TechSpot

Trojan Horse PSW.OnlineGames and other malware

By unhacker57
Dec 17, 2007
  1. momok

    momok TS Rookie Posts: 2,272

    Hi,

    There is still another way we can try. I have not followed your thread, but since ComboFix is not working well in cleaning, we can use avenger. It is a very powerful removal tool, which should be used with care.

    Please post fresh ComboFix and HJT logs for me to take a look. I'll provide the cleaning instructions thereafter. Thanks.

    Regards
    momok
     
  2. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    We ran avenger a couple days ago. Here was my comment:

    "Avenger won't run. Error message:

    Could not open script file. Please verify that path name is valid and file exists"

    Combofix crashes when I run it as it sticks on removing this yprlnwb.sys file.

    I'll run HJT again and post a log.
     
  3. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    New hjt log. Don't think previous ones ever showed yprlnwb. Note this file has been linked on other websites to a virus called totour. Runs completely hidden, propagates all kinds of exploits etc.
     
  4. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    here's a profile of totour from Prevx:

    MALWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
    1. COVERT ANALYSIS OF: TOTOUR.EXE

    * File Names Used: 48
    * Paths Used: 21
    * Common File Name: TOTOUR.EXE
    * Common Path: %WINDIR%\SYSTEM32\
    * Vendor Information: Microsoft Corporation
    * Product Information: Sample LSP Installer
    * Version Information: 5.2.3790.1830
    * TOTOUR.EXE may use 48 or more path and file names, these are the most common:
    * 1 :%honeypotroot%\B33029BA154F2C880C6F5BEF279F.....pmw
    * 2 :%honeypotroot%\trojans\trojan.win32.agent.afg\F24E9E44.EXE
    * 3 :%PROGRAMFILES%\ALWIL SOFTWARE\AVAST4\DATA\MOVED\TOTOUR.EXE.VIR
    * File Name Structure: Normal
    * File and Path Structure: Suspicious, unusually high number of file and path combinations

    2. RELATIONSHIP ANALYSIS OF: TOTOUR.EXE

    * Malicious Objects Created: 1 objects
    * Malicious Creators: None
    * Malware Run Keys: None
    * Self Persists:
    * Antivirus Detection: No third party antivirus detection observed
    * Anti-Spyware Detection: No third party anti-spyware detection observed

    3. ACTIVITY ANALYSIS OF: TOTOUR.EXE

    * The following behaviors have been observed for this object:
    * Installs programs.
    * Deletes programs.
    * Invokes dll components.
    * Creates Run Keys.
    * Runs other programs.
    * Creates registry entries.
    * Creates known malware.
    * Packed Executable.

    4. PROPAGATION ANALYSIS OF: TOTOUR.EXE

    * Malware Group Propagation Rate: Moderate (spreading)
    * Malware Group: Covert Sys Exec
    * Copyright Prevx Limited 2005, 2006

    http://fileinfo.prevx.com/spyware/qq9ffc74625582-TOTO34367007/filesearch.asp
     
  5. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    I don't know if yprlnwb is totour or not. Totour exploits I've seen posted on forums are pretty viscious, like totally disrupting internet connection, as an example.

    I talked to Dell tech support, as this is a Dell box. I wanted to know if yprlnwb was a known XPfile or not. He said it wasn't. He said the computer didn't need it. He said it was malware. He said they'd had numerous calls on this one over the past few days. This sounded like the usual India call center Dell tech support which in my experience has given new meaning to the term "flaky" but this guy was very capable it seemed. Sounds like it could be a totour variant as it shares some characteristics reported by Prevx. It self propagates. I have gone into System32 in safe mode and deleted both files. They reappear on reboot, along with the two error messages saying this file yprlnwb.dll is a "bad image" and saying it is not a valid Win32 application. ComboFix tried to delete yprlnwb.sys, which is in the drivers folder of Syst32 but ComboFix hangs on this deletion attempt. Tried it many times, always the same result.

    Do I have totour? Don't know. After cleaning over 6000 viruses in the past week, my recent AV scans showzero, zip, nada. But I still get the error messages on yprlnwb every time I reboot. And Prevx says that totour is undetected by any scanner.

    That's where I am up to now with this.

    in edit: one other comment I picked up from googling is that one person said that totour is repropagating through explorer.exe. Don't know how he knows that but he seemed sure.
     
