Perform Full Scan option is selected.
    Then click on the Scan button.

    If asked to select the drives to scan, leave all the drives selected.
    Click on the Start Scan button.

    The scan may take some time to complete, so please be patient.

    When the scan is finished, a message box shows: "The scan completed successfully. Click 'Show Results' to display all objects found."
    Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    Click on the Show Results button to see a list of any malware found.

    Make sure everything is checked, and click: Remove Selected

    When removal is completed, a report opens in Notepad.

    The log is automatically saved and can be viewed by clicking the Logs tab.

    Please copy/paste the entire contents of the MBAM report in your reply.
    Exit MBAM when done.

    Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

    Once the reports are provided we can determine if any additional actions are necessary.


  4. Posts : 293
    win 7 home premium 64 bit
    Thread Starter
       #4

    @cottonball:


    I'm sorry I didn't get back to you sooner.

    My Dad said he was too worried about the possibility of the malware not being completely eliminated unless I did a complete wipe of the HDD and a fresh install of Windows 7 SP1. He doesn't have anything on there of any importance, and he felt it was a certainty that with the wipe and new install he was completely secured with MSE installed and the Malwarebytes scanner as well.

    He asked me to ask you, as an expert: are you 100% certain that this wipe and new install have eliminated the possibility of any malware remnant remaining?


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    If he did a 'wipe' and 'clean' install, then the virus should be gone! When he checks his e-mail, if the message is still in it (Yahoo or Gmail), delete it and empty the trash.

    He should also change his passwords as an extra precaution.


  6. Posts : 293
    win 7 home premium 64 bit
    Thread Starter
       #6

    Jacee:

    Thanks for your rapid reply.

    I was the one that did a destructive wipe of the HDD and re-installed Windows 7 SP1.

    Installed MSE v4 and the free version of MBAM scanner only.

    I definitely told him to NEVER open spam mail, and if he thinks UPS or USPS has something for him that is incorrectly addressed he should CALL them and inquire.

    Luckily he has nothing important on the PC, so it was a pretty easy decision to wipe and reinstall the OS.

