Topic: Win32:Ldpinch-EU [TRJ] Infection.


Z. Daniel Phoenix

  • Guest
Win32:Ldpinch-EU [TRJ] Infection.
« on: July 10, 2007, 11:48:14 AM »
I found this while doing a night time scan of my machine.

I'm using XP SP2 and the most recent update of Avast! Antivirus.

Here's my log viewer export.

7/10/2007 3:09:13 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE\[Embedded#08138]\[Embedded#25aa8]" file. 
7/10/2007 3:54:15 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE\[Embedded#08138]" file. 
7/10/2007 3:54:18 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE" file. 
7/10/2007 3:54:20 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\VVSNInst.exe\VVSN.exe" file. 
7/10/2007 3:54:23 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\VVSNInst.exe" file. 
7/10/2007 3:54:23 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Ldpinch-EU [Trj]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%SYS%\rkinstaller.exe" file. 


From what I read about variants of the ldpinch virus... this trojan is a PSW trj, and will reinfect the computer upon restart.

I chose to move all infected files to chest, but the only one that's there is the actual infected a0043309.exe. The other files that I hit "move to chest" on gave an error in moving: "cannot find specified file".

I disabled System Restore, and I'm running a spyware search using Ad-Aware SE right now.

What should I do now?

Will Avast! kill off this nasty PSW stealer?

Should I scan using Avast! again?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #1 on: July 10, 2007, 12:09:09 PM »
Hi Z. Daniel Phoenix,

All the detections are in System Restore, which is Windows' backup of system files.

If you have rebooted after disabling System Restore, that will have deleted all the old, infected files.

You should turn System Restore back on after a reboot.

A better way to clean System Restore for the future is to create a new, clean System Restore point, and then delete all older, infected System Restore points:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#manual
http://www.bleepingcomputer.com/tutorials/tutorial56.html#delete

This always leaves you with a usable restore point in the event of a disaster.

(This obviously assumes you have dealt with any existing infection.)

Run a fresh scan with avast! and you should be clean.

As a double check, run scans with the following:

AVG Anti-Spyware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

I can only assume something has removed the original infection without touching the System Restore files in a previous scan.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
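To make Frank's point (every detection sits under a System Restore point) checkable on a longer log export, here is an added Python script. It is not from the thread, from Avast or from any project the thread mentions. It parses lines in the shape the poster exported, recognises the restore-point path pattern `\System Volume Information\_restore{GUID}\RPnnn\`, and groups detections by restore point and by the file that actually exists on disk. Two assumptions are baked in: the regex for the log line is derived only from the six lines above, and the path segments after `A0043309.exe` (such as `%PARTNERDIR%\NNWDAC638.EXE\[Embedded#08138]`) are read as nested containers inside that one file rather than separate files, which is consistent with the poster's report that only A0043309.exe could be moved to the chest. The seventh log line in the sample is constructed (made-up signature name and path) so that the "outside System Restore" branch is exercised too.

```python
import re
from collections import defaultdict

# Constructed sample: the six detection lines from the poster's log export (verbatim),
# plus one hypothetical line (signature and path are made up) that is NOT inside a
# restore point, so both branches of the triage run.
SAMPLE_LOG = r"""
7/10/2007 3:09:13 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE\[Embedded#08138]\[Embedded#25aa8]" file.
7/10/2007 3:54:15 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE\[Embedded#08138]" file.
7/10/2007 3:54:18 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\NNWDAC638.EXE" file.
7/10/2007 3:54:20 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\VVSNInst.exe\VVSN.exe" file.
7/10/2007 3:54:23 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%PARTNERDIR%\VVSNInst.exe" file.
7/10/2007 3:54:23 AM   Z. Daniel Phoenix   27024   Sign of "Win32:Ldpinch-EU [Trj]" has been found in "C:\System Volume Information\_restore{7E0CA077-6400-4291-94B0-8101E656FF94}\RP168\A0043309.exe\%SYS%\rkinstaller.exe" file.
7/10/2007 4:00:00 AM   Z. Daniel Phoenix   27024   Sign of "Example:Constructed-Sample [Tst]" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\sample.exe" file.
"""

# Assumption: one log line = timestamp, user, a numeric field, then the detection text.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>.+?)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)

# A System Restore copy lives under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r'^(?P<root>[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+))'
    r'\\(?P<rest>.+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Split a reported path into the on-disk file and the nested containers inside it.

    Assumption: inside a restore point the first segment after RPnnn is the real file
    (A00xxxxx.ext); every further segment is an archive/installer member inside it.
    """
    m = RESTORE_RE.match(path)
    if not m:
        return {"in_system_restore": False, "restore_point": None,
                "on_disk_file": path, "nested": []}
    segments = m.group("rest").split("\\")
    return {"in_system_restore": True, "restore_point": int(m.group("rp")),
            "on_disk_file": m.group("root") + "\\" + segments[0],
            "nested": segments[1:]}


def triage(log_text):
    """Group detections by restore point and on-disk file; list the rest separately."""
    by_rp = defaultdict(lambda: defaultdict(set))
    outside = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank line or a line in a different format
        info = classify(rec["path"])
        if info["in_system_restore"]:
            by_rp[info["restore_point"]][info["on_disk_file"]].add(rec["sig"])
        else:
            outside.append((rec["sig"], info["on_disk_file"]))
    return {
        "restore_points": {rp: {f: sorted(sigs) for f, sigs in files.items()}
                           for rp, files in sorted(by_rp.items())},
        "outside_system_restore": outside,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rp, files in result["restore_points"].items():
        print(f"Restore point RP{rp}:")
        for path, sigs in files.items():
            print(f"  {path}\n    signatures: {', '.join(sigs)}")
    for sig, path in result["outside_system_restore"]:
        print(f"Outside System Restore: {sig} in {path}")
```

On the poster's six lines the summary collapses to a single on-disk file (RP168\A0043309.exe) carrying two signature names; everything else is a member inside that one file, which is why deleting the old restore points, as Frank suggests, removes all of it at once.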

Z. Daniel Phoenix

  • Guest
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #2 on: July 10, 2007, 12:17:57 PM »
Hi Frank, I haven't rebooted yet. All I did was disable system restore. I was running a-squared Free 3.0 to scan after posting this message.

Would you recommend a reboot now?

Also, I've heard you can run a scan at reboot with Avast? Would that be recommended as well?

FreewheelinFrank
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #3 on: July 10, 2007, 12:23:42 PM »
Quote
Would you recommend a reboot now?

I would re-enable system restore, create a clean restore point and then delete all older points, as described above.

Quote
Also, I've heard you can run a scan at reboot with Avast? Would that be recommended as well?

Yes, that's called the boot time scan. It certainly is a good idea to run one when an infection has been detected.

If you right-click the avast! scanner screen, you will get an option to schedule a boot time scan. Just be careful if you have a cordless keyboard because it may not work during the scan.

Z. Daniel Phoenix

  • Guest
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #4 on: July 10, 2007, 12:27:36 PM »
I'm also getting desktop config files in my startup folders.

I just noticed it when going to my system tools folder.

This is what's popping up in the config file via Notepad.

[LocalizedFileNames]
Windows Explorer.lnk=@%SystemRoot%\system32\shell32.dll,-22067
Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022
Notepad.lnk=@%SystemRoot%\system32\shell32.dll,-22051
Synchronize.lnk=@%SystemRoot%\system32\shell32.dll,-22062
Tour Windows XP.lnk=@%SystemRoot%\system32\tourstart.exe,-1
Program Compatibility Wizard.lnk=@%SystemRoot%\system32\compatUI.dll,-115
Address Book.lnk=@%SystemRoot%\system32\shell32.dll,-22017
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21761


I'll get right on the restore points.
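The file pasted above is a desktop.ini; its [LocalizedFileNames] section is the Windows shell's way of giving shortcuts in a folder a localized display name, and each value is an indirect string of the form `@<file>,-<resource id>`. Every entry shown points into shell32.dll, tourstart.exe or compatUI.dll under %SystemRoot%\system32, which is where a stock XP install keeps those strings. The added Python script below (not from the thread or from Microsoft) parses a desktop.ini, checks that each localized-name entry is a well-formed resource reference, and flags entries that point anywhere other than %SystemRoot%\system32. The "expected directory" rule is an assumption for XP's own Start Menu folders; the second sample file is constructed, with made-up entries, to show what gets flagged.

```python
import re

# Constructed sample 1: the desktop.ini contents the poster pasted (verbatim).
POSTED_DESKTOP_INI = r"""[LocalizedFileNames]
Windows Explorer.lnk=@%SystemRoot%\system32\shell32.dll,-22067
Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022
Notepad.lnk=@%SystemRoot%\system32\shell32.dll,-22051
Synchronize.lnk=@%SystemRoot%\system32\shell32.dll,-22062
Tour Windows XP.lnk=@%SystemRoot%\system32\tourstart.exe,-1
Program Compatibility Wizard.lnk=@%SystemRoot%\system32\compatUI.dll,-115
Address Book.lnk=@%SystemRoot%\system32\shell32.dll,-22017
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21761
"""

# Constructed sample 2 (hypothetical, not from the thread): one stock entry plus two
# that do not look like a Windows localization entry and should get a closer look.
ODD_DESKTOP_INI = r"""[LocalizedFileNames]
Notepad.lnk=@%SystemRoot%\system32\shell32.dll,-22051
Updater.lnk=@%USERPROFILE%\Local Settings\Temp\unknown.dll,-1
Readme.lnk=plain text that is not a resource reference
"""

# Indirect string syntax used by the shell: @<file>,-<resource id>
INDIRECT_STRING_RE = re.compile(r'^@(?P<file>[^,]+),(?P<id>-?\d+)$')

# Assumption: on a stock XP install the shell's localized names all come from
# resource DLLs/EXEs under %SystemRoot%\system32 (compared case-insensitively).
EXPECTED_DIR_PREFIX = "%systemroot%\\system32\\"


def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]} preserving key case and order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_desktop_ini(text):
    """Validate localized-name entries; return {'ok': [...], 'flagged': [...]}.

    ok entries are (key, resource file, resource id); flagged entries are
    (key, raw value, reason).
    """
    sections = parse_ini(text)
    entries = list(sections.get("LocalizedFileNames", []))
    # The folder's own localized name uses the same syntax, so check it too.
    entries += [(k, v) for k, v in sections.get(".ShellClassInfo", [])
                if k == "LocalizedResourceName"]
    findings = {"ok": [], "flagged": []}
    for key, value in entries:
        m = INDIRECT_STRING_RE.match(value)
        if not m:
            findings["flagged"].append((key, value, "not an @file,-id resource reference"))
            continue
        resource = m.group("file")
        if not resource.lower().startswith(EXPECTED_DIR_PREFIX):
            findings["flagged"].append((key, value, "resource outside %SystemRoot%\\system32"))
            continue
        findings["ok"].append((key, resource, int(m.group("id"))))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_DESKTOP_INI), ("constructed", ODD_DESKTOP_INI)):
        result = check_desktop_ini(text)
        print(f"{name}: {len(result['ok'])} ok, {len(result['flagged'])} flagged")
        for key, value, reason in result["flagged"]:
            print(f"  {key} = {value}  <- {reason}")
```

Run against the posted file it reports eight well-formed entries and nothing flagged, which is the expected result for the Start Menu's System Tools folder; the file only controls how shortcut names are displayed, so the check is about where its entries point, not about the file's presence.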

Z. Daniel Phoenix

  • Guest
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #5 on: July 10, 2007, 01:26:35 PM »
Quote
Would you recommend a reboot now?

I would re-enable system restore, create a clean restore point and then delete all older points, as described above.

Quote
Also, I've heard you can run a scan at reboot with Avast? Would that be recommended as well?

Yes, that's called the boot time scan. It certainly is a good idea to run one when an infection has been detected.

If you right-click the avast! scanner screen, you will get an option to schedule a boot time scan. Just be careful if you have a cordless keyboard because it may not work during the scan.


Well, I've run into a problem.

I selected a boot scan and allowed Avast! to restart my computer, now it's stuck in a weird loop. I'll try to explain in all my non-techy-ness.

System shut down just fine, and rebooted. My Asus P5N-E logo kicks on, and after that I get 2 quick flashes of my BIOS, then... (when the Windows logo would normally start, or when Avast would start a boot scan) the screen goes blank, and I get: No Signal Input Check Video Cable.

After 2 or 3 seconds of that message it restarts and does it over again.

Trying to hit F8 at just the right time to get into Safe Mode was challenging, but I did get it twice.

Trying to start in Safe Mode and Last Config that worked gave me the exact same problem.

I'm updating from my friends laptop right now.

Any suggestions on what I can do?

FreewheelinFrank
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #6 on: July 10, 2007, 02:11:43 PM »
I would post a new topic about this problem; it's obviously an exceptional event, and one that somebody from the avast! team should really look at, as they are the ones who really understand what the boot time scan does and why it might be causing this problem, and I'm sure it's something they'll want to look into.

Z. Daniel Phoenix

  • Guest
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #7 on: July 10, 2007, 05:49:12 PM »
I would post a new topic about this problem; it's obviously an exceptional event, and one that somebody from the avast! team should really look at, as they are the ones who really understand what the boot time scan does and why it might be causing this problem, and I'm sure it's something they'll want to look into.

I made a post in the Avast topic at the top of the category pages. I hope that'll get some answers.

Thanks for your time Frank.

By the way... If I cannot solve this problem... would wiping my discs and reinstalling XP solve all issues?

I know that's a big move, but I'd rather start over than be PC-less for a week.

FreewheelinFrank
Re: Win32:Ldpinch-EU [TRJ] Infection.
« Reply #8 on: July 10, 2007, 06:47:00 PM »
Quote
By the way... If I cannot solve this problem... would wiping my discs and reinstalling XP solve all issues?

That depends. This sort of problem could be caused by hardware faults as well as software problems.

Hopefully somebody with more experience in this area will give you some help.