Please help with a PWS.LDPinchIE infection

**seseeley** · 2009-07-09, 07:42

Hi Shaba,

looks like some infections were found. Here is the log files for KASPERSKY and HJT.

Thanks again,
Steve

KASPERSKY log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 09, 2009 04:22:08
Records in database: 2446161
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 72265
Threat name: 11
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 02:27:51

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\gswrij.exe.vir Infected: Trojan-Downloader.Win32.Small.jyk 1
C:\Qoobox\Quarantine\C\WINDOWS\ld12.exe.vir Infected: Trojan-Downloader.Win32.Injecter.dbz 1
C:\Qoobox\Quarantine\C\WINDOWS\sysguard.exe.vir Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.xd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gsf83iujid.dll.vir Infected: Trojan-Downloader.Win32.BHO.nby 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir Infected: Trojan.Win32.BHO.vkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.afhr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\___c007D775_.dat.zip Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: P2P-Worm.Win32.Palevo.hfo 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: Backdoor.Win32.NewRest.an 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: Trojan-Downloader.Win32.Small.jyk 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: Trojan.Win32.FraudPack.pda 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: Trojan.Win32.Inject.aesq 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-07_20.42.47.zip Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP1\A0000025.exe Infected: Trojan-Downloader.Win32.Injecter.dbz 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP1\A0000028.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.xd 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP1\A0000029.dll Infected: Trojan-Downloader.Win32.BHO.nby 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP1\A0000030.dll Infected: Trojan.Win32.BHO.vkp 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP1\A0000031.exe Infected: Trojan.Win32.Inject.afhr 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP2\A0000142.exe Infected: P2P-Worm.Win32.Palevo.hfo 1
C:\System Volume Information\_restore{3C118ED2-0C68-4725-BC43-5B09A6FC1328}\RP2\A0000144.exe Infected: Trojan-Downloader.Win32.Small.jyk 1

The selected area was scanned.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:22 PM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wiaacmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Nora\Local Settings\Temp\jkos-Nora\binaries\ScanningProcess.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/q/cq?d=v1&s=lltc+intc+avnr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - .DEFAULT User Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192885861250
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradevel...loadClient.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - http://www.syfabrics.com/ProductPhotos/Medium/b138[1].jpg

--
End of file - 7945 bytes

**Shaba** · 2009-07-09, 10:37

Yes but they are in combofix quarantine and in system restore.

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

**seseeley** · 2009-07-10, 07:36

Hi Shaba,

The symtoms of IE going off and surffing on its own and SpyBotSD dialogs popping up indicating that something is trying to install or change the registry is no longer evident. I tested this by going to microsoft and intel dot com. I think the worst is behind us now.

I need to turn on virus and firewall protection.

I'm trying to decide between buying McAfee family because it has automatic updating that my wife and son need (lack of desipline) or is there a freeware solution that is as good and a no brainer?

On the firewall topic I also have a question. We've been using MS FW which I know is not good enough on its own. But I also have a FW in my LinkSys router. But maybe the LS router is not setup correctly by default. I don't have a warm fuzzy because I've never had to open a port on the router for my son who plays WoW and 2nd Life?

Thanks for your help and any recommendation you may have,
Steve Seeley

**Shaba** · 2009-07-10, 18:17

I think that McAfee should be fine.

Using hardware FW and MS FW should be ok.

Are you ready for final instructions?

**seseeley** · 2009-07-11, 01:14

We are ready to get this PC back on the network ...

**Shaba** · 2009-07-11, 11:11

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide

Malwarebytes' Anti-Malware Scanning Guide
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

**seseeley** · 2009-07-11, 19:24

Hi Shaba,

I couldn't download OTCleanIt.exe on the system we've been working on. So I downloaded it on another PC and copied over to the system. However I couldn't run it. Just a DOS looking window pops up for a second and disapears. No processes in the Task Manager window for OTCleanIt.exe either.

I was able to get into XP safe mode but got the same results. I also tried renaming OTCleanIt.exe to testit2.exe but this didn't help either.

Have any ideas on what I should try next.

Thanks,
Steve

**Shaba** · 2009-07-12, 10:57

If you were able to run combofix /u, you can ignore that step

**seseeley** · 2009-07-12, 18:42

Can I skip OTCleanup? Sorry my responses are slow but we must be on far differnent time schedules.

Once again thanks for helping,
Steve Seeley
Shingle Springs, CA (between Sacramento and Tahoe on Hiway 50)

**Shaba** · 2009-07-12, 19:02

Yes you can if you ran combofix /u

Thread: Please help with a PWS.LDPinchIE infection

Thread Tools

Display

KASPERSKY virus scan found infections

Things seem fine!

Ready for final instructions

Counldn't run OTCleanIt.exe

Actually it was OTCleanup I counldn't run

Posting Permissions