Archive for July, 2008

FlWin EKWin GmWin AVTAPIT.DLL Trojan

Tuesday, July 29th, 2008

This trojan and its bunch of services trashed a user’s PC, leaving it with no network connections and a long list of failed system services that can’t start up properly. Any attempt to restart any of those services returns a “The executable program that this service is configured to run in does not implement the service.” error.

Combofix only managed to clear some of the problems, but the major problem of having a kernel-level rootkit in the system was undetectable by it. None of the rootkit removal tools I ran (Microsoft Malicious Software Removal Tool, gromozon, hookanlz & haxfix) were able to detect it. F-Secure BlackLight was aborted midway because the scanning process took too long.

To remove all traces of this trojan, you will need to either boot from BartPE on your CDROM drive and run regedit from it, or attach the infected system’s hard drive to another clean system as a secondary drive and then run regedit there.

If your disk is a SATA drive, you will have to disable AHCI in the system BIOS when booting from BartPE and re-enable it once you’re done (otherwise you will get a prompt to run scandisk).

Load the infected system’s registry hive: in regedit, select HKEY_USERS (or any other root key, as long as you remember where you loaded it), load the file named System from the infected drive’s Windows\system32\config folder, and give the loaded hive any name.

Locate ControlSet00*\Services inside the hive you just loaded (on a running system this is HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services), where * stands for whatever digits appear in the infected system’s registry, and remove the following services by right-clicking each one and selecting Delete.

Some of the keys may have restricted permissions; to delete such a key, give yourself Full Control by right-clicking it, selecting Permissions and ticking the Full Control box.

Services to delete in every ControlSet present in the registry:

43vpkuodh, 6to4, Ekwin, FlWin, GmWin, iprip, Irmon, P0LICYAGENT (Note: the zero in place of O in POLICYAGENT), ProtectedStorager4, RIP, RpcUsnsvc, u6qkchfua5

Delete the following files on the infected system:

Windows folder

soni.exe (Downloader)
RavNT.exe (Trojan Horse)
iasxin.dll (Trojan.Zlob)
360safe.exe (Downloader)
17533.exe (Downloader)
iexplore.exe (Infostealer)
ThunderAtone.dll (Trojan.Adclicker)
39.exe
icpb.dll (trojan service name: iprip, Win32 Service that loads using svchost process)
usnsvc.exe (trojan service name: RpcUsnsvc, Loads as a stand-alone Win32 service on startup)

Windows\system32 folder

ggcg.exe (Backdoor.Graybird)
telem32.dll (Downloader)
usmsvc.exe
usmsho.dll
ThunderBHONew11.dll (not sure if this is from the same ‘vendor’ or from other infections)
ThunderBHONew12.dll (not sure if this is from the same ‘vendor’ or from other infections)
msn.exe
UUSee_heima_Setup_110253.exe
dlbar.exe (Backdoor.Trojan)
msn.exe
dcb.dll
imsins.ini
yoyo1048.exe
wv.dat
winxp1.exe
winxp2.exe (Downloader)
kmss.dat
irmon64.dll (trojan service name: Irmon, Win32 Service that loads using svchost process)
AVTAPIT.DLL (trojan service name: FlWin, GmWin, Ekwin, Win32 Service that loads using svchost process)
6to4.dll (trojan service name: 6to4, Win32 Service that loads using svchost process)
cb22b.exe (trojan service name: P0LICYAGENT, Loads as a service on startup)

Windows\system32\Com\1.1.5

WndHook.dll

Windows\system32\drivers

u6qkchfua5.sys (trojan service name: u6qkchfua5, kernel-mode driver that loads at boot, detected as Trojan.Farfli)
43vpkuodh.sys (trojan service name: 43vpkuodh, kernel-mode driver that loads at boot, detected as Trojan.Farfli)

Windows\system32\config

sam5.log (trojan service name: ProtectedStorager4, Win32 Service that loads using svchost process)

Documents And Settings\*User Profile*\Local Settings\Temp\

RIP.exe (trojan service name: RIP, Loads as a service on startup)

Once done with deleting the files, export the Svchost key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost) from a clean system running the same operating system as a .reg file, then import it into the problematic PC. Reboot it and all the services should start without any problem.
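As an added example (not the author’s procedure or any tool from the post), the following Python script parses a regedit .reg export of the Services key, such as one taken from the loaded hive above, and flags entries matching this post’s indicators: the bogus service names (including the P0LICYAGENT zero-for-O trick) and genuine service names such as Irmon or 6to4 whose ServiceDll or ImagePath has been pointed at one of the listed files. The sample export inside the script is constructed for illustration.

```python
import re

# Indicators from the removal list above. 6to4, iprip, Irmon and RIP are genuine Windows
# service names the trojan hijacks, so those are judged by the file they load, not by name.
BOGUS_SERVICES = {"43vpkuodh", "ekwin", "flwin", "gmwin", "p0licyagent",
                  "protectedstorager4", "rpcusnsvc", "u6qkchfua5"}
BAD_FILES = {"avtapit.dll", "irmon64.dll", "6to4.dll", "icpb.dll", "usnsvc.exe",
             "cb22b.exe", "sam5.log", "rip.exe", "u6qkchfua5.sys", "43vpkuodh.sys"}

def parse_reg(text):
    # Minimal parser for a "Windows Registry Editor Version 5.00" export -> {key: {name: data}}
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # re-join wrapped hex lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            keys[(current := line[1:-1])] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"'):                     # REG_SZ: quoted, backslashes doubled
                data = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("hex(2):"):             # REG_EXPAND_SZ: UTF-16LE bytes, comma separated
                data = bytes(int(b, 16) for b in data[7:].split(",") if b).decode("utf-16-le").rstrip("\0")
            keys[current][name.strip('"')] = data
    return keys

def looks_like_legit(name):
    # Catches P0LICYAGENT (digit zero for O) and ProtectedStorager4 (a real name with padding)
    n, real = name.lower(), ("policyagent", "protectedstorage")
    return any(n != r and (n.replace("0", "o") == r or n.startswith(r)) for r in real)

def suspicious_services(reg):
    # Sorted (service, reason) pairs over each Services\<name> key and its Parameters subkey
    hits = set()
    for path, values in reg.items():
        m = re.search(r"\\Services\\([^\\]+)(?:\\Parameters)?$", path, re.I)
        if m and (m[1].lower() in BOGUS_SERVICES or looks_like_legit(m[1])):
            hits.add((m[1], "bogus service name"))
        for field in ("ImagePath", "ServiceDll"):
            base = values.get(field, "").rsplit("\\", 1)[-1].lower()
            if m and base in BAD_FILES:
                hits.add((m[1], f"{field} loads {base}"))
    return sorted(hits)

# Constructed sample export (not a real capture): hijacked Irmon, bogus P0LICYAGENT, clean Dhcp
hex2 = lambda s: "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"
SAMPLE = {SVC + r"\Irmon\Parameters": ("ServiceDll", r"%SystemRoot%\system32\irmon64.dll"),
          SVC + r"\P0LICYAGENT": ("ImagePath", r"C:\WINDOWS\system32\cb22b.exe"),
          SVC + r"\Dhcp\Parameters": ("ServiceDll", r"%SystemRoot%\system32\dhcpcsvc.dll")}
SAMPLE_REG = "\n".join(f'[{k}]\n"{n}"={hex2(v)}' for k, (n, v) in SAMPLE.items())
```

Run `suspicious_services(parse_reg(open("services.reg").read()))` against a real export to get the same (service, reason) pairs for the system under repair.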

[Image: Svchost key]

Eliminate viruses and spyware with McAfee VirusScan.

Rogue Antivirus Program

Sunday, July 27th, 2008

XP Antivirus 2008 is a malware program that imitates a legitimate antivirus program: it installs itself as a startup process and then sets the following wallpaper to entice its victims to register the “antivirus” software in order to remove the prompts it constantly generates.

[Image: XP Antivirus 2008 wallpaper]

They also install a copy of Mark Russinovich’s BSOD Screen Saver, which simulates a PC crash and restart with one of the following random error messages.

BOGUS_DRIVER
IRQL_NOT_LESS_OR_EQUAL
BAD_POOL_HEADER
SYSINTERNAL_GREAT_SITE
KMODE_EXECPTION_NOT_HANDLED
PAGE_FAULT_IN_NONEPAGE_AREA
UNEXPECTED_KERNAL_MODE_TRAP
PANIC_STACK_SWITCH
NO_MORE_IRP_STACK_LOCATIONS
MAXIMUM_WAIT_OBJECTS_EXCEEDED

Files that the program loads on an infected system:

in C:\Windows\system32

blphc7v6i0e5f7.exe, blphc7v6i0e5f7.scr, phc7v6j0e5f7.exe, lphcr7pj0e3d3.exe

in C:\Windows

winlogon.exe

in C:\Documents and Settings\{your user profile}\Local Settings\temp\

.tt3.tmp.vbs

The file names may vary in newer versions, but containing this malware is relatively easy.

Deleting the .vbs files found in C:\Documents and Settings\* user profile *\Local Settings\temp\ in safe mode will cripple the software.

You may then run regedit to delete any entries referring to the files above under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

if there are entries of it within.

You will also need to enable “show hidden files and folders” in your Folder Options in order to see Local Settings in your local profile.
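As an added example that is not part of the original post, the following Python function classifies autorun command lines (such as the values under the two Run keys above) against the traits of this rogue’s files: the blphc/lphc/phc naming pattern, a .vbs stub or anything else launched from Local Settings\temp, and a winlogon.exe that is not the genuine one in system32. The rules and the sample Run entries are constructed here, not taken from any tool.

```python
import re
from pathlib import PureWindowsPath

# Traits of the XP Antivirus 2008 files listed above (rules constructed here, not the post's own tooling)
ROGUE_NAME = re.compile(r"^(?:bl|l)?phc[0-9a-z]{8,12}\.(?:exe|scr)$", re.I)  # blphc7v6i0e5f7.exe etc.
USER_TEMP = re.compile(r"\\Local Settings\\temp\\", re.I)
# The genuine winlogon.exe lives in system32; the copy dropped directly under C:\WINDOWS is the rogue's
REAL_WINLOGON = PureWindowsPath(r"C:\WINDOWS\system32\winlogon.exe")

def classify_autorun(command):
    """Return sorted reasons a Run-key command line looks like this rogue (empty list if clean)."""
    # split into quoted and unquoted tokens so a script path passed to wscript.exe is examined too
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command)]
    reasons = set()
    for tok in tokens:
        path = PureWindowsPath(tok)
        name = path.name.lower()
        if ROGUE_NAME.match(name):
            reasons.add("rogue AV file-name pattern")
        if USER_TEMP.search(tok):
            reasons.add("runs from user temp folder")
        if name.endswith(".vbs"):
            reasons.add("VBScript startup stub")
        if name == "winlogon.exe" and path != REAL_WINLOGON:  # PureWindowsPath compares case-insensitively
            reasons.add("winlogon.exe outside system32")
    return sorted(reasons)

def scan_run_entries(entries):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries.items() if (r := classify_autorun(cmd))}

# Constructed sample of HKLM/HKCU ...\CurrentVersion\Run values (not a real capture)
SAMPLE_RUN = {
    "lphcr7pj0e3d3": r"C:\WINDOWS\system32\lphcr7pj0e3d3.exe",
    "Logon": r"C:\WINDOWS\winlogon.exe",
    "tt3": r'wscript.exe "C:\Documents and Settings\user\Local Settings\temp\.tt3.tmp.vbs"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN).items():
        print(f"{name}: {', '.join(reasons)}")
```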

Bugcheck 0x0000001e Error

Sunday, July 27th, 2008

A server running as a Domain Controller and also as a mail server keeps restarting by itself at random. Suspected it to be a RAM-related issue.

Replaced the RAM but it doesn’t seem to help. Tried different slots, different combinations of the new 512MB with the existing 512MB, then with the existing 256MB, then again without both the old memory modules; still no luck.

No difference whatsoever, whichever way I tried. Noticed errors saying it was unable to run .NET Framework or something, so decided to install .NET Framework again, but I only realised that I had installed 2.0 instead after I had started the installation.

Midway through the installation, there was a prompt saying that the previous .NET 1.1 installation was suspended; click OK to undo the suspended installation and continue with the installation of the 2.0 version.

At the same time I also noticed a lot of strange-looking services in the Services panel. Although they were not running, their startup type was set to start automatically.

Did a search on them and realised almost all of them are some sort of rootkit or malware, e.g. GrayPigeonServer, which runs G_SERVER.EXE in the Windows folder; QQ1, which runs QQMY.EXE in the same location or the system32 location (can’t remember exactly); and Socks5 Slave, which runs Services.exe from the COM subfolder of the Windows folder and which I am quite sure is a form of SOCKS server installation for proxying a connection to another location.

All of them were removed from HKLM\SYSTEM\CurrentControlSet\Services, but there are also similar entries under ENUM\ROOT which I was unable to remove. Initially I thought that it was because they were referenced by a running service.

I restarted the server into Safe Mode and tried to delete them from there but was also unable to. Did some research and realised that I needed to add my rights to the registry keys before I could delete them. Remembered that to amend rights on the registry, I need to run regedt32.exe instead of regedit.exe. Started it, added Administrators with full access to the key, applied, and then deleted all of the references.

Also stopped all vulnerable processes like IIS, IISAdmin, FTP and WebAdmin for MDaemon, then disabled all of them. I also ran some additional tools like DeepMonitor and Killbox but I cannot remember the exact processes that I terminated.

How the server got infected, I have no idea as I am not the only administrator managing it.

Fortunately, it was at an early stage of infection and the server managed to boot up ok after that.

Backdoor.Paproxy, Trojan.Virantix.C, Trojan.wsnpoem

Saturday, July 26th, 2008

This virus came as an email saying “UPS Tracking Number 7117069933”, with content that says:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your UPS

The zipped attachment is an executable that installs a rootkit (ntos.exe) on the system. Additional files are downloaded once an Internet connection is detected; the system then forces an automatic restart after downloading and adds some of the files to startup.

For some strange reason, it also displays a warning stating that your PC is infected with a virus. This is probably an early stage before it mutates into some sort of rogue antivirus software that demands a purchase before it will remove the “viruses”.

It also blocks any attempt to run malware removal tools like HijackThis, Combofix and SDFix, but it misses SmitfraudFix, which doesn’t clean it anyway. To be able to run those tools, you will need to rename them, for example hijackthis.exe to hjt.exe and combofix.exe to comb.exe. You will also need to terminate the virus process, braviax.exe or buritos.exe, whichever is active at the time.

Combofix (Combo fix) can be downloaded from

Usage of combofix

Download Combofix

This particular tool will clean up the rootkit on your system and delete all the virus files it finds. The author of the software also requires you to agree to a disclaimer (twice) before allowing you to run the tool. If you disagree, the downloaded file is deleted and you have to download it again. If the downloaded file is more than 1 week old, it will also be deleted.

After cleaning, you will also need to disable System Restore, empty your Recycle Bin and clear all temp files to ensure that no traces of the virus remain on the system.

Symantec detects the virus’s various files as Backdoor.Paproxy, Trojan.Virantix.C and Trojan.wsnpoem, and contrary to the advice on Symantec’s site, removal of ntos.exe won’t work even in safe mode.

Files associated with this virus:

in C:\windows\system32

ntos.exe, buritos.exe, braviax.exe, crypts.dll, winivstr.exe, karina.dat, delself.bat

It also creates a subfolder wsnpoem that contains two files audio.dll and video.dll.

Although tools like Combofix are effective against viruses and malware, they serve as a secondary course of action once you’re already infected; you will still need antivirus software to minimize the chance of such incidents occurring.
