This malware like it predecessors spreads typically via spam probably from the same bunch of folks trying sell enlargement stuffs, anything that can get you to reveal your credit card info.

To clear this malware, start your PC in Safe Mode and delete the following registry entries or select the text below and save it as a file with .reg extension then open it;

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
“iv”=-
“Internet Antivirus Pro”=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\Root\LEGACY_ITGRDENGINE]

Delete files and folders;

c:\program files\Internet Antivirus Pro
c:\documents and settings\{User Profile Name}\Application Data\Internet Antivirus Pro
c:\documents and settings\{User Profile Name}\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
c:\documents and settings\{User Profile Name}\Local Settings\Application Data\Microsoft\Windows\services.exe

If you’re intending to trace the origin of the program, the config file shows the following mirror sites where updates are downloaded.

Mirror0=http://internetantiviruspro.com/updates/updateloadlist.ini
Mirror1=http://internet-antivirus-pro.com/updates/updateloadlist.ini
Mirror2=http://freewebtown.com/kvaigon/updateloadlist.ini
Mirror3=http://xoomer.alice.it/gyeynon/updateloadlist.ini

Their related sites used primarily for stats and info gathering;

Url0=in4co.com
Url1=in7co.com
Url2=in6co.com
Url3=cokiran.com
Url4=cokien.com
Url5=in5co.com

Url0=http://in4sk.com/reports/install-report.php
Url1=http://in7sk.com/reports/install-report.php
Url2=http://in6sk.com/reports/install-report.php
Url3=http://websscan.com/reports/install-report.php
Url4=http://in1sk.com/reports/install-report.php
Url5=http://in5sk.com/reports/install-report.php

Loads on startup by adding the file symlssdb.exe to startup which will run as a hidden process.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Symantec System DB”=”symlssdb.exe”

It disables registry edit & Task Manager (regedit.exe & Ctrl-Alt-Del won’t work), prevents Run command and CMD command prompt from running.  It will also prevent malware removal tools like Combofix, Hijackthis, KillBox from running.  To run any of these tools, rename them to a different filenames.

On more seriously infected systems, it will also auto-generates porn-related url links on the desktop & attempts to run it at random.

It will also infect removal drives by adding autorun.inf and shellsrv.exe into the Recycler folder.  It may also generate/replace hosts file found in c:\windows\system32\drivers\etc with one that consists mainly of antivirus software vendors’ domains pointing them to an invalid loopback address of 127.0.0.1.

Downloading Killbox & deleting the process c:\windows\system32\symlssdb.exe on restart may be the only course of action that you need to take. Rename it to kb.exe after download before running it.

To restore registry editing, download unhookexec.inf from Symantec’s web site, save to desktop then right click and install it.

While at it, might as well open up the file with notepad & add the following lines & save before installing it so that Task Manager, CMD & Run can be restored as well.

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD,65537,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr,65537,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun,65537,0

If you do not want to make changes to that file, run regedit after that,  browse to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System], enable registry editing tool and task manager by changing the values for the corresponding entries.

On some badly infected system, you may need to download and run Combofix which cleans it up easily.

Files associated with this infection;

C:\WINDOWS\onfwbsak.dll
C:\WINDOWS\rwlfsdmk.dll
C:\WINDOWS\eofn.exe
C:\WINDOWS\dfmlxbpkexw.dll
C:\WINDOWS\peltodgx.dll
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\symlssdb.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\Documents and Settings\User\Desktop\BDSM galleries.URL

If there are traces of tdss*.dll files,  a server service tdsserv.sys will also be running that requires to be removed.  This file is located in C:\Windows\system32\drivers folder and in registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ,  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Services\TDSServ & HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv. Permission for the key TDSServ needs to be taken over before it can be deleted.

Deletion can only be done in Safe Mode or via remote registry editing.

This trojan will also install a copy of mxlivemedia ad program which needs to be uninstalled via Add/Remove program. Unfortunately, I cannot remember the exact name of the program but it starts with Ron.

There seems to be many fake antivirus and antispyware malwares related to this virus like Antivirus2009 which comes with AntiSpywareShield, SAV and Seekmo, all installed after tdssserv.sys service is started on an infected PC.  Like all its other variants, this malware name its program files similiar to legit programs (SAV, etc) to avoid deletion and primarily serves porn on infected PCs.

