Trajon Files Left in the System Folder

This section provides detailed information on malicious files left by two Trojan attacks. Somehow McAfee failed to detect and delete them.

After finish review the McAfee VirusScan log file, OnAccessScanLog.txt, I started to look at the system folders to see files left by the Trojan.

In c:\windows, I saw the following new files:

\system32
10/26/2008 5:59 PM    6,540   heb.exe
10/26/2008 5:59 PM    6,540   wuauclt.exe
10/26/2008 5:59 PM    6,540   ctfmon.exe
10/26/2008 5:59 PM    6,540   conime.exe
10/26/2008 6:00 PM    1,582   yoprybzpax.ini
10/26/2008 6:00 PM    2,752   abzpqaxboq.exe
10/26/2008 6:01 PM   16,433   xboqpxabzp.exe
10/26/2008 6:01 PM    5,504   5102a80.sys
10/26/2008 6:03 PM   24,576   BHBO.dll
10/26/2008 6:05 PM   79,048   xyoqrxabzp.exe
10/26/2008 6:11 PM   52,712   qcabyoprxy.exe
10/26/2008 9:34 PM    6,540   yvspqn.exe
10/26/2008 9:35 PM    6,540   alg.exe
10/26/2008 9:35 PM    1,582   abopxy.ini
10/26/2008 9:36 PM   33,193   sovhst.exe
10/26/2008 9:36 PM    5,504   9fd8db.sys
10/26/2008 9:36 PM   28,672   HBWOW.dll
10/26/2008 9:36 PM    7,680   System.exe
10/26/2008 9:36 PM   20,480   conmie.exe
10/26/2008 9:36 PM   24,576   HBASKTAO.dll
10/26/2008 9:36 PM       26   discard.ini
10/26/2008 9:36 PM    1,148   sufost.ini
10/26/2008 9:37 PM   24,576   HBZHUXIAN.dll
10/26/2008 9:37 PM   24,576   BHYY.dll
10/26/2008 9:37 PM   18,587   pcxyqr.exe

\system32\drivers
10/26/2008 5:59 PM    8,192   pcidump.sys
10/26/2008 9:37 PM   16,343   HBKernel32.sys

\temp
10/26/2008 5:59 PM   36,864   mmhtml.dll

This confirmed that:

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

 JS/Downloader.gen - JavaScript Downloader Malware

 PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

Trajon Files Left in the System Folder

 Removing PWS Trojan Files

 Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

 UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

 regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 Full Version in PDF/ePUB