ylrwrs.exe rpc attack ????


BostonBill

this file keeps trying to contact remote ip 67.19.11.195

I was having what appeared to be rpc problems, tons

ended up having to reinstall win 2000

sp4 and lost recovery console password i.e. never had it

I can not find ylrwrs.exe on my machine

and no references to this file on web whatsoever

any clues ?
since I blocked it no shut downs
I also find a lot of TFTP files in my system32 folder

like TFTP1196

also svchost is trying to send out to net a lot

anyone know these symptoms ?????


thanks
 

Doug Knox MS-MVP

You're infected. Update your antivirus software, reboot your computer in Safe Mode and run a full antivirus scan.
 

David H. Lipman

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt249.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences
(e.g. HD space to use; suggested 400 ~ 600 MB).
8) Reboot your PC.
9) Create a new Restore point

You can also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

RAV
http://www.ravantivirus.com/scan/

Symantec:
http://security.symantec.com/

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com


* * * Please report your results ! * * *

Dave




BostonBill

I searched and found this in registry:


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer
Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="lolx.exe"
"001"="worm.exe"
"002"="yIrwrs.exe"
"003"="DCOMX"
"004"="DCOMX.EXE "
"005"="sh33w32"
"006"="sh33w"
"007"="ylrwrs.exe"
"008"="sp4"
"009"="TFTPD.EXE"
"010"="bookmark"
"011"="desk"
"012"="note"

none of the methods suggested found any of it, or the scanners I tried, 3
or 4 of them....

Seems like the scanners' protection must be pretty lame really.

I deleted this section but I can't find the files. I am seeing my
machine trying to contact a remote through svchost and a remote that is
trying to connect to mine.
Pretty convinced it's the issue; have it stopped with firewall.

All the info I read and tried really did not find the actual problems,
or there are no references to this ylrwrs.exe on all of net I
found.

REAL PAIN IN A

guess you can't trust scanners huh
 

Malke

BostonBill said:
> I searched and found this in registry:
>
>
> [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer
> Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
> "000"="lolx.exe"
> "001"="worm.exe"
> "002"="yIrwrs.exe"
> "003"="DCOMX"
> "004"="DCOMX.EXE "
> "005"="sh33w32"
> "006"="sh33w"
> "007"="ylrwrs.exe"
> "008"="sp4"
> "009"="TFTPD.EXE"
> "010"="bookmark"
> "011"="desk"
> "012"="note"
>
> none of the methods suggested found any of it, or the scanners I tried, 3
> or 4 of them....
>
> Seems like the scanners' protection must be pretty lame really.
>
> I deleted this section but I can't find the files. I am seeing my
> machine trying to contact a remote through svchost and a remote that is
> trying to connect to mine.
> Pretty convinced it's the issue; have it stopped with firewall.
>
> All the info I read and tried really did not find the actual problems,
> or there are no references to this ylrwrs.exe on all of net I
> found.
>
> REAL PAIN IN A
>
> guess you can't trust scanners huh

No, it is rather that you aren't that skilled in removing viruses and
malware. The registry entries above are in the Most Recently Used
section. The scanners that Dave suggested you download and run are only
the *first* step in cleaning an infected computer. They enable you to
install a full-featured antivirus program, update its definitions, and
do a complete scan in Safe Mode. The scanners are not there to "protect
you". You need to use an installed antivirus for that. A good one is
EZ-AV from www.my-etrust.com. You also need to continue your computer
cleanup by removing non-viral malware as well.

Here are general malware removal steps; all initial scans should be done
in Safe Mode:

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions;

2) remove spyware with Spybot Search & Destroy
(www.safer-networking.org) and Ad-aware (www.lavasoftusa.com). These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from
http://www.intermute.com/spysubtract/cwshredder_download.html. I would
not install the other Intermute programs, however. Alternately, there
are CoolWebSearch malware removal steps at
http://www.silentrunners.org/sr_cwsremoval.html. A combination of
HijackThis and About:Buster (http://www.majorgeeks.com) works well in
removing homepage hijackers. Always read the instructions before
running a spyware removal tool. Be sure to update these programs before
running, and it is a good idea to do virus/spyware scans in Safe Mode.
Make sure you are able to see all hidden files and extensions (View tab
in Folder Options);

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update;

5) run a firewall.

Malke
 

BostonBill

Have run Panda Platinum with 2-day-old update

hijack

adaware

trend on line

stinger

spybot

all were most recent versions

stinger found sdbot.gen one time and then sdbot.dam

stinger did the best it seems but there are still problems

with svchost trying all day to get on net; triggers a reboot it seems

my firewall is telling me svchost is trying to go out on net

and a file named ylrwrs.exe is trying as well

I am pretty sure these are problems

and other specific removers; I have a rough idea of what the type of problem
is

the programs are not finding the files

There are no references to ylrwrs.exe I can find

the file ylrwrs.exe is not on my machine that I can tell.

also no references to how svchost is trying to get out to net

to let remote know to attack.

maybe someone knows something other than run a program

or the instructions you receive on virus site and repeating them.

It's not working

Was hoping someone might have specific expertise, not run program x y
z

and have it not find the problem.

I have also done sp4 which got me in huge trouble before in conjunction
with firewall. Locked out of my install; I had no recovery password
set
and Windows was asking for one. Super catch 22

I tried Linux make boot, the hex table was invalid.

so I am having to run on a parallel install
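The symptoms reported above (svchost.exe and an unknown ylrwrs.exe repeatedly trying to reach one remote host, TFTP transfers, and a remote host trying to connect in) are exactly what a defender would pull out of the personal-firewall log before deciding the machine is clean. The script below is an added example, not code from this thread or from any of the tools named in it; its log format, process allowlist and sample lines are constructed for the example (the remote IP is the one from the original post).

```python
"""Triage a personal-firewall log for the thread's symptoms: svchost.exe hammering
one remote host, an unknown executable doing the same, TFTP (UDP/69) transfers
(TFTP#### files in system32 are a by-product) and inbound hits on RPC/SMB ports."""
import re
from collections import Counter

# Constructed format: "<time> <ALLOW|BLOCK> <OUT|IN> <proto> <process> <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|BLOCK) (?P<dir>OUT|IN) (?P<proto>TCP|UDP) "
    r"(?P<proc>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)
# Assumption: processes expected to originate outbound traffic on this box.
# svchost.exe is legitimate, so it is allowed here, but its destinations are still counted.
KNOWN_OUTBOUND = {"svchost.exe", "iexplore.exe", "outlook.exe", "wuauclt.exe"}
TFTP_PORT = 69
RPC_SMB_PORTS = {135, 139, 445}

def parse(line):
    # One log line -> dict of fields, or None if it does not match the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def triage(lines, repeat_threshold=3):
    # Returns (reason, detail) findings; repeated hits on one host are summarised at the end.
    findings, outbound = [], Counter()
    for rec in filter(None, map(parse, lines)):
        proc = rec["proc"].lower()
        if rec["dir"] == "OUT":
            if proc not in KNOWN_OUTBOUND:
                findings.append(("unknown process outbound", f"{proc} -> {rec['dst']}:{rec['port']}"))
            outbound[(proc, rec["dst"])] += 1
        elif rec["port"] in RPC_SMB_PORTS:
            findings.append(("inbound to RPC/SMB port", f"{rec['src']} -> {rec['dst']}:{rec['port']}"))
        if rec["port"] == TFTP_PORT:
            findings.append(("tftp transfer", f"{rec['dir']} {proc} {rec['src']} -> {rec['dst']}"))
    for (proc, dst), n in outbound.items():
        if n >= repeat_threshold:
            findings.append(("repeated outbound to one host", f"{proc} -> {dst} x{n}"))
    return findings

# Constructed sample log; 67.19.11.195 is the remote IP from the original post.
SAMPLE_LOG = """\
10:01:02 BLOCK OUT TCP svchost.exe 192.168.1.10 -> 67.19.11.195:6667
10:01:07 BLOCK OUT TCP svchost.exe 192.168.1.10 -> 67.19.11.195:6667
10:01:13 BLOCK OUT TCP svchost.exe 192.168.1.10 -> 67.19.11.195:6667
10:01:20 BLOCK OUT TCP ylrwrs.exe 192.168.1.10 -> 67.19.11.195:6667
10:02:41 BLOCK IN TCP - 198.51.100.7 -> 192.168.1.10:135
10:02:42 ALLOW OUT UDP tftp.exe 192.168.1.10 -> 198.51.100.7:69
10:05:00 ALLOW OUT TCP iexplore.exe 192.168.1.10 -> 203.0.113.5:80
"""
```

Run `triage(SAMPLE_LOG.splitlines())` and every non-empty result is a reason not to trust a clean scan report yet; only the browser line produces nothing.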
 

Malke

BostonBill said:
> Have run Panda Platinum with 2-day-old update
> hijack (snip)
> all were most recent versions stinger found sdbot.gen one time and
> then sdbot.dam stinger did the best it seems but there is still

Did you run all scans in Safe Mode?

> my firewall is telling me svchost is trying to go out on net and a file
> named ylrwrs.exe is trying as well

Then your computer is not clean.

Have you enabled the ability to see all hidden files and protected
operating system files? Have you disabled System Restore?

> maybe someone knows something other than run a program or the
> instructions you receive on virus site and repeating them.

Using instructions found in this newsgroup and on antivirus sites, if
followed carefully, can usually remove viruses and malware. However, it
does take skill and patience. If you are unable to do this yourself,
take the machine to a good local computer repair shop (not a BestBuy or
CompUSA type of store) and have them clean it for you.

> I have also done sp4

Service Pack 4 for what? You're posting in a Windows XP group, and we're
only up to Service Pack 2.

> I tried Linux make boot, the hex table was invalid.
>
> so I am having to run on a parallel install

It is unclear what you were trying to do from the above sentences. At
this point, I can only suggest you 1) follow instructions you
previously received for removal; or 2) take the machine to a
professional; 3) or format and reinstall Windows.

Good luck,

Malke
 