It also adds schedule tasks to run some random file to load itself so that if it has higher chance of surviving removal attempts.

Using TCP/IP with printer server detected as Generic Card,  printing failed. The workaround is selecting Network Printer, using Internet Port http then type the ip address of the printer follow by queue name of lp1. e.g. http://192.168.1.250/lp1

This works with various printer models like Canon and HP.

Combofix only managed to clear some of the problems but the major problem of having a kernel-level rootkit in the system was undetectable by it. None of the rootkit removal tools I ran, Microsoft Malicious Software Removal Tool, gromozon, hookanlz & haxfix, were able to detect it. File Secure Blacklight was aborted midway because the scanning process took too long.

To remove all traces of this trojan, you will to boot up either using Bartpe from your CDROM Drive and run regedit from it or attached the infected system’s hard drive to another clean system as a secondary drive and then run regedit.

If your disk drive is SATA type, you will have to disable AHCI in the system BIOS when booting from BartPE and then re-enabling it back once you’re done. (Otherwise you will get a prompt to do a scandisk)

Load the infected systems’ registry hive by browsing to the infected drive’s Windows\system32\config folder and load the file with the filename System into regedit’s HKEY_USERS (or any of the root keys if you can remember where you place it) and then give it a random name.

Locate HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services, where * represents whatever the digits you see in the infected system’s registry, and remove the following services by right clicking and selecting delete.

Some of the registry entries may be set to read-only and in order to delete it, it has to be set to Full-Control. This can be done by right-clicking and selecting Permission and then put a check on the box beside Full-Control.

Services to delete on all variation of ControlSets in the registry;

43vpkuodh, 6to4, Ekwin, FlWin, GmWin, iprip, Irmon, P0LICYAGENT (Note: the zero in place of O in POLICYAGENT), ProtectedStorager4, RIP, RpcUsnsvc, u6qkchfua5

Delete the following files on the infected system;

Windows folder

soni.exe (Downloader)
RavNT.exe (Trojan Horse)
iasxin.dll (Trojan.Zlob)
360safe.exe (Downloader)
17533.exe (Downloader)
iexplore.exe (Infostealer)
ThunderAtone.dll (Trojan.Adclicker)
39.exe
icpb.dll (trojan service name: iprip, Win32 Service that loads using svchost process)
usnsvc.exe (trojan service name: RpcUsnsvc, Loads as a stand-alone Win32 service on startup)

Windows\system32 folder

ggcg.exe (Backdoor.Graybird)
telem32.dll (Downloader)
usmsvc.exe
usmsho.dll
ThunderBHONew11.dll (not sure if this is from the same ‘vendor’ or from other infections)
ThunderBHONew12.dll (not sure if this is from the same ‘vendor’ or from other infections)
msn.exe
UUSee_heima_Setup_110253.exe
dlbar.exe (Backdoor.Trojan)
msn.exe
dcb.dll
imsins.ini
yoyo1048.exe
wv.dat
winxp1.exe
winxp2.exe (Downloader)
kmss.dat
irmon64.dll (trojan service name: Irmon, Win32 Service that loads using svchost process)
AVTAPIT.DLL (trojan service name: FlWin, GmWin, Ekwin, Win32 Service that loads using svchost process)
6to4.dll (trojan service name: 6to4, Win32 Service that loads using svchost process)
cb22b.exe (trojan service name: P0LICYAGENT, Loads as a service on startup)

Windows\system32\Com\1.1.5

WndHook.dll

Windows\system32\drivers

u6qkchfua5.sys (trojan service name: u6qkchfua5, kernel-mode driver that loads on booting up, detect as Trojan.Farfli)
43vpkuodh.sys (trojan service name: 43vpkuodh, kernel-mode driver that loads on booting up, detect as Trojan.Farfli)

Windows\system32\config

sam5.log (trojan service name: ProtectedStorager4, Win32 Service that loads using svchost process)

Documents And Settings\*User Profile*\Local Settings\Temp\

RIP.exe (trojan service name: RIP, Loads as a service on startup)

Once done with deleting the files, export the Svchost key from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost as on a clean system with similar operating system as a .reg file and then import it into the problematic PC. Reboot it and all the services should start without any problem.

Eliminate viruses and spyware with McAfee VirusScan.

They also install a copy of Mark Russinovich’s BSOD Screen Saver which will simulate a PC crash and restart with the following random error messages.

