sxe6.tmp – trojan Banload

Dmitry Sokolov recommends his nice removal tool: UnHackMe



Is the file sxe6.tmp located on your computer? Then your computer is infected.
We highly recommend that you remove sxe6.tmp from your computer as soon as possible.
sxe6.tmp is a Trojan/Backdoor.
Kill the sxe6.tmp process and remove sxe6.tmp from Windows startup.

Malware Analysis of sxe6.tmp
Executed: FOTOS_DSC03764_JPG.exe
Removed: sxe6.tmp Full path: C:\sxe6.tmp

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: trs.sys
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\TRS.SYS
Type: Drivers

Item Name: sxe6.tmp
Author: USB_2011
Related File: C:\SXE6.TMP
Type: Registry Run

Item Name: ctfmonn.exe
Author: USB_2011
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Item Name:
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe
Value:
"C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe"

Registry:
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath
Value:
"system32\drivers\trs.sys"

Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp
Value:
"c:\sxe6.tmp"

Folders:
Files:
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.16440.0   2011.03.23    -
Microsoft   1.6702        2011.03.25    TrojanDownloader:Win32/Delf.ZWQ
NOD32       5985          2011.03.25    probably a variant of Win32/TrojanDownloader.Banload.ORL

—————————————————————————————————————————-

MD5 4c8cf2434cfc6aee9bfbd53cc082edc1

SHA1 b43e6e31c099d59f0227f087e6fbe52f410cacc3

SHA256 228cfa532b5a2dd0a0d12911b782e38b8a90ff386288b78ff28486b92aa45d16

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys, registry values and files:

———————————-
Keys added: 6
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000
HKLM\System\CurrentControlSet\Services\pelodlo
HKLM\System\CurrentControlSet\Services\pelodlo\Security
HKCU\ctfmonn
HKCU\EnableLUA

———————————-
Values added: 19
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Service: "pelodlo"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\DeviceDesc: "putit"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\pelodlo\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath: "system32\drivers\trs.sys"
HKLM\System\CurrentControlSet\Services\pelodlo\DisplayName: "putit"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp: "c:\sxe6.tmp"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe: "C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe"
HKCU\EnableLUA\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: 0x00000000

———————————-
Files added: 4
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp

———————————-
Total changes: 29
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
