TEMP1.EXE – Trojan Magania

I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:

Free Download
Fully Functional 30-day Trial. No credit card is required.
Reviews
. EULA. Privacy Policy. Uninstall.

TEMP1.EXE – Trojan Magania removal

FileMD5Virus Alias
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan Magania
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan SuspiciousFile
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan Eldorado
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan Downloader
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan Siggen
TEMP1.EXE b82e75376afdb3e0bb092f4fca53e4b9 Trojan Agent

TEMP1.EXE size: 137216 bytes
TEMP1.EXE hash: B82E75376AFDB3E0BB092F4FCA53E4B9

Created files:

C:\1851700.dll
C:\windows\system32\dllcache\ws2help.dll
C:\windows\system32\drivers\420a0a1f.sys
C:\windows\system32\drivers\xpV3001.sys
C:\windows\system32\RpcSvc.psd
C:\windows\system32\ws2helpXP.dll
C:\windows\system32\wshtcpip.dll
C:\windows\temp\svohcst.exe
C:\windows\temp\temp1.exe
C:\windows\temp\temp2.exe
C:\windows\temp\temp3.exe

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Download: C:\windows\temp\svohcst.exe
HKLM\System\CurrentControlSet\Services\420a0a1f\Type: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\Start: 02000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\DisplayName: 420a0a1f
HKLM\System\CurrentControlSet\Services\420a0a1f\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C00340032003000610030006100310066002E007300790073000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ProcessID: 50110000
HKLM\System\CurrentControlSet\Services\neverdeath\Type: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\Start: 02000000
HKLM\System\CurrentControlSet\Services\neverdeath\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\DisplayName: neverdeath
HKLM\System\CurrentControlSet\Services\neverdeath\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C0078007000560033003000300031002E007300790073000000
HKLM\System\CurrentControlSet\Services\neverdeath\ProcessID: 50110000
HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath: 43003A005C0031003800350031003700300030002E0064006C006C000000
HKLM\System\CurrentControlSet\Services\RpcSvc\Type: 10010000
HKLM\System\CurrentControlSet\Services\RpcSvc\Start: 02000000
HKLM\System\CurrentControlSet\Services\RpcSvc\DisplayName: Remote Procedure Call (RPC) Service
HKLM\System\CurrentControlSet\Services\RpcSvc\ImagePath: %SystemRoot%\System32\svchost.exe -k imgsvc

Detected by UnHackMe:

TEMP1.EXE
Default location: %TEMP%\TEMP1.EXE

Dropper information:
MD5: ca33e1826f8d03ed2c11fba563ca3bbb
File size: 4207 bytes

Leave a Reply