Sophos

Troj/OnLineG-F

Aliases
  • Trojan-PSW.Win32.OnLineGames
  • TSPY_ONLINEG
  • PWS-OnlineGames.a
  • trojan
  • PWS-LegMir.dll
  • trojan

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2007 (4.21)
Protection available since 18 July 2007 18:19:43 (GMT)
Detected by All Sophos products

Action

More Information

Troj/OnLineG-F is a password stealing Trojan for the Windows platform which attempts to steal logon details for online games.

When Troj/OnLineG-F is installed the following files are typically created:

<Temp>\<filename>.exe
<Temp>\<filename>0.dll
<Common Files>\Relive.dll
<Common Files>\svchost.exe
<Program Files>\Internet Explorer\msvcrt.dll
<Program Files>\Internet Explorer\msvcrt.ebk
<Program Files>\Internet Explorer\msvcrt.bak
<System>\Packet.dll
<System>\WanPacket.dll
<System>\wpcap.dll
<System>\drivers\npf.sys

where <filename> is a four-character string of letters a-z.

The following registry entry is created to run the Troj/OnLineG-F executable on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<filename>
<Temp>\<filename>.exe

For example, given a filename of <Temp>\fysa.exe, the following registry entry is created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
fysa
<Temp>\fysa.exe

The file npf.sys is registered as a new system driver service named "NPF", with a display name of "Netgroup Packet Filter". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NPF

The files Relive.dll and msvcrt.dll are registered as COM objects, creating registry entries under:

HKCR\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}
HKCR\CLSID\{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}

The file msvcrt.dll is registered as a ShellExecute hook, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

The file Relive.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}
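The persistence points listed above (the Run value, the NPF service, the two COM CLSIDs, the ShellExecute hook and the Browser Helper Object) can be checked offline against a registry export. The script below is an added example, not Sophos code or part of the description: it parses a small .reg-format text (the `SAMPLE_REG` export is constructed for illustration, assumed to come from `reg export`) and reports which of the indicators from this description are present. The `parse_reg_export` and `find_onlineg_indicators` function names are the example's own.

```python
import re
from typing import Dict, List

# Indicators taken from the Sophos description of Troj/OnLineG-F.
RELIVE_CLSID = "{D3626E66-B13B-C628-ACDF-BDABCFA265E1}"   # Relive.dll
MSVCRT_CLSID = "{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"   # msvcrt.dll
KNOWN_CLSIDS = {RELIVE_CLSID, MSVCRT_CLSID}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NPF_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF"
SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Run data of the form <Temp>\<four letters>.exe, e.g. ...\Temp\fysa.exe
TEMP_EXE_RE = re.compile(r"\\temp\\([a-z]{4})\.exe$", re.IGNORECASE)

# Constructed sample export (hypothetical paths; not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fysa"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\fysa.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]
"DisplayName"="Netgroup Packet Filter"
"ImagePath"="system32\\drivers\\npf.sys"

[HKEY_CLASSES_ROOT\CLSID\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}\InprocServer32]
@="C:\\Program Files\\Common Files\\Relive.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3626E66-B13B-C628-ACDF-BDABCFA265E1}]
@=""
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}.

    Quoted REG_SZ data is unescaped; other value types are kept as raw text.
    The default value ("@") is stored under the name "(default)".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_onlineg_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one line per persistence artifact matching the description."""
    findings: List[str] = []

    # 1. Run value launching <Temp>\<four letters>.exe (value name should equal the stem).
    for name, data in keys.get(RUN_KEY, {}).items():
        m = TEMP_EXE_RE.search(data)
        if m and m.group(1).islower():
            tag = "" if name == m.group(1) else " (value name differs from stem)"
            findings.append(f"Run value '{name}' launches {data}{tag}")

    # 2. NPF driver service with the display name given in the description.
    npf = keys.get(NPF_KEY)
    if npf is not None and npf.get("DisplayName") == "Netgroup Packet Filter":
        findings.append("Service NPF registered with display name 'Netgroup Packet Filter'")

    # 3. COM registration of either known CLSID (any subkey under HKCR\CLSID\{...}).
    seen = set()
    for key in keys:
        parts = key.split("\\")
        if len(parts) >= 3 and parts[0] == "HKEY_CLASSES_ROOT" and parts[1] == "CLSID":
            clsid = parts[2].upper()
            if clsid in KNOWN_CLSIDS and clsid not in seen:
                seen.add(clsid)
                findings.append(f"COM object registered: {clsid}")

    # 4. ShellExecute hook whose value name is a known CLSID.
    for name in keys.get(SEH_KEY, {}):
        if name.upper() in KNOWN_CLSIDS:
            findings.append(f"ShellExecuteHooks entry: {name}")

    # 5. Browser Helper Object keyed by a known CLSID.
    for key in keys:
        if key.startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:].split("\\")[0].upper()
            if clsid in KNOWN_CLSIDS:
                findings.append(f"Browser Helper Object registered: {clsid}")

    return findings


def scan_reg_text(text: str) -> List[str]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_onlineg_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for line in scan_reg_text(SAMPLE_REG):
        print(line)
```

On the constructed export the scan reports all five artifacts. The NPF finding on its own is weak evidence: the npf.sys driver and "NPF" service are also installed by legitimate packet-capture software (WinPcap), so weight the CLSID, ShellExecuteHooks and Browser Helper Object hits, which tie directly to Relive.dll and the dropped msvcrt.dll, more heavily than the driver.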
