
Thread: PWS.LDPinchIE - What does it take to rid this thing?

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default PWS.LDPinchIE - What does it take to rid this thing?

    I have this PC in front of me that has been a breeding ground for malware. This PC has been scanned, cleansed and rescanned till I'm blue in the face and this one stupid POS thing named PWS.LDPinchIE just refuses to lay down and die! Here's what I've done so far:

    Ran AVG AV Free, Kaspersky AV 7.0 and the Windows Malicious Software Removal Tool - removed a lot of viruses.

    Fired up HJT 2.02, researched and removed all that was deemed evil. Unhid all hidden files, folders and protected system files. Ran Spybot, Ad-Aware SE, Spyware Terminator, and SUPERAntiSpyware - removed a ton of crap. All return 100% clean with the exception of Spybot, which shows PWS.LDPinchIE and WildTangent (they want to keep WT for games).

    I've attached my current HJT log. At this point, I'm afraid to reconnect it to the internet for fear of re-infestation. When Spybot detects PWS.LDPinchIE, it's always a regfile. After deleting, it returns on reboot. Thanks for any help you can provide. I can't find anything useful on the net in regards to this thing. Is it a new form of malware?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:10 AM, on 7/12/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\eddie moss II\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 3435 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi denzilla

    Please post spybot report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default

    It's quite long and over the size limit, so here it is as an attachment. Thanks for your help.

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    That might be a false positive.

    Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
    http://www.billsway.com/vbspage/
    Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for RpcApi and click OK. Post the logfile from the tool here for me.

    Also do this:

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

    Post:

    - registry search results
    - uninstall list

  5. #5
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "RpcApi" 7/13/2007 4:58:59 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcApi]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RpcApi]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcApi]



    Ad-Aware SE Personal
    AVG Anti-Spyware 7.5
    BigFix
    BOClean
    Calendar Creator 7.0
    CCleaner (remove only)
    Conexant SoftK56 Modem(M)
    Diner Dash (remove only)
    Does It Belong
    FloorPlan 3D v6
    HijackThis 2.0.2
    Home Improvement 1-2-3
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    Intel(R) Extreme Graphics Driver
    Internet Explorer Q822925
    Kaspersky Anti-Virus 7.0
    Kaspersky Anti-Virus 7.0
    Learn2 Player (Uninstall Only)
    Lexmark Photo Center
    Lexmark Z700-P700 Series
    Microsoft Money 2003
    Microsoft Money 2003 System Pack
    Microsoft Office Standard Edition 2003
    Microsoft Works 6.0
    MusicNet@AOL
    Outlook Express Update Q330994
    PowerDVD
    QuickTime
    QuickTime for Windows (32-bit)
    Realtek AC'97 Audio
    Sesame Street Elmo's Reading
    Spybot - Search & Destroy 1.4
    Spyware Terminator
    Stuart Little 2 PC
    SUPERAntiSpyware Free Edition
    The Print Shop Brochures, Newsletters and More!
    Transition Math K-1
    Typing Quick & Easy
    Unlocker 1.8.5
    Update for Windows XP (KB898461)
    Viewpoint Media Player
    Wheel of Fortune 2nd Edition
    Winamp (remove only)
    Windows Backup Utility
    Windows Installer 3.1 (KB893803)
    Windows XP Hotfix - KB842773

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default

    ** I forgot that I ran AVG Antispy and removed yet more crap. The same regkey continues to appear and is only detected by Spybot as far as I can tell. Here is a fresh HJT logfile:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:37:23 PM, on 7/13/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Documents and Settings\eddie moss II\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 2716 bytes

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Uninstall via add/remove programs:

    Viewpoint Media Player

    First we'll need to backup registry:

    Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

    Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcApi]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RpcApi]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcApi]

    It should look like this ->

    Doubleclick fix.reg, press Yes and ok.

    (In case you are unsure how to create a reg file, take a look here with screenshots.)

    Reboot.

    Do another search for RpcApi and post back results.
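The fix above was built by hand: take the three RpcApi keys the Registry Search tool listed and turn each into a `[-KEY]` deletion line in a Regedit 5.00 file. The following script, added here as an illustration and not part of the thread or of any of the tools named in it, does that transformation and refuses to emit a deletion for any hit that is not a service's root key under a control set (so a stray match under SOFTWARE, for example, is never deleted). The sample input is a constructed copy of the RegSrch output posted earlier in the thread.

```python
import re

# Constructed sample: the RegSrch.vbs results from post #5 (REGEDIT4 format).
REGSRCH_OUTPUT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "RpcApi" 7/13/2007 4:58:59 PM

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcApi]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RpcApi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcApi]
"""

# A key header line: "[path]" (a leading "-" would already be a deletion entry).
KEY_RE = re.compile(r"^\[(?!-)([^\]]+)\]\s*$")
# Only a service's root key in some control set qualifies for deletion.
# CurrentControlSet is a symbolic link to one of the ControlSetNNN keys, so
# deleting both the alias and its backing set is harmless duplication.
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\]+)$", re.IGNORECASE)

def parse_regsrch(text):
    """Return every key path listed in a RegSrch/REGEDIT4 results file, skipping comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            keys.append(m.group(1))
    return keys

def service_keys(keys, service_name):
    """Keep only hits that are the named service's root key (case-insensitive)."""
    return [k for k in keys
            if (m := SERVICE_RE.match(k)) and m.group(2).lower() == service_name.lower()]

def build_fix_reg(keys):
    """Emit a Regedit 5.00 file whose [-KEY] entries delete the given keys, CRLF-terminated."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return "\r\n".join(lines)

if __name__ == "__main__":
    hits = service_keys(parse_regsrch(REGSRCH_OUTPUT), "RpcApi")
    print(build_fix_reg(hits))  # paste into Notepad, save as fix.reg (All Files)
```

Export the SYSTEM hive (or the whole registry, as the post says) before merging anything the script produces.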

  8. #8
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default

    That got it! So was this a false positive?

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    No, I don't think so as combofix detects and removes it, too.

    Do you want any further research?

  10. #10
    Junior Member
    Join Date
    Nov 2005
    Posts
    17

    Default

    No, everything is good. Thanks so much for your help
