Trojan Horse PSW.OnlineGames and other malware

Discussion in 'Virus and Malware Removal' started by unhacker57, Dec 17, 2007.

  1. evilfantasy Banned Posts: 428

    We are making some progress now.

    Try the Combofix again, hopefully it will go to the end this time.

    Post a new HijackThis log with it.
  2. unhacker57 Newcomer, in training Posts: 64

    Ok, meanwhile here is the Deckard Main log. The extra one escaped.
  3. unhacker57 Newcomer, in training Posts: 64

    Combofix again gets to Deleting files/folders and there is one file there:

    C:\windows\systems32\drivers\yprlnwb.sys

    I let it sit there like this for an hour earlier. Should I wait longer?
  4. evilfantasy Banned Posts: 428

    No, I want to do some cleanup and start new on the scans. There is too much junk on the computer. This tool will remove all of the special tools and their related files/folders we have been using.

    After it is complete try combofix, if it hangs, forget it for now.

    Then try to boot to safe mode and try SDFix, which will hopefully run.

    Remember to turn off ZA, each time you restart the computer it turns back on.


    Please download OTMoveIt by OldTimer OTMoveIt.exe and place it on your desktop.

    1. Double click OTMoveIt.exe to launch it.
    2. Click on the CleanUp! button.
    3. OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. You will be prompted to allow the clean up procedure, click Yes
    5. When finished exit out of OTMoveIt



    Download a new combofix.

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    • When finished, it will produce a log for you.
    • Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall.




    New SDFix.

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
    * Finally add the contents of the Report.txt in your next post as an Attachment


    I will be looking through the Deckard log. Let me know............
  5. evilfantasy Banned Posts: 428

    OK, found something more in the log. The virus has disabled Safe Mode.

    Download and run AVZ from this link Repair SafeBoot

    • Unzip it to a folder on your desktop
    • Double click on AVZ.exe (Must be unzipped or the options will not appear)
    • Click on the file tab and then click on System recovery
    • Put a checkmark next to Restore SafeBoot registry keys
    • Click on Execute selected operations
    • Restart the computer and see if you can enter safe mode by the F8 method and run SDFix.
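The "Restore SafeBoot registry keys" step above recreates the keys Windows reads to build Safe Mode, which this kind of malware deletes. As an added example, not from the thread or from AVZ, this read-only PowerShell check reports whether those keys are still present; the "fewer than 10 entries" threshold is an assumption (stock installs carry dozens of entries per mode).

```powershell
# Added example, not from the thread or from AVZ: report whether the registry keys
# Windows needs for Safe Mode are still present. Read-only; run from an elevated
# PowerShell prompt. Changes nothing, so it is safe to run before any repair tool.
$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootKeys {
    $report = [ordered]@{}
    # "Minimal" backs plain Safe Mode, "Network" backs Safe Mode with Networking.
    foreach ($mode in 'Minimal', 'Network') {
        $path = Join-Path $SafeBootKey $mode
        if (-not (Test-Path $path)) {
            $report[$mode] = 'MISSING - this Safe Mode variant cannot boot'
            continue
        }
        # Every subkey names a driver, service or device-class GUID allowed in that
        # mode. A near-empty key is as suspicious as a missing one (threshold of 10
        # is an assumption; a stock install carries dozens of entries).
        $entries = @(Get-ChildItem -Path $path)
        if ($entries.Count -lt 10) {
            $report[$mode] = "present but only $($entries.Count) entries - likely tampered"
        } else {
            $report[$mode] = "present, $($entries.Count) entries"
        }
    }
    # Shell used by "Safe Mode with Command Prompt"; Windows installs cmd.exe here.
    $shell = (Get-ItemProperty -Path $SafeBootKey -ErrorAction SilentlyContinue).AlternateShell
    $report['AlternateShell'] = if ($shell) { $shell } else { 'MISSING' }
    return $report
}

Test-SafeBootKeys
```

If either mode reports MISSING, the F8 boot into that mode will fail until the keys are restored, which is exactly the symptom the AVZ step addresses.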
  6. unhacker57 Newcomer, in training Posts: 64

    Ya mon. Safe mode back. Got to dl SDfix.
  7. unhacker57 Newcomer, in training Posts: 64

    SDFix ran ok. Still have the yprlnwb error messages on boot.
  8. evilfantasy Banned Posts: 428

    OK, try combofix.


    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    • When finished, it will produce a log for you.
    • Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall.
  9. unhacker57 Newcomer, in training Posts: 64

    Combofix did the same thing again. I don't think it was removed by that utility you gave me OTMOVEIT. I don't think that did anything.
  10. evilfantasy Banned Posts: 428

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u

    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    Then try combofix once again.

    Are you turning off ZA before the scan?

    If it will not run then post a fresh Deckard's scan.
  11. unhacker57 Newcomer, in training Posts: 64

    Uninstalled Combofix, downloaded it, ran it, same result. Hangs on deleting that one file.
  12. unhacker57 Newcomer, in training Posts: 64

    Here's the Deckard log
  13. evilfantasy Banned Posts: 428

    OK, I will stop with the combofix finally. :blackeye:

    As for the C:\windows\systems32\drivers\yprlnwb.sys error.

    We can delete it, but I haven't seen it in any logs. I don't want to delete a legitimate system file and crash you out.

    EDIT, did the extra text come out this time?
  14. evilfantasy Banned Posts: 428

    OK, found another one.


    First uninstall Spysweeper, we don't need it and it may try to block any fixes we do.

    Remember to turn off Zone Alarm before running The Avenger.

    Now download The Avenger By Swandog46, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the Input script manually box.
    * Click on the Magnifying Glass Icon which will open a new window titled View/edit script
    * Copy everything in the Quote box below, and paste it in the box that opens:

    Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

    * Now click the 'Done' button.
    * Click on the Green Light and OK the prompt.
    * You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    The Avenger will automatically do the following:

    * It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    * On reboot, it will briefly open a black command window on your desktop, this is normal.
    * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Please attach the C:\avenger.txt in your next post.

    ----------

    Create a Startup List

    1. Open HijackThis and select Open the Misc Tools section
    2. Click on the button which says Generate StartupList log
    3. Click Yes when prompted and a notepad document will open.
    4. Save the log to the desktop and attach it in the next post.

    ----------

    Create An Uninstall List

    1. Start HijackThis
    2. Click on the Open the Misc Tools section
    3. Click on the Open Uninstall Manager button.
    4. Click on the Save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
    5. Save it to your desktop
    6. Add the uninstall_list.txt as an attachment in the next post.

    ----------

    Next post please attach
    avenger.txt
    Startup list
    Uninstall list



    ----------

    After those are attached.

    This one will not produce a log, but you can let me know what was found. (if anything)

    Download CounterSpy V2. CounterSpy is a 15-day full-featured evaluation.

    1. Double click the installer on the desktop
    2. After Counterspy is installed and you have restarted your computer (if prompted), double-click the icon on your desktop to begin the install.
    3. The Getting Started setup wizard opens. The wizard will guide you through the initial steps needed to configure CounterSpy.
    ** When the Activate Now prompt appears just click Next

    To scan your computer
    1. Click System Scan on the main page. The System Scan page opens.
    2. Set the scan options on the left side of the page. We recommend selecting Full System scan.
    3. Click Scan Now. CounterSpy starts scanning your computer. After the scan is complete, the CounterSpy System Scan Results summary window opens.
    4. Review the summarized information, then click View Results. You return to the System Scan results page.

    To take action against a security risk
    1. Select a security risk.
    2. Make a selection from the Recommended Action drop down menu next to it and select Remove
    ** Select Remove in all menus
    3. Check the Create restore point option. This will create the Windows backup (useful in case something goes wrong). Then press Take Action
    4. Now CounterSpy will ask you to confirm your actions. Press Yes within the window that appears. This will start the removal process.
    5. The program may need to reboot your computer. Clicking Yes if prompted is highly recommended.
  15. unhacker57 Newcomer, in training Posts: 64

    Just catching up. Deckard seems to be sending the Extra log somewhere differently than it used to. I have gone looking for it but no luck. I will run another one today.

    The two error messages I get on boot are first:

    rundll 32.exe-Bad Image
    DLL C:\windows\system32\yprlnwb.dll
    is not a valid windows image
    Please check against your installation diskette

    The second error message is:

    Rundll
    Error loading C:\windows\system32\yprlnwb.dll
    %1 is not a valid Win32 application

    That utility you gave me to check on this led me to links that said this was a nasty called totour.exe

    Did you read those links I posted?

    I don't know what the connection is between totour and yprlnwb though.

    ComboFix is also trying to remove that file and it is failing. This seems to correlate with other posts that this is a particularly hard one to remove.

    I definitely want to resolve this one if only because these error messages are a nuisance, but if this thing is the heart of this virus infection, then obviously it must go.
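The two dialogs quoted above ("Bad Image" and "%1 is not a valid Win32 application") are what rundll32 reports when an autostart entry still points at a DLL that is gone or no longer a valid PE image, which is the usual leftover after a partial removal. As an added example, not from the thread or from any of the tools it mentions, this read-only PowerShell script lists Run/RunOnce entries that load a DLL through rundll32 and flags the ones whose target is missing or fails the MZ/PE header check; the registry locations it scans are the standard Run keys, and resolving a bare file name against System32 is an assumption.

```powershell
# Added example, not from the thread: find rundll32 autostart entries whose DLL is
# missing or is not a valid Win32 image. Read-only: it reports, it removes nothing.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-PeHeader([string]$File) {
    # A loadable image starts with 'MZ', and the e_lfanew field at offset 0x3C
    # points at a 'PE\0\0' signature. Anything else produces the Bad Image dialog.
    $bytes = [System.IO.File]::ReadAllBytes($File)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 4 -gt $bytes.Length) { return $false }
    return ($bytes[$peOffset] -eq 0x50 -and $bytes[$peOffset + 1] -eq 0x45 -and
            $bytes[$peOffset + 2] -eq 0 -and $bytes[$peOffset + 3] -eq 0)
}

function Get-RundllAutostartStatus {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $cmd = [string]$p.Value
            # Match "rundll32[.exe] <path>.dll[,entry]" with or without quotes.
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') {
                $dll = $Matches[2]
                # Assumption: a bare file name is taken to live in System32.
                if (-not [System.IO.Path]::IsPathRooted($dll)) {
                    $dll = Join-Path $env:SystemRoot "System32\$dll"
                }
                $status = if (-not (Test-Path -LiteralPath $dll)) { 'DLL missing' }
                          elseif (-not (Test-PeHeader $dll)) { 'not a valid PE image' }
                          else { 'ok' }
                [pscustomobject]@{ Key = $key; Name = $p.Name; Dll = $dll; Status = $status }
            }
        }
    }
}

Get-RundllAutostartStatus | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

An entry reported here is the reference that keeps the boot-time error alive; the flagged value and the file it names are what a removal tool has to clear together.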
  16. unhacker57 Newcomer, in training Posts: 64

    Avenger won't run. Error message:

    Could not open script file. Please verify that path name is valid and file exists
  17. unhacker57 Newcomer, in training Posts: 64

    Here's the lists from HJT:

    startup
    uninstall
  18. unhacker57 Newcomer, in training Posts: 64

    CounterSpy worked. Found some nasties:

    Bifrost
    Backdoor
    Author: Evileye Software.com
    Bifrost is an advanced remote administration tool that allows users to remotely control computers behind firewalls and routers
    location: HKEY_Users\S-1-5-21-2867663507-3293229926-269589

    ShellHook
    location: HKEY_local_machine\software\classes\clsii\{AEB6?..rest of entry not visible

    Adspy/Kubar.A l Toolbar
    location: C:\Windows\system32\inet.dll

    I selected Remove for all of these. There were a few cookies too. CS said it removed them all. I'm running this scan again as it seems very thorough.
  19. unhacker57 Newcomer, in training Posts: 64

    New Deckard scan. It looks to me as if it no longer is generating an Extra log. It used to pop two notepad files right up, now only one. I looked in the Deckard folder, nothing but main.txt.

    Second CounterSpy scan found nothing.
  20. evilfantasy Banned Posts: 428

    OK, I am ready again.....



    Please download OTMoveIt by OldTimer OTMoveIt.exe and place it on your desktop.

    Double click OTMoveIt.exe to launch it.
    Be sure there is a check mark next to Unregister Dll's and OCX's
    Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

    Then click the MoveIt! button.
    * The list will be processed and the results will appear in the right hand pane.
    * If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    * When finished click Exit to exit the program.
    * A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please attach the log back here.