Jump to content
The Education Forum

Trojan Horse Virus


Recommended Posts

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Interesting that this would happen as there is a rising awareness of the value of the site.

The virus is a password stealer.

http://www.symantec.com/security_response/...-99&tabid=3

Discovered: November 3, 2003

Updated: February 13, 2007 12:53:52 PM

Also Known As: Trojan.PSW.Ldpinch.s [Kaspersk, PWSteal.Ldpinch

Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Infostealer.Ldpinch is executed, it does the following:

Copies itself to %Windir%.

--------------------------------------------------------------------------------

Note: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

--------------------------------------------------------------------------------

Adds the value: - "putil"=%Windir%\<filename>" to the registry key: - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - so that the Trojan runs when you start Windows.

- Records the following information to a log file and then sends the information to the hacker at a hardcoded email address:

User keystrokes

System information

User email accounts

Passwords from the following programs:

ICQ99b-2003a/Lite/ICQ2003Pro

Miranda-icq

Trillian ICQ&AIM

&RQ

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).

Update the virus definitions.

Run a full system scan and delete all the files detected as Infostealer.Ldpinch.

Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

"How to disable or enable Windows Me System Restore"

"How to turn off or turn on Windows XP System Restore"

--------------------------------------------------------------------------------

Note: When you are completely finished with the removal procedure, and you are satisfied that the threat has been removed, you should reenable System Restore by following the instructions in the aforementioned documents.

--------------------------------------------------------------------------------

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definition. (this applies to all anti virus programs)

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."

For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."

Run a full system scan. If any files are detected as infected with Infostealer.Ldpinch, click Delete.

4. Deleting the value from the registry.

--------------------------------------------------------------------------------

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

--------------------------------------------------------------------------------

Click Start, and then click Run. (The Run dialog box appears.) - Type regedit , Then click OK. (The Registry Editor opens.)

Navigate to the key: - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value: - "putil"="%WinDir%\<filename>"

Exit the Registry Editor.

Edited by John Dolva
Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Uh oh...

So sorry Robin.

Not to be self absorbed (much) but how contagious is it?

Hope you can get your site back to normal without too much work.

Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Uh oh...

So sorry Robin.

Not to be self absorbed (much) but how contagious is it?

Hope you can get your site back to normal without too much work.

Hi Myra.

I don't think the site will be back in it's original form for some time yet ,if ever.

Thanks John.

Exellent.

I'm going to have a good read of that information.

I have emailed my web host to see what, if anything, they can do about it. ?

Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Uh oh...

So sorry Robin.

Not to be self absorbed (much) but how contagious is it?

Hope you can get your site back to normal without too much work.

Hi Myra.

I don't think the site will be back in it's original form for some time yet ,if ever.

Thanks John.

Exellent.

I'm going to have a good read of that information.

I have emailed my web host to see what, if anything, they can do about it. ?

**************

Oh, Robin after all your time ,effort and hard work, and it is....and so very expensive...

Hang in there, pulling for you, this is the one thing, that really gets all people riled...

I also went through a Trojan, a few years back, and no xxxxe it ate, as they put it and

totally destroyed the hard drive.....they said in TO it was melded, whatever that meant..

My youngest is a Techie, and could not believe what he found, so he took it to the company.

he worked for, they neither had seen such before...?? but all was lost..

and that was just my own pc, files and such.......not a site....

so I can well imagine, your disappointed and greater frustration...

So I am feeling extremely bad for you....but do hope, your host in some way will be able to help..

The creatures that invent these programs of ruin, should be locked up with each other..in one

room, with one computer, wonder how many would come out alive after 30 days...

....as they appear to be a driven sick lot..and world wide...

Best..B..

P.S.You shall be back, bigger and better..... :(

Edited by Bernice Moore
Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Uh oh...

So sorry Robin.

Not to be self absorbed (much) but how contagious is it?

Hope you can get your site back to normal without too much work.

Hi Myra.

I don't think the site will be back in it's original form for some time yet ,if ever.

Thanks John.

Exellent.

I'm going to have a good read of that information.

I have emailed my web host to see what, if anything, they can do about it. ?

Robin I'm sorry!

Does this mean you lost a lot of the photos?

Can we help?

I'm sure between us all we have lots of photos.

Link to comment
Share on other sites

My site has been infected with a trojan virus

Trojan Horse Virus PSW.Ldpinch HZI

For the safety of Visitors to my sight, i have closed the webpage down, i am so angry right now, that i have Cancelled my PREMIUM subscription with Geocities.com

If you use my normal webpage URL you may now access my photo archives directly, no thumbnail pics just links.

http://www.geocities.com/quaneeri2/

The site has reverted back to the free service which means LIMITED downloads once more.

Sorry guys. :(

Uh oh...

So sorry Robin.

Not to be self absorbed (much) but how contagious is it?

Hope you can get your site back to normal without too much work.

Hi Myra.

I don't think the site will be back in it's original form for some time yet ,if ever.

Thanks John.

Exellent.

I'm going to have a good read of that information.

I have emailed my web host to see what, if anything, they can do about it. ?

Robin I'm sorry!

Does this mean you lost a lot of the photos?

Can we help?

I'm sure between us all we have lots of photos.

Thanks Very Much Bernice / Myra

Myra all my files are still intact, i just can't display it in a website formatt any longer.

My page should still show a list if all my photo's, but now you will have to sort through my archives to find the photo you are looking for, instead of seeing it as a thumbnail photo preview.

I was lucky my virus software picked it up in time before it did any serious harm to my computer.

But for the safety of visitors to my site who may not have antivirus software, i had no choice but to close down my webpage.

Bernice.

I am sorry to hear about you hard drive that crashed, in my opinion the guy's who did this to my site are nothing but gutless BAS**ad's, and i have nothing but contempt for them.

Edited by Robin Unger
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...