REALLY URGENT - Rootkit/malware infection on my (only) computer that I've been doing my homework on... PLEASE HELP


  • This topic is locked
2 replies to this topic

#1 darkred

Posted 13 April 2010 - 09:29 PM

I'm really sorry for this but I'm facing a HUGE problem this time:
my computer got infected a few hours ago by some kind of rootkit/malware
and the problem is that I can't do my homework for the university where I'm attending lessons (and its deadline is on Sunday)
and I don't have any other PC to work with.....
So, for the love of God PLEASE HELP ME.....


I've got XP SP3 fully updated.
I'm experiencing random/continuous hanging on almost all programs,
right-clicking on any file takes about 10 sec to show
or sometimes there's even an empty menu...
and when starting programs (even a command prompt or Notepad), it takes 3-5 sec to start...

I tried to run dds.scr but it goes on showing :::::: but never ending...
I also tried Combofix (downloading and saving it as comfix.exe)
and it finds these three files
in C:\DOCUME~1\user\LOCALS~1\temp
(dir from a command prompt)

14/04/2010 04:25 200.704 bytes 78296E40.nbp
14/04/2010 04:25 337.408 bytes 78296E41.nbp
14/04/2010 04:25 160.768 bytes 78296E42.nbp
tries to delete them,
but stays forever in 'Don't start any program until combofix log is created' stage
so the log is never created.

If I rightclick on each of these files I get these descriptions on the Version tab:

1st file 78296E40.nbp (196 kb): Editor de código HTML para Windows 32bits
2nd file 78296E41.nbp (330 kb): Editor de código HTML para Windows 32bits
3rd file 78296E432.nbp (157 KB): rlFunctions Plug-In for NeoBook for Windows

??????
I can't delete these files even with Unlocker.
I can however delete them when in safe mode
BUT when I reboot again normally these 3 files get recreated with some similar naming/numbering and always having the .nbp extension.
It's obvious that I've got malware


I also tried to run GMER but it hangs showing just a white empty window without even a title...

What I can only show is a log from Hijackthis 2.03 beta
and an Autoruns log.
(I've also run Unhackme, Malwarebytes Anti-Malware, Superantispyware & scanned with Kaspersky Internet Security 2010 but they find nothing.... )



Please help me - I'm desperate.....



PS. I've tried running OTC to cleanup Combofix, rebooting and running it again up to 5 times already,
but it always only finds these 3 files above, and can't really delete them...

Edited by darkred, 14 April 2010 - 02:06 AM.




#2 darkred


Posted 14 April 2010 - 04:06 AM

Luckily I tried countless things and I managed to remove whatever was doing this,
but can't be precise about what exactly it was.

Oh, and I noticed with the search function of Process Explorer
that these 3 files above were created upon each load of this file NumCapsScroll Indicator 7.0
so I can't explain it - maybe these files had nothing to do with my problem...


Anyway, case closed

Edited by darkred, 14 April 2010 - 04:13 AM.


#3 teacup61


Posted 16 April 2010 - 10:59 AM

Thanks for letting us know.

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.