Malware found, chkdsk problems


  • This topic is locked
5 replies to this topic

#1 jayhawk85

jayhawk85

  • Members
  • 15 posts

Posted 29 September 2009 - 06:59 PM

I'm a newbie to the forums with somewhat limited knowledge, but I have been roaming around trying to figure out how to solve my particular issue... and finally decided to post.

I am sure this question has been asked a lot, and I tried searching the forums, but I am having a hard time getting my browser to work properly because of malware.

Here is the issue:
I have a Dell Inspiron 9300. Have had it for about 4-5 years. Recently started slowing down quite a bit, so I ran some scans with Avast and Malwarebytes. The Malwarebytes scan came back with quite a few infections (including rootkit and vundo). It asked me to clean the infections, which I opted to do, and it suggested it needs to restart the computer for the malware to be completely removed.

Once it restarted, Windows started to load, and it gave me a blue screen that was running CHKDSK. Stage 1 of 3 completed just fine, but in stage 2 when checking indexes, the computer automatically restarts after reaching about 15-17%. So then I decided to restart with the last working configuration, and it boots up, but I am getting popups and the machine is very slow.

Like I mentioned, I am kind of a newbie, so I was not sure exactly what to do and any help will be appreciated.

Thanks


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 29 September 2009 - 09:00 PM

Let's verify the presence of a rootkit...

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop. [screenshot]
  • Click the tab shown in the screenshot. [screenshot]
  • Click the button shown in the screenshot. [screenshot]
  • Check all seven boxes. [screenshot]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button shown in the screenshot. [screenshot] Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 jayhawk85

jayhawk85
  • Topic Starter

  • Members
  • 15 posts

Posted 29 September 2009 - 09:20 PM

Thanks for your response. I ran the rootkit scan, here is the log:

Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFC5D000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f746b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f74574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f74a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f7414c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f7464e

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f7476e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f7472e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f748ae

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkykxfonpgl.dll]
Process: svchost.exe (PID: 1276) Address: 0x00800000 Size: 53248

Hidden Services
-------------------
Service Name: gasfkyvrylkutc
Image Path: C:\WINDOWS\system32\drivers\gasfkyxtdhmeyn.sys

==EOF==

Thank you

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 29 September 2009 - 09:34 PM

It's there... We need to move you to the HJT forum for advanced help.

Please follow this guide from step (6). Post a DDS log to the HJT/Malware forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
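Rigel reads the RootRepeal log above and concludes "It's there". The script below, added here as an illustration and not part of the thread or of RootRepeal itself, makes that reading mechanical: it parses the SSDT, Stealth Objects and Hidden Services sections of a RootRepeal report, treats SSDT hooks placed by a known security driver as expected (aswSP.SYS is the self-protection driver of the Avast product the poster runs), and flags hidden modules and hidden services, which are the findings those two sections exist to surface. The allow-list of legitimate hooking drivers is an assumption an analyst would maintain, and the embedded sample log is an abridged copy of the one posted earlier in the thread.

```python
import os
import re
from collections import defaultdict

# Abridged copy of the RootRepeal log posted earlier in this thread, embedded
# so the script runs offline. The leading blank line is ignored by the parser.
SAMPLE_LOG = r"""
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0D000 Size: 8192 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f746b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f74574

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1f748ae

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkykxfonpgl.dll]
Process: svchost.exe (PID: 1276) Address: 0x00800000 Size: 53248

Hidden Services
-------------------
Service Name: gasfkyvrylkutc
Image Path: C:\WINDOWS\system32\drivers\gasfkyxtdhmeyn.sys

==EOF==
"""

# Assumption: an analyst-maintained allow-list of drivers that legitimately hook
# the SSDT. aswSP.SYS is Avast's self-protection driver, which the poster runs.
KNOWN_SECURITY_HOOKERS = {"aswsp.sys"}

SECTION_HEADERS = {"Drivers", "Files", "Processes", "SSDT", "Stealth Objects",
                   "Hidden Services", "Shadow SSDT"}

FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
HIDDEN_MOD_RE = re.compile(r"Object: Hidden Module \[Name: ([^\]]+)\]")
PROCESS_RE = re.compile(r"^Process:\s*(\S+)\s+\(PID:\s*(\d+)\)")
SERVICE_RE = re.compile(r"^Service Name:\s*(\S+)")
IMAGE_RE = re.compile(r"^Image Path:\s*(.+)$")


def parse_rootrepeal(text):
    """Walk the log line by line, tracking which section header is active."""
    report = {"ssdt_hooks": [], "hidden_modules": [], "hidden_services": []}
    section = None
    pending = None  # first half of a two-line entry, waiting for its second line
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section, pending = line, None
            continue
        if section == "SSDT":
            m = FUNC_RE.match(line)
            if m:
                pending = (int(m.group(1)), m.group(2))
                continue
            m = HOOK_RE.search(line)
            if m and pending:
                idx, func = pending
                report["ssdt_hooks"].append({"index": idx, "function": func,
                                             "module": m.group(1), "address": m.group(2)})
                pending = None
        elif section == "Stealth Objects":
            m = HIDDEN_MOD_RE.search(line)
            if m:
                pending = m.group(1)
                continue
            m = PROCESS_RE.match(line)
            if m and pending:
                report["hidden_modules"].append({"name": pending, "process": m.group(1),
                                                 "pid": int(m.group(2))})
                pending = None
        elif section == "Hidden Services":
            m = SERVICE_RE.match(line)
            if m:
                pending = m.group(1)
                continue
            m = IMAGE_RE.match(line)
            if m and pending:
                report["hidden_services"].append({"name": pending, "image": m.group(1)})
                pending = None
    return report


def assess(report):
    """Return (rootkit_suspected, findings) for a parsed report."""
    findings = []
    hooks_by_module = defaultdict(list)
    for h in report["ssdt_hooks"]:
        hooks_by_module[h["module"]].append(h["function"])
    for module, funcs in hooks_by_module.items():
        base = os.path.basename(module.replace("\\", "/")).lower()
        if base in KNOWN_SECURITY_HOOKERS:
            findings.append(f"benign: {base} (security product) hooks {len(funcs)} SSDT entries")
        else:
            findings.append(f"SUSPICIOUS: unknown driver {module} hooks {', '.join(funcs)}")
    for m in report["hidden_modules"]:
        findings.append(f"SUSPICIOUS: hidden module {m['name']} inside {m['process']} (PID {m['pid']})")
    for s in report["hidden_services"]:
        findings.append(f"SUSPICIOUS: hidden service {s['name']} -> {s['image']}")
    # Hidden objects whose names share a prefix usually belong to one infection.
    hidden_names = ([m["name"] for m in report["hidden_modules"]]
                    + [s["name"] for s in report["hidden_services"]]
                    + [os.path.basename(s["image"].replace("\\", "/")) for s in report["hidden_services"]])
    prefix = os.path.commonprefix([n.lower() for n in hidden_names]) if len(hidden_names) > 1 else ""
    if len(prefix) >= 4:
        findings.append(f"note: hidden objects share the name prefix '{prefix}'")
    return any(f.startswith("SUSPICIOUS") for f in findings), findings


if __name__ == "__main__":
    suspected, notes = assess(parse_rootrepeal(SAMPLE_LOG))
    print("rootkit suspected:", suspected)
    for note in notes:
        print(" ", note)
```

On the thread's log this reports the Avast hooks as expected and raises three suspicious findings (the hidden DLL in svchost.exe, the hidden service, and its driver), plus the observation that all three hidden names share the prefix "gasfky", which is why the helper treated them as one infection rather than three unrelated oddities.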


#5 jayhawk85

jayhawk85
  • Topic Starter

  • Members
  • 15 posts

Posted 29 September 2009 - 10:59 PM

Thank you for your help. I have followed your directions and posted in the other forum

Thanks once again

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 30 September 2009 - 05:30 PM

:thumbsup: You are welcome. Now that you have posted a successful log in the HJT forum, please follow only the instructions of the helper that takes your log.

Best wishes...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith