
Infected... Ldpinch/zlob/black Door?


15 replies to this topic

#1 tuwhada

tuwhada

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 20 October 2007 - 09:26 AM

Ok I am really at a loss here b/c I think the problem is that I can not figure out what I have.

I am running Windows XP. Bad download a few days ago from a pirate site I guess and boom I have this going on. The computer always has Spy Sweeper and McAfee running on it.

Came home first day to find about 35 IE's open. With a bubble saying that I was infected (I don't recall the exact message). But when I clicked on the bubble it sent me to a website that was stating I was not protected etc etc and it was neither of my programs so I knew something was fishy.
I also had installed on my desktop 2 programs that I did not install. One says Live Safety Center, the other says Online Security Guide. If I click on them they basically bring me to the same websites.
I then continued to get various balloons with different information on them: "System is infected with spyware.cyberlog-x". As well as system alerts (with the yellow triangle) that say "system alert, black door trojan" or "spywin.32mx", "networm" and "system monitor warning about performance decrease", "spybot" as well as a few others. Sorry I do not have the specifics on them.
When I open IE there is also a strange toolbar.

Now what I have done...
I have disconnected from the internet b/c I did read this one steals passwords (I am on my laptop).
I am in safe mode.
I ran McAfee (which is fully up to date); it did not find anything.
I ran Spy Sweeper... it found a few cookies and it found the LDPINCH trojan. When it cleaned it, it wanted to reboot, but b/c the little balloon was throwing so many errors during reboot it locked up and stopped responding. The LDPINCH does show up in the qt list, and when the scan was rerun in safe mode it did not find it again.
I also downloaded Spybot (a friend recommended that). Spybot kept stopping registry edits but I don't know what they were.

I did find on Symantec's web page this... and I apologize if this is not allowed...

http://www.symantec.com/security_response/...-99&tabid=2

These error messages are exactly what I am getting.
So I went through what they recommend to fix it, except I did not download Norton. I just ran McAfee. I went to do the regedit recommendations and none of the files it told me to delete were there.

So now I am at a loss b/c I honestly don't know what it is or what I should do about it!

Thank you for your help

Christina



#2 buddy215

buddy215

  • Moderator
  • 13,264 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:33 AM

Posted 20 October 2007 - 11:42 AM

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Please let us know the results of the scan. If you would like to stay offline (good idea) you can download to a CD or other medium and install on the infected computer.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 chapin33

chapin33

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:CA
  • Local time:06:33 AM

Posted 20 October 2007 - 02:48 PM

I am having the same problem. I have XP Pro on my PC and XP Home on my laptop. Both computers have AVG Free for virus protection and the following spyware programs: Spyware Blaster, Spybot, Ad-Aware, a-squared Free, and Spy Sweeper.

I have run all of the programs and, like the previous entry, Spy Sweeper is the only one that ID'd this, and it ID'd it on both the PC and laptop. Note AVG is updated with the latest definitions and it did not catch anything, and I did a thorough sweep. I note the comment above from Buddy but wondered if a second virus scan is ok, as I know having more than one virus program is not good. Please advise.

#4 chapin33


Posted 20 October 2007 - 02:52 PM

Sorry, one additional thing I forgot to mention: when running Spy Sweeper, I ran a quick scan on both computers and both times it caught this "ldpinch trojan". At the completion of the scan, it first advised to quarantine the item, which I did, and then it advised that a full sweep was needed, so I did the full sweep. At the conclusion of the full sweeps on both the laptop and the PC, there was nothing detected. That seems odd because it (ldpinch trojan) is still there but quarantined, so doesn't it get recognized? Please advise.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:33 AM

Posted 20 October 2007 - 03:07 PM

"Bad download a few days ago from a pirate site"

Some of the worst types of malware infections can be contracted and spread by visiting pirate, crack and keygen sites. Those who attempt to get software for free can end up with a computer system so badly damaged that it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows.

Not only is that practice a security risk, BC takes it seriously enough to include it as a violation of our BC Discussion/Message Boards Rules:

"No subject matter will be allowed whose purpose is to defeat existing copyright or security measures. If a user persists and/or the activity is obviously illegal the staff reserves the right to remove such content and/or ban the user."


One or more of the identified infections is a keylogger or Infostealing Trojan. Keyloggers and Infostealer Trojans are very dangerous. Infostealing Trojan horses steal sensitive information from the infected computer and send it back to the author of the Trojan. Keyloggers sit stealthily on your system and monitor all the keys you press, including all your logins, passwords and private correspondence.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although this type of malware can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the keylogger or Infostealer Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

While we are always willing to assist with malware removal there is no guarantee of success. For XP users, the easiest thing is to do a System Restore and choose a restore point with a creation date before the date of infection. However, should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 tuwhada


Posted 20 October 2007 - 03:38 PM

Sorry that I broke the TOS. I only mentioned where I believed I had received it b/c I thought it would help. I was unaware that it was a pirate site; I was downloading a program I believed to have been legit, not in search of anything illegal like stated above. I don't even know what some of those are.
I am totally willing to take advice if people are willing to give it. Not everyone out there is trying to do illegal things; I have just been scammed by my own misknowledge.

So just to clarify, should I run this additional spyware? B/c now every time I run my current spyware all that comes up is this virtumonde.generic. I no longer seem to be receiving those bubbles?

I did read that passwords could be compromised and I do plan to change all of them. I have changed most of them already b/c I did read that, but will my ultimate solution be to reformat? I am hoping that to be an absolute LAST resort!

Will a system restore back to prior to that point work? I have not tried that yet. I did do a system restore but I don't think I went prior to that day. Should I try that first????

Thank you again,
Christina

#7 buddy215


Posted 20 October 2007 - 03:47 PM

Super Antispyware removes Vundo infections as well as many others.
There is also another tool that you could use, too. Use both.

http://vundofix.atribune.org/

#8 quietman7


Posted 20 October 2007 - 03:50 PM

As I said, using System Restore would be the easiest thing to do so try that first. You are dealing with multiple infections. In addition to the Infostealer Trojan, it appears you have a smitfraud infection and now are finding vundo.

If you continue to have problems afterwards or cannot do a restore, then post back.

#9 tuwhada


Posted 20 October 2007 - 04:03 PM

Thank you so much... I will try that and report back. I am seriously ready to smash my head into this computer I am so upset about it.

Christina

#10 tuwhada


Posted 20 October 2007 - 04:15 PM

Ok, well, since I turned off System Restore b/c that is what Symantec said to do, when I go into System Restore there are no restore points! So I guess that idea won't work?

So should I try this different spyware? Or what else could I try?

Thanks,
Christina

#11 buddy215


Posted 20 October 2007 - 04:41 PM

Yes, run the programs: Vundofix and SAS.

You can also post a Hijack This Log in the Hijack This Forum and let the EXPERTS advise you.
DO NOT post the HJT log in this forum. Directions for posting are in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#12 quietman7


Posted 20 October 2007 - 10:48 PM

Go ahead and delete your quarantined files.

Download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

While in safe mode search for and delete the following file(s)/folder(s) if they are present. You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them.

parser.dpr
parser.exe
pinch.asm
pinch.dpr
pinch.tbp
pinchbuilder.cfg
pinchbuilder.dof
pinchbuilder.dpr
pinchbuilder.exe
pinchbuilder.res
trojan.psw.ldpinch.p.exe.

To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found, right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read-only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file.

Reboot normally and then perform this online Virus scan: F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits).
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
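The file search described in post #12, as an added example that is not part of the original thread or any poster's own code: a report-only PowerShell sweep that covers hidden and system folders, and shows the read-only attribute and any running process for each match. It assumes Windows PowerShell 3.0 or later; the function name `Find-ListedFile` and the `C:\` root are assumptions, and the trailing period after the last file name in the post is treated as punctuation.

```powershell
# Added example: look for the file names listed in the post and report on each hit.
# Nothing is deleted; the output tells you what to check before removing a file.
$ListedNames = @(
    'parser.dpr', 'parser.exe', 'pinch.asm', 'pinch.dpr', 'pinch.tbp',
    'pinchbuilder.cfg', 'pinchbuilder.dof', 'pinchbuilder.dpr',
    'pinchbuilder.exe', 'pinchbuilder.res', 'trojan.psw.ldpinch.p.exe'
)

function Find-ListedFile {   # hypothetical helper name
    param(
        [string]$Root = 'C:\',                  # assumed search root
        [string[]]$FileNames = $ListedNames
    )

    # Map executable path -> process id, so a match that is currently running
    # (and would refuse deletion) is flagged.
    $running = @{}
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object { $running[$_.Path.ToLower()] = $_.Id }

    # -Force includes hidden and system items, -Recurse covers subfolders:
    # the same three options ticked in the Windows Search dialog.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $FileNames -contains $_.Name } |   # -contains ignores case
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                ReadOnly      = $_.IsReadOnly
                Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System        = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                ProcessId     = $running[$_.FullName.ToLower()]
                LastWriteTime = $_.LastWriteTime
            }
        }
}

Find-ListedFile -Root 'C:\' | Format-List
```

An empty result matches what the topic starter later reports; it means none of the listed names exist under the root, not that the machine is clean.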

#13 tuwhada


Posted 21 October 2007 - 09:08 AM

quietman, I did not get your advice until this morning but I will go ahead and try that.

I did run the Vundo scan and that found nothing. The SUPERAntiSpyware found Adware.tracking cookie and Trojan.winfixer.
Should I have run those 2 scans in safe mode as well? B/c I did not. I can rerun them in safe mode though.

I will do the other stuff as well and report back!

Thank you again,
Christina

#14 tuwhada


Posted 21 October 2007 - 09:57 AM

None of those files were on there.
I am running the AVG Anti-Spyware now.

So far nothing seems to be going on except those 2 programs keep reinstalling themselves. I don't know what those are!

#15 tuwhada


Posted 21 October 2007 - 10:32 AM

Ok, AVG only found some tracking cookies. I did not do the online virus scan b/c I am still afraid to go online, but as soon as I do I will do that one.

I also used Combofix? A friend who is a computer person told me to try that. It did save a log; would I post the log here or in the hijack this area thing? I did download that program and I do plan to post over there with the log, is that correct???

Oh, the Combofix got rid of those 2 programs that kept coming back, so is it possible that I am good? Is that what the hijack log thing does, is allow you guys to check it out to see if I am still infected?

Also I did change ALL of my passwords. But in one of my readings I read that the internal firewall is not sufficient. I only have McAfee, which I think has a firewall, and I have Spy Sweeper (typically) running on the machine; do I need to get an additional program for firewall protection or are those sufficient?

Thank you,
Christina

Edited by tuwhada, 21 October 2007 - 10:33 AM.




