Windows Security Tutorials - Herong's Tutorial Examples

∟PWS (Password Stealer) Trojan Infection Removal

∟PWS-Mmorpg.gen - A Password Stealer Trojan

This section describes the PWS-Mmorpg.gen Trojan targeting online game account information.

After seeing the McAfee VirusScan log file record on PWS-Mmorpg.gen (Trojan), I searched on the Internet and got some descriptions about this type of PWS Trojan.

http://vil.nai.com/vil/content/v_142170.htm:

Aliases: PWS-Mmorpg.gen, TR/PSW.OnLineGames.DR, 
   Trojan-PSW.Win32.OnLineGames.dr, Trojan.OnLineGames-5,
   Trojan.Pws.Onlinegames.DR

Type: Trojan/Generic

Discovery Date: 05/07/2007

Characteristics:
   PWS-Mmorpg is a trojan written in Borland Delphi, that attempts to
   steal passwords information for popular online MMORPG games. It 
   also contains functionality to post this information to a remote 
   website.

   When executed, it drops the following files in all available 
   drives, including removable and floppy drives:
      .\Shell.exe --> copy of the trojan
      .\autorun.inf --> detected as W32/USBAgent!inf
      %WINDIR%\Help\ACDF4F3D0FD.exe --> copy of the trojan
      %WINDIR%\Help\ACDF4F3D0FD.dll --> detected as PWS-Mmorpg.gen
...

http://www.sophos.com/security/analyses/trojonlinegj.html:

Aliases: Troj/OnLineG-J, PWS-Mmorpg.gen, 
   Trojan-PSW.Win32.OnLineGames.acz

Sophos Protection: available since 27 July 2007

Category: Viruses and Spyware

Type: Trojan

Method of Infection: 
   When first run Troj/OnLineG-J copies itself to %System%\dsfids6.exe
   and creates the file %System%\9kxk0.dll.

   The following registry entry is created to run dsfids6.exe on 
   startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   daskaskfsak6 = %System%\dsfids6.exe

Apparently, these 2 Web pages were not talking about the same Trojan. But I use them to compare with what happened on my friends computer.

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

►PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

 JS/Downloader.gen - JavaScript Downloader Malware

►PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

 Trajon Files Left in the System Folder

 Removing PWS Trojan Files

 Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

 UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

 regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 Full Version in PDF/ePUB

PWS-Mmorpg.gen - A Password Stealer Trojan - Updated in 2021, by Dr. Herong Yang