Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
.exe and .dll Files Installed by the Trojan
This section describes how the malicious executable programs installed by the Trojan were executed to install more DLL programs in the system folder.
After the Trojan installer, heb.exe, succeeded in breaking through the McAfee protection, multiple malicious executable programs were installed in the system folder. Those programs were then executed to install more malicious DLL programs in the system folder. See the OnAccessScanLog.txt log file records below:
<date> 6:01:18 PM Deleted (Clean failed because the detection isn't cleanable) hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\rabzpcaxyo.exe New Malware.aq (Trojan)
<date> 6:01:19 PM Cleaned hyang C:\WINDOWS\system32\xyoqrxybpq.exe c:\windows\system32\da63e650.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:20 PM Not scanned (scan timed out) hyang C:\WINDOWS\system32\xybzqcaxyo.exe C:\WINDOWS\system32\DE02F764.dll
<date> 6:01:20 PM Deleted hyang C:\WINDOWS\system32\xybzqcaxyo.exe C:\WINDOWS\SYSTEM32\DE02F764.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:20 PM Deleted hyang C:\WINDOWS\system32\xybzqcaxyo.exe C:\WINDOWS\system32\DE02F764.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:27 PM Deleted hyang C:\WINDOWS\system32\xyoqrxybpq.exe C:\WINDOWS\SYSTEM32\DA63E650.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:27 PM Deleted hyang C:\WINDOWS\system32\xyoqrxybpq.exe C:\WINDOWS\system32\DA63E650.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:30 PM Cleaned hyang C:\WINDOWS\system32\abyopxaybp.exe c:\windows\system32\08223b03.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:36 PM Cleaned hyang C:\WINDOWS\system32\rxayzpqaxb.exe c:\windows\system32\58ff3024.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:37 PM Deleted hyang C:\WINDOWS\system32\abyopxaybp.exe C:\WINDOWS\SYSTEM32\08223B03.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:38 PM Deleted hyang C:\WINDOWS\system32\abyopxaybp.exe C:\WINDOWS\system32\08223B03.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:48 PM Deleted hyang C:\WINDOWS\system32\rxayzpqaxb.exe C:\WINDOWS\SYSTEM32\58FF3024.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:48 PM Deleted hyang C:\WINDOWS\system32\rxayzpqaxb.exe C:\WINDOWS\system32\58FF3024.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:50 PM Cleaned hyang C:\WINDOWS\system32\yqpaborayb.exe c:\windows\system32\3474a8c2.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:58 PM Deleted hyang C:\WINDOWS\system32\yqpaborayb.exe C:\WINDOWS\SYSTEM32\3474A8C2.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:58 PM Deleted hyang C:\WINDOWS\system32\yqpaborayb.exe C:\WINDOWS\system32\3474A8C2.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:09 PM Cleaned hyang C:\WINDOWS\system32\yoprxybzpc.exe c:\windows\system32\122b901e.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:14 PM Deleted hyang C:\WINDOWS\system32\yoprxybzpc.exe C:\WINDOWS\SYSTEM32\122B901E.DLL PWS-OnlineGames.s (Trojan)
<date> 6:02:14 PM Deleted hyang C:\WINDOWS\system32\yoprxybzpc.exe C:\WINDOWS\system32\122B901E.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:19 PM Cleaned hyang C:\WINDOWS\system32\xabzpcaxyo.exe c:\windows\system32\caba599d.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:24 PM Cleaned hyang C:\WINDOWS\system32\boqpxabpqq.exe c:\windows\system32\9ca963ca.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:25 PM Deleted hyang C:\WINDOWS\system32\xabzpcaxyo.exe C:\WINDOWS\SYSTEM32\CABA599D.DLL PWS-OnlineGames.s (Trojan)
<date> 6:02:25 PM Deleted hyang C:\WINDOWS\system32\xabzpcaxyo.exe C:\WINDOWS\system32\CABA599D.dll PWS-OnlineGames.s (Trojan)
<date> 6:02:36 PM Not scanned (scan timed out) hyang C:\WINDOWS\system32\boqpxabpqq.exe C:\WINDOWS\system32\9CA963CA.dll
<date> 6:02:36 PM Deleted hyang C:\WINDOWS\system32\boqpxabpqq.exe C:\WINDOWS\SYSTEM32\9CA963CA.DLL PWS-OnlineGames.s (Trojan)
<date> 6:02:36 PM Deleted hyang C:\WINDOWS\system32\boqpxabpqq.exe C:\WINDOWS\system32\9CA963CA.dll PWS-OnlineGames.s (Trojan)
The log records show that at least 8 malicious executable programs were installed in the system folder, such as C:\WINDOWS\system32\xybzqcaxyo.exe. I am not sure why McAfee VirusScan failed to detect and delete them.
Those malicious executable programs were launched to install more DLL files into the system folder, with random names like de02f764.dll. The log file showed that McAfee was able to detect and delete 26 DLL files created by the Trojan.
Of course, the log file did not tell us how many DLL files were successfully installed by the Trojan.
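The records above are easier to reason about when grouped by the process that wrote each file, with paths compared case-insensitively (the log names the same DLL as DE02F764.dll and DE02F764.DLL) and with "Not scanned" time-outs separated from actual removals. The following script is an added example, not part of the original tutorial; it parses the record layout shown above and feeds it a constructed sample made of records from the excerpt plus one made-up time-out record (EXAMPLE00.dll) that is never cleaned, to exercise the unresolved case.

```python
import re

# Layout of one OnAccessScanLog.txt record as shown on this page:
#   <date> <time> <action> [(detail)] <user> <process> <target> [<detection> (<type>)]
# "Not scanned" records carry no detection name, so that tail is optional.
RECORD_RE = re.compile(
    r"^<date>\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>Deleted|Cleaned|Not scanned)(?: \((?P<detail>[^)]*)\))?\s+"
    r"(?P<user>\S+)\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>[A-Za-z]:\\\S+)"
    r"(?:\s+(?P<detection>.+?) \((?P<kind>[^)]+)\))?$"
)

# Constructed sample: five records copied from the excerpt above plus one
# made-up "Not scanned" record (EXAMPLE00.dll) that is never cleaned later.
SAMPLE_LOG = r"""
<date> 6:01:18 PM Deleted (Clean failed because the detection isn't cleanable) hyang C:\WINDOWS\system32\heb.exe C:\WINDOWS\system32\rabzpcaxyo.exe New Malware.aq (Trojan)
<date> 6:01:19 PM Cleaned hyang C:\WINDOWS\system32\xyoqrxybpq.exe c:\windows\system32\da63e650.dll PWS-OnlineGames.s (Trojan)
<date> 6:01:20 PM Not scanned (scan timed out) hyang C:\WINDOWS\system32\xybzqcaxyo.exe C:\WINDOWS\system32\DE02F764.dll
<date> 6:01:20 PM Deleted hyang C:\WINDOWS\system32\xybzqcaxyo.exe C:\WINDOWS\SYSTEM32\DE02F764.DLL PWS-OnlineGames.s (Trojan)
<date> 6:01:27 PM Deleted hyang C:\WINDOWS\system32\xyoqrxybpq.exe C:\WINDOWS\SYSTEM32\DA63E650.DLL PWS-OnlineGames.s (Trojan)
<date> 6:02:40 PM Not scanned (scan timed out) hyang C:\WINDOWS\system32\boqpxabpqq.exe C:\WINDOWS\system32\EXAMPLE00.dll
"""

def summarize(log_text):
    """Group records by the process that wrote each file. Paths are lowered
    because the log names the same DLL as DE02F764.dll and DE02F764.DLL."""
    summary, unparsed = {}, []
    for line in log_text.strip().splitlines():
        m = RECORD_RE.match(line)
        if not m:
            unparsed.append(line)  # keep anything the layout did not fit
            continue
        entry = summary.setdefault(
            m["process"].lower(), {"removed": set(), "not_scanned": set(), "detections": set()}
        )
        bucket = "removed" if m["action"] in ("Deleted", "Cleaned") else "not_scanned"
        entry[bucket].add(m["target"].lower())
        if m["detection"]:
            entry["detections"].add(m["detection"])
    return summary, unparsed

def coverage_gaps(summary):
    """Targets that timed out and were never removed on a later access: files the
    on-access log cannot vouch for, which a follow-up on-demand scan must cover."""
    return {proc: e["not_scanned"] - e["removed"]
            for proc, e in summary.items() if e["not_scanned"] - e["removed"]}
```

On the full excerpt both time-outs (DE02F764.dll and 9CA963CA.dll) are followed by Deleted records for the same file, so coverage_gaps() is empty there; only the constructed EXAMPLE00.dll record is reported.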