mtwirl/tbc/spm1316 etc.

Discussion in 'Trojan Defence Suite' started by matricek, Dec 26, 2004.

Thread Status:
Not open for further replies.
  1. matricek

    matricek Registered Member

    Joined:
    Dec 26, 2004
    Posts:
    1
    Hi,

    I'm new here and I'm not sure if I posted my topic in the right place, but here it goes:

    I'm trying to deal with a backdoor trojan which changes my IE's startup site (to www.search-control.com), adds some toolbars etc. I've read some articles on this topic but I can't deal with it.

    I know that following dlls cause the damage:
    mtwirl.dll
    TBC.dll
    spm1316.dll
    eplrr3.dll

    I have NAV running in the background, but the only thing that it detects is mtwirl.dll; however, it says it cannot be deleted. I checked C:\WINNT\system32 and the file was not present there.

    My firewall detects that some executables named tmpf00.exe, tmpf01.exe etc. try to connect to the internet (which of course I won't allow).

    My HijackThis log looks as follows:

    Logfile of HijackThis v1.99.0
    Scan saved at 14:20:28, on 2004-12-26
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\PcBoost\PcBoost.exe
    C:\Program Files\MemTurbo\MemTurbo.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\eDonkey2000\edonkey2000.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    C:\DOCUME~1\ROBERT~1\USTAWI~1\Temp\_tc\HIJACK~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=270
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=270
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINNT\system32\spm1316.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PcBoost] "C:\Program Files\PcBoost\PcBoost.exe" /start
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Usługa administracyjna Menedżera dysków logicznych - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    I know that items R0, O2 and O3 cause the damage and I ran a fix. Afterwards I ran my Windows in safe mode, and erased all of the above dlls and tmpfs.

    It seemed that it solved the problem: the toolbar disappeared and the startup site was not changing, but after a while mtwirl.dll was detected again and the problem returned.

    Any ideas how to deal with the problem?
     
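The log format quoted in the post above, as an added example that is not part of the original thread and not HijackThis's own code: a small parser for its R0/O2/O3 lines plus a triage pass that cross-references them, so a reviewer can see at a glance which host the start page points at and which CLSID is registered both as a BHO (O2) and as a toolbar (O3), which is exactly how TBC.dll appears in this log. The sample lines are copied from the post; the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=270
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINNT\system32\spm1316.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINNT\system32\TBC.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
""".strip()

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")
REG_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
COM_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def parse_hjt(text):
    """Turn HijackThis log lines into dicts keyed by entry code (R0, O2, O3, ...)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no entry code
        entry = {"code": m["code"], "raw": line.strip()}
        if m["code"].startswith("R"):      # registry value: hive\key,name = data
            r = REG_RE.match(m["rest"])
            if r:
                entry.update(r.groupdict())
        elif m["code"] in ("O2", "O3"):    # COM object: kind: name - {CLSID} - path
            c = COM_RE.match(m["rest"])
            if c:
                entry.update(c.groupdict())
        entries.append(entry)
    return entries


def triage(entries):
    """Hosts the R-entries point at, CLSIDs seen as both BHO and toolbar, and BHO DLL paths."""
    hosts = {urlparse(e["data"]).hostname for e in entries
             if e["code"].startswith("R") and e.get("data", "").startswith("http")}
    by_kind = {"O2": set(), "O3": set()}
    for e in entries:
        if e["code"] in by_kind and "clsid" in e:
            by_kind[e["code"]].add(e["clsid"].upper())
    bho_dlls = [e["path"] for e in entries if e["code"] == "O2" and "path" in e]
    return {"hosts": hosts, "shared_clsids": by_kind["O2"] & by_kind["O3"], "bho_dlls": bho_dlls}


if __name__ == "__main__":
    print(triage(parse_hjt(SAMPLE_LOG)))
```

Feeding the full log instead of the sample gives the same three lists for the whole machine; anything in `bho_dlls` that is not a known, signed component is the first thing to look at.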
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    65,367
    Location:
    Texas
    We have discontinued the general HijackThis log analysis service here at Wilders. See this announcement for a list of other sites that still perform this function:

    https://www.wilderssecurity.com/showthread.php?t=42148

    You'll need to go to one of those sites to get a log review done.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK