FlWin EKWin GmWin AVTAPIT.DLL Trojan
This trojan and the bundle of services it installs trashed a user’s PC, leaving it with no network connection and a long list of system services that fail to start. Any attempt to restart any of those services returns a “The executable program that this service is configured to run in does not implement the service.” error.
ComboFix only managed to clear some of the problems, but the major problem of having a kernel-level rootkit in the system was undetectable by it. None of the rootkit removal tools I ran (Microsoft Malicious Software Removal Tool, gromozon, hookanlz and haxfix) were able to detect it. F-Secure BlackLight was aborted midway because the scanning process took too long.
To remove all traces of this trojan, you will need to either boot from a BartPE CD-ROM and run regedit from it, or attach the infected system’s hard drive to another clean system as a secondary drive and run regedit there.
If your disk drive is SATA, you will have to disable AHCI in the system BIOS when booting from BartPE and re-enable it once you’re done (otherwise you will get a prompt to run scandisk).
Load the infected system’s registry hive by browsing to the infected drive’s Windows\system32\config folder and loading the file named System into regedit under HKEY_USERS (or whichever root key you prefer, as long as you remember where you put it), giving it any name you like.
Locate ControlSet00*\Services inside the loaded hive (the equivalent of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services on the running system), where * stands for whatever digits you see in the infected system’s registry, and remove the following services by right-clicking each one and selecting Delete.
Some of the registry keys may be read-only; to delete them you first have to grant yourself Full Control. Right-click the key, select Permissions, and tick the box beside Full Control.
Services to delete under every ControlSet in the registry:
43vpkuodh, 6to4, Ekwin, FlWin, GmWin, iprip, Irmon, P0LICYAGENT (note the digit zero in place of the letter O in POLICYAGENT), ProtectedStorager4, RIP, RpcUsnsvc, u6qkchfua5
Delete the following files on the infected system:
Windows folder
soni.exe (Downloader)
RavNT.exe (Trojan Horse)
iasxin.dll (Trojan.Zlob)
360safe.exe (Downloader)
17533.exe (Downloader)
iexplore.exe (Infostealer)
ThunderAtone.dll (Trojan.Adclicker)
39.exe
icpb.dll (trojan service name: iprip, Win32 Service that loads using svchost process)
usnsvc.exe (trojan service name: RpcUsnsvc, Loads as a stand-alone Win32 service on startup)
Windows\system32 folder
ggcg.exe (Backdoor.Graybird)
telem32.dll (Downloader)
usmsvc.exe
usmsho.dll
ThunderBHONew11.dll (not sure if this is from the same ‘vendor’ or from other infections)
ThunderBHONew12.dll (not sure if this is from the same ‘vendor’ or from other infections)
msn.exe
UUSee_heima_Setup_110253.exe
dlbar.exe (Backdoor.Trojan)
dcb.dll
imsins.ini
yoyo1048.exe
wv.dat
winxp1.exe
winxp2.exe (Downloader)
kmss.dat
irmon64.dll (trojan service name: Irmon, Win32 Service that loads using svchost process)
AVTAPIT.DLL (trojan service name: FlWin, GmWin, Ekwin, Win32 Service that loads using svchost process)
6to4.dll (trojan service name: 6to4, Win32 Service that loads using svchost process)
cb22b.exe (trojan service name: P0LICYAGENT, Loads as a service on startup)
Windows\system32\Com\1.1.5 folder
WndHook.dll
Windows\system32\drivers folder
u6qkchfua5.sys (trojan service name: u6qkchfua5, kernel-mode driver that loads at boot, detected as Trojan.Farfli)
43vpkuodh.sys (trojan service name: 43vpkuodh, kernel-mode driver that loads at boot, detected as Trojan.Farfli)
Windows\system32\config folder
sam5.log (trojan service name: ProtectedStorager4, Win32 Service that loads using svchost process)
Documents And Settings\*User Profile*\Local Settings\Temp folder
RIP.exe (trojan service name: RIP, Loads as a service on startup)
Once you have deleted the files, go to a clean system running the same version of Windows and export the Svchost key from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost as a .reg file, then import it into the problematic PC. Reboot, and all the services should start without any problem.
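As an added triage example (not from the original post), the following PowerShell loads the infected disk’s SYSTEM hive offline and reports which of the service names listed above exist in each ControlSet, together with their ImagePath and svchost ServiceDll. It assumes the infected drive is attached as D: and that it runs from an elevated PowerShell on the clean host; the hive key name InfectedSYSTEM is arbitrary.

```powershell
# Added example, not from the original post: triage an OFFLINE SYSTEM hive for the
# service names the post lists. Report only; the deletion itself stays manual.
$HivePath = 'D:\Windows\System32\config\SYSTEM'   # assumption: infected drive is D:
$MountKey = 'InfectedSYSTEM'                      # arbitrary name for the loaded hive

# Service names from the post. Note the digit zero in P0LICYAGENT.
# Several of these (6to4, iprip, Irmon) coincide with legitimate Windows XP
# service names, so judge by ServiceDll / ImagePath, not by the name alone.
$Suspect = @('43vpkuodh','6to4','Ekwin','FlWin','GmWin','iprip','Irmon',
             'P0LICYAGENT','ProtectedStorager4','RIP','RpcUsnsvc','u6qkchfua5')

reg.exe load "HKLM\$MountKey" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $HivePath (hive in use, or not elevated?)" }

try {
    # Walk every ControlSet, since the trojan registers itself in all of them.
    Get-ChildItem "HKLM:\$MountKey" | Where-Object { $_.PSChildName -like 'ControlSet0*' } |
      ForEach-Object {
        $cs = $_.PSChildName
        foreach ($name in $Suspect) {
            $svc = Get-Item "HKLM:\$MountKey\$cs\Services\$name" -ErrorAction SilentlyContinue
            if (-not $svc) { continue }          # name absent in this ControlSet
            $p = $svc | Get-ItemProperty -ErrorAction SilentlyContinue
            # svchost-hosted services keep their DLL under Parameters\ServiceDll;
            # stand-alone services and drivers only have ImagePath.
            $dll = (Get-ItemProperty "$($svc.PSPath)\Parameters" -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
            [pscustomobject]@{
                ControlSet = $cs
                Service    = $name
                Start      = $p.Start        # 0/1 = boot/system driver, 2 = automatic
                Type       = $p.Type         # 1 = kernel driver, 0x10/0x20 = Win32 service
                ImagePath  = $p.ImagePath
                ServiceDll = $dll
            }
        }
      } | Format-Table -AutoSize
}
finally {
    # Drop handles before unloading, otherwise reg unload reports the key is in use.
    [gc]::Collect()
    reg.exe unload "HKLM\$MountKey" | Out-Null
}
```

Compare each reported ServiceDll and ImagePath against the file list above before deleting anything, since a legitimately named service pointing at the proper Windows binary should be left alone.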
