May 18, 2013, 12:36:28 PM
Welcome to the Comodo Forum
Topic: a bug found, I can't find a solution (Read 9976 times)
goved (Newbie, Posts: 18)
« on: December 25, 2011, 03:12:49 AM »

Hi, I have something in my PC that doesn't allow it to work properly. Some parts of the start menu disappeared, the screen is blue (it has a picture on the desktop), some Office documents can't be opened, and there are some Office documents that are renamed but not by me. If I try to delete them they appear again or even can't be deleted. I use Windows XP Pro version 2002, SP3, and have two accounts: an administrative one and a user one. Found an archived file in directory D: which can't be deleted; it says "it is used by another program". MBAM scanning didn't find anything wrong. Any help?
wasgij6 (Global Moderator, Comodo's Hero, Posts: 3062)
« Reply #1 on: December 25, 2011, 03:36:04 AM »

Try following this guide to see if you are infected.
| Win 7 Ultimate (x32) SP1; Admin | UAC Disabled | CIS 6.1.276867.2813 | CD 26.2 | CID 20.0.1 | VMWare Workstation; XP (x32), 7 (x64) |

goved (Newbie, Posts: 18)
« Reply #2 on: December 25, 2011, 04:01:30 AM »

I can't start the KillSwitch program. I've used Defogger. Is that the reason KillSwitch fails to load?
wasgij6 (Global Moderator, Comodo's Hero, Posts: 3062)
« Reply #3 on: December 25, 2011, 04:16:22 AM »

Are you getting an error when trying to run it? Malware might be preventing it from running.

Try holding the Shift key when you double-click KillSwitch. That will run it in aggressive mode.
goved (Newbie, Posts: 18)
« Reply #4 on: December 25, 2011, 04:52:24 AM »

I did it, there are no unsafe applications. When I ran autorun.exe there were 46 unsafe items.
goved (Newbie, Posts: 18)
« Reply #5 on: December 25, 2011, 05:01:43 AM »

Also my ClamWin scanner found SymbOS.Spy.Smsanywhere.
wasgij6 (Global Moderator, Comodo's Hero, Posts: 3062)
« Reply #6 on: December 25, 2011, 01:33:30 PM »

It's hard to say what's going on here.

It sounds like your computer is infected but nothing can be found. The only thing I can think of is to try Kaspersky Rescue Disk.

Maybe someone else can give some more insight into the problem.
Chiron (Global Moderator, Comodo's Hero, Posts: 5563)
« Reply #7 on: December 26, 2011, 12:12:08 AM »

Did Kaspersky TDSSKiller find any problems?

Also, did you check out the files you found with Comodo Autoruns? If so then please post links to the Valkyrie results.

Thanks.
goved (Newbie, Posts: 18)
« Reply #8 on: December 26, 2011, 03:17:30 AM »

TrueSight         FLS.Unknown   C:\WINDOWS\system32\drivers\TrueSight.sys

00nView   NVIDIA Desktop Explorer, Version 110.49    NVIDIA Corporation   FLS.Unknown   C:\WINDOWS\system32\nvshell.dll

These are files recognized as unsafe by the Autorun analyzer. The second one is reported 99.9% normal by Valkyrie and only one detector reports it as malware. For the first file Valkyrie says that it is an active process, unknown final result.
TDSS didn't find anything wrong. I ran COMODO's cloud scanner; it found some problems but still I don't delete them.
goved (Newbie, Posts: 18)
« Reply #9 on: December 26, 2011, 04:06:40 AM »

I did a scan with Sergiva portable toolkit. It found Trojan DownloaderWin32.Agent.au. This is located in Adobe\reader\ExtendScript.dll.
EricJH (Global Moderator, Comodo's Hero, Posts: 16652)
« Reply #10 on: December 26, 2011, 10:45:27 AM »

Run the GMER anti-rootkit scanner and post a screenshot of it. It is best to download the .exe file. The site will then send you the scanner with a random name.

Also let Hitman Pro, Super Antispyware, Spybot Search and Destroy, McAfee Stinger and Norton Power Eraser scan to see if they come up with something.
goved (Newbie, Posts: 18)
« Reply #11 on: December 27, 2011, 02:23:35 AM »

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-20 10:37:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-14 WDC_WD6400AAKS-08A7B0 rev.01.03B01
Running: gmer.exe; Driver: C:\DOCUME~1\User1\LOCALS~1\Temp\pxtdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                             section is writeable [0xBA040360, 0x2456AE, 0xE8000020]
?      C:\DOCUME~1\User1\LOCALS~1\Temp\mbr.sys                                                              The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtCreateFile + 6               7C90D0B4 4 Bytes  [28, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtCreateFile + B               7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtMapViewOfSection + 6         7C90D524 1 Byte  [28]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtMapViewOfSection + 6         7C90D524 4 Bytes  [28, 03, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtMapViewOfSection + B         7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenFile + 6                 7C90D5A4 4 Bytes  [68, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenFile + B                 7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcess + 6              7C90D604 4 Bytes  [A8, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcess + B              7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcessToken + 6         7C90D614 4 Bytes  CALL 7B90EC1A
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcessToken + B         7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcessTokenEx + 6       7C90D624 4 Bytes  [A8, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenProcessTokenEx + B       7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThread + 6               7C90D664 4 Bytes  [68, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThread + B               7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThreadToken + 6          7C90D674 4 Bytes  [68, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThreadToken + B          7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThreadTokenEx + 6        7C90D684 4 Bytes  CALL 7B90EC8B
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtOpenThreadTokenEx + B        7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtQueryAttributesFile + 6      7C90D714 4 Bytes  [A8, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtQueryAttributesFile + B      7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90EDB9
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtSetInformationFile + 6       7C90DC64 4 Bytes  [28, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtSetInformationFile + B       7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtSetInformationThread + 6     7C90DCB4 4 Bytes  [28, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtSetInformationThread + B     7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtUnmapViewOfSection + 6       7C90DF14 1 Byte  [68]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtUnmapViewOfSection + 6       7C90DF14 4 Bytes  [68, 03, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtUnmapViewOfSection + B       7C90DF19 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtCreateFile + 6               7C90D0B4 4 Bytes  [28, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtCreateFile + B               7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtMapViewOfSection + 6         7C90D524 1 Byte  [28]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtMapViewOfSection + 6         7C90D524 4 Bytes  [28, 03, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtMapViewOfSection + B         7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenFile + 6                 7C90D5A4 4 Bytes  [68, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenFile + B                 7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcess + 6              7C90D604 4 Bytes  [A8, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcess + B              7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessToken + 6         7C90D614 4 Bytes  CALL 7B90EC1A
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessToken + B         7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessTokenEx + 6       7C90D624 4 Bytes  [A8, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessTokenEx + B       7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThread + 6               7C90D664 4 Bytes  [68, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThread + B               7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThreadToken + 6          7C90D674 4 Bytes  [68, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThreadToken + B          7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThreadTokenEx + 6        7C90D684 4 Bytes  CALL 7B90EC8B
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenThreadTokenEx + B        7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtQueryAttributesFile + 6      7C90D714 4 Bytes  [A8, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtQueryAttributesFile + B      7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90EDB9
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtSetInformationFile + 6       7C90DC64 4 Bytes  [28, 01, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtSetInformationFile + B       7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtSetInformationThread + 6     7C90DCB4 4 Bytes  [28, 02, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtSetInformationThread + B     7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtUnmapViewOfSection + 6       7C90DF14 1 Byte  [68]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtUnmapViewOfSection + 6       7C90DF14 4 Bytes  [68, 03, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtUnmapViewOfSection + B       7C90DF19 1 Byte  [E2]

---- EOF - GMER 1.0.15 ----
EricJH (Global Moderator, Comodo's Hero, Posts: 16652)
« Reply #12 on: December 27, 2011, 12:49:11 PM »

GMER detects only Chrome, which is expected as Chrome runs its tabs as sandboxed processes.

Did the other scanners bring any solace to your situation?
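As an added example (not code from the thread, from GMER or from Comodo), a small Python triage helper that parses the "User code sections" lines of a GMER log like the one posted above, groups the hooked exports by process, and separates processes known to patch ntdll in their own address space (Chrome's sandbox, as EricJH notes) from anything else that deserves a closer look. The allow-list and the svchost.exe line in the sample are constructed for illustration and are not from the posted log.

```python
import re
from collections import defaultdict

# One GMER "User code sections" line: section, image[pid], module!export + offset,
# address, patch length, patched bytes (or a decoded CALL target).
HOOK_LINE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)\s*\+\s*(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)

# Assumed allow-list: processes that patch ntdll in their own address space
# by design. Chrome's sandbox interposes on these NT calls in its tab processes.
EXPECTED_SELF_HOOKERS = {"chrome.exe"}

# Constructed sample: four lines copied from the thread plus one made-up
# svchost.exe line (address and bytes are placeholders) to show how an
# unexpected hook is surfaced.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtCreateFile + 6               7C90D0B4 4 Bytes  [28, 00, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3224] ntdll.dll!NtCreateFile + B               7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessToken + 6         7C90D614 4 Bytes  CALL 7B90EC1A
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3324] ntdll.dll!NtOpenProcessToken + B         7C90D619 1 Byte  [E2]
.text  C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtQueryDirectoryFile + 6  7C90D750 4 Bytes  [00, 00, 00, 00]
"""

def parse_user_hooks(text):
    """Return one dict per hooked export found in the user code section."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, kernel entries
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        h["process"] = h["image"].rsplit("\\", 1)[-1].lower()
        hooks.append(h)
    return hooks

def triage(hooks):
    """Group hooked exports by (process, pid); split expected from review."""
    by_proc = defaultdict(set)
    for h in hooks:
        by_proc[(h["process"], h["pid"])].add(f"{h['module']}!{h['symbol']}")
    expected, review = {}, {}
    for key, syms in by_proc.items():
        (expected if key[0] in EXPECTED_SELF_HOOKERS else review)[key] = sorted(syms)
    return expected, review
```

Anything landing in the review bucket is a process patching ntdll exports with no known reason to do so, which is where a responder would start.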
goved (Newbie, Posts: 18)
« Reply #13 on: December 30, 2011, 03:48:26 PM »

After Dr.Web scanning I found trojan.MulDrop. Any solutions?
EricJH (Global Moderator, Comodo's Hero, Posts: 16652)
« Reply #14 on: December 30, 2011, 08:16:15 PM »

What file(s) and registry keys make this trojan according to Dr.Web? Can you post a screenshot of the Dr.Web results?