Malwarebytes

New malware, not detected by Malwarebytes or Combofix


11 replies to this topic

#1
LarkBea (New Member, Experts, 33 posts, Gender: Female)
This is the popup that appears

[Attached file: windowsalertfake.JPG]

I can't give you the name it's using as I don't want the person to click to install.

No malicious files visible using Combofix. Deckard's System Scanner won't download with this message:

"Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites."

In the past TDSSSERV has always been clearly visible on Combofix.

Thanks.

#2
Cecilia (New Member, Translators, 14 posts, Gender: Female, Location: Sweden)
I have a victim with this pest; in the HijackThis log I see this line:
O4 - HKLM\..\Run: [Personal Defender 2009] "C:\Program\Personal Defender 2009\pdefendr.exe"
http://eforum.idg.se...triesId=1094145

I do not find much when I google for "Personal Defender 2009".

#3
LarkBea
That line doesn't appear in her HijackThis log. I think maybe because she hasn't actually installed it?

#4
Cecilia
I found one more bad line:
O4 - HKCU\..\Run: [asus32] "C:\Documents and Settings\Användaren\Application Data\Google\mupd1_2_1711951.exe"

Do you mean that she is only getting the popup when she is watching a certain webpage or is it generated in the computer?

#5
Jaxryley (Forum Deity, Malware Hunters, 6,718 posts, Gender: Male, Location: West Aussie, Interests: Gardening and computers)
Found a Personal Defender 2009 site. The download link is dead at the moment?
hxxp://pcfsupport.com/#

#6
LarkBea
She is getting that popup on her computer after she logs on and sporadically during the day. It disappeared briefly after running SmitFraudFix (suggested after MBAM and Combofix didn't reveal the presence of any malicious files).

Cecilia, the line you indicated in post 4 does appear in her HijackThis log. I'll have her remove it and see what happens. Thank you.

#7
Jaxryley
OK got a download link to Personal Defender 2009.
hxxp://download.www.defender2009.com/personaldefender2009.exe

Quote

File personaldefender2009.exe received on 10.30.2008 14:45:13 (CET)
Current status: finished
Result: 5/36 (13.89%)


#8
Cecilia
I have uploaded C:\Documents and Settings\Användaren\Application Data\Google\mupd1_2_1711951.exe on http://uploads.malwarebytes.org/

Detection at virustotal:
F-Secure 8.0.14332.0 2008.10.30 Suspicious:W32/UltimateRAT.21!Gemini
Microsoft 1.4005 2008.10.30 Trojan:Win32/Startpage.AK
Panda 9.0.0.4 2008.10.29 Suspicious file
Prevx1 V2 2008.10.30 Fraudulent Security Program

http://www.virustotal.com/analisis/857d653...2fa08eee27a0775

#9
nosirrah (Forum Deity, Administrators, 5,158 posts, Location: Northampton, MA USA)
It's a new one and will be assimilated soon.
Bruce Harrison
Vice President of Research


#10
Earth-Monarch (New Member, Members, 1 post)
I was hit by this Trojan yesterday (I run Vista 32-bit) and it was hiding under the name wsrdw.exe in AppData - Low - Temp - Low - Google. Malwarebytes managed to kill something else but missed it (seeing as it shot up that fake Windows Firewall window right after I removed the thing Malwarebytes found). I only managed to find this frigger program using Task Manager (I use TM a lot, so I managed to spot it because I didn't recognise it, plus the fact it was running from my Temp folder...). Manually deleted it and everything else in my Temp folder, and the message hasn't been back since.

#11
Jalida (New Member, Members, 1 post)

Earth-Monarch, on Nov 1 2008, 04:39 PM, said:

I was hit by this Trojan yesterday (I run Vista 32-bit) and it was hiding under the name wsrdw.exe in AppData - Low - Temp - Low - Google. Malwarebytes managed to kill something else but missed it (seeing as it shot up that fake Windows Firewall window right after I removed the thing Malwarebytes found). I only managed to find this frigger program using Task Manager (I use TM a lot, so I managed to spot it because I didn't recognise it, plus the fact it was running from my Temp folder...). Manually deleted it and everything else in my Temp folder, and the message hasn't been back since.

Just wanted to say thanks. Doing a search in Windows Vista didn't find the wsrdw.exe file; however, like you, I noticed it in Task Manager when the popup was on my screen and didn't recognize it as a usual exe that I run, so I had my suspicions that it was the cause, and killed the process to find that the popup disappeared from my screen.

Thanks to your post, I managed to find the file in the C:\Users\[username]\AppData\Local\Temp directory as well as a .dll file (dfxkpl.dll), and I deleted both of them and then deleted everything in my Temp folder just as a safety measure. So far the popup hasn't recurred. It was getting quite annoying, popping up about every 30 minutes or even sooner.

I continue to hope that it is permanently removed now.

Thanks for posting your findings; there were very, very few results searching Google for that file name, but apparently this one did the trick (fingers crossed).

#12
prplrx7 (New Member, Members, 1 post)

Earth-Monarch, on Nov 2 2008, 11:39 AM, said:

I was hit by this Trojan yesterday (I run Vista 32-bit) and it was hiding under the name wsrdw.exe in AppData - Low - Temp - Low - Google. Malwarebytes managed to kill something else but missed it (seeing as it shot up that fake Windows Firewall window right after I removed the thing Malwarebytes found). I only managed to find this frigger program using Task Manager (I use TM a lot, so I managed to spot it because I didn't recognise it, plus the fact it was running from my Temp folder...). Manually deleted it and everything else in my Temp folder, and the message hasn't been back since.

I got this two days ago ;). I looked in Task Manager whilst the popup appeared and used the "go to process" command to find it was using wsrdw.exe ;). I didn't recognise the file, so I deleted it and the dfxkpl.dll that I found in the same directory. All clean since then. ;)
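The two O4 lines quoted in posts #2 and #4, and the wsrdw.exe process that posts #10 to #12 found running from Temp, share one tell: an executable launched from a user-writable directory (Application Data, AppData, Temp). The script below is an added example, not code from the thread or from Malwarebytes, that turns that tell into a triage heuristic over HijackThis O4 lines and over a process list. The benign SynTPEnh entry, the "alice" user name and the process list are constructed sample input. It is a path heuristic only: it does not flag the pdefendr.exe entry installed under C:\Program, which is exactly why that one needed a signature (and the VirusTotal result in post #7 shows how few engines had one at the time).

```python
"""Heuristic triage of HijackThis O4 (autorun) lines and a process list.

Flags executables that run from user-writable directories (Application Data,
AppData, Temp), the pattern this thread's rogue used: a HKCU Run entry pointing
into Application Data\Google and a process (wsrdw.exe) running from Temp.
Path heuristic only; a rogue installed under Program Files (the pdefendr.exe
entry in post #2) is not caught by it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directory fragments (matched case-insensitively against the full path) that
# a legitimate autorun entry rarely lives in. Drawn from the paths in the
# thread plus their Vista-era equivalents.
USER_WRITABLE_DIRS = [
    r"\\application data\\",
    r"\\local settings\\temp\\",
    r"\\appdata\\",
    r"\\temp\\",
]

# HijackThis O4 line format, e.g.
# O4 - HKCU\..\Run: [asus32] "C:\...\Application Data\Google\mupd1_2_1711951.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    source: str   # registry key the entry came from, or "process"
    name: str     # Run value name or process image name
    path: str     # executable path
    reason: str


def executable_path(command: str) -> str:
    """Extract the executable from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def user_writable_reason(path: str) -> Optional[str]:
    """Return why a path is suspicious, or None if it is not."""
    lowered = path.lower()
    for pattern in USER_WRITABLE_DIRS:
        if re.search(pattern, lowered):
            return "runs from user-writable directory matching " + pattern
    return None


def scan_hijackthis(log_text: str) -> List[Finding]:
    """Parse every O4 line in a HijackThis log and flag suspicious targets."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if not match:
            continue
        path = executable_path(match.group("cmd"))
        reason = user_writable_reason(path)
        if reason:
            source = match.group("hive") + "\\" + match.group("key")
            findings.append(Finding(source, match.group("name"), path, reason))
    return findings


def scan_processes(processes: List[Tuple[str, str]]) -> List[Finding]:
    """processes: (image name, full path) pairs, as Task Manager's 'go to
    process' or 'wmic process get name,executablepath' would show them."""
    findings = []
    for name, path in processes:
        reason = user_writable_reason(path)
        if reason:
            findings.append(Finding("process", name, path, reason))
    return findings


# Constructed sample log: the two O4 lines quoted in posts #2 and #4 plus one
# benign entry (SynTPEnh here is a made-up stand-in for a vendor autorun).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Personal Defender 2009] "C:\Program\Personal Defender 2009\pdefendr.exe"
O4 - HKCU\..\Run: [asus32] "C:\Documents and Settings\Användaren\Application Data\Google\mupd1_2_1711951.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# Constructed sample process list; the wsrdw.exe path follows post #11's
# C:\Users\[username]\AppData\Local\Temp with a placeholder user name.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("wsrdw.exe", r"C:\Users\alice\AppData\Local\Temp\wsrdw.exe"),
]

if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_HJT_LOG) + scan_processes(SAMPLE_PROCESSES):
        print(f"[{f.source}] {f.name}: {f.path} -- {f.reason}")
```

Run against a real HijackThis log by passing its contents to scan_hijackthis; anything it flags still needs confirming (hash lookup, as Cecilia did on VirusTotal), because a legitimate updater can also live under Application Data, while a rogue that installs under Program Files passes this check untouched.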