Trouble removing pws.ldpinchie


  • This topic is locked
5 replies to this topic

#1 Seudu

  • Members
  • 2 posts

Posted 26 April 2009 - 12:56 AM

Earlier today I finally reformatted a desktop I have and was hunting down some missing drivers. I ended up downloading and running an unknown file without thinking because of that. Immediately after I did that, my internet connection on that computer ceased to work (it's a wired desktop; I'm on a wireless laptop right now), so I did some cleaning up with Norton and Spybot. That got rid of a good number of trojans, but this one, "pws.ldpinchie", comes back every time I reboot. And, as of yet, the internet connection on the computer still does not work. The log is as follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bratton at 0:40:15.67 on Sun 04/26/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bratton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bratton\applic~1\mozilla\firefox\profiles\yadrq76u.default\
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-25 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-25 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-25 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090206.001\IDSxpx86.sys [2009-4-25 276344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-25 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090425.020\NAVENG.SYS [2009-4-25 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090425.020\NAVEX15.SYS [2009-4-25 876144]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-25 115560]
S2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-25 115560]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]

=============== Created Last 30 ================

2009-04-25 21:46 0 a------- C:\LOG9.tmp
2009-04-25 21:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 21:24 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-04-25 21:20 0 a------- C:\LOG20.tmp
2009-04-25 20:44 44 a------- c:\windows\system32\p2hhr.bat
2009-04-25 20:44 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-25 20:40 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{CC51AE54-B346-4954-ADDB-30BD4F138CF2}
2009-04-25 20:40 <DIR> --d----- c:\program files\iXi Tools
2009-04-25 20:23 <DIR> --d----- c:\docume~1\bratton\applic~1\JGsoft
2009-04-25 20:11 67,208 a------- c:\windows\UnDeploy.exe
2009-04-25 20:11 <DIR> --d----- c:\program files\JGsoft
2009-04-25 19:38 <DIR> --d----- c:\docume~1\bratton\applic~1\mIRC
2009-04-25 19:38 <DIR> --d----- c:\program files\mIRC
2009-04-25 19:33 0 a------- C:\LOG7E.tmp
2009-04-25 19:29 0 a------- C:\LOG6B.tmp
2009-04-25 19:11 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-04-25 19:11 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-25 19:11 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-25 19:11 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-25 19:11 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-25 19:11 <DIR> --d----- c:\program files\Symantec
2009-04-25 19:11 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-04-25 19:11 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-25 19:11 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-25 19:11 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Symantec
2009-04-25 19:11 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Norton
2009-04-25 19:11 <DIR> --d----- c:\program files\NortonInstaller
2009-04-25 19:11 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2009-04-25 19:07 <DIR> --d----- c:\docume~1\bratton\applic~1\GetRightToGo
2009-04-25 19:00 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-04-25 18:58 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-04-25 18:58 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-04-25 18:58 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-04-25 18:58 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-04-25 18:58 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-04-25 18:58 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-04-25 18:57 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-04-25 18:57 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-25 18:57 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-25 18:57 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-25 18:52 <DIR> --d----- c:\windows\system32\scripting
2009-04-25 18:52 <DIR> --d----- c:\windows\system32\en
2009-04-25 18:52 <DIR> --d----- c:\windows\system32\bits
2009-04-25 18:52 <DIR> --d----- c:\windows\l2schemas
2009-04-25 18:51 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-25 16:50 <DIR> --d----- c:\windows\network diagnostic
2009-04-25 16:36 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-04-25 16:36 <DIR> --d----- c:\windows\system32\PreInstall
2009-04-25 16:36 <DIR> --d-h--- c:\windows\$hf_mig$
2009-04-25 16:35 <DIR> --ds---- c:\documents and settings\bratton\UserData
2009-04-25 16:34 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-04-25 15:18 <DIR> --d----- c:\program files\Lavalys
2009-04-25 14:19 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-04-25 14:19 208,896 -------- c:\windows\system32\nvuide.exe
2009-04-25 14:19 1,570 -------- c:\windows\system32\nvide.nvu
2009-04-25 14:18 208,896 a------- c:\windows\system32\nvusmb.exe
2009-04-25 14:18 1,864 a------- c:\windows\system32\nvsmb.nvu
2009-04-25 14:18 208,896 a------- c:\windows\system32\NVUNINST.EXE
2009-04-25 14:18 <DIR> --d----- C:\NVIDIA
2009-04-25 14:05 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-04-25 14:05 <DIR> --d----- c:\program files\Belarc
2009-04-25 13:47 <DIR> --d----- c:\program files\Yahoo!
2009-04-25 10:44 0 a------- C:\LOGF3.tmp
2009-04-25 10:41 0 a------- C:\LOGD5.tmp
2009-04-25 10:27 35,840 a------- c:\windows\system32\drivers\AFS2K.SYS
2009-04-25 10:26 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-04-25 10:25 233,528 a----r-- c:\windows\system32\HPZidr12.dll
2009-04-25 10:25 167,936 a----r-- c:\windows\system32\HPZipr12.dll
2009-04-25 10:25 94,208 a----r-- c:\windows\system32\HPZipt12.dll
2009-04-25 10:25 65,795 a----r-- c:\windows\system32\HPZipm12.exe
2009-04-25 10:25 61,699 a----r-- c:\windows\system32\HPZinw12.exe
2009-04-25 10:25 57,344 a----r-- c:\windows\system32\HPZisn12.dll
2009-04-25 10:25 16,080 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-04-25 10:24 51,024 a----r-- c:\windows\system32\drivers\hpzid412.sys
2009-04-25 10:24 20,454 a------- c:\windows\hpoins01.dat
2009-04-25 10:24 16,618 -------- c:\windows\hpomdl01.dat
2009-04-25 10:24 237,568 a----r-- c:\windows\system32\HPZc3212.dll
2009-04-25 10:24 21,456 a----r-- c:\windows\system32\drivers\HPZius12.sys
2009-04-25 10:14 2,422 a------- c:\windows\system32\wpa.bak
2009-04-25 08:15 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-25 08:15 32,128 a------- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2009-04-25 20:44 15,872 a------- c:\windows\system32\drivers\beep.sys
2009-04-25 18:54 170,742 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-25 18:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-25 19:00 155,995 a------- c:\windows\java\packages\PVXBJLBF.ZIP
2009-03-25 19:00 2,232 a------- c:\windows\java\packages\data\HV7J7BDJ.DAT
2009-03-25 19:00 2,678 a------- c:\windows\java\packages\data\0S5JBDRL.DAT
2009-03-25 19:00 2,678 a------- c:\windows\java\packages\data\Q97X3TBV.DAT
2009-03-25 19:00 2,678 a------- c:\windows\java\packages\data\LR3HZX37.DAT
2009-03-25 19:00 2,678 a------- c:\windows\java\packages\data\KSWT75J3.DAT
2009-03-25 19:00 2,678 a------- c:\windows\java\packages\data\C8WH7LVR.DAT
2009-03-25 18:54 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 0:40:31.62 ===============
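A worked triage of the log above, as an added example that is not part of the original post, of the DDS tool or of the BleepingComputer fix. It takes a handful of lines copied from the posted log as constructed sample input and automates two checks a responder would otherwise do by eye: the same CLSID and DLL registered under more than one load point (the BHO and STS entries for kjsdiowq8oikf.dll), and files whose DDS timestamp falls in the same minute as that DLL (p2hhr.bat in "Created Last 30", and beep.sys in "Find3M"). The regexes, function names and the parsed-record layout are this example's own; a timestamp match is a lead to investigate, not proof that a file is malicious.

```python
"""Triage a DDS log: shared load points and same-minute file drops.

Added example, not from the original post or from DDS.  Field names,
regexes and function names are this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a few lines copied from the DDS log posted
# above.  A real run would read the whole log from a file instead.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
2009-04-25 21:46 0 a------- C:\LOG9.tmp
2009-04-25 20:44 44 a------- c:\windows\system32\p2hhr.bat
2009-04-25 20:44 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-25 20:40 <DIR> --d----- c:\program files\iXi Tools
2009-04-25 20:44 15,872 a------- c:\windows\system32\drivers\beep.sys
"""

# "<kind>: <description> {CLSID} - <path>" entries from the Pseudo HJT Report.
LOAD_POINT_RE = re.compile(
    r"^(?P<kind>BHO|STS|TB|IE|DPF|Handler):\s.*?"
    r"(?P<clsid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\s-\s(?P<path>.+)$",
    re.IGNORECASE,
)
# "<date> <time> <size|<DIR>> <attrs> <path>" entries from Created Last 30 / Find3M.
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)


def parse_dds(text):
    """Split DDS output into load-point records and file records."""
    load_points, files = [], []
    for line in text.splitlines():
        line = line.strip()
        m = LOAD_POINT_RE.match(line)
        if m:
            load_points.append({"kind": m["kind"], "clsid": m["clsid"].lower(),
                                "path": m["path"].lower()})
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                          "path": m["path"].lower(), "is_dir": m["size"] == "<DIR>"})
    return load_points, files


def multi_load_point_clsids(load_points):
    """CLSIDs registered under more than one kind of load point.

    A legitimate add-on normally lives in one place.  The same randomly
    named DLL appearing as both a BHO (loaded by Internet Explorer) and an
    STS entry (loaded by the shell at logon) is the pattern worth flagging.
    """
    kinds, paths = defaultdict(set), {}
    for lp in load_points:
        kinds[lp["clsid"]].add(lp["kind"])
        paths[lp["clsid"]] = lp["path"]
    return {c: {"kinds": sorted(k), "path": paths[c]}
            for c, k in kinds.items() if len(k) > 1}


def files_near(files, anchor_path, window_minutes=0):
    """Other paths whose timestamp lies within window_minutes of the anchor's.

    DDS records minute resolution, so the default means 'same minute'.
    Droppers tend to write their components in one burst, which makes this
    a cheap way to find companions of a known-bad file.
    """
    anchor_path = anchor_path.lower()
    anchors = [f["ts"] for f in files if f["path"] == anchor_path]
    if not anchors:
        raise ValueError(f"{anchor_path} not found in log")
    window = timedelta(minutes=window_minutes)
    return sorted(f["path"] for f in files
                  if f["path"] != anchor_path and abs(f["ts"] - anchors[0]) <= window)


def triage(text, suspect_path):
    """Run both checks and return a plain dict of leads."""
    load_points, files = parse_dds(text)
    return {"multi_load_point": multi_load_point_clsids(load_points),
            "same_minute": files_near(files, suspect_path),
            "within_5_minutes": files_near(files, suspect_path, 5)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, r"c:\windows\system32\kjsdiowq8oikf.dll"),
                     indent=2))
```

Widening the window to five minutes also pulls in the iXi Tools directory created at 20:40, which illustrates the trade-off: a wider window catches a slower dropper but also sweeps in whatever the user happened to install around the same time, so each hit still needs a human decision.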

#2 m0le

  • Malware Response Team

Posted 26 April 2009 - 05:52 AM

Hi Seudu,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks
m0le is a proud member of UNITE

#3 Seudu

  • Topic Starter

  • Members

Posted 26 April 2009 - 11:39 AM

I'm here. I may be in and out through the day but I will be watching for replies. Thank you for your assistance.

#4 m0le

  • Malware Response Team

Posted 29 April 2009 - 03:14 AM

Hi Seudu,

There are some issues to deal with but first I need to take a better look at the PC.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you saved on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window at this point. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Thanks
m0le is a proud member of UNITE

#5 m0le

  • Malware Response Team

Posted 01 May 2009 - 12:48 PM

Hi Seudu,

Are you still looking for help with your PC?
m0le is a proud member of UNITE

#6 Yourhighness

  • Malware Response Team

Posted 03 May 2009 - 02:55 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

"How did I get infected?" - "Safe-hex" - Member of UNITE