Backdoor.Paproxy, Trojan.Virantix.C, Trojan.wsnpoem
This virus arrived as an email with the subject "UPS Tracking Number 7117069933" and the following body:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office
Your UPS
The zipped attachment is an executable that installs a rootkit (ntos.exe) on the system. Once an Internet connection is detected it downloads additional files, forces an automatic restart after the download, and adds some of the downloaded files to startup.
Oddly, it also displays a warning stating that your PC is infected with a virus. This is probably an early stage before it turns into some sort of rogue antivirus software that demands payment before it will "remove" the infection.
It also blocks any attempt to run malware removal tools such as HijackThis, ComboFix and SDFix, but it misses SmitfraudFix, which doesn't clean it anyway. To run the blocked tools you need to rename them, for example hijackthis.exe to hjt.exe and combofix.exe to comb.exe. You also need to terminate the virus process, braviax.exe or buritos.exe, whichever is active at the time.
Combofix (Combo fix) can be downloaded from
This tool cleans up the rootkit on your system and deletes all the virus files it finds. The author also requires you to agree to a disclaimer (twice) before the tool will run. If you disagree, the downloaded file is deleted and you have to download it again. If the downloaded file is more than a week old, it is also deleted.
After cleaning, you should also disable System Restore, empty the Recycle Bin and clear all temp files to ensure that no traces of the virus remain on the system.
Symantec detects the various files as Backdoor.Paproxy, Trojan.Virantix.C and Trojan.wsnpoem. Contrary to the advice on Symantec's site, simply removing ntos.exe does not work, even in Safe Mode.
Files associated with this virus:
in C:\windows\system32
ntos.exe, buritos.exe, braviax.exe, crypts.dll, winivstr.exe, karina.dat, delself.bat
It also creates a subfolder wsnpoem that contains two files, audio.dll and video.dll.
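The file and process names above are enough to write a quick triage check. The script below is an added example, not code from the original post or from ComboFix; it matches the indicators listed on this page (the dropped files in system32, the wsnpoem subfolder, and the two processes that block removal tools) against a listing and prints the taskkill command for whichever blocking process is active. The matching logic is kept separate from the live collection so it can be run against the constructed sample listing embedded in the file; the function names, the sample data and the use of `tasklist /FO CSV /NH` to enumerate processes are this example's own choices.

```python
"""Triage check for the UPS-invoice trojan indicators described above (added example)."""
import os
import subprocess

# Indicators taken from the post: files dropped into system32, the wsnpoem
# subfolder contents, and the process names that block removal tools.
SYSTEM32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
DROPPED_FILES = {"ntos.exe", "buritos.exe", "braviax.exe", "crypts.dll",
                 "winivstr.exe", "karina.dat", "delself.bat"}
WSNPOEM_FILES = {"audio.dll", "video.dll"}
BLOCKING_PROCESSES = {"braviax.exe", "buritos.exe"}


def find_indicators(system32_listing, wsnpoem_listing, running_processes):
    """Match already-collected listings against the indicators (case-insensitive).

    Returns a dict of sorted lists so the result is easy to compare and to log.
    """
    s32 = {name.lower() for name in system32_listing}
    wsn = {name.lower() for name in wsnpoem_listing}
    procs = {name.lower() for name in running_processes}
    return {
        "dropped_files": sorted(s32 & DROPPED_FILES),
        "wsnpoem_files": sorted(wsn & WSNPOEM_FILES),
        "blocking_processes": sorted(procs & BLOCKING_PROCESSES),
    }


def parse_tasklist_csv(output):
    """Extract image names from `tasklist /FO CSV /NH` output.

    Each line looks like "image.exe","PID","Session","Session#","Mem"; the
    image name is the first quoted field.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith('"'):
            continue  # blank line or a non-CSV notice
        names.append(line.split('","', 1)[0].strip('"'))
    return names


def kill_commands(findings):
    """taskkill command lines for the active blocking process(es); empty if none."""
    return ["taskkill /F /IM %s" % name for name in findings["blocking_processes"]]


def collect_live():
    """Gather real listings from a Windows host (only used when run directly)."""
    try:
        s32 = os.listdir(SYSTEM32)
    except OSError:
        s32 = []
    try:
        wsn = os.listdir(os.path.join(SYSTEM32, "wsnpoem"))
    except OSError:
        wsn = []  # subfolder absent: no wsnpoem indicators
    proc = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                          capture_output=True, text=True, check=False)
    return s32, wsn, parse_tasklist_csv(proc.stdout)


# Constructed sample data (not captured from a real machine) so the check
# can be exercised offline; mixed case shows the matching is case-insensitive.
SAMPLE_SYSTEM32 = ["kernel32.dll", "ntos.exe", "Crypts.dll", "notepad.exe"]
SAMPLE_WSNPOEM = ["audio.dll"]
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","16 K"\n'
    '"explorer.exe","1100","Console","0","18,520 K"\n'
    '"braviax.exe","1234","Console","0","2,412 K"\n'
)


def run_sample():
    """Run the check over the constructed sample and return the findings."""
    procs = parse_tasklist_csv(SAMPLE_TASKLIST)
    return find_indicators(SAMPLE_SYSTEM32, SAMPLE_WSNPOEM, procs)


if __name__ == "__main__":
    s32, wsn, procs = collect_live() if os.name == "nt" else (
        SAMPLE_SYSTEM32, SAMPLE_WSNPOEM, parse_tasklist_csv(SAMPLE_TASKLIST))
    result = find_indicators(s32, wsn, procs)
    for key, values in result.items():
        print("%s: %s" % (key, ", ".join(values) or "none"))
    for cmd in kill_commands(result):
        print("terminate before running (renamed) removal tools: " + cmd)
```

On a real host the script lists processes with `tasklist` and only reports; it prints the `taskkill /F /IM` line rather than running it, so you can confirm the name before terminating anything and then proceed with the renamed removal tools.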
Although tools like ComboFix are effective against viruses and malware, they are a secondary course of action for when you are already infected; you still need antivirus software to minimize the chance of such an incident occurring in the first place.
July 27th, 2008 at 10:29 pm
combofix will not run. Is buritos causing that?
July 28th, 2008 at 12:10 am
You need to rename the file combofix.exe to something else for it to work. Also, do not have a space in the renamed filename, as it may cause the batch files in it to not run correctly.
September 12th, 2008 at 10:57 pm
Thank you very much. This was most helpful.
November 12th, 2008 at 3:27 am
I have been under attack from repeated "DELSELF"/malware -
From the same sources I suspect. Having purchased faulty memory from an ind. dealer and complained to him. Since then have been inundated with viruses such as Delself - Trojans, etc.
I have tried downloading your combofix in good faith.