BOGUS_DRIVER
IRQL_NOT_LESS_OR_EQUAL
BAD_POOL_HEADER
SYSINTERNAL_GREAT_SITE
KMODE_EXECPTION_NOT_HANDLED
PAGE_FAULT_IN_NONEPAGE_AREA
UNEXPECTED_KERNAL_MODE_TRAP
PANIC_STACK_SWITCH
NO_MORE_IRP_STACK_LOCATIONS
MAXIMUM_WAIT_OBJECTS_EXCEEDED

Files that the program loads on an infected system;

in C:\Windows\system32

blphc7v6i0e5f7.exe,blphc7v6i0e5f7.scr,
phc7v6j0e5f7.exe,lphcr7pj0e3d3.exe

in C:\Windows

winlogon.exe

in C:\Documents and Settings\{your user profile}\Local Settings\temp\

.tt3.tmp.vbs

The file names may varies with their new improved versions, but the containment of this malware is relatively easy.

By deleting the .vbs files found in C:\Documents and Settings\* user profile * \Local Settings\temp\ in safe mode, the software will be crippled.

You may then run regedit to delete those entries similiar to the above in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

if there are entries of it within.

You will also need to enable “show hidden files and folders” in your Folder Options in order to see Local Settings in your local profile.

Eliminate viruses and spyware with McAfee VirusScan.

Replace the RAM but doesn’t seems to help. Try different slots, different combination of new 512MB with existing 512MB, then with existing 256MB then again without both the old memory modules, still not luck.

No difference whatever, whichever way I try. Notice errors showing unable to run .NET Framework or something, so decided to install .NET Framework again but I only realised that I have installed 2.0 instead only after I have started the installation.

Midway through the installation, there was a prompt that says that the previous .NET 1.1 was suspended, click OK to undo suspended installation and continued with installation of the 2.0 version.

At the same time also notice alot of strange looking services in the Services panel. Although they’re not running, their startup type were all set to start automatically.

Did a search on it and realise almost all of it are some sort of rootkit or malware, e.g. GrayPigeonServer which runs G_SERVER.EXE in Windows folder, QQ1 which runs QQMY.EXE in the same location or system32 location can remember exact, Socks5 Slave which runs in Windows folder under a subfolder COM\Services.exe which I am quite sure it is a form of socks server installation for proxying a connection to another location.

All of them are removed from HKLM\SYSTEM\CurrentControlSet\Service but there are also similiar entries under ENUM\ROOT which I am unable to remove. Initial I thought that it was due to it be referenced in a running service.

I restarted the server into Safe Mode and try to delete it from there but was also unable to. Did some research and realised that I need to add my rights to the registry keys before I could delete it. Remembered that to admend rights on registry, I will to run regedt32.exe instead of regedit.exe. Started it, add administrators with full access to the key, apply and then delete all of the references.

Also, stop all vulnerable processes like IIS, IISAdmin, FTP, WebAdmin for Mdaemon then disabled all of them. I also ran some addition tools like DeepMonitor and Killbox but I cannot remember the exact processes that I terminated.

How the server got infected, I have no idea as I am not the only administrator managing it.

Fortunately, it was at an early stage of infection and the server managed to boot up ok after that.

Eliminate viruses and spyware with McAfee VirusScan.

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your UPS

The zipped attachment is an executable file that will install a rootkit (ntos.exe) on the system. Additional files are downloaded when an Internet connection is detected and the system will force an auto restart after downloading and add some of it to startup.

For some strange reason, it also display a warning stating that your PC is infected with a virus. This is probably an early stage before it mutates into some sort of rogue antivirus software that requires purchase before removing of viruses.

It also disables any attempt to run malware removal tools like hijackthis, combofix, sdfix but it miss out smitfraudfix which doesn’t cleans it anyway. To be able to run those tools, you will need to rename them example hijackthis.exe to hjt.exe and combofix.exe to comb.exe. You will also need to terminate the virus process braviax.exe or buritos.exe depending on which is active at that time.

Combofix (Combo fix) can be downloaded from

Usage of combofix

Download Combofix

This particular tool will clean up the rootkit in your system and delete all the virus files it found. The author of the software also requires you to agree to a disclaimer (twice) before allowing you to run the tool. If you disagree, the downloaded file will be deleted and you have to re-download it again. If the file downloaded is more than 1 week old, it will also be deleted.

