
Thread: PWS.LDpinchIE keeps popping up on Spybot after "fix" and System Restore still disabled

  1. #1  Junior Member (Join Date: Jul 2010, Posts: 1)


    Well, the title says it all. I was bombarded yesterday and had a myriad of trojans, worms, malware, and spyware/adware on my PC. I was able to get into Safe Mode after having to use ***** first to clean up the initial infection. Now, in Safe Mode, I was able to run Spybot again and clean some more up, but there still remain two entries that keep popping up regardless of the "fix".

    They are:

    Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

    PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-299502267-1532298954-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf


    Here is the DDS log:


    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Syke at 12:02:32.89 on Wed 07/07/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2744 [GMT -7:00]

    AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Syke\Application Data\U3\026582189C80138C\LaunchPad.exe
    L:\Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
    BHO: c:\windows\system32\dbbqmqcwlw.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\dbbqmqcwlw.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Octoshape Streaming Services] "c:\documents and settings\syke\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
    uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\syke\locals~1\temp\services.exe
    uRunOnce: [SpybotDeletingB4635] command.com /c del "c:\documents and settings\syke\local settings\temp\services.exe_old"
    uRunOnce: [SpybotDeletingD7560] cmd.exe /c del "c:\documents and settings\syke\local settings\temp\services.exe_old"
    uRunOnce: [SpybotDeletingB8378] command.com /c del "c:\documents and settings\syke\local settings\temp\cmd.exe_old"
    uRunOnce: [SpybotDeletingD8360] cmd.exe /c del "c:\documents and settings\syke\local settings\temp\cmd.exe_old"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRunOnce: [SpybotSnD] "c:\docume~1\syke\locals~1\temp\spybotsd\SpybotSD.exe" /autocheck
    mRunOnce: [SpybotDeletingA5432] command.com /c del "c:\documents and settings\syke\local settings\temp\services.exe_old"
    mRunOnce: [SpybotDeletingC8482] cmd.exe /c del "c:\documents and settings\syke\local settings\temp\services.exe_old"
    mRunOnce: [SpybotDeletingA3682] command.com /c del "c:\documents and settings\syke\local settings\temp\cmd.exe_old"
    mRunOnce: [SpybotDeletingC8330] cmd.exe /c del "c:\documents and settings\syke\local settings\temp\cmd.exe_old"
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 208.67.220.220,208.67.222.222
    TCP: {56CEEF00-71D0-4C65-A7D7-C2C7A5E006EC} = 208.67.220.220,208.67.222.222
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: c:\windows\system32\dbbqmqcwlw.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\dbbqmqcwlw.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\syke\applic~1\mozilla\firefox\profiles\79f43t5c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/ | http://www.google.com/ig?hl=en&source=iglk
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\syke\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\syke\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\syke\application data\mozilla\plugins\npoctoshape.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\vizzed\vizzed retro game room\NpVizzedRgr.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-7-6 20480]
    S0 htaoyypw;htaoyypw; [x]
    S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\norton 360\engine\3.5.0.15\ccsvchst.exe" /h cccommon --> c:\program files\norton 360\engine\3.5.0.15\ccSvcHst.exe [?]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-6 179856]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S2 srenum;srenum;c:\windows\system32\drivers\srenum.sys [2010-7-6 46976]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-6 15504]

    =============== Created Last 30 ================

    2010-07-07 17:50:10 210 ----a-w- c:\windows\wininit.ini
    2010-07-07 17:11:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-07-07 05:21:15 452 --sha-r- c:\documents and settings\syke\ntuser.pol
    2010-07-07 00:46:24 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-07 00:46:22 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-07 00:46:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 23:27:27 2723 ----a-w- c:\windows\evoyirogo.dll
    2010-07-06 22:34:30 2723 ----a-w- c:\windows\agezafit.dll
    2010-07-06 22:32:29 46976 ----a-w- c:\windows\system32\drivers\srenum.sys
    2010-07-06 22:32:29 4128 ----a-w- c:\windows\system32\msrun.exe
    2010-07-06 22:32:20 823808 ----a-w- c:\windows\system32\drivers\scbkl.sys
    2010-07-06 22:32:12 173568 ----a-w- c:\windows\Ytyqoa.exe
    2010-07-06 22:32:02 50688 ----a-w- c:\windows\system32\ernel32.dll
    2010-07-06 22:32:01 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
    2010-07-06 22:31:59 50688 ----a-w- c:\docume~1\syke\applic~1\0c729403.exe
    2010-07-06 22:31:56 30000 ----a-w- c:\windows\system32\dbbqmqcwlw.dll
    2010-07-05 20:19:22 0 d-----w- c:\program files\Vizzed
    2010-07-04 01:12:29 0 d-----w- c:\program files\NCH Swift Sound

    ==================== Find3M ====================

    2010-06-07 07:59:39 57016 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-05-18 23:24:09 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-05-18 23:24:00 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-05-18 20:07:29 34284 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-05-18 07:04:28 33443 ----a-w- c:\windows\fire-un.exe
    2010-05-18 07:00:28 81920 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-05-18 07:00:28 233472 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-05-14 22:21:18 139152 ----a-w- c:\docume~1\syke\applic~1\PnkBstrK.sys
    2010-05-14 22:20:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-05-14 22:20:52 794408 ----a-w- c:\windows\system32\pbsvc.exe
    2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

    ============= FINISH: 12:03:14.57 ===============



    Any Help would be appreciated. Thank you
    Last edited by tashi; 2010-07-07 at 23:26. Reason: Removed name of tool
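
    Added example (editorial; not code from the post, from DDS or from Spybot): a small Python triage that runs over the Pseudo HJT Report and SERVICES lines quoted in the log above and flags the indicators a responder would pull out first: the IE proxy pointing at 127.0.0.1:5577, the BHO with a random-looking name in system32, the Run entry launching services.exe from the user's temp directory, the hosts entry sinking www.spywareinfo.com to loopback, and the S0 service with no image path. The two Spybot findings (the DisableSR policy and the idstrf value) are not DDS lines and are not parsed here; an entry that comes back after every "fix" is usually being rewritten by a component that is still running, which is why the lines this script flags matter. The vowel-ratio name heuristic and its thresholds are assumptions, and the sample lines are copied from the log, with benign lines kept in so the rules can be seen not firing on them.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' lines (added example; not DDS or Spybot code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log in the post above (Pseudo HJT
# Report plus two SERVICES lines). Benign lines are included on purpose so the
# rules can be seen *not* firing on them.
SAMPLE_LINES = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: c:\windows\system32\dbbqmqcwlw.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\dbbqmqcwlw.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] c:\docume~1\syke\locals~1\temp\services.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 208.67.220.220,208.67.222.222
Hosts: 127.0.0.1 www.spywareinfo.com
S0 htaoyypw;htaoyypw; [x]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-6 179856]
"""

# DDS line shapes (regexes written for this example from the log format above)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<val>.+)$", re.I)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
BHO_RE = re.compile(r"^(?:BHO|STS|TB):\s*.+?:\s*\{[0-9a-f-]+\}\s*-\s*(?P<path>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
SVC_NOPATH_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*\[x\]", re.I)
LUA_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str  # "high" or "info"
    line: str
    reason: str


def looks_random(name: str, min_letters: int = 8, max_vowel_ratio: float = 0.15) -> bool:
    """Crude keyboard-mash detector: long names with almost no vowels.
    Thresholds are assumptions; tune them before relying on the result."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name, flags=re.I)  # drop .exe/.dll
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= max_vowel_ratio


def triage(report: str) -> list[Finding]:
    """Return one Finding per line that trips at least one rule."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        high: list[str] = []
        info: list[str] = []
        if (m := PROXY_RE.match(line)) and re.search(r"127\.0\.0\.1|localhost", m["val"], re.I):
            high.append("browser proxy points at the local host: a local process relays (and can read) web traffic")
        if m := RUN_RE.match(line):
            if TEMP_DIR_RE.search(m["cmd"]):
                high.append("autorun entry launches from a temp directory")
            if looks_random(m["name"]):
                high.append("autorun entry has a random-looking name")
        if (m := BHO_RE.match(line)) and looks_random(m["path"].rsplit("\\", 1)[-1]):
            high.append("browser helper object / shell extension with a random-looking file name")
        if (m := HOSTS_RE.match(line)) and m["ip"] in LOOPBACK and m["host"].lower() != "localhost":
            high.append(f"hosts file sinks {m['host']} to {m['ip']}")
        if SVC_NOPATH_RE.match(line):
            high.append("service/driver registered with no image path on disk ([x])")
        if LUA_RE.match(line):
            info.append("EnableLUA=0 (UAC off; only meaningful on Vista or later)")
        if high or info:
            findings.append(Finding("high" if high else "info", line, "; ".join(high + info)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
```

    Run against the sample it reports five high findings and one informational one, and stays quiet on ctfmon, the NVIDIA tray entries, the Ask toolbar and the Malwarebytes service. Treat the output as a reading aid for a log you already have, not as a verdict: a random-looking name is a prompt to look at the file's creation time and signer, and a loopback proxy is a prompt to find the process listening on that port.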

  2. #2  Blade81, Security Expert Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)


    Hi,

    Please do the following if you still need help with this.

    Download GMER here by clicking the "Download EXE" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab, uncheck the Files option and then click Scan.
    • Don't check the Show All box while the scan is in progress!
    • When the scan is ready, click Copy. This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply. Also post fresh DDS log contents (both dds.txt & attach.txt).
    Last edited by tashi; 2010-07-21 at 06:48. Reason: Date of archive
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
