Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
AccessProtectionLog.txt Log File Records
This section provides detailed information on the malicious files left behind by two Trojan attacks, which McAfee somehow failed to detect and delete.
I also reviewed the other McAfee log file, AccessProtectionLog.txt, and saw many records related to this PWS Trojan:
<date> 5:58:59 PM Would be blocked by Access Protection rule (rule is currently not enforced) hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\hyang\Local Settings\Temp\mmc.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked: Execute
And many other similar records:
<date> 5:58:59 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\hyang\Local Settings\Temp\mmc.exe
<date> 6:00:52 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 6:15:23 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 6:20:46 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\HBASKTAO.dll
<date> 6:20:55 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\HBASKTAO.dll
<date> 6:21:02 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\xboqpxabzp.exe
<date> 6:21:05 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\HBASKTAO.dll
<date> 6:21:19 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\xboqpxabzp.exe
<date> 6:21:44 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\System.exe
<date> 6:21:51 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\heb.exe
<date> 6:21:55 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\qcabyoprxy.exe
<date> 6:21:56 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\HBZHUXIAN.dll
<date> 6:21:59 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\heb.exe
<date> 6:22:01 PM hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\HBZHUXIAN.dll
<date> 6:22:44 PM hyang C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\Downloaded Program Files\Manager.exe
<date> 6:28:45 PM hyang C:\WINDOWS\Explorer.EXE C:\temp\wuauclt.exe
<date> 6:29:30 PM hyang C:\WINDOWS\Explorer.EXE C:\temp\wuauclt.exe
<date> 6:29:35 PM hyang C:\WINDOWS\Explorer.EXE C:\temp\windows\wuauclt.exe common programs
<date> 6:29:44 PM hyang C:\WINDOWS\Explorer.EXE C:\temp\windows\wuauclt.exe common programs
<date> 6:34:05 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 7:21:09 PM hyang C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 7:36:25 PM hyang C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 10:06:28 PM hyang C:\WINDOWS\Explorer.EXE C:\WINDOWS\Temp\mmhtml.dll common programs
<date> 10:32:11 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 10:33:31 PM hyang C:\WINDOWS\Explorer.EXE C:\WINDOWS\Temp\mmhtml.dll common programs
<date> 10:37:58 PM hyang C:\WINDOWS\Explorer.EXE C:\WINDOWS\Temp\mmhtml.dll common programs
<date> 10:39:08 PM hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Temp\mmhtml.dll
<date> 10:51:15 PM hyang C:\WINDOWS\Explorer.EXE C:\WINDOWS\Temp\mmhtml.dll common programs
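The records above are space-separated but the paths themselves contain spaces, so picking out the launching program and the file it ran is error-prone by hand. The following Python script is an added example, not code from this tutorial or from McAfee: it parses lines in the layout shown above, records whether the rule was only reporting (the "rule is currently not enforced" note), and tallies which programs ran files out of a Temp folder. The sample lines, the assumed wording of an enforced-mode record, and the helper names are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the layout of the records above (not a real log); "<date>" is kept as
# a placeholder. The last line is an ASSUMED variant with no "not enforced" note, standing in
# for the same rule in blocking mode; that wording is not taken from the tutorial.
SAMPLE_LOG = r"""
<date> 5:58:59 PM Would be blocked by Access Protection rule (rule is currently not enforced) hyang C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\hyang\Local Settings\Temp\mmc.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked: Execute
<date> 6:21:02 PM Would be blocked by Access Protection rule (rule is currently not enforced) hyang C:\WINDOWS\explorer.exe C:\temp\windows\system32\xboqpxabzp.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked: Execute
<date> 7:21:09 PM Blocked by Access Protection rule hyang C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Temp\mmhtml.dll Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked: Execute
"""

# Paths contain spaces, so the executable-style extension, not whitespace, delimits them.
PATH = r"[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd)"
RECORD = re.compile(
    r"^(?P<date>\S+) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?:(?P<message>.*?) )?(?P<user>\S+) "
    rf"(?P<source>{PATH}) (?P<target>{PATH})"
    r"(?: (?P<rule>.*?))?(?: Action blocked: (?P<action>\w+))?$",
    re.IGNORECASE,
)

def parse_record(line):
    """Parse one log line into a dict of fields, or return None if it does not fit the layout."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The parenthetical note means the rule only reported the event and did not block it.
    rec["enforced"] = "rule is currently not enforced" not in (rec["message"] or "")
    return rec

def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]

def is_temp_path(path):
    """True when the file sits anywhere below a directory named Temp (case-insensitive)."""
    return any(part.lower() == "temp" for part in PureWindowsPath(path).parts[:-1])

def summarize(records):
    """Count Temp-folder executions by enforcement status and tally (launcher, file) pairs."""
    summary = {"enforced": 0, "not_enforced": 0, "pairs": Counter()}
    for rec in records:
        if is_temp_path(rec["target"]):
            summary["enforced" if rec["enforced"] else "not_enforced"] += 1
            names = (PureWindowsPath(rec["source"]).name.lower(), PureWindowsPath(rec["target"]).name.lower())
            summary["pairs"][names] += 1
    return summary
```

A count of "not_enforced" records above zero is the finding this log illustrates: the Temp-folder rule saw every drop but was configured to report rather than block.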