Fake Nvsvc.exe 97% threat in Security Task Manager



#1 rmh1183

Posted 21 August 2009 - 03:23 PM

Hi, recently I moved to a new apartment and the first day I was on the network I discovered a couple of strange .exe files around my computer. I was stupid enough to click on one called "games.exe" that showed up in my shared network places folder, and since then I've had strange problems. For starters, the main symptom is that most non-Microsoft .exe files have changed color quality to about 16 colors, and not just on the desktop, but EVERYWHERE on my computer (even the miniature icons in the start menu). What I have discovered is that clicking on any of these programs starts up a process called "Nvsvc32.exe" that causes my regular task manager to close immediately upon opening, and also makes my computer and internet unbearably slow. I can easily end this process using Security Task Manager, which sees this process as a 97% threat, but it starts back up any time any of the infected icons are accessed, either directly or indirectly. I understand that the real "Nvsvc32.exe" is an Nvidia driver file of some sort; this is merely a disguise that some sort of virus or worm is using. I have found the malicious and self-regenerating .exe file in my C:\WINDOWS\system32\drivers folder, whereas the real "nvsvc32.exe" should and does reside in the C:\WINDOWS\system32 folder. I have spent several days searching the internet for these symptoms, but since all I really have to go off of is this fake .exe name, which I assume is never the same for two people, I'm having a really hard time destroying this bug. Any and all help is greatly appreciated. Thanks,
Ross

P.S. This is the text contained within the file, which will hopefully help in identifying the type of bug this is. Sorry for the length.


Edited by rmh1183, 21 August 2009 - 03:30 PM.
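The situation Ross describes, a process carrying the legitimate name nvsvc32.exe but running from system32\drivers instead of system32, is name-and-location masquerading, and a responder can triage it by comparing each process's image path against the directory where that name belongs. The following added example is not from the thread or its posters: the expected-directory table, the svchost.exe entry and the PIDs and paths in the sample inventory are constructed assumptions, and the one-edit look-alike check generalizes beyond the exact-name case in the post.

```python
import ntpath
from typing import List, Optional, Tuple

# Protected name -> directories (lowercase, backslashes) where it legitimately
# lives. nvsvc32.exe is from the thread; svchost.exe is a constructed entry.
EXPECTED_DIRS = {"nvsvc32.exe": {r"c:\windows\system32"},
                 "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}

# Constructed inventory of (pid, image path), as a tasklist or EDR export
# might give it: the real driver helper, the copy from the thread's drivers
# folder, a transposed look-alike and an unrelated process.
SAMPLE_PROCESSES = [(1204, r"C:\WINDOWS\system32\nvsvc32.exe"),
                    (3388, r"C:\WINDOWS\system32\drivers\Nvsvc32.exe"),
                    (3412, r"C:\WINDOWS\Temp\nvscv32.exe"),
                    (900, r"C:\Program Files\Foo\foo.exe")]


def damerau_distance(a: str, b: str) -> int:
    """Edits (insert, delete, replace, adjacent swap) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(image_path: str) -> Optional[str]:
    """Reason string if the image path looks like a masquerade, else None."""
    directory, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name in EXPECTED_DIRS:  # exact name: only the location can be wrong
        if directory in EXPECTED_DIRS[name]:
            return None
        return f"{name} outside expected {sorted(EXPECTED_DIRS[name])}"
    for known in EXPECTED_DIRS:  # look-alike: one typo or swap away
        if name.endswith(".exe") and damerau_distance(name, known) == 1:
            return f"{name} is one edit away from {known}"
    return None


def scan(processes: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process whose image path is suspect."""
    return [(pid, r) for pid, p in processes for r in [classify(p)] if r]


if __name__ == "__main__":
    for pid, why in scan(SAMPLE_PROCESSES):
        print(pid, "->", why)
```

On a live host the inventory would come from the process list rather than the constructed sample, and a hit is a lead to verify (signature, hash, parent process), not a verdict on its own.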


#2 schrauber

  • Malware Response Team

Posted 01 September 2009 - 11:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 harrythook

  • Security Colleague

Posted 12 September 2009 - 05:57 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE
