MSIE Infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by sleeplessinsale, Feb 18, 2007.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Registry Search (see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Double-click regsearch.exe to start the program.
    • Enter yprs_x in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this file to your next reply.

    Now please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.
     
  2. sleeplessinsale

    sleeplessinsale Private E-2

    I did those two tasks. Here are the log files.

    The second one didn't seem to find anything though.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then reboot into safe mode and fix the same O4 line with HJT if it still shows up.

    Then reboot into normal mode and run the same procedure with RegSearch again and attach a new log.
     
  4. sleeplessinsale

    sleeplessinsale Private E-2

    Done and log attached.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite
    Make sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do
    that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YPRS_X
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YPRS_X\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YPRS_X\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YPRS_X\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yprs_x
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yprs_x\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_YPRS_X
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_YPRS_X\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_YPRS_X\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\yprs_x
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yprs_x
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yprs_x\Enum

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry
      key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and
    hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to
    everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click
    Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then
    click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next to work through the
    whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Then reboot into normal mode and run the same procedure with RegSearch again and attach a new log
     
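    The Registrar Lite procedure above is done by hand, one key at a time, which makes it hard to record what actually changed. The script below is an added example (not from this thread, and not part of Registrar Lite or RegSearch) that audits the same keys from an elevated PowerShell prompt: for every control set on the machine it reports whether each LEGACY_YPRS_X and yprs_x key exists, who owns it, and whether Everyone currently holds an Allow FullControl entry, and it dumps the service's ImagePath and Start type. The service and legacy names are taken from the thread; the ControlSet003/ControlSet005 numbers were specific to the original poster's machine, so the script enumerates whatever control sets exist instead of hard-coding them.

```powershell
# Added example: audit the yprs_x / LEGACY_YPRS_X registry keys discussed in the thread.
# Read-only: it changes no ownership or permissions, it only records them.
# Run from an elevated PowerShell prompt; export goes to the Desktop.

$serviceName = 'yprs_x'            # service / driver name from the thread
$legacyName  = 'LEGACY_YPRS_X'     # Enum\Root key the PnP manager creates for a legacy driver

# Build the key list for every ControlSet present on this machine plus CurrentControlSet,
# rather than hard-coding ControlSet003/005 from the original poster's log.
function Get-SuspectKeyPaths {
    $sets = @(Get-ChildItem 'HKLM:\SYSTEM' |
              Where-Object { $_.PSChildName -like 'ControlSet*' } |
              ForEach-Object { $_.PSChildName }) + 'CurrentControlSet'
    foreach ($cs in $sets) {
        $root = "HKEY_LOCAL_MACHINE\SYSTEM\$cs"
        "$root\Enum\Root\$legacyName"
        "$root\Enum\Root\$legacyName\0000"
        "$root\Enum\Root\$legacyName\0000\LogConf"
        "$root\Enum\Root\$legacyName\0000\Control"
        "$root\Services\$serviceName"
        "$root\Services\$serviceName\Enum"
    }
}

# Report existence, owner and whether Everyone has an Allow FullControl ACE on one key.
function Test-SuspectKey {
    param([string]$KeyPath)
    $providerPath = "Registry::$KeyPath"
    $result = [ordered]@{
        Key = $KeyPath; Exists = $false; Owner = $null; EveryoneFullControl = $false; Error = $null
    }
    if (-not (Test-Path -LiteralPath $providerPath)) { return [pscustomobject]$result }
    $result.Exists = $true
    try {
        $acl = Get-Acl -LiteralPath $providerPath
        $result.Owner = $acl.Owner
        $full = [System.Security.AccessControl.RegistryRights]::FullControl
        $result.EveryoneFullControl = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $full) -eq $full)
        })
    } catch {
        # Access denied while merely reading the ACL is itself worth recording
        $result.Error = $_.Exception.Message
    }
    return [pscustomobject]$result
}

# Show what the service entry points at: a driver with ImagePath under \drivers and
# Start = 0/1 (boot/system) is loaded before any user-mode tool gets a chance to act.
function Get-SuspectServiceInfo {
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
    if (Test-Path -LiteralPath $svc) {
        Get-ItemProperty -LiteralPath $svc | Select-Object ImagePath, Type, Start, ErrorControl
    }
}

$report = Get-SuspectKeyPaths | ForEach-Object { Test-SuspectKey -KeyPath $_ }
$report | Format-Table -AutoSize
Get-SuspectServiceInfo
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\yprs_keys.csv" -NoTypeInformation
```

Run it once before taking ownership and once after merging fixME.reg; the two CSVs show which keys went away and, for the survivors, whether the Everyone/Full Control entry stuck or was reset, which is exactly the question the next posts in this thread turn on.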
  6. sleeplessinsale

    sleeplessinsale Private E-2

    I tried this in Normal mode and the keys didn't get deleted.

    I went to Safe Mode.

    Tried the whole thing. Same thing happened. In Normal and Safe Modes, I got no errors when running the registry patch.

    When I right-clicked on the keys to delete them, I got a popup message saying Access Denied with a red X in the message box.

    When I went back into Edit Permissions for the keys, Full Control was unchecked. It doesn't seem to matter how many times I Take Control and Edit Permissions to Everyone, Full Control.

    I tried to delete the keys using Registrar and they don't delete. I re-enter Edit Permissions and the check boxes are unchecked. confused

    I did not do the last thing with RegSearch because the previous stage was unsuccessful.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Create a folder named C:\FixYPRS
    • Download the attached FixYPRS.zip file into the above folder
    • Extract the contents of the FixYPRS.zip file into this folder
    • You should now have 4 files in this folder after doing the above
    • Locate the FixYPRS.bat file and double click on it.
    • Now reboot into safe mode and have HJT fix that O4 line if still seen
    • Now reboot into normal mode
    • After reboot run the same procedure with RegSearch again and attach a new log.
    • Also tell me if you still got the error message
     

    Attached Files:

  8. sleeplessinsale

    sleeplessinsale Private E-2

    Sadly, yes I am still getting the popup message at logon.

    Attached is the log you asked for.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try this again with some modifications to my last batch file.
    • Download this new attached FixYPRS2.zip file into the C:\FixYPRS folder created last time
    • Extract the contents of the FixYPRS2.zip file into this same folder
    • You should now have 6 files in this folder after doing the above
    • Locate the new FixYPRS2.bat file and double click on it.
    • This will create a file named C:\FixYPRS.txt. Attach this file here now before continuing. DO NOT CONTINUE without attaching first, otherwise you will lose what I need to see.
    • Now reboot into safe mode and run the FixYPRS2.bat one more time.
    • Now while in safe mode have HJT fix that O4 line if still seen
    • Now reboot into normal mode
    • Now attach the second copy of C:\FixYPRS.txt here. If it will not attach it means the file is exactly the same. In that case, just tell me.
    • After reboot run the same procedure with RegSearch again and attach a new log.
    • Also tell me if you still got the error message
     

    Attached Files:

  10. sleeplessinsale

    sleeplessinsale Private E-2

    Attached file C:\FixYPRS.txt
     

    Attached Files:

  11. sleeplessinsale

    sleeplessinsale Private E-2

    Attaching 2nd file plus RegSearch log.


    Yes I still get the error message. This is a stubborn one!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but we are getting more and more of it deleted. The actual infected regkeys are getting fewer and fewer. The only reason the Regsearch log is so large is due to stuff left over from a history-like feature of RegistrarLite. In fact, do the below:

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new log from RegSearch again. I will try to work up another fix based on your logs later. Working on income taxes today! :(
     
  13. sleeplessinsale

    sleeplessinsale Private E-2

    Good luck with those taxes. Leaving it late though?! ;)

    RegSearch log attached.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks but if I was lucky, I would have won the lottery and then someone else would be doing my taxes. ;)

    Just popping in for a minute and have something else I want you to do before I start working up the next fix.

    Click Start and select Search
    Now Select "All files and folders"
    Enter the yprs_x in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Also make sure that the Case Sensitive option is Unchecked.

    Then click the Search button.

    Report back with what is found.
     
  15. sleeplessinsale

    sleeplessinsale Private E-2

    OK I did that. I've attached the results.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here is a new version (FixYPRS3.zip)
    • Download this new attached FixYPRS3.zip file into the C:\FixYPRS folder created last time
    • Extract the contents of the FixYPRS3.zip file into this same folder
    • Locate the new FixYPRS3.bat file and double click on it.
    • This will create a file named C:\FixYPRS.txt. Attach this file here now before continuing. DO NOT CONTINUE without attaching first, otherwise you will lose what I need to see.
    • Now reboot into safe mode and when you log in to safe mode, use the account name Administrator (not admin) and run the FixYPRS2.bat one more time.
    • Now while in safe mode have HJT fix that O4 line if still seen
    • Also while in safe mode run the same procedure with RegSearch and name this file RegSearch-Safe.txt
    • Now reboot into normal mode
    • Now attach the second copy of C:\FixYPRS.txt here. If it will not attach it means the file is exactly the same. In that case, just tell me.
    • After reboot run the same procedure with RegSearch again and name this file RegSearch-Norm.txt
    • Attach the RegSearch-Safe.txt and the RegSearch-Norm.txt files too
     

    Attached Files:

  17. sleeplessinsale

    sleeplessinsale Private E-2

    OK attaching the FIRST file here now.

    Then will reboot to Safe Mode and do the rest after...
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that seems to have deleted a few more keys! The trick is in keeping them deleted. ;)
     
  19. sleeplessinsale

    sleeplessinsale Private E-2

    3 further files attached
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that confirms a suspicion I had. The reason I wanted to see a log from Regsearch in safe mode and from normal mode is that I suspected that some if not all of the keys were being deleted and then being recreated at reboot. That is exactly what happened. In that last procedure just before booting in safe mode, only 2 registry keys remained. Now they are all back again after getting into normal bootup.

    Run the previous procedure again, but this time while in safe mode also try to get the c:\windows\system32\drivers\yprs_x.sys

    Also this time I want to run FixYPRS3.bat at all times, I will rewrite the procedure below to make sure we have the correct instructions!

    • Locate the new FixYPRS3.bat file and double click on it.
    • This will create a file named C:\FixYPRS.txt. Attach this file here now before continuing. DO NOT CONTINUE without attaching first, otherwise you will lose what I need to see.
    • Now reboot into safe mode and when you log in to safe mode, use the account name Administrator (not admin) and run the FixYPRS3.bat one more time.
    • Now while in safe mode have HJT fix that O4 line if still seen.
    • ALSO save a HijackThis log from safe mode now!! And attach later. Call it hijackthis-safe.log
    • Also while in safe mode run the same procedure with RegSearch and name this file RegSearch-Safe.txt
    • Now while in safe mode see if you can manually delete the c:\windows\system32\drivers\yprs_x.sys file. If you cannot, make sure you tell me later, but then use Pocket Killbox to delete it which will require a reboot.
    • Now reboot into normal mode if you did not already reboot with PocketKillbox
    • Now attach the second copy of C:\FixYPRS.txt here. If it will not attach it means the file is exactly the same. In that case, just tell me.
    • After reboot run the same procedure with RegSearch again and name this file RegSearch-Norm.txt
    • Attach the RegSearch-Safe.txt and the RegSearch-Norm.txt files too
    • ALSO save a HijackThis log from Normal Mode now!! Call it hijackthis-norm.log Attach it too!
    It will take 2 messages to attach all of the logs.
     
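    The safe-mode versus normal-mode comparison chaslang describes is the key diagnostic in this thread: keys that are absent in the safe-mode RegSearch log but present again after a normal boot are being recreated by something that loads only in a normal boot. The script below is an added example (not part of the thread, RegSearch or any tool the thread uses) that does that comparison mechanically. It assumes each registry match in a RegSearch log sits on its own line beginning with HKEY_; the exact RegSearch layout is not shown in the thread, so adjust the regex in Get-KeysFromLog if your log differs. The two sample logs are constructed from the key names in this thread, not copied from the poster's attachments.

```powershell
# Added example: diff a safe-mode RegSearch log against a normal-boot one to find
# keys that are recreated at startup. Assumption (not from the thread): each key
# match in the log is a line starting with HKEY_.

# Extract registry key paths from log lines, normalised so identical keys compare equal.
function Get-KeysFromLog {
    param([string[]]$Lines)
    $Lines | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^HKEY_' } |
        ForEach-Object { $_.ToUpperInvariant() } |
        Sort-Object -Unique
}

# Classify every key seen in either log by where it appeared.
function Compare-RegSearchLogs {
    param([string[]]$SafeLines, [string[]]$NormalLines)
    $safe   = @(Get-KeysFromLog -Lines $SafeLines)
    $normal = @(Get-KeysFromLog -Lines $NormalLines)
    $all    = @($safe + $normal | Sort-Object -Unique)
    foreach ($key in $all) {
        $inSafe   = $safe -contains $key
        $inNormal = $normal -contains $key
        $status = if ($inSafe -and $inNormal) { 'Survived both boots' }
                  elseif ($inNormal)          { 'Recreated at normal boot' }
                  else                        { 'Gone after normal boot' }
        [pscustomobject]@{ Key = $key; InSafeMode = $inSafe; InNormalMode = $inNormal; Status = $status }
    }
}

# Windows sets SAFEBOOT_OPTION (Minimal or Network) only when booted into safe mode,
# so a log can be tagged with the mode it was captured in instead of relying on memory.
function Get-BootMode {
    if ($env:SAFEBOOT_OPTION) { "Safe ($env:SAFEBOOT_OPTION)" } else { 'Normal' }
}

# Constructed sample logs standing in for RegSearch-Safe.txt and RegSearch-Norm.txt
$safeLog = @'
RegSearch results for: yprs_x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yprs_x
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yprs_x
'@ -split "`r?`n"

$normalLog = @'
RegSearch results for: yprs_x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yprs_x
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YPRS_X\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yprs_x
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yprs_x\Enum
'@ -split "`r?`n"

"This log is being generated in boot mode: $(Get-BootMode)"
Compare-RegSearchLogs -SafeLines $safeLog -NormalLines $normalLog | Format-Table -AutoSize

# With real logs:
# Compare-RegSearchLogs (Get-Content C:\RegSearch-Safe.txt) (Get-Content C:\RegSearch-Norm.txt)
```

On the constructed sample, the Enum\Root\LEGACY_YPRS_X keys and the Services\yprs_x\Enum key come out as "Recreated at normal boot". Those are the keys the kernel's PnP manager writes when a legacy driver service starts, which is why deleting them in the registry alone never sticks: the driver file the service points at has to stop loading first, the conclusion the thread reaches in the following posts.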
  21. sleeplessinsale

    sleeplessinsale Private E-2

    Attaching first txt file.


    More to follow....
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You know I'm really starting to wonder if this is really related to Yahoo somehow. I did not think it was because I would have expected more information to be available on it. I'm not sure if this would present any problems for you but can we just uninstall all of the below:

    Yahoo! Address AutoComplete
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Messenger

    You can always reinstall later. Perhaps this service is really related to something Yahoo needs and as I said the yprs_x.sys file seems to be a copy of BEEP.SYS from Microsoft. Maybe they use it to beep at you with their messenger program.

    If you do uninstall them, make sure the below lines are also deleted from your HJT log.
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
     
  23. sleeplessinsale

    sleeplessinsale Private E-2

    I am attaching the remaining log files, then I will uninstall that Yahoo which is a virus under a pretty name when all is said and done, just like AOL!! :(

    The yprs_x.sys would not delete so I tried to use Killbox to do it. Still didn't work!
     

    Attached Files:

  24. sleeplessinsale

    sleeplessinsale Private E-2

    HijackThis logs attached, safe and normal ones.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do I always see notepad open in your HJT logs?? If you have it open for some reason, you should not. It makes me wonder if malware is opening it. Everything else should be closed before using HJT to avoid these kinds of questions. Even RegSearch should not be running when you get a HijackThis log.
     
  26. sleeplessinsale

    sleeplessinsale Private E-2

    Oh sorry. When I reboot to safe mode, I copy and paste your instructions from here into a notepad file else I will lose them and run the risk of missing a step.

    So when I get to safe mode I have the file open.

    I didn't know the consequences. Sorry :eek:
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay at least I know why it is open! Many malware infections will open and run things like iexplore.exe and notepad.exe. This is one of the reasons why the READ & RUN ME procedure for HijackThis indicates to shut everything down. We need to be sure when we see something running that it is not malware.

    Did you uninstall Yahoo yet?
     
  28. sleeplessinsale

    sleeplessinsale Private E-2

    Yes I uninstalled every last component of Yahoo.

    The popup message for the dll still comes though.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay new version of .bat file and some procedure changes.

    Download the attached FixYPRS4.zip and extract the FixYPRS4.bat file to the same folder as all others.
    • Locate the new FixYPRS4.bat file and double click on it.
    • This will create a file named C:\FixYPRS.txt. Attach this file here now before continuing. DO NOT CONTINUE without attaching first, otherwise you will lose what I need to see.
    • Now Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy the quoted bold print below and paste it in the box that opens from Avenger:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself but as it reboots, get into safe mode.
    • And when you log in to safe mode, use the account name Administrator (not admin)
    • Now while in safe mode have HJT fix that O4 line if still seen.
    • Now run the FixYPRS4.bat one more time.
    • Also while in safe mode run the same procedure with RegSearch and name this file RegSearch-Safe.txt
    • Now reboot into normal mode
    • Now attach the second copy of C:\FixYPRS.txt here. If it will not attach it means the file is exactly the same. In that case, just tell me.
    • After reboot run the same procedure with RegSearch again and name this file RegSearch-Norm.txt
    • Attach the RegSearch-Safe.txt and the RegSearch-Norm.txt files too
    • A log file from Avenger was produced at C:\avenger.txt, please post that log here in your next reply.
     
