
win32.trojanPWS.mapper trouble with RootRepeal


  • This topic is locked
7 replies to this topic

#1 h0micide

h0micide

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 26 August 2009 - 10:41 AM

First off my name is Matt and I wanted to thank you ahead of time for your time.

My computer has been acting up for the past week or so; Ad-Aware detects a win32.trojanPWS.mapper. I have not been able to run SuperAntiSpyware or Malwarebytes Anti-Malware; the processes seem to be terminated before they even start running. The RootRepeal log isn't here because it freezes my computer every time I try to run it. Furthermore, my DVD-ROM/CD-ROM drives won't autoplay any CD I put in... I just want to reformat my HD, but I can't do that until I get my drives working again.


DDS (Ver_09-07-30.01) - NTFSx86
Run by matt at 11:10:47.03 on Wed 08/26/2009
Internet Explorer: 6.0.2600.0000

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uCustomizeSearch =
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\wdanyw~1.lnk - c:\docume~1\matt\applic~1\microsoft\installer\{b9a81070-616d-4e93-be02-cee651343204}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
Trusted Zone: kingsofchaos.com\www
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/8/D/08D91A3B-CFF6-45DE-95DF-64415075E344/mpg4sdmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: WRNotifier - WRLogonNTF.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Notification Packages = scecli c:\windows\system32\peyulufu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\zvjad95b.default user\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAbacheck.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-2-11 16640]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-23 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-16 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-1 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-1 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-1 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-3-1 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2005-10-23 4960]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\Awrtpd.sys [2008-4-29 12960]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\Awrtrd.sys [2008-4-29 15648]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\matt\locals~1\temp\fadpu16e.sys --> c:\docume~1\matt\locals~1\temp\Fadpu16E.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-11 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-11 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-11 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-11 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-11 1079176]

=============== Created Last 30 ================

2009-08-25 17:52 440,883 a------- C:\txtsetup.sif
2009-08-25 17:52 260,288 a------- C:\$LDR$
2009-08-25 17:50 <DIR> --d----- C:\$WIN_NT$.~LS
2009-08-25 17:50 <DIR> --d----- C:\$WIN_NT$.~BT
2009-08-25 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Memeo
2009-08-25 14:19 <DIR> --d----- c:\program files\Trend Micro
2009-08-24 22:24 <DIR> --d----- c:\program files\common files\eSellerate
2009-08-24 22:24 <DIR> --d----- c:\program files\WD
2009-08-24 22:24 <DIR> --ds---- c:\docume~1\alluse~1\applic~1\WD
2009-08-24 22:23 <DIR> --d----- c:\program files\Western Digital Technologies
2009-08-24 22:23 <DIR> --d----- c:\program files\Western Digital
2009-08-24 22:05 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 22:05 18,456 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 22:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 20:44 85,239 a------- C:\MGlogs.zip
2009-08-24 20:44 <DIR> --d----- C:\MGtools
2009-08-23 21:08 47,104 a------- c:\windows\system32\mcenspc.dll
2009-08-23 21:08 12,288 a------- c:\docume~1\matt\applic~1\ptssvc.exe
2009-08-21 21:57 2,560 a------- c:\windows\syssvc.exe
2009-08-21 21:37 12,032 a------- c:\windows\system32\iehelper.dll
2009-08-21 21:27 266,496 a------- C:\ccu.exe
2009-08-21 21:17 36,864 a------- c:\windows\system32\net.net
2009-08-21 21:07 784,567 a------- c:\windows\system32\xa.tmp
2009-08-02 01:54 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-02 01:54 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-01-04 13:05 22,328 a------- c:\docume~1\matt\applic~1\PnkBstrK.sys
2005-12-24 11:52 524,300 a------- c:\docume~1\matt\applic~1\position.bin
2005-11-20 21:45 8 ---sh--- c:\docume~1\matt\applic~1\GameShock.dat
2005-02-25 22:00 573,440 a------- c:\docume~1\matt\applic~1\arasan.exe
2005-02-25 21:21 1,179,648 a------- c:\docume~1\matt\applic~1\book.bin
2005-02-25 21:14 1,118,208 a------- c:\docume~1\matt\applic~1\arasanx.exe
2001-11-23 15:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 11:11:06.20 ===============


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:45 AM

Posted 26 August 2009 - 11:57 AM

Hi, h0micide :thumbup2:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    File::
    c:\windows\syssvc.exe
    c:\windows\system32\iehelper.dll
    C:\ccu.exe
    c:\windows\system32\net.net
    c:\windows\system32\xa.tmp
    c:\windows\system32\peyulufu.dll
    c:\docume~1\matt\locals~1\temp\fadpu16e.sys

    Driver::
    Fadpu16E

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

    Once saved, drag CFScript.txt onto ComboFix.exe.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
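The CFScript in the reply above encodes a triage of the DDS log: an extra LSA notification package, an extra security provider, a driver loading from a temp folder, and fresh loose files under the Windows directories. As an added example (not code from this thread, from DDS, or from ComboFix), the Python script below applies those same checks to a constructed excerpt of the log; the Windows XP baselines for LSA Notification Packages and SecurityProviders are assumptions for the example.

```python
import re

# Assumed stock Windows XP baselines (assumption for this example, not from the thread).
LSA_NOTIFY_BASELINE = {"scecli"}
SECURITY_PROVIDERS_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Directories where a freshly created loose file deserves a second look.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}

# DDS "SERVICES / DRIVERS" line: <R|S><n> name;description;path [date size]
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
# DDS "Created Last 30" line: date time size-or-<DIR> attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")

# Constructed excerpt built from lines quoted in the thread above.
SAMPLE_DDS_LOG = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Notification Packages = scecli c:\windows\system32\peyulufu.dll
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\matt\locals~1\temp\fadpu16e.sys --> c:\docume~1\matt\locals~1\temp\Fadpu16E.sys [?]
2009-08-21 21:57 2,560 a------- c:\windows\syssvc.exe
2009-08-21 21:17 36,864 a------- c:\windows\system32\net.net
2009-08-24 22:05 18,456 a------- c:\windows\system32\drivers\mbam.sys
2009-08-25 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Memeo
"""


def _split_csv(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def triage_dds(log_text):
    """Return (rule, detail) tuples for DDS lines that deviate from the baseline."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("SecurityProviders:"):
            for dll in _split_csv(line.split(":", 1)[1]):
                if dll not in SECURITY_PROVIDERS_BASELINE:
                    findings.append(("SecurityProviders", dll))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in LSA_NOTIFY_BASELINE:
                    findings.append(("LSA Notification Packages", pkg))
        elif (m := SERVICE_RE.match(line)):
            name, path = m.group(1), m.group(2)
            # Drivers in a temp folder, or whose file is missing ("[?]"), are suspect.
            if "\\temp\\" in path.lower() or path.endswith("[?]"):
                findings.append(("Service/driver", name))
        elif (m := CREATED_RE.match(line)):
            size, path = m.group(1), m.group(2)
            if size != "<DIR>" and path.lower().rsplit("\\", 1)[0] in WATCHED_DIRS:
                findings.append(("Recent file in system dir", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_dds(SAMPLE_DDS_LOG):
        print(f"{rule}: {detail}")
```

Every entry the script flags on the sample is one the reply's CFScript removes or resets; files under the drivers subfolder and directory entries are left alone.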


#3 h0micide

h0micide
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 26 August 2009 - 12:34 PM

I have done what you told me to do. When I pull the CFScript.txt and drop it on ComboFix.exe, it tries to start, but it seems like the process is terminated before it starts... I checked three times to make sure I did everything correctly, too. Thanks.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:45 AM

Posted 26 August 2009 - 02:30 PM

Download RootRepeal from one of the following locations and save it to your desktop: Link 1, Link 2, Link 3
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the insert link to insert the attachment into your post



#5 h0micide

h0micide
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 26 August 2009 - 04:00 PM

I'm sorry, but did you not read my first post? I said "every time I try to run rootrepeal my comp locks up and I am forced to hold the power button in until it shuts down..." What else can I do? Thanks.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:45 AM

Posted 26 August 2009 - 06:21 PM

Have you tried running RootRepeal in Safe Mode? We need to see what we are up against.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

    Files to delete:
    c:\windows\syssvc.exe
    c:\windows\system32\iehelper.dll
    C:\ccu.exe
    c:\windows\system32\net.net
    c:\windows\system32\xa.tmp
    c:\windows\system32\peyulufu.dll
    c:\docume~1\matt\locals~1\temp\fadpu16e.sys

    Driver to delete:
    Fadpu16E

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Edited by JSntgRvr, 26 August 2009 - 06:22 PM.



#7 h0micide

h0micide
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 27 August 2009 - 05:29 PM

I'm all set, guys. Thanks for your time.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:45 AM

Posted 27 August 2009 - 07:20 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