  6. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ran another Virustotal rview of C:\windows\systeme32\drivers\yprlnwb.sys and this one is apparently getting a lot more attention than it was a few days ago. Lots of feedback on it:

    File yprlnwb.sys received on 12.23.2007 01:51:09 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 9/32 (28.13%)
    Loading server information...
    Your file is queued in position: 2.
    Estimated start time is between 41 and 59 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:


    Antivirus Version Last Update Result
    AhnLab-V3 2007.12.22.10 2007.12.21 Win-Trojan/Rootkit.14336.C
    AntiVir 7.6.0.46 2007.12.22 TR/Rootkit.Gen
    Authentium 4.93.8 2007.12.22 -
    Avast 4.7.1098.0 2007.12.22 Win32:Agent-EUI
    AVG 7.5.0.516 2007.12.22 -
    BitDefender 7.2 2007.12.23 -
    CAT-QuickHeal 9.00 2007.12.22 -
    ClamAV 0.91.2 2007.12.23 -
    DrWeb 4.44.0.09170 2007.12.22 -
    eSafe 7.0.15.0 2007.12.20 -
    eTrust-Vet 31.3.5395 2007.12.21 Win32/Livuto!generic
    Ewido 4.0 2007.12.22 -
    FileAdvisor 1 2007.12.23 -
    Fortinet 3.14.0.0 2007.12.22 -
    F-Prot 4.4.2.54 2007.12.22 W32/Cinmus.E.gen!Eldorado
    F-Secure 6.70.13030.0 2007.12.21 -
    Ikarus T3.1.1.15 2007.12.23 Trojan-Downloader.Win32.Agent.bgg
    Kaspersky 7.0.0.125 2007.12.23 -
    McAfee 5191 2007.12.21 -
    Microsoft 1.3109 2007.12.23 -
    NOD32v2 2743 2007.12.23 -
    Norman 5.80.02 2007.12.21 -
    Panda 9.0.0.4 2007.12.22 -
    Prevx1 V2 2007.12.23 -
    Rising 20.23.52.00 2007.12.22 RootKit.Win32.Agent.sh
    Sophos 4.24.0 2007.12.22 -
    Sunbelt 2.2.907.0 2007.12.21 -
    Symantec 10 2007.12.23 Backdoor.Haxdoor
    TheHacker 6.2.9.168 2007.12.22 -
    VBA32 3.12.2.5 2007.12.22 -
    VirusBuster 4.3.26:9 2007.12.22 -
    Webwasher-Gateway 6.6.2 2007.12.23 Trojan.Rootkit.Gen
    Additional information
    File size: 14848 bytes
    MD5: 249e0051075b37be3075ff9a447e7e60
    SHA1: 69628578bb9793f82beb8709be7e157ea4da21aa
    PEiD: -


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
     
  7. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ran Symantec online scanner. It detected two problems.

    One is:

    C:\Windows\32\UPS.dll infected with Infostealer.Menghuan

    The second is:

    C:Windows\32\Drivers\yprlnwb.sys is infected with Backdoor.Haxdoor


    Symantec offers a free removal tool for Haxdoor. I ran it and it said it did not detect Haxdoor.


    Out of around 25 scanners I've run, only Symantec and ComboFix has detected yprlnwb.sys and neither one of them removed it. But getting it identified is better than having it be a mystery. Hopefully someone will get a tool that works on Haxdoor.
     
  8. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Let's just give this a shot. Could you try running Avenger once more, but with a slight change in the way you run it.

    Download my attachment "avengerscript.txt".

    When you run Avenger, do the following.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    It will restart your computer. On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

    Please attach the content of c:\avenger.txt into your reply

    PS. When you run ComboFix, did you run it with a CFScript file, or was it the usual way? Does the problem also occur in safe mode?


    Regards,
    momok
     
  9. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Avenger script attached. That had some effect. The first of the two error messages that has been popping up on bot did not appear this time. This was:

    rundll 32.exe - Bad Image
    DLL C:\windows\sysetem32\yprlnwb.dll
    is not a vaild windows image
    please check against your installation diskette

    Now the second error message has changed. It now says:

    Rundll
    Error loading C:\windows\system32\yprlnwb.dll
    specified module could not be found

    Avenger says it removed the two files.

    Looks like there is still a startup script that is trying to load them again.

    Bujt this looks like progress.

    As for ComboFix, I always just double clicked on the exe and it ran, not in safe mode. Should I try it in safe mode?
     
  10. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Making progress. Ran ComboFix and it ran all the way to the end this time. Deleted some stuff.

    log attached.
     
  11. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Update: I am now getting no error messages on booting this machine.

    Symantec online scanner no longer detects Backdoor.Haxdoor.

    It does still detect an infection in:

    C:windows\system32\ups.dll

    They call the infection Infostealer.Menghuan

    Research shows this virus is meant to steal passwords from people playing an online game called Menghuan. It is also a keylogger. The threat level is supposedly low.

    UPS.dll is supposedly needed in case of use of a backup power supply. It is considered a legitimate file. So I am wondering how to clean this one.