After cleaning, you will also need to disable system restore, empty your recycle bin and clear all temp files to ensure that no traces of the virus is in the system.

Symantec detected the virus as Backdoor.Paproxy, Trojan.Virantix.C, Trojan.wsnpoem for its various files and contrary to advice on Symantec’s site, this removal of ntos.exe won’t work even in safe mode.

Files associated with this virus;

in C:\windows\system32

ntos.exe, buritos.exe, braviax.exe, crypts.dll, winivstr.exe, karina.dat, delself.bat

It also creates a subfolder wsnpoem that contains two files audio.dll and video.dll.

Although tools like combofix is effective against viruses and malwares, it serves as a secondary course of action when you’re already infected, you will still need an antivirus software that will minimize such incidence from occurring.

Eliminate viruses and spyware with McAfee VirusScan.

The server is also serving as the authoritative nameserver for some 30 odd domains and primary authoritative nameserver for two of it. It is also not using the DNS server that is built-in to Windows 2000 Server but a third party software know as Simple DNS.

The two domains who emails are also hosted on this server seems to have problem receiving mails. Upon checking, we realise that the zone information for these two domains are not available. When we query direct, we also get no response but when we log on to the server, the DNS server was running fine.

We also realise that the zone information is available when we log on and finally realise that Simple DNS was not set to run as a service which it was previously. By enabling it, all zone information propagated properly soon after.

A call that we have attended to was for a newly purchased Acer notebook was having problem connecting to the company’s wireless network.

Although the basic troubleshooting measures like releasing and renewing of IP, ensuring that the WEP keys and settings were correct has already been done the user is still unable to connect to his company’s network.

The notebook would be able to connect to the wireless network for a few seconds then it would be disconnected.

After going through the network settings, it seems Intel® PROSet/Wireless Network Connection Software has been disabled and Windows Wireless Zero Configuration are being used in place of it.

In the Network Connections settings, there were 2 other protocol installed along with TCP/IP, one is WLAN Transport and the otherAEGIS Protocol (IEEE 802.1x).

Removing both WLAN Transport and AEGIS wireless protocol resolved the issue immediately.

The reason could be due to Windows’ Wireless Zero Configuration does not work well with the above two protocols which was actually meant to be used with Intel’s wireless software.

In other instances, I have encounter NWLink NetBIOS and NWLink IPX/SPX/NetBIOS Compatible Transport Protocol being installed in an environment that is non-Netware, causing the startup to be extremely slow and user having random network problems.

In most scenario where the network are solely Windows machines, there is no need to install anything more than Client for Microsoft Network, File And Printer Sharing and TCP/IP protocol.  QOS is only required in an environment where you have managed switches that are able to prioritize traffic based on the type of packets being transmitted.

An attempt to boot from XP CD generates an error ‘File setupdd.sys could not be loaded.
The error code is 14
Setup cannot continue.’

Removing the pci modem changes the error code from 14 to 7. Removing and reinstalling the AGP graphic card and memory modules and ensuring that they are fitted properly boots the system up fine without the need for a reinstallation of Windows.

There are also other things to bear in mind when you’re planning to troubleshoot or recover and XP crash, (These points are especially useful when your system crash with the error - “Windows could not start because the following file is missing or corrupt C:\windows\system32\config\system”) ;

1. There is always a folder in Windows installation folder that consists system files that can restore your system to the state of your first install, provided that the crash isn’t hardware failure related. (e.g. C:\windows\repair) The folder with your system files prior to the crash is located at c:\windows\system32\config. Copying files (after backing up the original files) to the above location will restore your system to first boot state.

2. Enabling wildcards to ease copy and deletion process, which can be useful when you’re working in recovery console mode. The command is  AllowWildCards = TRUE , to be typed at the command prompt. Another command AllowAllPaths = TRUE is also useful as it allows you to access all files and folders on the system.

3. Once you’re back into your first install state, you can then set explorer to display hidden and system files and folders, disable simple file sharing from the folder options in Windows explorer. This will enable you to see a folder call “System Volume Information Folder” which consist system files backup at various time from c:\windows\system32\config . You may need to give yourself rights to the folder in order to access its contents.

Restoring the system files from point 3 will be a closer match to your last system state prior to the crash.