When Malware Clones

ChrisGreaves
PlutoniumLounger
Posts: 15641
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

When Malware Clones

Post by ChrisGreaves »

I'm not sure at all what happened.
I decided to install Primo PDF writer on the little Acer Aspire One 533 netbook.
I (Windows Explorer) wandered across my LAN to the Compaq Notebook folder \Appl\Installed\Primo\ and executed the "FreewarePrimoSetup.exe" found there (on the NoteBook):
Primo1.png
On the Netbook MSE sprang up and muttered something about AdWare ... candy.
I didn't think to snapshot/PrtScr the message, just chose "go ahead and get rid of it", and opted for "No, don't reboot at this time".
Then I observed a new file, timestamped Now() in my Netbook folder.
Primo2.png
All very strange ...
He who plants a seed, plants life.

viking33
PlatinumLounger
Posts: 5685
Joined: 24 Jan 2010, 19:16
Location: Cape Cod, Massachusetts,USA

Re: When Malware Clones

Post by viking33 »

Chris,
There are suggestions that this is a Delf Trojan. Others claim it is a false positive and is a legit PDF handler.

http://spywarefiles.prevx.com/RRACJJ447 ... P.EXE.html

I would run whatever anti-virus/malware program you use and see what it picks up.
BOB

If I agreed with you we'd both be wrong.


Re: When Malware Clones

Post by ChrisGreaves »

viking33 wrote: Others claim it is a false positive and is a legit PDF handler.
Bob, Thanks for this bit of research.

I had another "hit" this morning, different situation.
(Around about now most of Eileen's loungers will be backing away from me, veeeery slowly, I know).
Perhaps I have tighter security; perhaps I spend too much time browsing news and tech sites.

Each morning I use Firefox to "Open All In Tabs" a set of about a dozen blogs:
1.png
Been doing it for years. About once every 2 months or so I remove one link and add another. There's a limit to what I can read each morning.
This morning I did my "Open All In Tabs", as I did yesterday morning and the day before, and MSE pops up its little red box:
MSESmall.png
This time I remembered to take a snapshot during removal, instead of after removal, as happened the last time.

I note with interest that the Malware is in the folder "C:\Users\ChrisC\AppData\Local\Temp", and suppose that while MSE appears to be on the ball, it might not hurt my system to delete the contents of that folder periodically, "periodically" being defined as
  • At each reboot
  • Each time I load MSWord (a common-enough event here)
  • Each time I log my time in Notepad with my .LOG application
  • Each time I pick up the phone
etc.

Thoughts from anyone?
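One way to do the once-a-day Temp cleanup discussed in this post, as an added PowerShell example that is not code from the thread; the script, its $MaxAgeHours and $DryRun parameters and the 24-hour default are assumptions, and it only touches the current user's $env:TEMP:

```powershell
# Added example, not code from the thread: clear the current user's Temp folder
# of anything not touched in the last $MaxAgeHours hours (default 24, the
# once-a-day cadence discussed above). Files a running program still has open
# fail to delete and are counted as skipped rather than stopping the run.
# Assumes Windows PowerShell 5.1 or later; paths other than $env:TEMP are not touched.
param(
    [int]$MaxAgeHours = 24,
    [switch]$DryRun          # report what would be removed without deleting
)

$tempPath = $env:TEMP
$cutoff   = (Get-Date).AddHours(-$MaxAgeHours)
$removed  = 0
$skipped  = 0

# Pass 1: stale files.
Get-ChildItem -Path $tempPath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        $file = $_
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop -WhatIf:$DryRun
            $removed++
        } catch {
            # Locked by a process or permission denied: leave it and note why.
            $skipped++
            Write-Verbose ("Skipped {0}: {1}" -f $file.FullName, $_.Exception.Message)
        }
    }

# Pass 2: directories left empty by pass 1, deepest first so parents empty out.
Get-ChildItem -Path $tempPath -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Sort-Object { $_.FullName.Length } -Descending |
    Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue) } |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue -WhatIf:$DryRun }

Write-Output ("Temp cleanup of {0}: {1} file(s) removed, {2} skipped (in use or access denied)." -f $tempPath, $removed, $skipped)
```

Schedule it once a day with Task Scheduler under your own account; it is housekeeping that shrinks the place downloads land, not a replacement for MSE's real-time scan.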

HansV
Administrator
Posts: 78556
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: When Malware Clones

Post by HansV »

I don't think it's really necessary to empty your Temp folder each time you take a sip of tea, but it's not a bad idea to do it once a day.
Best wishes,
Hans

DaveA
GoldLounger
Posts: 2599
Joined: 24 Jan 2010, 15:26
Location: Olympia, WA

Re: When Malware Clones

Post by DaveA »

Which link have you added since this has started?
I would get rid of the link that is sending you these bad files.
I am so far behind, I think I am First :evilgrin:
Genealogy....confusing the dead and annoying the living


Re: When Malware Clones

Post by ChrisGreaves »

DaveA wrote: Which link have you added since this has started?
I would get rid of the link that is sending you these bad files.
Hi Dave, good idea.
However I haven't changed my set of links in over a week.
All I can really do (I think) is reboot, and then load each link independently, waiting 60 seconds between each link, to see which is the culprit.
Then, of course, alert the blogger.

The blogs I follow are professional people; but of course, like me, they have well-meaning friends who send them electronic greeting cards, visit porn sites, or cc them on the Master World Registry of Bot Harborers.


Re: When Malware Clones

Post by ChrisGreaves »

HansV wrote: I don't think it's really necessary to empty your Temp folder each time you take a sip of tea, but it's not a bad idea to do it once a day.
OK. Once a day, at least.
Not as frequently as I sip tea, but more frequently than I :cheers: .
Got it!

Funny you should mention it.
Right now I'm developing a series of PDF flyers for course outlines, a semi-mechanical process that includes an upload-PDF-and-Fabricate-Index as one of the steps.
My lazy mind has determined that THAT step is enough time to reach out and take a sip of :coffeetime: in a leisurely fashion, thereby convincing myself that I'm not really working this morning ...