    Also, do you see anything else in the ComboFix log?
     
     
  12. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Sorry for the long delay.

    Could you post fresh HJT, ComboFix and AVG Antispyware logs as attachments in your next reply. Thanks


    Regards,
    momok =)

    This thread is for the use of unhacker57 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  13. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ok here's new ComboFix and HJT logs. Ran ComboFix first then HJT. Will add the AVG log.

    In edit: this uploader only works some times, not every time. No Hjt log and no manager in edit function.

    so maybe this has the HJT log

    nope.

    the hard way:

    ok here's the AVG AS log.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  14. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Please delete the following files

    C:\WINDOWS\SYSTEM32\SBRC.dat
    C:\WINDOWS\SYSTEM32\SBFC.dat
    C:\install.dat

    Your logs look pretty clean to me. I'd like you to do the following:

    Please visit http://www.virustotal.com OR http://virusscan.jotti.org/

    In the textbox beside "Browse..." button, copy and paste this path: C:\windows\system32\ups.dll

    Click on "Send File"/"Submit".

    Let me know the results.
    Thanks.

    Regards,
    momok
     
  15. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Deleted those three files. Virustotal got a lot of hits on ups.dll as a trojan. I'll paste the log. I'm inclined to remove this thing.

    File ups.dll received on 12.26.2007 18:55:55 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 6/32 (18.75%)
    Loading server information...
    Your file is queued in position: 1.
    Estimated start time is between 38 and 54 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:


    Antivirus Version Last Update Result
    AhnLab-V3 2007.12.27.10 2007.12.26 -
    AntiVir 7.6.0.46 2007.12.26 -
    Authentium 4.93.8 2007.12.26 -
    Avast 4.7.1098.0 2007.12.26 -
    AVG 7.5.0.516 2007.12.25 -
    BitDefender 7.2 2007.12.26 -
    CAT-QuickHeal 9.00 2007.12.25 -
    ClamAV 0.91.2 2007.12.26 -
    DrWeb 4.44.0.09170 2007.12.26 Trojan.PWS.Gamania.origin
    eSafe 7.0.15.0 2007.12.26 -
    eTrust-Vet 31.3.5400 2007.12.24 -
    Ewido 4.0 2007.12.26 -
    FileAdvisor 1 2007.12.26 -
    Fortinet 3.14.0.0 2007.12.26 -
    F-Prot 4.4.2.54 2007.12.25 -
    F-Secure 6.70.13030.0 2007.12.26 -
    Ikarus T3.1.1.15 2007.12.26 -
    Kaspersky 7.0.0.125 2007.12.26 -
    McAfee 5192 2007.12.24 -
    Microsoft 1.3109 2007.12.26 PWS:Win32/OnLineGames.CPI
    NOD32v2 2747 2007.12.25 -
    Norman 5.80.02 2007.12.26 -
    Panda 9.0.0.4 2007.12.25 Suspicious file
    Prevx1 V2 2007.12.26 Generic.Malware
    Rising 20.24.21.00 2007.12.26 Trojan.PSW.Win32.XYOnline.ps
    Sophos 4.24.0 2007.12.26 -
    Sunbelt 2.2.907.0 2007.12.21 -
    Symantec 10 2007.12.26 Infostealer.Menghuan
    TheHacker 6.2.9.168 2007.12.22 -
    VBA32 3.12.2.5 2007.12.26 -
    VirusBuster 4.3.26:9 2007.12.26 -
    Webwasher-Gateway 6.6.2 2007.12.26 -
    Additional information
    File size: 32822 bytes
    MD5: 05d670de3e8f36f13a54b70c858db825
    SHA1: 3b7067c26747509a564564297009d204a06c5ac1
    PEiD: Armadillo v1.xx - v2.xx
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=D5AAFB4836DC11AD806A00F2CF1365007F02EDF7


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
     
  16. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Yes I would have advised you to delete that file too.
    After you're done deleting the file, reboot and see if you face any further symptoms. Also check if the file is indeed gone for good.

    Let me know after that and I'll provide some final steps to conclude the cleaning process.

    Regards,
    momok =)
     
  17. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Deleted ups.dll and rebooted. I don't see it now.
     
  18. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you to read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    momok =)

    This thread is for the use of unhacker57 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Didn't find a quarantine file there for AVG AS. Maybe I deleted everything it found rather than quarantined.

    So that's everything?
     
  20. momok

    momok TS Rookie Posts: 2,272

    Yes, your system is clean already. =)
     
  21. unhacker57

    unhacker57 TS Rookie Topic Starter Posts: 64

    Ok, many thanks momok.

    I also want to say thanks again to Evil Fantasy, who was a huge help in wading through thousands of viruses.

    unhacker
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.