TEMP3.EXE – Trojan OnLineGames


TEMP3.EXE – Trojan OnLineGames removal

File       MD5                               Virus Alias
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Trojan OnLineGames
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Trojan SuspiciousFile
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Trojan Artemis
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Trojan Eldorado
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Virus Part
TEMP3.EXE  4e1138933ffc44b130e9685cc86c3117  Trojan Agent

TEMP3.EXE size: 270336 bytes
TEMP3.EXE hash: 4E1138933FFC44B130E9685CC86C3117

Created files:

C:\1851700.dll
C:\windows\system32\dllcache\ws2help.dll
C:\windows\system32\drivers\420a0a1f.sys
C:\windows\system32\drivers\xpV3001.sys
C:\windows\system32\RpcSvc.psd
C:\windows\system32\ws2helpXP.dll
C:\windows\system32\wshtcpip.dll
C:\windows\temp\svohcst.exe
C:\windows\temp\temp1.exe
C:\windows\temp\temp2.exe
C:\windows\temp\temp3.exe

Autostart registry keys (DWORD values are shown as little-endian hex bytes; ImagePath and DLLPath values are shown as raw UTF-16LE bytes, with the decoded string in parentheses):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Download: C:\windows\temp\svohcst.exe
HKLM\System\CurrentControlSet\Services\420a0a1f\Type: 01000000 (1 = kernel driver)
HKLM\System\CurrentControlSet\Services\420a0a1f\Start: 02000000 (2 = automatic start)
HKLM\System\CurrentControlSet\Services\420a0a1f\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\DisplayName: 420a0a1f
HKLM\System\CurrentControlSet\Services\420a0a1f\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C00340032003000610030006100310066002E007300790073000000 (decodes to \??\C:\WINDOWS\system32\drivers\420a0a1f.sys)
HKLM\System\CurrentControlSet\Services\420a0a1f\ProcessID: 50110000
HKLM\System\CurrentControlSet\Services\neverdeath\Type: 01000000 (1 = kernel driver)
HKLM\System\CurrentControlSet\Services\neverdeath\Start: 02000000 (2 = automatic start)
HKLM\System\CurrentControlSet\Services\neverdeath\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\DisplayName: neverdeath
HKLM\System\CurrentControlSet\Services\neverdeath\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C0078007000560033003000300031002E007300790073000000 (decodes to \??\C:\WINDOWS\system32\drivers\xpV3001.sys)
HKLM\System\CurrentControlSet\Services\neverdeath\ProcessID: 50110000
HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath: 43003A005C0031003800350031003700300030002E0064006C006C000000 (decodes to C:\1851700.dll)
HKLM\System\CurrentControlSet\Services\RpcSvc\Type: 10010000 (0x110 = own-process Win32 service, interactive)
HKLM\System\CurrentControlSet\Services\RpcSvc\Start: 02000000 (2 = automatic start)
HKLM\System\CurrentControlSet\Services\RpcSvc\DisplayName: Remote Procedure Call (RPC) Service
HKLM\System\CurrentControlSet\Services\RpcSvc\ImagePath: %SystemRoot%\System32\svchost.exe -k imgsvc

Detected by UnHackMe:

TEMP3.EXE
Default location: %TEMP%\TEMP3.EXE

Dropper information:
MD5: ca33e1826f8d03ed2c11fba563ca3bbb
File size: 4207 bytes
