Trojan Downloader-CKT
1. What is the Trojan Downloader-CKT
Downloader.CKT is a Trojan which, although seemingly inoffensive, can actually carry out attacks and intrusions: screenlogging, stealing personal data, etc. Once installed on your machine, Trojan Downloader Win32 will connect to high-rate international and 900 numbers without your knowledge or consent. Trojan Downloader Win32 may also display pop-up advertisements for the service it offers without stating the price, so take care not to be entrapped by it. Most likely, however, Trojan Downloader Win32 will be installed without your being aware of it. Additionally, Trojan Downloader Win32 may hide itself as a low-level system process and continue its malicious activity. Note that Trojan Downloader Win32 may be difficult to remove manually, and getting rid of it can take a long time.
a. The following files were created in the system:
%UserProfile%\ckuk.exe
%Temp%\13405
Notes:
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
b. Memory Modifications
There was a new process created in the system:
| Process Name | Process Filename | Main Module Size |
| ckuk.exe | %UserProfile%\ckuk.exe | 98,304 bytes |
c. Registry Modifications
- The following Registry Key was created:
  - HKEY_CURRENT_USER\Software\a4a4a4a4a4a4
d. Other details
| Remote Host | Port Number |
| 114.108.128.1880 | 80 |
| 180.150.229.205 | 80 |
2. How-to's
a. Please keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these trojans, it will break it and ensure your network and business security.
b. How to Remove the Trojan Downloader-CKT Manually?
Step 1 : Files associated with Trojan Downloader Win32 infection:
Step 2 : Trojan Downloader Win32 DLLs to remove:
Step 3 : Trojan Downloader Win32 processes to kill:
Step 4 : Remove Trojan Downloader Win32 registry entries:
c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm