Trojan Horse PSW.OnlineGames and other malware

Discussion in 'Virus and Malware Removal' started by unhacker57, Dec 17, 2007.

  1. unhacker57 Newcomer, in training Posts: 64

    I get an error message saying cannot create file C:\_OTMoveit\MovedFiles\12192007_141722.log

    In the results pane it says File/folder C:\Windows\systems32\ztinetzt.exe not found

    I just got off the phone with Dell tech support. The guy did a live session where he remoted on to this computer and removed some startup stuff, a bunch of prefetch files and some IE addons. Maybe this deleted this file ztinetzt?

    He also told me the other file that is causing the error messages on startup is definitely malware. He said they have had a lot of calls on it in the past few days. This is the yprlnwb.dll file. I'm for removing it.

    in edit: checked My Computer and I don't see this file (ztinetzt) in the Windows\system32 folder.
  2. evilfantasy Banned Posts: 428

    OK, I think it is time to get rid of it.

    ----------

    Follow these steps to create a backup of the registry.

    • Click the Start button, then click Run. The Run window opens.
    • Type REGEDIT, then click OK. The Registry Editor opens.
    • Choose Registry, Export Registry File.
    • Verify the following entries in the Export Registry File Dialog Box:
      • Save in: Desktop
      • File Name: Registry Backup
      • Export Range: All
    • Click Save.
    • Exit the Registry Editor.
    • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.

    CAUTION:
    Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes. Immediately verify the effect of your changes. When you have verified that the changes to the registry produce the desired result, delete the REGISTRY BACKUP.REG file from the desktop, otherwise restore it immediately.

    Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

    ----------

    Again click the Start button, then click Run and type REGEDIT then click OK.

    Navigate to the Registry Key {1B202102-FE38-11cf-64CD-21FF5FE1CF20} by following the below path.

    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B202102-FE38-11cf-64CD-21FF5FE1CF20}

    Right click on {1B202102-FE38-11cf-64CD-21FF5FE1CF20} and delete.

    ---------

    Enable Viewing Of Hidden System Files & Folders

    1. Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    ----------

    Boot into Safe Mode and find the C:\windows\system32\drivers\yprlnwb.sys

    When you get to yprlnwb.sys right click on it and delete.

    Reboot to normal mode and make sure everything is OK.

    ----------

    Then try combofix again (I know I know) but this is an important tool that we need to get to run. If it will not run then we will go to another tool.

    Delete the copy from the desktop and download a new one. It updates constantly so is always good to get a new download.

    Download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    • When finished, it will produce a log for you.
    • Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall.
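    A scripted version of the backup-then-inspect steps above, added here as an example and not taken from evilfantasy's post: it exports HKLM to the Desktop, reports whether the CLSID named in the post exists under Active Setup, and lists every Installed Components entry whose StubPath is missing on disk or lives outside Windows and Program Files. The CLSID and paths are assumed from the post; it also assumes Windows PowerShell 3.0 or later and only reports, it deletes nothing.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0 or later;
# reading HKLM needs no elevation, but the reg.exe export writes a large file.
$Clsid   = '{1B202102-FE38-11cf-64CD-21FF5FE1CF20}'   # CLSID named in the post
$BaseKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$Backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Registry Backup.reg'

# 1. Export HKLM before touching anything (the GUI steps above, range "All").
Remove-Item -LiteralPath $Backup -ErrorAction SilentlyContinue
reg.exe export HKLM "$Backup" | Out-Null
if (-not (Test-Path -LiteralPath $Backup)) { throw "Backup not written: $Backup" }

# 2. Report what the CLSID from the post would run, if the key exists here.
$Target = Join-Path $BaseKey $Clsid
if (Test-Path -LiteralPath $Target) {
    $p = Get-ItemProperty -LiteralPath $Target
    "Found $Clsid"; "  StubPath: $($p.StubPath)"; "  Version : $($p.Version)"
} else {
    "$Clsid is not present under Installed Components"
}

# 3. Active Setup runs each entry's StubPath at logon for every user profile that
#    has not yet recorded the same CLSID under HKCU, so it is a persistence
#    location worth reviewing. List entries whose StubPath is missing on disk
#    or lives outside %WINDIR% and Program Files.
$Trusted = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -LiteralPath $BaseKey | ForEach-Object {
    $stub = (Get-ItemProperty -LiteralPath $_.PSPath).StubPath
    if (-not $stub) { return }
    # First token of the command line, quoted or not, with %VAR% expanded.
    $exe = if ($stub -match '^"([^"]+)"') { $Matches[1] } else { ($stub -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $inTrusted = $false
    foreach ($dir in $Trusted) {
        if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    [pscustomobject]@{
        Key      = $_.PSChildName
        StubPath = $stub
        OnDisk   = Test-Path -LiteralPath $exe
        Trusted  = $inTrusted
    }
} | Where-Object { -not $_.Trusted -or -not $_.OnDisk } | Format-Table -AutoSize
```

    Entries that show up with OnDisk false are the ones that fit the "file deleted but still referenced at logon" pattern; compare the listed StubPath against the files the thread is chasing before deciding what to remove.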
  3. unhacker57 Newcomer, in training Posts: 64

    Ok, the ztinetzt reg entry is gone but the yprlnwb.dll came back on restart and so did the two error messages. When I deleted it in safemode it went away. Not for long. So what is putting it back?
  4. evilfantasy Banned Posts: 428

  5. unhacker57 Newcomer, in training Posts: 64

    Uninstalled ComboFix and downloaded and ran it. Same result. It hangs on Deleting files/folders "C:\windows\system32\drivers\yprlnwb.sys"

    The file I see in C is yprlnwb.dll not .sys.

    Anyway, ComboFix isn't working.
  6. unhacker57 Newcomer, in training Posts: 64

    Trojanhunter found about a dozen trojans but hit error messages on half of them. Log attached.

    AVG antiroot found no rootkits.
  7. evilfantasy Banned Posts: 428

    Please download, update and run a-squared free

    At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

    * If malware is found, click the button Remove Selected Malware
    * If malware is found, select all found and click Quarantine selected objects
    * Click Save Report. Save the report to somewhere convenient, such as your desktop
    * Add the report as an attachment in your next post.

    ========If that will not run try the online scanner below========

    Run the a-squared online scanner

    1. Select Scan your PC now
    2. After the definitions load select Scan

    When the scan completes:
    1. Click Save Report
    2. Choose to save the a2scan scan report to the desktop
    3. Next place a check mark in the boxes next to the items found and click Quarantine selected objects
    4. Add the a2scan log as an attachment in the next post.
    * To remove the items in quarantine hold down the ctrl key while clicking each entry with the mouse.
    * Once they are all highlighted select Delete
  8. unhacker57 Newcomer, in training Posts: 64

    A squared didn't find much.

    Here is the log.
  9. evilfantasy Banned Posts: 428

    Let's try another.

    TrendMicro Sysclean

    Create a new folder on the desktop by Right-Clicking an empty area of the desktop and select New > Folder. Name it Sysclean.

    1. Download Sysclean by Trendmicro and save it to the new folder on your Desktop.
    2. Download the latest Pattern Files from Trendmicro and save it to the same folder as the Sysclean. Pattern file is in Zip format such as lptxxx.zip (Windows)
    3. Extract the contents of the lptxxx.zip in the folder where Sysclean is located.

    4. Reboot computer in SafeMode

    a) During BootUp process Press F8 continuously until selection appears
    b) Use Arrow Up+Down to select SafeMode on the selections menu.
    c) Hit Enter to proceed.

    5. If it requires you to login please use the login name with administrative rights. Without this privilege, Sysclean will not delete/clean infected files located on System folder.
    6. Open the Sysclean folder on your Desktop and Double-click Sysclean to run and do a full system scan. This may take time. Reboot when finished, repeat as desired to make sure that all threats are removed.
  10. unhacker57 Newcomer, in training Posts: 64

    Sysclean ran okay and found 0 viruses. I saw it repairing a bunch of damaged files and XP seems to be running a bit faster now. Still getting the two error messages on open.

    I checked my own C drive and found no yprlnwb.dll or yprlnwb.sys in System32\drivers so that seems to confirm what the Dell guy said that these aren't needed for XP.

    Been reading lots of stuff I googled on totour and there seems to be similarities between totour and yprlnwb but people who have totour are seeing a totour.exe and it does some bad things to internet connections which I am not seeing.

    The Dell guy talked like yprlnwb might be a new infection as he said they'd gotten a lot of calls on it for the past few days, so maybe the AV community will catch up with this and find a cure.
  11. evilfantasy Banned Posts: 428

    Combofix was updated again today so it may be worth a try.

    Wasn't the yprlnwb.dll there in the system32\drivers at one point but came right back after we tried to uninstall it?

    Run this online scanner Panda ActiveScan
    PandaActiveScan will only fix certain viruses and trojans. Most items found will not be fixed. But the log produced is very useful in manual removal steps that may follow.
    1. When the page appears, click the Scan your PC button.
    2. In the next window, click the Check Now button
    3. You now need to enter some information before you can run a scan
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    4. Click the Scan Now button
    5. If you get a prompt about an ActiveX component, allow the component to be installed.
    6. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
    7. When the download has completed, click on Local Disks to start the scan
    8. When the scan is finished close the popup window and then click See Report.
    9. Click Yes to the prompt, then click Save Report.
    10. The default report name is Activescan.txt. Save it to your desktop so you can attach it to your post.
  12. unhacker57 Newcomer, in training Posts: 64

    There's two yprlnwb files that I know of.

    One is in System32. That's the yprlnwb.dll.

    Then there's one in System32\drivers. That I believe is the one that ComboFix was trying to remove.

    I tried removing them both in safe mode this morning but they both came back.

    I read on another forum that totour gets reloaded through explorer.exe.

    I'll try new ComboFix and other scans and repost.
  13. evilfantasy Banned Posts: 428

    The least we can do is help get the files identified and maybe a quicker cure will be added to the removal tools we use.

    Go to http://www.uploadmalware.com/

    Fill in the information:

    Your Username: Use the same name as on this site.

    Topic Where File Was Requested: http://www.techspot.com/vb/topic94699.html

    File(s) To Submit: Click Browse to locate the files.
    C:\windows\system32\drivers\yprlnwb.sys
    C:\windows\system32\drivers\yprlnwb.dll

    Comments Or Further Info: These files recreate themselves after manual removal. Combofix seems to get stuck on them and will not complete the scan.
    They do not show up in any virus scan. Thank You.

    If you want to add any more information that may help the go right ahead, the more they know the better.

    Then click Send File
  14. unhacker57 Newcomer, in training Posts: 64

    Same result with "new" ComboFix. Hangs on deleting that file

    Panda wouldn't run. I kept getting an error and an IE message bar about Panda wanting to run ActiveX. I'd click ok, but when it went back to the app the same problem would come up.

    I'll report this to that site you mention.
  15. unhacker57 Newcomer, in training Posts: 64

    I am going to take a break from this one. It looks like we're at a dead end until the experts crack that one file.

    Many thanks for your help. You stayed with it and I appreciate that.
  16. momok Newcomer, in training Posts: 2,272

    Hi,

    There is still another way we can try. I have not followed your thread, but since ComboFix is not working well in cleaning, we can use avenger. It is a very powerful removal tool, which should be used with care.

    Please post fresh ComboFix and HJT logs for me to take a look. I'll provide the cleaning instructions thereafter. Thanks.

    Regards
    momok
  17. unhacker57 Newcomer, in training Posts: 64

    We ran avenger a couple days ago. Here was my comment:

    "Avenger won't run. Error message:

    Could not open script file. Please verify that path name is valid and file exists"

    Combofix crashes when I run it as it sticks on removing this yprlnwb.sys file.

    I'll run HJT again and post a log.
  18. unhacker57 Newcomer, in training Posts: 64

    New hjt log. Don't think previous ones ever showed yprlnwb. Note this file has been linked on other websites to a virus called totour. Runs completely hidden, propagates all kinds of exploits etc.
  19. unhacker57 Newcomer, in training Posts: 64

    here's a profile of totour from Prevx:

    MALWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
    1. COVERT ANALYSIS OF: TOTOUR.EXE

    * File Names Used: 48
    * Paths Used: 21
    * Common File Name: TOTOUR.EXE
    * Common Path: %WINDIR%\SYSTEM32\
    * Vendor Information: Microsoft Corporation
    * Product Information: Sample LSP Installer
    * Version Information: 5.2.3790.1830
    * TOTOUR.EXE may use 48 or more path and file names, these are the most common:
    * 1 :%honeypotroot%\B33029BA154F2C880C6F5BEF279F.....pmw
    * 2 :%honeypotroot%\trojans\trojan.win32.agent.afg\F24E9E44.EXE
    * 3 :%PROGRAMFILES%\ALWIL SOFTWARE\AVAST4\DATA\MOVED\TOTOUR.EXE.VIR
    * File Name Structure: Normal
    * File and Path Structure: Suspicious, unusually high number of file and path combinations

    2. RELATIONSHIP ANALYSIS OF: TOTOUR.EXE

    * Malicious Objects Created: 1 objects
    * Malicious Creators: None
    * Malware Run Keys: None
    * Self Persists:
    * Antivirus Detection: No third party antivirus detection observed
    * Anti-Spyware Detection: No third party anti-spyware detection observed

    3. ACTIVITY ANALYSIS OF: TOTOUR.EXE

    * The following behaviors have been observed for this object:
    * Installs programs.
    * Deletes programs.
    * Invokes dll components.
    * Creates Run Keys.
    * Runs other programs.
    * Creates registry entries.
    * Creates known malware.
    * Packed Executable.

    4. PROPAGATION ANALYSIS OF: TOTOUR.EXE

    * Malware Group Propagation Rate: Moderate (spreading)
    * Malware Group: Covert Sys Exec
    * Copyright Prevx Limited 2005, 2006

    http://fileinfo.prevx.com/spyware/qq9ffc74625582-TOTO34367007/filesearch.asp
  20. unhacker57 Newcomer, in training Posts: 64

    I don't know if yprlnwb is totour or not. Totour exploits I've seen posted on forums are pretty vicious, like totally disrupting internet connection, as an example.

    I talked to Dell tech support, as this is a Dell box. I wanted to know if yprlnwb was a known XP file or not. He said it wasn't. He said the computer didn't need it. He said it was malware. He said they'd had numerous calls on this one over the past few days. This sounded like the usual India call center Dell tech support which in my experience has given new meaning to the term "flaky" but this guy was very capable it seemed. Sounds like it could be a totour variant as it shares some characteristics reported by Prevx. It self propagates. I have gone into System32 in safe mode and deleted both files. They reappear on reboot, along with the two error messages saying this file yprlnwb.dll is a "bad image" and saying it is not a valid Win32 application. ComboFix tried to delete yprlnwb.sys, which is in the drivers folder of System32 but ComboFix hangs on this deletion attempt. Tried it many times, always the same result.

    Do I have totour? Don't know. After cleaning over 6000 viruses in the past week, my recent AV scans show zero, zip, nada. But I still get the error messages on yprlnwb every time I reboot. And Prevx says that totour is undetected by any scanner.

    That's where I am up to now with this.

    in edit: one other comment I picked up from googling is that one person said that totour is repropagating through explorer.exe. Don't know how he knows that but he seemed sure.