Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
Trojan Files Left in the System Folder
This section provides detailed information on the malicious files left behind by two Trojan attacks. Somehow McAfee failed to detect and delete them.
After finishing my review of the McAfee VirusScan log file, OnAccessScanLog.txt, I started looking through the system folders for files left by the Trojans.
In c:\windows, I saw the following new files:
\system32
10/26/2008  5:59 PM   6,540  heb.exe
10/26/2008  5:59 PM   6,540  wuauclt.exe
10/26/2008  5:59 PM   6,540  ctfmon.exe
10/26/2008  5:59 PM   6,540  conime.exe
10/26/2008  6:00 PM   1,582  yoprybzpax.ini
10/26/2008  6:00 PM   2,752  abzpqaxboq.exe
10/26/2008  6:01 PM  16,433  xboqpxabzp.exe
10/26/2008  6:01 PM   5,504  5102a80.sys
10/26/2008  6:03 PM  24,576  BHBO.dll
10/26/2008  6:05 PM  79,048  xyoqrxabzp.exe
10/26/2008  6:11 PM  52,712  qcabyoprxy.exe
10/26/2008  9:34 PM   6,540  yvspqn.exe
10/26/2008  9:35 PM   6,540  alg.exe
10/26/2008  9:35 PM   1,582  abopxy.ini
10/26/2008  9:36 PM  33,193  sovhst.exe
10/26/2008  9:36 PM   5,504  9fd8db.sys
10/26/2008  9:36 PM  28,672  HBWOW.dll
10/26/2008  9:36 PM   7,680  System.exe
10/26/2008  9:36 PM  20,480  conmie.exe
10/26/2008  9:36 PM  24,576  HBASKTAO.dll
10/26/2008  9:36 PM      26  discard.ini
10/26/2008  9:36 PM   1,148  sufost.ini
10/26/2008  9:37 PM  24,576  HBZHUXIAN.dll
10/26/2008  9:37 PM  24,576  BHYY.dll
10/26/2008  9:37 PM  18,587  pcxyqr.exe
\system32\drivers
10/26/2008  5:59 PM   8,192  pcidump.sys
10/26/2008  9:37 PM  16,343  HBKernel32.sys
\temp
10/26/2008  5:59 PM  36,864  mmhtml.dll
This confirmed that:
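The listing above lends itself to three quick triage checks, which the following Python script applies to it. This is an added example and not code from the tutorial; the listing embedded in the script is constructed from the files shown in this section, and the table of legitimate System32 names, the 30-minute wave gap and the letter-shuffle rule are assumptions chosen for the example. The script splits the files into drop waves by timestamp, groups files that share an exact size (one dropper written under several names), and flags names that equal, or are a letter shuffle of, a real Windows binary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the tutorial. LISTING is constructed from the
# section's file list (raw string: folder lines keep their leading backslash).
LISTING = r"""
\system32
10/26/2008 5:59 PM 6,540 heb.exe
10/26/2008 5:59 PM 6,540 wuauclt.exe
10/26/2008 5:59 PM 6,540 ctfmon.exe
10/26/2008 5:59 PM 6,540 conime.exe
10/26/2008 6:00 PM 1,582 yoprybzpax.ini
10/26/2008 6:00 PM 2,752 abzpqaxboq.exe
10/26/2008 6:01 PM 16,433 xboqpxabzp.exe
10/26/2008 6:01 PM 5,504 5102a80.sys
10/26/2008 6:03 PM 24,576 BHBO.dll
10/26/2008 6:05 PM 79,048 xyoqrxabzp.exe
10/26/2008 6:11 PM 52,712 qcabyoprxy.exe
10/26/2008 9:34 PM 6,540 yvspqn.exe
10/26/2008 9:35 PM 6,540 alg.exe
10/26/2008 9:35 PM 1,582 abopxy.ini
10/26/2008 9:36 PM 33,193 sovhst.exe
10/26/2008 9:36 PM 5,504 9fd8db.sys
10/26/2008 9:36 PM 28,672 HBWOW.dll
10/26/2008 9:36 PM 7,680 System.exe
10/26/2008 9:36 PM 20,480 conmie.exe
10/26/2008 9:36 PM 24,576 HBASKTAO.dll
10/26/2008 9:36 PM 26 discard.ini
10/26/2008 9:36 PM 1,148 sufost.ini
10/26/2008 9:37 PM 24,576 HBZHUXIAN.dll
10/26/2008 9:37 PM 24,576 BHYY.dll
10/26/2008 9:37 PM 18,587 pcxyqr.exe
\system32\drivers
10/26/2008 5:59 PM 8,192 pcidump.sys
10/26/2008 9:37 PM 16,343 HBKernel32.sys
\temp
10/26/2008 5:59 PM 36,864 mmhtml.dll
"""

# Assumed short table of real Windows binaries that live in System32.
LEGIT_SYSTEM32 = {"wuauclt.exe", "ctfmon.exe", "conime.exe", "alg.exe", "svchost.exe",
                  "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "userinit.exe"}
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d{1,2}:\d\d [AP]M) ([\d,]+) (\S+)$")


def parse_listing(text):
    """Return (folder, mtime, size, name) tuples from a dir-style listing."""
    entries, folder = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("\\"):        # folder header such as \system32
            folder = line
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        stamp, size, name = m.groups()
        entries.append((folder, datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
                        int(size.replace(",", "")), name))
    return entries


def clone_groups(entries):
    """Sizes shared by several files: one dropper copied under many names."""
    by_size = defaultdict(list)
    for _, _, size, name in entries:
        by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) > 1}


def drop_waves(entries, gap=timedelta(minutes=30)):
    """Split files into infection waves; a quiet period longer than gap starts a new one."""
    waves = []
    for entry in sorted(entries, key=lambda e: e[1]):
        if waves and entry[1] - waves[-1][-1][1] <= gap:
            waves[-1].append(entry)
        else:
            waves.append([entry])
    return waves


def name_findings(entries):
    """Names equal to a real binary, or a letter shuffle of one (conmie vs conime)."""
    shuffled = {"".join(sorted(n)): n for n in LEGIT_SYSTEM32}
    findings = {}
    for _, _, _, name in entries:
        low = name.lower()
        if low in LEGIT_SYSTEM32:          # decide by signature and size, never by name alone
            findings[name] = ("impersonates", low)
        elif "".join(sorted(low)) in shuffled:
            findings[name] = ("typosquats", shuffled["".join(sorted(low))])
    return findings


if __name__ == "__main__":
    files = parse_listing(LISTING)
    for n, wave in enumerate(drop_waves(files), 1):
        print(f"wave {n}: {wave[0][1]:%I:%M %p}-{wave[-1][1]:%I:%M %p}, {len(wave)} files")
    for size, names in sorted(clone_groups(files).items()):
        print(f"{size:>6} bytes x{len(names)}: {', '.join(names)}")
    for name, (kind, legit) in name_findings(files).items():
        print(f"{name} {kind} {legit}")
```

Running it separates the two attacks into waves at 5:59-6:11 PM and 9:34-9:37 PM, lists the six 6,540-byte files that are the same size as heb.exe, and flags conmie.exe beside the real conime.exe. A name match by itself proves nothing, since wuauclt.exe, ctfmon.exe, alg.exe and conime.exe legitimately live in System32; on a live system the decisive checks are the Authenticode signature and a size or hash comparison against a known-good copy of the same binary.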