How to remove TR/Crypt.ZPACK.Gen

This is a work in progress.

Someone recently gave me a laptop to work on. The symptom was that it was shutting down on its own, randomly. I ran it for 5 days solid without an incident, until it finally shut down by itself. The only clue was an entry by the BITS service in the system log that said a process “C:\WINDOWS\TEMP\GUR142.EXE” had been terminated. I found more entries like this one, each with a different filename in the pattern GURXXX.EXE. So, I ran many virus scans, but nothing turned up. Then, I ran Avira, and the laptop shut itself down. This happened EVERY time I ran Avira. So, I rebooted into Safe Mode, and Avira actually found and removed a virus (TR/Crypt.ZPACK.Gen - C:\WINDOWS\SYSTEM32\w32etend.dll). Unfortunately, each time I rebooted the virus came back (Avira blocks it upon launch - I have the early Avira launch option set). Subsequent virus scans find nothing. It's only detected at launch.

FYI, I think SuperAntiSpyware caught this virus at some point in my scanning, and claimed to have removed it, but apparently failed.

Virus scans that did not find it:

  • NOD32 4 (rescue CD and program)
  • AVG 8.5 (program)
  • Kaspersky (boot disk)
  • Bitdefender (online scan and rescue CD, via G Data)
  • G Data (uses Avast and Bitdefender)
  • Malwarebytes
  • Trend Micro Housecall (online scan)
  • Panda Activescan (online scan)
  • Dr. Web CureIt (found other viruses, but not this one)

Virus scans that found it, and said they removed it, but did not:

  • Avira
  • SuperAntiSpyware

The last thing I tried was following this guide, which didn't help: http://forums.majorgeeks.com/showthread.php?t=35407

Edit — years later.

The way I finally got rid of this virus was to write my own antivirus. Seriously. IIRC, the virus was creating random filenames. So my “antivirus” searched through specific locations (windows folder, user folder) and googled every single filename. It reported back with every file that did not return any search results. This allowed me to find each file that had a random filename.
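The scanner described above, as an added example that is not the author's tool. It walks the same kinds of locations (a Windows folder tree) and reports every file whose name it does not recognise. Instead of the author's web search, the "have I seen this name before?" check is an offline allowlist of filenames taken from a clean machine (an assumption made so the example runs without network access); the `GUR\d{3}\.EXE` regex is a constructed heuristic built from the log entries quoted on this page, and the directory tree it scans is constructed in a temporary folder with empty placeholder files.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Callable, Iterable

# Constructed heuristic from the page's log entries: the dropper used names
# like GUR142.EXE in C:\WINDOWS\TEMP. Anything matching is flagged outright.
GUR_PATTERN = re.compile(r"^GUR\d{3}\.EXE$", re.IGNORECASE)


def is_unknown_name(name: str, known: Callable[[str], bool]) -> bool:
    """A filename is 'unknown' when it matches the GURnnn.EXE pattern or when
    the lookup (Google in the author's version, an allowlist here) has never
    seen it."""
    return GUR_PATTERN.match(name) is not None or not known(name)


def find_unknown_files(roots: Iterable[Path],
                       known: Callable[[str], bool]) -> list[Path]:
    """Walk every root directory and return the paths of all regular files
    whose names are unknown, sorted for stable output."""
    hits: list[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if is_unknown_name(fname, known):
                    hits.append(Path(dirpath) / fname)
    return sorted(hits)


def allowlist_lookup(baseline: set[str]) -> Callable[[str], bool]:
    """Offline stand-in for the author's web search (assumption): a name is
    'known' when it appears, case-insensitively, in a baseline captured from
    a clean machine."""
    lowered = {n.lower() for n in baseline}
    return lambda name: name.lower() in lowered


def demo() -> list[str]:
    """Build a constructed directory tree that mimics the infected layout
    (empty placeholder files only) and return the flagged filenames."""
    # Constructed baseline: a few names any clean system32 would contain.
    baseline = {"kernel32.dll", "ntdll.dll", "notepad.exe", "desktop.ini"}
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        (win / "SYSTEM32").mkdir(parents=True)
        (win / "TEMP").mkdir()
        for rel in ("SYSTEM32/kernel32.dll", "SYSTEM32/ntdll.dll",
                    "SYSTEM32/w32etend.dll",   # name reported on this page
                    "TEMP/GUR142.EXE",         # name reported on this page
                    "TEMP/desktop.ini"):
            (win / rel).write_bytes(b"")
        found = find_unknown_files([win], allowlist_lookup(baseline))
        return [p.name for p in found]


if __name__ == "__main__":
    for name in demo():
        print("unknown filename:", name)
```

Running it lists `w32etend.dll` and `GUR142.EXE` and nothing else: the two baseline DLLs and `desktop.ini` are recognised, the TEMP dropper matches the pattern, and the unrecognised DLL in SYSTEM32 fails the allowlist. On a real machine the baseline would come from a known-clean install of the same Windows build, and the flagged list is a starting point for manual review rather than an automatic delete list.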

removing_tr_crypt_zpack_gen.txt · Last modified: 2012/07/25 13:30 by justinhomi
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported