my.exe - A Second PWS Trojan Infection

This section describes a second possible PWS Trojan infection that executed my.exe from C:\WINDOWS\Temp and another .exe file from C:\WINDOWS\system32. Both of them tried to install .sys files.

3 hours later on the same day, more Trojan activity was detected by McAfee VirusScan. See the OnAccessScanLog.txt log file records below:

<date> 9:34:40 PM Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\Temp\my.exe
   c:\windows\system32\drivers\beep.sys PWS-Mmorpg.gen (Trojan)

<date> 9:34:41 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\Temp\my.exe
   C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS PWS-Mmorpg.gen (Trojan)

<date> 9:34:42 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\Temp\my.exe
   C:\WINDOWS\system32\drivers\beep.sys PWS-Mmorpg.gen (Trojan)

<date> 9:35:00 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM 
   C:\WINDOWS\system32\yvspqn.exe C:WINDOWS\system32\drivers\opxyz.sys

<date> 9:35:00 PM Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe c:\windows\system32\drivers\opxyz.sys 
   PWS-Mmorpg.gen (Trojan)

<date> 9:35:00 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:\WINDOWS\SYSTEM32\DRIVERS\OPXYZ.SYS 
   PWS-Mmorpg.gen (Trojan)

<date> 9:35:01 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:\WINDOWS\system32\drivers\opxyz.sys 
   PWS-Mmorpg.gen (Trojan)

<date> 9:36:05 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:WINDOWS\SYSTEM32\PCXYQR.EXE PWS-Mmorpg.gen (Trojan)

<date> 9:36:05 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:\WINDOWS\system32\pcxyqr.exe\pcxyqr.exe\0000d500.EXE 
   PWS-Mmorpg.gen (Trojan)

<date> 9:36:06 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:\WINDOWS\SYSTEM32\BPCXYQ.EXE PWS-Mmorpg.gen (Trojan)

<date> 9:36:06 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32
   \yvspqn.exe C:\WINDOWS\system32\bpcxyq.exe\bpcxyq.exe\0000d500.EXE 
   PWS-Mmorpg.gen (Trojan)

As you can see, 2 more malicious executable programs, my.exe and yvspqn.exe, were installed and executed, similar to xyoqrxybpq.exe mentioned in the previous section.

But there were some things new here in these records:

Because of these differences, I may actually have 2 different Trojan infections, one at 6:01pm and one at 9:34pm.
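The conclusion above comes from reading the records by hand: which process wrote which file, and when. The script below does the same grouping mechanically over records modelled on the excerpt above. It is an added example, not code from the book or from McAfee. It assumes the on-access log is tab-delimited with one record per line in the order date, time, action, user, process, target file, detection name; the sample records are constructed from the excerpt, "<date>" stands in for the date the page does not give, and the minor path and case variations in the excerpt are normalised to lower case so the same file is counted once. It also flags a "Not scanned (scan timed out)" record that never received a later verdict, since a timed-out scan is not a clean result.

```python
"""Group McAfee VirusScan on-access records by the process that touched the
file, and flag scan timeouts that were never followed by a verdict.
Added example; not McAfee's code and not from the book.
Assumption: tab-delimited records, one per line, in the field order
date, time, action, user, process, target file, detection name."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample modelled on the OnAccessScanLog.txt excerpt in this section.
# "<date>" stands in for the real date, which the page does not give, so the
# date column is carried but not parsed. Fields: time, action, process, target,
# detection (empty when the scan did not complete).
_ROWS = [
    ("9:34:40 PM", "Cleaned", r"C:\WINDOWS\Temp\my.exe", r"c:\windows\system32\drivers\beep.sys", "PWS-Mmorpg.gen (Trojan)"),
    ("9:34:41 PM", "Deleted", r"C:\WINDOWS\Temp\my.exe", r"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS", "PWS-Mmorpg.gen (Trojan)"),
    ("9:34:42 PM", "Deleted", r"C:\WINDOWS\Temp\my.exe", r"C:\WINDOWS\system32\drivers\beep.sys", "PWS-Mmorpg.gen (Trojan)"),
    ("9:35:00 PM", "Not scanned (scan timed out)", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\system32\drivers\opxyz.sys", ""),
    ("9:35:00 PM", "Cleaned", r"C:\WINDOWS\system32\yvspqn.exe", r"c:\windows\system32\drivers\opxyz.sys", "PWS-Mmorpg.gen (Trojan)"),
    ("9:35:00 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\SYSTEM32\DRIVERS\OPXYZ.SYS", "PWS-Mmorpg.gen (Trojan)"),
    ("9:35:01 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\system32\drivers\opxyz.sys", "PWS-Mmorpg.gen (Trojan)"),
    ("9:36:05 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\SYSTEM32\PCXYQR.EXE", "PWS-Mmorpg.gen (Trojan)"),
    ("9:36:05 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\system32\pcxyqr.exe\pcxyqr.exe\0000d500.EXE", "PWS-Mmorpg.gen (Trojan)"),
    ("9:36:06 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\SYSTEM32\BPCXYQ.EXE", "PWS-Mmorpg.gen (Trojan)"),
    ("9:36:06 PM", "Deleted", r"C:\WINDOWS\system32\yvspqn.exe", r"C:\WINDOWS\system32\bpcxyq.exe\bpcxyq.exe\0000d500.EXE", "PWS-Mmorpg.gen (Trojan)"),
]
SAMPLE_LOG = "\n".join(
    "\t".join(("<date>", t, a, r"NT AUTHORITY\SYSTEM", p, f, d)) for t, a, p, f, d in _ROWS
)

TIMEOUT_PREFIX = "Not scanned"  # action text McAfee writes when the scan did not finish


@dataclass(frozen=True)
class ScanRecord:
    when: time
    action: str
    user: str
    process: str    # process that touched the file, lower-cased for grouping
    target: str     # file that was scanned, lower-cased for grouping
    detection: str  # empty when nothing was detected or the scan did not complete


def parse_records(text):
    """Parse tab-delimited on-access records; raises on a record with too few fields."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) < 6:
            raise ValueError(f"malformed record: {raw!r}")
        _date, clock, action, user, process, target = fields[:6]
        detection = fields[6].strip() if len(fields) > 6 else ""
        when = datetime.strptime(clock.strip(), "%I:%M:%S %p").time()
        records.append(ScanRecord(when, action.strip(), user.strip(),
                                  process.strip().lower(), target.strip().lower(), detection))
    return records


def summarize_by_process(records):
    """Per initiating process: time window, distinct files touched, action counts, detections."""
    by_proc = defaultdict(list)
    for r in records:
        by_proc[r.process].append(r)
    summary = {}
    for proc, recs in by_proc.items():
        summary[proc] = {
            "first": min(r.when for r in recs).strftime("%H:%M:%S"),
            "last": max(r.when for r in recs).strftime("%H:%M:%S"),
            "targets": sorted({r.target for r in recs}),
            "actions": Counter(r.action for r in recs),
            "detections": sorted({r.detection for r in recs if r.detection}),
        }
    return summary


def unresolved_timeouts(records):
    """Targets whose scan timed out and that got no same-or-later record with a real verdict."""
    unresolved = set()
    for r in records:
        if not r.action.startswith(TIMEOUT_PREFIX):
            continue
        later_verdict = any(
            o.target == r.target and o.when >= r.when and not o.action.startswith(TIMEOUT_PREFIX)
            for o in records
        )
        if not later_verdict:
            unresolved.add(r.target)
    return sorted(unresolved)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for proc, info in summarize_by_process(recs).items():
        print(f"{proc}: {info['first']}-{info['last']} {dict(info['actions'])}")
        for t in info["targets"]:
            print("    ", t)
    print("timed out, never re-scanned:", unresolved_timeouts(recs))
```

On the sample above the summary has exactly two initiating processes, my.exe (only beep.sys touched) and yvspqn.exe (opxyz.sys plus the two .exe files and the objects reported inside them), which is the grouping the text relies on; opxyz.sys timed out once but the same file was cleaned and deleted in the following records, so nothing is reported as unresolved.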

Last update: 2006.
