
Possibly Infected (computer runs suuuuuper slow and locks up often)


  • This topic is locked
3 replies to this topic

#1 emohan

emohan

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:49 AM

Posted 04 January 2010 - 04:02 PM

Please help, I have a Dell laptop that likes to lock up, and when it isn't locked up it runs slow. I appreciate any help!

Here is my RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/31 10:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xB0B92000 Size: 851968 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB48D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\jhaas\local settings\temp\~dfdf14.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\jhaas\local settings\temp\~dff34f.tmp
Status: Allocation size mismatch (API: 40960, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_695.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_698.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8afe5238

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8b002a08

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8b03d0d8

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8b03a0b0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8b03d2a8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8b002990

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8b035238

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8af0b270

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b03c2c0

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8affc2c8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8affb1a0

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8afd1a90

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8b01f3c8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8afd4768

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8b039270

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8b021c48

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8b02f198

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8b0301b8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8affd558

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b03c338

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a3520d0 Size: 3889

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a375768 Size: 302

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8a36c400 Size: 682

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8a2994b8 Size: 832

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8a323358 Size: 227

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4d5b68 Size: 1177

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a474520 Size: 1029

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a302e38 Size: 195

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8a3320d0 Size: 3662

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f90b88 Size: 480

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a32c1a8 Size: 542

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8af358f0 Size: 1809

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8af37f20 Size: 224

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a55de70 Size: 400

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a557700 Size: 2305

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8af3afa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a33d2e0 Size: 3159

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a361630 Size: 802

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8a360310 Size: 3313

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a360608 Size: 2553

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a2ac498 Size: 2730

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a2a21f8 Size: 3593

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a2b91a8 Size: 3673

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a27d498 Size: 315

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a3cc7a8 Size: 704

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a2b96c0 Size: 2369

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a35f0d8 Size: 1793

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89f960d8 Size: 2180

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x85db0b80

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85dee5c8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85e9f798

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x85e9f720

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86024200

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85d882f8

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85db0bf8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a2c0470

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8a2ddc00

==EOF==


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:09:49 AM

Posted 04 January 2010 - 09:54 PM

Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 emohan

emohan
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:49 AM

Posted 05 January 2010 - 10:54 AM

garmanma,

Thanks for the reply... I will go ahead and post the info on the site you have listed.

Have a good day! :thumbsup:

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:09:49 AM

Posted 05 January 2010 - 07:17 PM

Good luck, and please be patient waiting for a response.
Topic is closed.
Mark
