
Friday, 18 March 2011

How to remove TR/Crypt.ZPACK.Gen2

To remove the TR/Crypt.ZPACK.Gen2 trojan, clean or delete every file it dropped or infected, and delete (or restore) every registry value it added or changed, as listed below.
TR/Crypt.ZPACK.Gen2 aliases (names other scanners use for the same sample)

  • Packed.Win32.Krap.ai
  • Trojan.FakeAV!gen39
  • TR/Kazy.6775
  • TR/Crypt.ZPACK.Gen2
  • Troj/FakeAV-CFB
To remove TR/Crypt.ZPACK.Gen2 successfully you may also need to:
1. Temporarily disable System Restore, so the infected files are not kept in a restore point and brought back later.
2. Update the AVG virus definition database, reboot the computer into Safe Mode and run a Whole Computer scan.
3. Delete the Internet Explorer temporary files; some TR/Crypt.ZPACK.Gen2 files are dropped there.
4. If removal still fails, contact AVG official support at http://avg.com/support
Remove TR/Crypt.ZPACK.Gen2 manually
1. Stop the trojan from running by disabling or removing its suspicious startup entry:
    use msconfig (click the Start button --- click Run --- type msconfig) and untick the suspicious entry on the Startup tab
    use Windows Task Manager (Ctrl+Shift+Esc) --- Processes tab --- find the suspicious process --- End Process
    if msconfig and Windows Task Manager have been blocked by the virus, use AVG 2011 System Tools (an AVG 2011 feature) or download and use another application such as CCleaner, HijackThis or Process Explorer

Processes created (cmd.exe, ping.exe and taskkill.exe are standard Windows binaries that the trojan launches; end the trojan's own process and do not delete these system files)
  • c:\docume~1\support\locals~1\applic~1\ximmt.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ping.exe
  • c:\windows\system32\taskkill.exe

2. Delete the registry values added by the malicious software (malware)
   use Registry Editor (click the Start button --- click Run --- type regedit)
   go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run --- find the suspicious string value in the right pane and delete it
   go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run --- find the suspicious string value in the right pane and delete it
   Both Run values listed below (sgmadslx, hbgbswjd) point to randomly named executables under Local Settings\Application Data or the Temp folder; legitimate programs rarely start from those locations, which is how you recognise the entries to delete.

Registry keys created (the Internet Explorer\Download and Policies values switch off the warnings Windows and IE would normally show before running a downloaded .exe; delete these values too, not only the Run entries)
  • HKCU\Software\Microsoft\Internet Explorer\Download
    RunInvalidSignatures
    0x00000001   (lets IE run downloads whose Authenticode signature is invalid; the default is 0)

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sgmadslx
    c:\Documents and Settings\test user\Local Settings\Application Data\xspuheocv\xobsmmptssd.exe

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    sgmadslx
    c:\Documents and Settings\test user\Local Settings\Application Data\xspuheocv\xobsmmptssd.exe

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation
    0x00000001   (zone information is no longer saved with downloaded files, so the "unknown publisher" prompt disappears; the value does not exist by default)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    hbgbswjd
    C:\DOCUME~1\support\LOCALS~1\Temp\inqkkpmru\xljdgrrtsbl.exe

 
Registry keys modified
  • HKCU\Software\Microsoft\Internet Explorer\Download
    CheckExeSignatures
    no   (IE stops checking the signature of downloaded executables; set it back to yes)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes
    .exe   (Attachment Manager treats .exe as a low-risk type and suppresses its warning; delete the value)

  • HKCU\Software\Microsoft\Windows Script\Settings
    JITDebug
    0x00000001
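The two registry steps above can be checked without clicking through regedit: export the keys with `reg export` and run a script over the file. The following is an added example, not code from the original post or from AVG. The .reg text embedded in it is constructed to mirror the entries listed above (paths as shown on the page); the list of "user-writable" folders and the wording of each finding are this example's own assumptions.

```python
"""Offline triage of a Windows registry export (.reg) for the autostart entries
and the IE/Attachment Manager settings listed on this page.

Real input: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
(repeat for the HKLM Run key and the Internet Explorer\Download and Policies keys),
then: python triage_reg.py run.reg
"""
import re
import sys

# Registry paths from the page; compared case-insensitively, as the registry does.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
IE_DOWNLOAD = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
ATTACHMENTS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
ASSOCIATIONS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

# Assumption of this example: autostart commands living in per-user writable
# folders (where the dropper on this page copies itself) deserve a second look.
USER_WRITABLE = re.compile(
    r"\\(Local Settings\\Application Data|LOCALS~1|Temp|AppData\\Local)\\", re.IGNORECASE)

# Constructed sample: what `reg export` of the affected keys looks like after the
# infection described on the page. Backslashes are doubled in .reg files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sgmadslx"="c:\\Documents and Settings\\test user\\Local Settings\\Application Data\\xspuheocv\\xobsmmptssd.exe"
"hbgbswjd"="C:\\DOCUME~1\\support\\LOCALS~1\\Temp\\inqkkpmru\\xljdgrrtsbl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
'''


def parse_reg(text):
    """Parse .reg text into {key_path_lowercase: {value_name: value}}.

    Handles REG_SZ ("..." with \\ and \" escapes) and REG_DWORD (dword:hex);
    other value types are kept as their raw text. Real .reg files are UTF-16.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, _, val_part = line.partition("=")
        name = "(Default)" if name_part == "@" else name_part.strip('"')
        if len(val_part) >= 2 and val_part.startswith('"') and val_part.endswith('"'):
            value = val_part[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val_part.startswith("dword:"):
            value = int(val_part[6:], 16)
        else:
            value = val_part
        keys[current][name] = value
    return keys


def suspicious_autostarts(keys):
    """Run-key entries whose command points into a user-writable folder."""
    hits = []
    for key in RUN_KEYS:
        for name, cmd in keys.get(key.lower(), {}).items():
            if isinstance(cmd, str) and USER_WRITABLE.search(cmd):
                hits.append((key, name, cmd))
    return hits


def weakened_download_checks(keys):
    """The IE / Attachment Manager values the page lists; each one removes a
    warning the user would otherwise see before a downloaded .exe runs."""
    findings = []
    ie = keys.get(IE_DOWNLOAD.lower(), {})
    if ie.get("RunInvalidSignatures") == 1:
        findings.append("RunInvalidSignatures=1: IE runs downloads with an invalid Authenticode signature")
    if str(ie.get("CheckExeSignatures", "")).lower() == "no":
        findings.append("CheckExeSignatures=no: IE skips the signature check on downloaded executables")
    if keys.get(ATTACHMENTS.lower(), {}).get("SaveZoneInformation") == 1:
        findings.append("SaveZoneInformation=1: zone information is not saved, so no 'unknown publisher' prompt")
    low_risk = keys.get(ASSOCIATIONS.lower(), {}).get("LowRiskFileTypes", "")
    if isinstance(low_risk, str) and ".exe" in low_risk.lower():
        findings.append("LowRiskFileTypes includes .exe: Attachment Manager treats executables as low risk")
    return findings


def triage(reg_text):
    keys = parse_reg(reg_text)
    return {"autostarts": suspicious_autostarts(keys),
            "weakenings": weakened_download_checks(keys)}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    report = triage(text)
    for key, name, cmd in report["autostarts"]:
        print(f"[autostart] {key}\\{name} -> {cmd}")
    for line in report["weakenings"]:
        print(f"[weakened]  {line}")
```

Run it on the constructed sample and it flags the two Run values (sgmadslx, hbgbswjd) and all four weakened download settings, while leaving the ctfmon.exe entry alone; a clean export of the same keys produces no findings. The folder regex is deliberately broad, so treat a hit as "look at this" rather than "delete this".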


3. Delete or quarantine the suspicious files
   use Windows Explorer --- go to the drive holding the Windows profiles (for example D:) --- D:\Documents and Settings\Administrator\Local Settings\Temp --- delete all temporary files, then check Local Settings\Application Data for the copies listed below. Local Settings is a hidden folder; enable "Show hidden files and folders" in Folder Options first.

This trojan copies itself to
  • c:\Documents and Settings\test user\Local Settings\Application Data\ximmt.exe
  • c:\Documents and Settings\test user\Local Settings\Application Data\xspuheocv\xobsmmptssd.exe
Note: this manual removal is only recommended for advanced users.
If you fail to remove TR/Crypt.ZPACK.Gen2, please contact AVG official support at http://avg.com/support

Enjoy AVG
