XPV3001.SYS – Trojan Agent

XPV3001.SYS – Trojan Agent removal

File         MD5                               Virus Alias
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan Agent
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan SuspiciousFile
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan Generic
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan CI
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan OnLineGames
XPV3001.SYS  81d5da189e2db7cc857cd5b05ce1ea67  Trojan AVKill

XPV3001.SYS size: 7680 bytes
XPV3001.SYS hash: 81D5DA189E2DB7CC857CD5B05CE1EA67

Created files:

C:\1851700.dll
C:\windows\system32\dllcache\ws2help.dll
C:\windows\system32\drivers\420a0a1f.sys
C:\windows\system32\drivers\xpV3001.sys
C:\windows\system32\RpcSvc.psd
C:\windows\system32\ws2helpXP.dll
C:\windows\system32\wshtcpip.dll
C:\windows\temp\svohcst.exe
C:\windows\temp\temp1.exe
C:\windows\temp\temp2.exe
C:\windows\temp\temp3.exe

Autostart registry keys (DWORD values are shown as little-endian hex, string values as UTF-16LE hex; decoded meaning added in parentheses):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Download: C:\windows\temp\svohcst.exe
HKLM\System\CurrentControlSet\Services\420a0a1f\Type: 01000000 (1 = SERVICE_KERNEL_DRIVER)
HKLM\System\CurrentControlSet\Services\420a0a1f\Start: 02000000 (2 = SERVICE_AUTO_START)
HKLM\System\CurrentControlSet\Services\420a0a1f\ErrorControl: 01000000 (1 = SERVICE_ERROR_NORMAL)
HKLM\System\CurrentControlSet\Services\420a0a1f\DisplayName: 420a0a1f
HKLM\System\CurrentControlSet\Services\420a0a1f\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C00340032003000610030006100310066002E007300790073000000 (decodes to \??\C:\WINDOWS\system32\drivers\420a0a1f.sys)
HKLM\System\CurrentControlSet\Services\420a0a1f\ProcessID: 50110000 (0x1150 = 4432)
HKLM\System\CurrentControlSet\Services\neverdeath\Type: 01000000 (1 = SERVICE_KERNEL_DRIVER)
HKLM\System\CurrentControlSet\Services\neverdeath\Start: 02000000 (2 = SERVICE_AUTO_START)
HKLM\System\CurrentControlSet\Services\neverdeath\ErrorControl: 01000000 (1 = SERVICE_ERROR_NORMAL)
HKLM\System\CurrentControlSet\Services\neverdeath\DisplayName: neverdeath
HKLM\System\CurrentControlSet\Services\neverdeath\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C0078007000560033003000300031002E007300790073000000 (decodes to \??\C:\WINDOWS\system32\drivers\xpV3001.sys)
HKLM\System\CurrentControlSet\Services\neverdeath\ProcessID: 50110000 (0x1150 = 4432)
HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath: 43003A005C0031003800350031003700300030002E0064006C006C000000 (decodes to C:\1851700.dll)
HKLM\System\CurrentControlSet\Services\RpcSvc\Type: 10010000 (0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
HKLM\System\CurrentControlSet\Services\RpcSvc\Start: 02000000 (2 = SERVICE_AUTO_START)
HKLM\System\CurrentControlSet\Services\RpcSvc\DisplayName: Remote Procedure Call (RPC) Service
HKLM\System\CurrentControlSet\Services\RpcSvc\ImagePath: %SystemRoot%\System32\svchost.exe -k imgsvc

Detected by UnHackMe:

XPV3001.SYS
Default location: %SYSDIR%\DRIVERS\XPV3001.SYS

Dropper information:
MD5: e38a119271ba37174bd3f6fba74af4dc
File size: 440332 bytes