sxe6.tmp – trojan Banload

I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.




Is the file sxe6.tmp located on your computer? Then your computer is infected.
We highly recommend you to remove sxe6.tmp from your computer as soon as possible.
sxe6.tmp is Trojan/Backdoor.
Kill the process sxe6.tmp and remove sxe6.tmp from the Windows startup.

Malware Analysis of sxe6.tmp
Executed: FOTOS_DSC03764_JPG.exe
Removed: sxe6.tmp Full path: C:\sxe6.tmp

—————————————————————————————————————————-
Detected by UnHackMe:


Your Vote?
0 0

Item Name: trs.sys
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\TRS.SYS
Type: Drivers

Item Name: sxe6.tmp
Author: USB_2011
Related File: C:\SXE6.TMP
Type: Registry Run

Item Name: ctfmonn.exe
Author: USB_2011
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Item Name:
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe
Value:
“C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”

Registry:
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath
Value:
“system32\drivers\trs.sys”

Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp
Value:
“c:\sxe6.tmp”

Folders:
Files:
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp
—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.16440.0 2011.03.23 -
Microsoft 1.6702 2011.03.25 TrojanDownloader:Win32/Delf.ZWQ
NOD32 5985 2011.03.25 probably a variant of Win32/TrojanDownloader.Banload.ORL

—————————————————————————————————————————-

MD5 4c8cf2434cfc6aee9bfbd53cc082edc1

SHA1 b43e6e31c099d59f0227f087e6fbe52f410cacc3

SHA256 228cfa532b5a2dd0a0d12911b782e38b8a90ff386288b78ff28486b92aa45d16

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:6
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000
HKLM\System\CurrentControlSet\Services\pelodlo
HKLM\System\CurrentControlSet\Services\pelodlo\Security
HKCU\ctfmonn
HKCU\EnableLUA

———————————-
Values added:19
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0×00000000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: “C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Service: “pelodlo”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Legacy: 0×00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ConfigFlags: 0×00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\DeviceDesc: “putit”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Capabilities: 0×00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\NextInstance: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\pelodlo\Type: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Start: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ErrorControl: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath: “system32\drivers\trs.sys”
HKLM\System\CurrentControlSet\Services\pelodlo\DisplayName: “putit”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp: “c:\sxe6.tmp”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe: “C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”
HKCU\EnableLUA\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: 0×00000000

———————————-
Files added:4
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp

———————————-
Total changes:29
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.

Download it here




1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open UnHackMe main screen.
  2. Click on a Remote Assistant button.
  3. Follow instructions on a screen.
  4. We will contact you and send a solution of your problem.
  5. Remote assistance is free during trial period.

Enjoy!