Windows Security Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 3.00

Removing PWS Trojan Files

This section provides a tutorial example on how to remove malicious files left by the PWS Trojan infection with the help of the McAfee On-Demand Scan function.

In order to verify whether McAfee could detect the malicious files left in my system folder, I ran an "On-Demand Scan". The following files were detected and deleted:

c:\Documents and Settings\NetworkService\Local Settings\Temporary 
   Internet Files\Content.IE5\YTBUII29
20[1].EXE       PWS-Mmorpg.gen(Trojan)
20[1].exe\20[1].exe\000060b0.EXE PWS-Mmorpg.gen(Trojan)

c:\windows\system32
5102a80.sys     PWS-Mmorpg.gen (Trojan)
9fd8db.sys      PWS-Mmorpg.gen (Trojan)
abzpqaxboq.exe  Generic Downloader.x (Trojan)
conmie.exe      Generic.dx (Trojan)
hbasktao.dll    PWS-OnlineGames.co (Trojan)
hbbo.dll        PWS-OnlineGames.co (Trojan)
hbwow.dll       PWS-OnlineGames.co (Trojan)
hbyy.dll        PWS-OnlineGames.co (Trojan)
hbzhuxian.dll   PWS-OnlineGames.co (Trojan)
pcxyqr.exe      PWS-Mmorpg.gen (Trojan)
qcabyoprxy.exe  Generic.dx (Trojan)
sovhst.exe      Generic.dx (Trojan)
sovhst.exe\sovhst.exe\0000b200.EXE Generic.dx (Trojan)
System.exe      PWS-Mmorpg.gen (Trojan)
xboqpxabzp.exe  PWS-Mmorpg.gen (Trojan)
xboqpxabzp.exe\xboqpxabzp.exe\00008090.EXE PWS-Mmorpg.gen (Trojan)
xyoqrxabzp.exe  PWS-Mmorpg.gen (Trojan)

This tells me that:

  • Many malicious programs could be automatically detected and deleted by the McAfee On-Access module, so that they would never get stored on my computer. But the On-Access Scan module failed to stop those files from getting installed on my system.
  • Some malicious files, like heb.exe, are still left in my system folder. I have to delete them manually.
  • It seems that sovhst.exe and xboqpxabzp.exe were self-extracting ZIP files. This is why there are two records for each of them.
  • This PWS Trojan had installed a malicious program, 20[1].EXE, in the temporary folder of a hidden user, NetworkService.

After running the On-Demand Scan, I manually deleted all remaining malicious files from the system folders. I hoped that this PWS Trojan infection was now fully removed.
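The detection listing above is easier to act on as a structured inventory: which files actually sit on disk, which records are only members of a self-extracting archive, which detection names occur, and which files live under a service account's profile. The following Python parser is an added example for this page, not code from the tutorial or from McAfee. It assumes the plain-text layout shown above (a directory header line, possibly wrapped onto an indented continuation line, followed by one line per detection of the form "file  detection-name (category)"), and it treats a record whose file field contains backslashes as an archive member reported inside the first file named. The sample input is the listing from this page; the parser itself works on any listing in the same layout, and the `still_present` check accepts an injected `exists` predicate so it can be run against the real file system after cleanup.

```python
"""Parse a McAfee On-Demand Scan detection listing into structured records.

Added example for this tutorial page; it is not Herong's code or a McAfee tool.
Assumed layout: a directory header line starting with a drive letter (wrapped
continuations are indented), then one line per detection:
    <file>  <detection name> (<category>)
Nested archive members are reported as "<file>\\<file>\\<member>".
"""
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional

# Sample input copied from the scan output shown on this page (constructed test data).
SAMPLE_REPORT = r"""
c:\Documents and Settings\NetworkService\Local Settings\Temporary 
   Internet Files\Content.IE5\YTBUII29
20[1].EXE       PWS-Mmorpg.gen(Trojan)
20[1].exe\20[1].exe\000060b0.EXE PWS-Mmorpg.gen(Trojan)

c:\windows\system32
5102a80.sys     PWS-Mmorpg.gen (Trojan)
9fd8db.sys      PWS-Mmorpg.gen (Trojan)
abzpqaxboq.exe  Generic Downloader.x (Trojan)
conmie.exe      Generic.dx (Trojan)
hbasktao.dll    PWS-OnlineGames.co (Trojan)
hbbo.dll        PWS-OnlineGames.co (Trojan)
hbwow.dll       PWS-OnlineGames.co (Trojan)
hbyy.dll        PWS-OnlineGames.co (Trojan)
hbzhuxian.dll   PWS-OnlineGames.co (Trojan)
pcxyqr.exe      PWS-Mmorpg.gen (Trojan)
qcabyoprxy.exe  Generic.dx (Trojan)
sovhst.exe      Generic.dx (Trojan)
sovhst.exe\sovhst.exe\0000b200.EXE Generic.dx (Trojan)
System.exe      PWS-Mmorpg.gen (Trojan)
xboqpxabzp.exe  PWS-Mmorpg.gen (Trojan)
xboqpxabzp.exe\xboqpxabzp.exe\00008090.EXE PWS-Mmorpg.gen (Trojan)
xyoqrxabzp.exe  PWS-Mmorpg.gen (Trojan)
"""

DIR_RE = re.compile(r"^[A-Za-z]:\\")                      # directory header line
DETECT_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<category>[^()]+)\)\s*$")
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)", re.IGNORECASE)
SERVICE_ACCOUNTS = {"networkservice", "localservice"}     # hidden service profiles


@dataclass(frozen=True)
class Detection:
    directory: str            # folder the scanner reported
    path: str                 # top-level file as it sits on disk
    member: Optional[str]     # nested archive member, or None
    name: str                 # detection name, e.g. "PWS-Mmorpg.gen"
    category: str             # e.g. "Trojan"

    @property
    def is_archive_member(self) -> bool:
        return self.member is not None


def parse_scan_report(text: str) -> List[Detection]:
    """Turn the plain-text listing into Detection records; raises on malformed lines."""
    records: List[Detection] = []
    directory: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue                                        # blank separator
        if DIR_RE.match(line):
            directory = line                                # new directory header
            continue
        if line[0].isspace():                               # wrapped header continuation
            if directory is None:
                raise ValueError("continuation line without a header: %r" % line)
            directory = directory + " " + line.strip()
            continue
        if directory is None:
            raise ValueError("detection line before any header: %r" % line)
        parts = line.split(None, 1)                         # file field, then detection text
        if len(parts) != 2:
            raise ValueError("cannot split detection line: %r" % line)
        file_field, detection_field = parts
        m = DETECT_RE.match(detection_field)
        if not m:
            raise ValueError("cannot parse detection: %r" % detection_field)
        segments = file_field.split("\\")
        # The scanner repeats the container name before the member; keep both ends.
        member = segments[-1] if len(segments) > 1 else None
        records.append(Detection(directory, segments[0], member, m.group("name"), m.group("category")))
    return records


def archive_containers(records: List[Detection]) -> List[str]:
    """Top-level files the scanner looked inside (the self-extracting archives)."""
    return sorted({r.path.lower() for r in records if r.is_archive_member})


def profile_owner(directory: str) -> Optional[str]:
    """User profile name if the directory lies under Documents and Settings."""
    m = PROFILE_RE.match(directory)
    return m.group("user") if m else None


def files_in_service_profiles(records: List[Detection]) -> List[Detection]:
    """Detections stored under a hidden service account's profile."""
    return [r for r in records if (profile_owner(r.directory) or "").lower() in SERVICE_ACCOUNTS]


def count_by_detection(records: List[Detection]) -> Counter:
    return Counter(r.name for r in records)


def on_disk_files(records: List[Detection]) -> List[str]:
    """Distinct full paths that really exist on disk (archive members excluded)."""
    return sorted({r.directory + "\\" + r.path for r in records if not r.is_archive_member}, key=str.lower)


def still_present(paths: List[str], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Post-cleanup check: which of the reported files can still be found."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    recs = parse_scan_report(SAMPLE_REPORT)
    print("records:", len(recs), "on-disk files:", len(on_disk_files(recs)))
    print("archives:", archive_containers(recs))
    print("by detection:", dict(count_by_detection(recs)))
    print("in service profiles:", [r.path for r in files_in_service_profiles(recs)])
    print("still present:", still_present(on_disk_files(recs)))
```

Run on the listing above, the parser yields 19 records, of which 16 are files on disk; the three archive containers (20[1].exe, sovhst.exe and xboqpxabzp.exe) are exactly the entries that appear twice, and the two NetworkService records are flagged separately. After the manual deletions, `still_present(on_disk_files(recs))` on the affected machine should come back empty.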

Last update: 2006.

Dr. Herong Yang, updated in 2013