mtwirl/tbc/spm1316 etc.

Discussion in 'Trojan Defence Suite' started by matricek, Dec 26, 2004.

Thread Status:
Not open for further replies.
  1. matricek

    matricek Registered Member

    Joined:
    Dec 26, 2004
    Posts:
    1
    Hi,

    I'm new here and I'm not sure if I posted my topic in the right place, but here it goes:

    I'm trying to deal with a backdoor trojan which changes my IE's startup site (to www.search-control.com), adds some toolbars etc. I've read some articles on this topic but I can't deal with it.

    I know that following dlls cause the damage:
    mtwirl.dll
    TBC.dll
    spm1316.dll
    eplrr3.dll

    I have NAV running in the background, but the only thing it detects is mtwirl.dll; however, it says it cannot be deleted. I checked C:\WINNT\system32 and the file was not present there.

    My firewall detects that some executables named tmpf00.exe, tmpf01.exe etc. try to connect to the internet (which of course I won't allow).

    My HijackThis log looks as follows:

    Logfile of HijackThis v1.99.0
    Scan saved at 14:20:28, on 2004-12-26
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\PcBoost\PcBoost.exe
    C:\Program Files\MemTurbo\MemTurbo.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\eDonkey2000\edonkey2000.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    C:\DOCUME~1\ROBERT~1\USTAWI~1\Temp\_tc\HIJACK~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=270
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=270
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINNT\system32\spm1316.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PcBoost] "C:\Program Files\PcBoost\PcBoost.exe" /start
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Usługa administracyjna Menedżera dysków logicznych - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    I know that items R0, O2 and O3 cause the damage and I ran a fix. Afterwards I ran Windows in safe mode and erased all of the above dlls and tmpfs.

    It seemed that it solved the problem: the toolbar disappeared and the startup site was not changing, but after a while mtwirl.dll was detected and the problem returned.

    Any ideas how to deal with the problem?
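An added example, not from the thread: a small Python parser for the HijackThis log format shown above. It flags the entries that name the DLLs and start-page host the poster listed, and additionally flags any entry registered under the same CLSID as a flagged one (the O2 BHO and O3 toolbar in the log share one). The sample lines are copied from the posted log; the regular expressions and the known-bad lists are my own assumptions.

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.search-control.com/search.cgi?id=270
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\\WINNT\\system32\\TBC.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\\WINNT\\system32\\spm1316.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\\WINNT\\system32\\TBC.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup
"""

# Files and host the poster identified as belonging to the hijacker (assumed list).
KNOWN_BAD_FILES = {"mtwirl.dll", "tbc.dll", "spm1316.dll", "eplrr3.dll"}
KNOWN_BAD_HOSTS = {"www.search-control.com"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")   # e.g. "O2 - BHO: ..."
FILE_RE = re.compile(r"[\w~.\-]+\.(?:dll|exe)\b", re.IGNORECASE)  # file names in the entry
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a HijackThis log into entries: section, body, file names and CLSID (if any)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, 'Running processes' block and blank lines are skipped
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({"section": m.group("section"), "body": body,
                        "files": FILE_RE.findall(body),
                        "clsid": clsid.group(0).upper() if clsid else None})
    return entries


def flag_entries(entries):
    """Return (entry, reason) pairs: known-bad file/host hits first, then any entry that
    shares a CLSID with a hit (the toolbar and BHO above are registered under one CLSID)."""
    flagged = []
    for e in entries:
        bad = [f for f in e["files"] if f.lower() in KNOWN_BAD_FILES]
        if bad:
            flagged.append((e, "known-bad file " + bad[0]))
        elif any(h in e["body"].lower() for h in KNOWN_BAD_HOSTS):
            flagged.append((e, "points at known-bad host"))
    bad_clsids = {e["clsid"] for e, _ in flagged if e["clsid"]}
    done = {id(e) for e, _ in flagged}
    flagged += [(e, "shares CLSID " + e["clsid"]) for e in entries
                if id(e) not in done and e["clsid"] in bad_clsids]
    return flagged
```

Run `flag_entries(parse_hjt(SAMPLE_LOG))` to get the four R0/O2/O3 entries from the log with a reason each; the NvCpl O4 line is left alone.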
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    We have discontinued the general HijackThis log analysis service here at Wilders. See this announcement for a list of other sites that still perform this function:

    https://www.wilderssecurity.com/showthread.php?t=42148

    You'll need to go to one of those sites to get a log review done.
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK