I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:
Free DownloadFully Functional 30-day Trial. No credit card is required.
Reviews. EULA. Privacy Policy. Uninstall.
XPV3001.SYS – Trojan Agent removal
File | MD5 | Virus Alias |
---|---|---|
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan Agent |
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan SuspiciousFile |
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan Generic |
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan CI |
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan OnLineGames |
XPV3001.SYS | 81d5da189e2db7cc857cd5b05ce1ea67 | Trojan AVKill |
XPV3001.SYS size: 7680 bytes
XPV3001.SYS hash: 81D5DA189E2DB7CC857CD5B05CE1EA67
Created files:
C:\2777100.dll
C:\windows\system32\dllcache\ws2help.dll
C:\windows\system32\drivers\420a0a1f.sys
C:\windows\system32\drivers\xpV3001.sys
C:\windows\system32\ws2helpXP.dll
C:\windows\system32\wshtcpip.dll
C:\windows\Tasks\TespayServer.exe
C:\windows\temp\svohcst.exe
C:\windows\temp\temp1.exe
C:\windows\temp\temp2.exe
C:\windows\temp\temp3.exe
C:\windows\temp\temp4.exe
Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Download: C:\windows\temp\svohcst.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %WinDir%\System32\userinit.exe,%WinDir%\Tasks\TespayServer.exe|X- |2?`??|??
HKLM\System\CurrentControlSet\Services\420a0a1f\Type: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\Start: 02000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\DisplayName: 420a0a1f
HKLM\System\CurrentControlSet\Services\420a0a1f\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C00340032003000610030006100310066002E007300790073000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ProcessID: 7C160000
HKLM\System\CurrentControlSet\Services\BITS\My_Host_URL: http://67.198.201.29:600/1.txt
HKLM\System\CurrentControlSet\Services\neverdeath\Type: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\Start: 02000000
HKLM\System\CurrentControlSet\Services\neverdeath\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\DisplayName: neverdeath
HKLM\System\CurrentControlSet\Services\neverdeath\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C0078007000560033003000300031002E007300790073000000
HKLM\System\CurrentControlSet\Services\neverdeath\ProcessID: 7C160000
HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath: 43003A005C0032003700370037003100300030002E0064006C006C000000
HKLM\System\CurrentControlSet\Services\RpcSvc\Type: 10010000
HKLM\System\CurrentControlSet\Services\RpcSvc\Start: 02000000
HKLM\System\CurrentControlSet\Services\RpcSvc\DisplayName: Remote Procedure Call (RPC) Service
HKLM\System\CurrentControlSet\Services\RpcSvc\ImagePath: %SystemRoot%\System32\svchost.exe -k imgsvc
Detected by UnHackMe:
XPV3001.SYS
Default location: %SYSDIR%\DRIVERS\XPV3001.SYS
Dropper information:
MD5: 288a5cc1a2c387f8f28969df45fc0d30
File size: 456720 bytes