Trojan Horse PSW.OnlineGames and other malware

Status
Not open for further replies.

unhacker57

Posts: 62   +0
Hi

Working on a friend's computer. Dell 2400 XP Home Intel Pentium 4, two optical drives, Dell AIO A920 printer.

This lady had no AV but only went online about once a week so never got in trouble. A house guest from China used the computer to play online games and visit Chinese porn sites and this led to massive infection.

I've done the fifteen steps. Housecall worked well and did a lot. Panda found no rootkits. Combofix install failed due to corrupt files. I tried three times. Used the Deckard System scanner instead. Two logs attached. Couldn't do the Smitfraud removal in Safe Mode as I cannot open in Safe Mode. Get an error saying there were problems, maybe a virus, Windows closed to protect itself. Read somewhere that malware may have a way to block Safe Mode opening. If so, I'd love to fix that. No Vundo, no Virtumundo.

AVG AV found 2061 infections and went into an "auto healing" procedure that hung at 98%. Rebooted and ran again until it finished.

AVG Antispyware found nothing, so no log attached for that.

HJT had to run in normal mode due to Safe mode problem. Log attached.

Thanks for your consideration.

unhacker57

In edit: can't seem to get the DSS main text log to attach.
 
What about the combofix log?


Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find the service.
msgqueue.exe
Click once on the service to highlight it.
Click Stop

Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


Open HijackThis and select Do a system scan only then place a check mark next to:

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - AppInit_DLLs: kapjazy.dll
O21 - SSODL: 7bjnvz7 - {A2A2A2A2-3B3B-D5D5-5D5D-E6E6E6E6E6E6} - C:\WINDOWS\system32\CKOWAIM.dll (file missing)
O21 - SSODL: zahsz - {7AD0369C-7AD0-369C-369C-F258BE147AD0} - C:\WINDOWS\system32\DSDSD.dll (file missing)
O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)

Close all browser windows and click Fix checked


Attach the combofix log along with a new HijackThis log.
 
msgqueue.exe did not appear in the Services.msc list. I checked it to be fixed in HJT but it came back again.

As for Combofix, see my first post. The install failed supposedly due to corrupt files.

In edit: I am having trouble with this uploader. Not doing it.
 
Run this instead of combofix.

Download Superantispyware (SAS) SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment along with a new HijackThis log in the next post.
 
No problem. I appreciate the help. SAS is running right now but I'm not having much luck with this uploader. I do the steps correctly but the file doesn't get attached.
 
ok, I'm stumped. I had the SAS file attached to the last post. The HJT log didn't attach so I pasted it. Neither one appears after I hit Post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:14 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1130356333218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6935 bytes
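The triage the helper does by eye on the HJT fix list above and on this pasted log (entries whose target file is gone, services with no vendor string, AppInit_DLLs and SSODL load points) can be written down as a small parser. The following Python is an added example for this page, not a tool from the thread or from Trend Micro; the sample lines are copied from the HijackThis output quoted in this thread, and the flagging rules, the `Finding` structure and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis output quoted in this
# thread (the helper's fix list and the user's pasted log). Not a full log.
SAMPLE_LOG = r'''
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: kapjazy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: 7bjnvz7 - {A2A2A2A2-3B3B-D5D5-5D5D-E6E6E6E6E6E6} - C:\WINDOWS\system32\CKOWAIM.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Message Queue (msgqueue) - Unknown owner - C:\WINDOWS\system32\msgqueue.exe (file missing)
'''

# Every HJT entry starts with a section code (R0, O2, O23, ...) and " - ".
_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Reasons an entry is worth a second look (hypothetical rule set for this example).
FILE_MISSING = "target file missing (orphaned entry, typically left by deleted malware)"
UNKNOWN_OWNER = "service has no vendor string ('Unknown owner')"
APPINIT = "AppInit_DLLs: DLL injected into every process that loads user32.dll"
SSODL = "SSODL: shell service object loaded by Explorer at every logon"
WINLOGON_NOTIFY = "Winlogon Notify DLL: runs inside winlogon.exe, verify the vendor"


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str]
    line: str


def extract_path(body: str) -> Optional[str]:
    """Pull the DOS path out of an entry body, dropping args and '(file missing)'."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"([A-Za-z]:\\.*?)(?:\s+\(file missing\)|\s+/\S*|\s*$)", body)
    return bare.group(1) if bare else None


def classify(section: str, body: str) -> List[str]:
    """Apply the triage rules to one entry; an empty list means 'nothing notable'."""
    reasons = []
    if "(file missing)" in body:
        reasons.append(FILE_MISSING)
    if section == "O23" and "Unknown owner" in body:
        reasons.append(UNKNOWN_OWNER)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append(APPINIT)
    if section == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append(WINLOGON_NOTIFY)
    if section == "O21" and body.startswith("SSODL:"):
        reasons.append(SSODL)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse an HJT log and return only the entries that tripped a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blanks
        reasons = classify(m["section"], m["body"])
        if reasons:
            findings.append(Finding(m["section"], extract_path(m["body"]), reasons, line))
    return findings


def fix_candidates(findings: List[Finding]) -> List[str]:
    """Lines to tick under 'Do a system scan only': orphaned or unattributed load points."""
    strong = {FILE_MISSING, UNKNOWN_OWNER, APPINIT, SSODL}
    return [f.line for f in findings if strong & set(f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path or '(no path)'}")
        for r in f.reasons:
            print("   -", r)
    print("\nFix candidates:")
    for line in fix_candidates(triage(SAMPLE_LOG)):
        print("  [x]", line)
```

Run against the sample, the parser flags the two O20 entries, the SSODL entry and the msgqueue service, and lists three of them as fix candidates; the Winlogon Notify entry is reported for review only, since its path sits under a known product directory. An entry like `O23 ... msgqueue.exe (file missing)` with no vendor string is exactly the combination the helper told the user to fix, and the reason it did not show in Services.msc is consistent with the file itself already being gone.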
 
Maybe it is too large, try breaking it into two notepads and attaching them like that.

Or copy and paste one half in one post and the other in the next.
 
When I rebooted I got an error message:

rundll32.exe - Bad Image

DLL c:\windows\system32\yprlnwb.dll is not a valid image

Please check against your installation diskette
 
I think one more scan would be wise.

Run this online scan.

Requires Internet Explorer

Use the ESET Nod32 Online Scanner
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Attach the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply
 
If you have combofix delete it and try to download it from one of the links here.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

  • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
  • When finished, it will produce a log for you.
  • Attach that log in your next reply.

Do not mouseclick combofix's window while it's running. That may cause your computer to stall.

Also attach a new HijackThis log.
 
Combofix installed this time and it has been running. Went through about 28 steps and now there is a window up that says Deleting Files/folders and there are three items showing and a yellow cursor blinking but it seems to have stalled there. The Windows taskbar disappeared also.

Is Combofix likely to get going again and if not what should I do?

PS one of the files it is deleting is C:\WINDOWS\system32\drivers\yprlnwb.sys which looks like it is related to the error message I reported on reboot.

PS I am posting this on a different computer.

In edit: Closed Combofix and force quit. Still got the error message on reboot. Amazing, Zonealarm AV is now on for the first time since we bought it two months ago. Was always blocked before. Getting updates now and then I will run Combofix again.
 
Give it some time and see if it completes. Shouldn't take more than 15-20 minutes. If it doesn't then manually reboot the computer.

Combofix stores backups of all deletions in C:\qoobox if they are needed. There should be a log in C:\Combofix if the log does not come up on reboot, see if it is in there.

yprlnwb.sys is an infection so hopefully combofix will get rid of it. If not we will move to something else.
 
Since ZA AV finally opened I did a defs update and I am running a scan.

ZA found 195 viruses and quarantined them. I think these trojans are using system restore to come back on reboots.

Running a new Combofix scan.
 
I think these trojans are using system restore to come back on reboots.

Yes, some trojans/vundo have the ability to recreate themselves before normal removal methods can remove them. Which is why we need to try something else.

If combofix will not complete then run a new Deckards scan and attach the main and extra text.

But first, try to run SDFix. If you have problems getting into safe mode with the F8 method then don't try any other method, just run the Deckards scan and post those logs.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post as an Attachment

Also attach a new HijackThis log
 
Combofix is stuck again on DeletingFiles/Folders

There is only one file this time:

C:\WINDOWS\system32\drivers\yprlnwb.sys

This was where it stopped last time so maybe this file is causing it a problem. I'll give it ten more minutes and crash stop again.
 
OK, we will have to try other methods of finding the malware.

See if you can get to Safe Mode by the F8 method for SDFix.

If not then do a new Deckards Scan and post both logs and I will see if I can find it the hard way.
 
Rebooted and looked for a Combofix log. If it's there, it's well disguised. Looked through the C:\Combofix folder. There's over a hundred files there, but no log. Looked through qoobox. No sign of log but in reg backups I saw two files with yprlnwb in their names. One is LEGACY_YPRLNWB.reg.dat and the other is services_yprlnwb.reg.dat. These are in the Quarantine folder under Reg backup.

I'm going to try deleting Combofix and reinstalling. I may have had something corrupt from the first failed install attempts.
 
Combofix doesn't show up in the Installed programs list so I don't know how to uninstall it.

The last few times I rebooted, I kept getting this error message that yprlnwb.dll is not a valid file.

Any ideas how to proceed?
 