Trojan Horse PSW.OnlineGames and other malware

By unhacker57
Dec 17, 2007
Topic Status:
Not open for further replies.
  1. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Uninstalled Combofix, downloaded it, ran it, same result. Hangs on deleting that one file.
  2. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Here's the Deckard log
  3. evilfantasy

    evilfantasy Banned Posts: 428

    OK, I will stop with the combofix finally. :blackeye:

    As for the C:\windows\systems32\drivers\yprlnwb.sys error.

    We can delete it but I haven't seen it in any logs. I don't want to delete a legitimate system file and crash you out.

    EDIT, did the extra text come out this time?
  4. evilfantasy

    evilfantasy Banned Posts: 428

    OK, found another one.


    First uninstall Spysweeper, we don't need it and it may try to block any fixes we do.

    Remember to turn off Zone Alarm before running The Avenger.

    Now download The Avenger By Swandog46, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the Input script manually box.
    * Click on the Magnifying Glass Icon which will open a new window titled View/edit script
    * Copy everything in the Quote box below, and paste it in the box that opens:

    Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

    * Now click the 'Done' button.
    * Click on the Green Light and OK the prompt.
    * You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    The Avenger will automatically do the following:

    * It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    * On reboot, it will briefly open a black command window on your desktop, this is normal.
    * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Please attach the C:\avenger.txt in your next post.

    ----------

    Create a Startup List

    1. Open HijackThis and select Open the Misc Tools section
    2. Click on the button which says Generate StartupList log
    3. Click Yes when prompted and a notepad document will open.
    4. Save the log to the desktop and attach it in the next post.

    ----------

    Create An Uninstall List

    1. Start HijackThis
    2. Click on the Open the Misc Tools section
    3. Click on the Open Uninstall Manager button.
    4. Click on the Save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
    5. Save it to your desktop
    6. Add the uninstall_list.txt as an attachment in the next post.

    ----------

    Next post please attach
    avenger.txt
    Startup list
    Uninstall list



    ----------

    After those are attached.

    This one will not produce a log, but you can let me know what was found. (if anything)

    Download CounterSpy V2. CounterSpy is a 15 day full featured evaluation.

    1. Double click the installer on the desktop
    2. After Counterspy is installed and you have restarted your computer (if prompted), double-click the icon on your desktop to begin the install.
    3. The Getting Started setup wizard opens. The wizard will guide you through the initial steps needed to configure CounterSpy.
    ** When the Activate Now prompt appears just click Next

    To scan your computer
    1. Click System Scan on the main page. The System Scan page opens.
    2. Set the scan options on the left side of the page. We recommend selecting Full System scan.
    3. Click Scan Now. CounterSpy starts scanning your computer. After the scan is complete, the CounterSpy System Scan Results summary window opens.
    4. Review the summarized information, then click View Results. You return to the System Scan results page.

    To take action against a security risk
    1. Select a security risk.
    2. Make a selection from the Recommended Action drop down menu next to it and select Remove
    ** Select Remove in all menus
    3. Check the Create restore point option. This will create the Windows backup (useful in case something goes wrong). Then press Take Action
    4. Now CounterSpy will ask you to confirm your actions. Press Yes within the window that appears. This will start the removal process.
    5. The program may need to reboot your computer. Clicking Yes if prompted is highly recommended.
  5. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Just catching up. Deckard seems to be sending the Extra log somewhere differently than it used to. I have gone looking for it but no luck. I will run another one today.

    The two error messages I get on boot are first:

    rundll 32.exe-Bad Image
    DLL C:\windows\system32\yprlnwb.dll
    is not a valid windows image
    Please check against your installation diskette

    The second error message is:

    Rundll
    Error loading C:\windows\system32\yprlnwb.dll
    %1 is not a valid Win32 application

    That utility you gave me to check on this led me to links that said this was a nasty called totour.exe

    Did you read those links I posted?

    I don't know what the connection is between totour and yprlnwb though.

    ComboFix is also trying to remove that file and it is failing. This seems to correlate with other posts that this is a particularly hard one to remove.

    I definitely want to resolve this one if only because these error messages are a nuisance, but if this thing is the heart of this virus infection, then obviously it must go.
  6. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Avenger won't run. Error message:

    Could not open script file. Please verify that path name is valid and file exists
  7. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Here's the lists from HJT:

    startup
    uninstall
  8. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    CounterSpy worked. Found some nasties:

    Bifrost
    Backdoor
    Author: Evileye Software.com
    Bifrost is an advanced remote administration tool that allows users to remotely control computers behind firewalls and routers
    location: HKEY_Users\S-1-5-21-2867663507-3293229926-269589

    ShellHook
    location: HKEY_local_machine\software\classes\clsii\{AEB6?..rest of entry not visible

    Adspy/Kubar.A l Toolbar
    location: C:\Windows\system32\inet.dll

    I selected Remove for all of these. There were a few cookies too. CS said it removed them all. I'm running this scan again as it seems very thorough.
  9. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    New Deckard scan. It looks to me as if it no longer is generating an Extra log. It used to pop two notepad files right up, now only one. I looked in the Deckard folder, nothing but main.txt.

    Second CounterSpy scan found nothing.
  10. evilfantasy

    evilfantasy Banned Posts: 428

    OK, I am ready again.....



    Please download OTMoveIt by OldTimer OTMoveIt.exe and place it on your desktop.

    Double click OTMoveIt.exe to launch it.
    Be sure there is a check mark next to Unregister Dll's and OCX's
    Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

    Then click the MoveIt! button.
    * The list will be processed and the results will appear in the right hand pane.
    * If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    * When finished click Exit to exit the program.
    * A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please attach the log back here please.
  11. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    I get an error message saying cannot create file C:\_OTMoveit\MovedFiles\12192007_141722.log

    In the results pane it says File/folder C:\Windows\systems32ztinetzt.exe not found

    I just got off the phone with Dell tech support. The guy did a live session where he remoted on to this computer and removed some startup stuff, a bunch of prefetch files and some IE addons. Maybe this deleted this file ztinetzt?

    He also told me the other file that is causing the error messages on startup is definitely malware. He said they have had a lot of calls on it in the past few days. This is the yprlnwb.dll file. I'm for removing it.

    in edit: checked My Computer and I don't see this file (ztinetzt) in the Windows\system32 folder.
     
  12. evilfantasy

    evilfantasy Banned Posts: 428

    OK, I think it is time to get rid of it.

    ----------

    Follow these steps to create a backup of the registry.

    • Click the Start button, then click Run. The Run window opens.
    • Type REGEDIT, then click OK. The Registry Editor opens.
    • Choose Registry, Export Registry File.
    • Verify the following entries in the Export Registry File Dialog Box:
      • Save in: Desktop
      • File Name: Registry Backup
      • Export Range: All
    • Click Save.
    • Exit the Registry Editor.
    • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.

    CAUTION:
    Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes. Immediately verify the effect of your changes. When you have verified that the changes to the registry produce the desired result, delete the REGISTRY BACKUP.REG file from the desktop, otherwise restore it immediately.

    Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

    ----------

    Again click the Start button, then click Run and type REGEDIT then click OK.

    Navigate to the Registry Key {1B202102-FE38-11cf-64CD-21FF5FE1CF20} by following the below path.

    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B202102-FE38-11cf-64CD-21FF5FE1CF20}

    Right click on {1B202102-FE38-11cf-64CD-21FF5FE1CF20} and delete.

    ---------

    Enable Viewing Of Hidden System Files & Folders

    1. Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    ----------

    Boot into Safe Mode and find the C:\windows\systems32\drivers\yprlnwb.sys

    When you get to yprlnwb.sys right click on it and delete.

    Reboot to normal mode and make sure everything is OK.

    ----------

    Then try combofix again (I know I know) but this is an important tool that we need to get to run. If it will not run then we will go to another tool.

    Delete the copy from the desktop and download a new one. It updates constantly so is always good to get a new download.

    Download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    • When finished, it will produce a log for you.
    • Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall
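
An added example, not part of the thread or any poster's instructions: a read-only PowerShell audit of the Active Setup Installed Components branch that the post above edits by hand. It lists every StubPath command (which Windows runs at user logon) whose target file is missing or not validly signed; it assumes PowerShell 3.0 or later in an elevated session, and the helper name Get-StubTarget is hypothetical.

```powershell
# Added example: read-only audit of Active Setup "Installed Components".
# Nothing here deletes or changes registry data.
$root = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Hypothetical helper: pull the program path out of a StubPath command line.
function Get-StubTarget {
    param([string]$StubPath)
    $cmd = [Environment]::ExpandEnvironmentVariables($StubPath)
    $target = $null
    if ($cmd -match '^\s*"([^"]+)"') {
        $target = $Matches[1]                      # quoted path
    } elseif ($cmd -match '^\s*(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') {
        $target = $Matches[1]                      # first token with an executable extension
    }
    if ($target -and -not [IO.Path]::IsPathRooted($target)) {
        # Bare names such as rundll32.exe: assume they resolve from System32.
        $target = Join-Path $env:SystemRoot "System32\$target"
    }
    return $target
}

$report = foreach ($key in Get-ChildItem -Path $root -ErrorAction Stop) {
    $stub = $key.GetValue('StubPath')
    if (-not $stub) { continue }                   # no command, nothing runs at logon

    $target = Get-StubTarget $stub
    $exists = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
    $sig = if ($exists) {
        (Get-AuthenticodeSignature -LiteralPath $target).Status
    } else {
        'n/a'
    }

    [pscustomobject]@{
        Key       = $key.PSChildName
        StubPath  = $stub
        Target    = $target
        Exists    = $exists
        Signature = $sig
    }
}

# Entries worth a closer look: target missing, or not validly signed.
# An unsigned result is a lead to investigate, not a verdict.
$report |
    Where-Object { -not $_.Exists -or "$($_.Signature)" -ne 'Valid' } |
    Format-List

# Before removing an entry, back up only that key (placeholder GUID):
# reg.exe export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID-PLACEHOLDER}" "$env:USERPROFILE\Desktop\component-backup.reg" /y
```

On 64-bit Windows the same check applies to the `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components` branch.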
  13. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Ok, the ztinetzt reg entry is gone but the yprlnwb.dll came back on restart and so did the two error messages. When I deleted it in safemode it went away. Not for long. So what is putting it back?
  14. evilfantasy

    evilfantasy Banned Posts: 428

  15. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Uninstalled ComboFix and downloaded and ran it. Same result. It hangs on Deleting files/folders "C:\windows\system32\drivers\yprlnwb.sys"

    The file I see in C is yprlnwb.dll not .sys.

    Anyway, ComboFix isn't working.
  16. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Trojanhunter found about a dozen trojans but hit error messages on half of them. Log attached.

    AVG antiroot found no rootkits.
  17. evilfantasy

    evilfantasy Banned Posts: 428

    Please download, update and run a-squared free

    At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

    * If malware is found, click the button Remove Selected Malware
    * If malware is found, select all found and click Quarantine selected objects
    * Click Save Report. Save the report to somewhere convenient, such as your desktop
    * Add the report as an attachment in your next post.

    ========If that will not run try the online scanner below========

    Run the a-squared online scanner

    1. Select Scan your PC now
    2. After the definitions load select Scan

    When the scan completes:
    1. Click Save Report
    2. Choose to save the a2scan scan report to the desktop
    3. Next place a check mark in the boxes next to the items found and click Quarantine selected objects
    4. Add the a2scan log as an attachment in the next post.
    * To remove the items in quarantine hold down the ctrl key while clicking each entry with the mouse.
    * Once they are all highlighted select Delete
  18. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    A squared didn't find much.

    Here is the log.
  19. evilfantasy

    evilfantasy Banned Posts: 428

    Let's try another.

    TrendMicro Sysclean


    Create a new folder on the desktop by Right-Clicking an empty area of the desktop and select New > Folder. Name it Sysclean.


    1. Download Sysclean by Trendmicro and save it to the new folder on your Desktop.
    2. Download the latest Pattern Files from Trendmicro and save it to the same folder as the Sysclean. Pattern file is in Zip format such as lptxxx.zip (Windows)
    3. Extract the contents of the lptxxx.zip in the folder where Sysclean is located.

    4. Reboot computer in SafeMode

    a) During BootUp process Press F8 continuously until selection appears
    b) Use Arrow Up+Down to select SafeMode on the selections menu.
    c) Hit Enter to proceed.

    5. If it requires you to login please use the login name with administrative rights. Without this privilege, Sysclean will not delete/clean infected files located on System folder.
    6. Open the Sysclean folder on your Desktop and Double-click Sysclean to run and do a full system scan. This may take time. Reboot when finished, repeat as desired to make sure that all threats are removed.
  20. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Sysclean ran okay and found 0 viruses. I saw it repairing a bunch of damaged files and XP seems to be running a bit faster now. Still getting the two error messages on open.

    I checked my own C drive and found no yprlnwb.dll or yprlnwb.sys in System32drivers so that seems to confirm what the Dell guy said that these aren't needed for XP.

    Been reading lots of stuff I googled on totour and there seems to be similarities between totour and yprlnwb but people who have totour are seeing a totour.exe and it does some bad things to internet connections which I am not seeing.

    The Dell guy talked like yprlnwb might be a new infection as he said they'd gotten a lot of calls on it for the past few days, so maybe the AV community will catch up with this and find a cure.
  21. evilfantasy

    evilfantasy Banned Posts: 428

    Combofix was updated again today so it may be worth a try.

    Wasn't the yprlnwb.dll there in the system32\drivers at one point but came right back after we tried to uninstall it?

    Run this online scanner Panda ActiveScan
    PandaActiveScan will only fix certain viruses and trojans. Most items found will not be fixed. But the log produced is very useful in manual removal steps that may follow.
    1. When the page appears, click the Scan your PC button.
    2. In the next window, click the Check Now button
    3. You now need to enter some information before you can run a scan
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    4. Click the Scan Now button
    5. If you get a prompt about an ActiveX component, allow the component to be installed.
    6. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
    7. When the download has completed, click on Local Disks to start the scan
    8. When the scan is finished close the popup window and then click See Report.
    9. Click Yes to the prompt, then click Save Report.
    10. The default report name is Activescan.txt. Save it to your desktop so you can attach it to your post.
  22. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    There's two yprlnwb files that I know of.

    One is in System32. That's the yprlnwb.dll.

    Then there's one in System32drivers. That I believe is the one that ComboFix was trying to remove.

    I tried removing them both in safe mode this morning but they both came back.

    I read on another forum that totour gets reloaded through explorer.exe.

    I'll try new ComboFix and other scans and repost.
  23. evilfantasy

    evilfantasy Banned Posts: 428

    The least we can do is help get the files identified and maybe a quicker cure will be added to the removal tools we use.

    Go to http://www.uploadmalware.com/

    Fill in the information:

    Your Username: Use the same name as on this site.

    Topic Where File Was Requested: http://www.techspot.com/vb/topic94699.html

    File(s) To Submit: Click Browse to locate the files.
    C:\windows\system32\drivers\yprlnwb.sys
    C:\windows\system32\drivers\yprlnwb.dll

    Comments Or Further Info: These files recreate themselves after manual removal. Combofix seems to get stuck on them and will not complete the scan.
    They do not show up in any virus scan. Thank You.

    If you want to add any more information that may help them, go right ahead, the more they know the better.

    Then click Send File
  24. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    Same result with "new" ComboFix. Hangs on deleting that file

    Panda wouldn't run. I kept getting an error and an IE message bar about Panda wanting to run ActiveX. I'd click ok, but when it went back to the app the same problem would come up.

    I'll report this to that site you mention.
  25. unhacker57

    unhacker57 Newcomer, in training Topic Starter Posts: 64

    I am going to take a break from this one. It looks like we're at a dead end until the experts crack that one file.

    Many thanks for your help. You stayed with it and I appreciate that.