TechSpot

Trojan Horse PSW.OnlineGames and other malware

By unhacker57
Dec 17, 2007
Topic Status:
Not open for further replies.
  1. Hi

    Working on a friend's computer. Dell 2400 XP Home Intel Pentium 4, two optical drives, Dell AIO A920 printer.

    This lady had no AV but only went online about once a week, so she never got in trouble. A house guest from China used the computer to play online games and visit Chinese porn sites, and this led to a massive infection.

    I've done the fifteen steps. Housecall worked well and did a lot. Panda found no rootkits. Combofix install failed due to corrupt files. I tried three times. Used the Deckard System Scanner instead. Two logs attached. Couldn't do the Smitfraud removal in Safe Mode as I cannot open in Safe Mode. Get an error saying there were problems, maybe a virus, Windows closed to protect itself. Read somewhere that malware may have a way to block Safe Mode from opening. If so, I'd love to fix that. No Vundo, no Virtumundo.

    AVG AV found 2061 infections and went into an "auto healing" procedure that hung at 98%. Rebooted and ran again until it finished.

    AVG Antispyware found nothing, so no log attached for that.

    HJT had to run in normal mode due to Safe mode problem. Log attached.

    Thanks for your consideration.

    unhacker57

    In edit: can't seem to get the DSS main text log to attach.
  2. evilfantasy

    evilfantasy Banned Posts: 428

    What about the combofix log?


    Go to Start > Run and type in Services.msc then click OK
    Click the Extended tab.
    Scroll down until you find the service.
    Click once on the service to highlight it.
    Click Stop

    Right-Click on the service.
    Click on 'Properties'
    Select the 'General' tab
    Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
    From the drop-down menu, click on 'Disabled'
    Click the 'Apply' tab, then click 'OK'
    The service is now stopped and disabled.


    Open HijackThis and select Do a system scan only, then place a check mark next to:

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O20 - AppInit_DLLs: kapjazy.dll
    O21 - SSODL: 7bjnvz7 - {A2A2A2A2-3B3B-D5D5-5D5D-E6E6E6E6E6E6} - C:\WINDOWS\system32\CKOWAIM.dll (file missing)
    O21 - SSODL: zahsz - {7AD0369C-7AD0-369C-369C-F258BE147AD0} - C:\WINDOWS\system32\DSDSD.dll (file missing)
    O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)

    Close all browser windows and click Fix checked


    Attach the combofix log along with a new HijackThis log.
  3. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    msgqueue.exe did not appear in the Services.msc list. I checked it to be fixed in HJT but it came back again.

    As for Combofix, see my first post. The install failed supposedly due to corrupt files.

    In edit: I am having trouble with this uploader. Not doing it.
  4. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    try again to submit logs

    uploader not working
  5. evilfantasy

    evilfantasy Banned Posts: 428

    Run this instead of combofix.

    Download SUPERAntiSpyware (SAS): SUPERAntiSpyware Free Edition

    Install it and double-click the icon on your desktop to run it.
    * It will ask if you want to Update the program definitions, click Yes.
    * Under Configuration and Preferences, click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    * On the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment along with a new HijackThis log in the next post.
  6. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Please see my first post. I cannot boot in safe mode.
  7. evilfantasy

    evilfantasy Banned Posts: 428

    Yea, I will wake up in a minute, sorry. Use the SUPERAntiSpyware in normal boot mode instead.
  8. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    No problem. I appreciate the help. SAS is running right now but I'm not having much luck with this uploader. I do the steps correctly but the file doesn't get attached.
  9. evilfantasy

    evilfantasy Banned Posts: 428

    If you have to just copy and paste the logs in the post.
  10. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ok, SAS log and new HJT log
  11. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    OK, I'm stumped. I had the SAS file attached to the last post. The HJT log didn't attach so I pasted it. Neither one appears after I hit Post.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:13:14 PM, on 12/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1130356333218
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 6935 bytes
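    As an added example that is not part of the original thread (not TechSpot's, Trend Micro's or HijackThis's own code), here is a small Python triage script for HijackThis log lines. The sample lines are copied from the logs posted in this thread; the severity rules are my own heuristics, an assumption rather than anything HijackThis itself does, and they encode what evilfantasy checked in post 2: AppInit_DLLs and SSODL entries, "(file missing)" orphans, and O23 services with no vendor. The short service name it pulls out of an O23 line is the name the Services.msc step needs.

```python
"""Triage HijackThis (HJT) log lines for the persistence entries discussed in the thread.

Added example; the rules below are illustrative heuristics, not a malware verdict.
"""
import re

# Constructed sample: a handful of lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: kapjazy.dll
O21 - SSODL: 7bjnvz7 - {A2A2A2A2-3B3B-D5D5-5D5D-E6E6E6E6E6E6} - C:\WINDOWS\system32\CKOWAIM.dll (file missing)
O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

# "O23 - <body>": section code, then the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O23 body: "Service: Display Name (shortname) - Owner - path"; the (shortname) part is optional in HJT output.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


def parse_entry(line):
    """Split one HJT line into (section, body); return None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def assess(section, body):
    """Return (reasons, service_short_name) for one entry; an empty reasons list means 'not flagged'."""
    reasons = []
    short_name = None
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs loads the named DLL into every process that loads user32.dll")
    elif section == "O20":
        reasons.append("Winlogon Notify package runs at logon; verify the vendor")
    if section == "O21":
        reasons.append("SSODL (ShellServiceObjectDelayLoad) is loaded by Explorer at logon and is rarely legitimate")
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned or partially removed entry)")
    if section == "O23":
        svc = SERVICE_RE.match(body)
        if svc:
            short_name = svc.group("short") or svc.group("display")
            if svc.group("owner") == "Unknown owner":
                reasons.append(f"service '{short_name}' carries no vendor information")
    return reasons, short_name


def severity_for(section, body, reasons):
    """Heuristic severity (assumption): code-injection style entries are high; orphans and unknown vendors medium."""
    if not reasons:
        return None
    if section == "O21" or (section == "O20" and body.startswith("AppInit_DLLs:")):
        return "high"
    if section == "O23" and len(reasons) >= 2:  # unknown owner AND file missing
        return "high"
    return "medium"


def triage(log_text):
    """Return flagged entries, in log order, as dicts: section, severity, reasons, service, line."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        section, body = parsed
        reasons, service = assess(section, body)
        sev = severity_for(section, body, reasons)
        if sev:
            findings.append({"section": section, "severity": sev, "reasons": reasons,
                             "service": service, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
        if f["service"]:
            print(f"    service to stop/disable in Services.msc: {f['service']}")
```

    Run it against a pasted HJT log and review the flagged lines by hand: a "(file missing)" O9 button, like the MUSICMATCH entry in post 2, is harmless clutter, while an AppInit_DLLs DLL or an unknown-owner service whose binary is gone is exactly what the helper asked to have fixed and disabled.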
     
  12. evilfantasy

    evilfantasy Banned Posts: 428

    Maybe it is too large, try breaking it into two notepads and attaching them like that.

    Or copy and paste one half in one post and the other in the next.
  13. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ok, looks like I got it. Weird.

    The previous post has the SAS log attached. Can you see the attachment?
  14. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    When I rebooted I got an error message:

    rundll32.exe - Bad Image

    DLL c:\windows\system32\yprlnwb.dll is not a valid image

    Please check against your installation diskette
  15. evilfantasy

    evilfantasy Banned Posts: 428

    I think one more scan would be wise.

    Run this online scan.

    Requires Internet Explorer

    Use the ESET Nod32 Online Scanner
    1. Check the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the activex control to install
    4. Click Start
    5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
    6. Click Scan
    7. Wait for the scan to finish
    8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    9. Attach the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply
  16. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    ok, here's the Eset log. Doesn't look too good.
  17. evilfantasy

    evilfantasy Banned Posts: 428

    If you have combofix delete it and try to download it from one of the links here.

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your your Desktop.

    • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    • When finished, it will produce a log for you.
    • Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall

    Also attach a new HijackThis log.
  18. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Combofix installed this time and it has been running. Went through about 28 steps and now there is a window up that says Deleting Files/folders and there are three items showing and a yellow cursor blinking, but it seems to have stalled there. The Windows taskbar disappeared also.

    Is Combofix likely to get going again, and if not, what should I do?

    PS one of the files it is deleting is C:\WINDOWS\system32\drivers\yprlnwb.sys which looks like it is related to the error message I reported on reboot.

    PS: I am posting this on a different computer.

    In edit: Closed Combofix and force quit. Still got the error message on reboot. Amazing, Zonealarm AV is now on for the first time since we bought it two months ago. Was always blocked before. Getting updates now and then I will run Combofix again.
  19. evilfantasy

    evilfantasy Banned Posts: 428

    Give it some time and see if it completes. Shouldn't take more than 15-20 minutes. If it doesn't, then manually reboot the computer.

    Combofix stores backups of all deletions in C:\qoobox if they are needed. There should be a log in C:\Combofix if the log does not come up on reboot, see if it is in there.

    yprlnwb.sys is an infection so hopefully combofix will get rid of it. If not we will move to something else.
  20. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Since ZA AV finally opened I did a defs update and I am running a scan.

    ZA found 195 viruses and quarantined them. I think these trojans are using System Restore to come back on reboots.

    Running a new Combofix scan.
  21. evilfantasy

    evilfantasy Banned Posts: 428

    Yes, some trojans/vundo have the ability to recreate themselves before normal removal methods can remove them. Which is why we need to try something else.

    If Combofix will not complete, then run a new Deckard's scan and attach the main and extra text.

    But first, try to run SDFix. If you have problems getting into Safe Mode with the F8 method, then don't try any other method; just run the Deckard's scan and post those logs.

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
    * Finally add the contents of the Report.txt in your next post as an Attachment

    Also attach a new HijackThis log
  22. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Combofix is stuck again on DeletingFiles/Folders

    There is only one file this time:

    C:\WINDOWS\system32\drivers\yprlnwb.sys

    This was where it stopped last time so maybe this file is causing it a problem. I'll give it ten more minutes and crash stop again.
  23. evilfantasy

    evilfantasy Banned Posts: 428

    OK, we will have to try other methods of finding the malware.

    See if you can get to Safe Mode by the F8 method for SDFix.

    If not, then do a new Deckard's scan and post both logs and I will see if I can find it the hard way.
  24. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Rebooted and looked for a Combofix log. If it's there, it's well disguised. Looked through the C:\Combofix folder. There's over a hundred files there, but no log. Looked through qoobox. No sign of a log, but in reg backups I saw two files with yprlnwb in their names. One is LEGACY_YPRLNWB.reg.dat and the other is services_yprlnwb.reg.dat. These are in the Quarantine folder under Reg backup.

    I'm going to try deleting Combofix and reinstalling. I may have had something corrupt from the first failed install attempts.
  25. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Combofix doesn't show up in the Installed programs list so I don't know how to uninstall it.

    The last few times I rebooted, I kept getting this error message that yprlnwb.dll is not a valid file.

    Any ideas how to proceed?