
How to remove TR/Crypt.ZPACK.Gen

This is a work in progress.

Someone recently gave me a laptop to work on. The symptom was that it was shutting down on its own, randomly. I ran it for 5 days solid without an incident, until it finally shut down by itself. The only clue was an entry by the BITS service in the system log that said a process “C:\WINDOWS\TEMP\GUR142.EXE” had been terminated. I found more entries like this one, each with a different filename in the pattern GURXXX.EXE. So, I ran many virus scans, but nothing turned up. Then, I ran Avira, and the laptop shut itself down. This happened EVERY time I ran Avira. So, I rebooted into Safe Mode, and Avira actually found and removed a virus (TR/Crypt.ZPACK.Gen - C:\WINDOWS\SYSTEM32\w32etend.dll). Unfortunately, each time I rebooted the virus came back (Avira blocks it upon launch - I have the early Avira launch option set). Subsequent virus scans find nothing. It's only detected at launch.

FYI, I think SUPERAntiSpyware caught this virus at some point in my scanning, and claimed to have removed it, but apparently failed.

Virus scans that did not find it:

  • NOD32 4 (rescue CD and program)
  • AVG 8.5 (program)
  • Kaspersky (boot disk)
  • Bitdefender (online scan and rescue CD, via G Data)
  • G Data (uses Avast and Bitdefender)
  • Malwarebytes
  • Trend Micro Housecall (online scan)
  • Panda Activescan (online scan)
  • Dr. Web CureIt (found other viruses, but not this one)

Virus scans that found it, and said they removed it, but did not:

  • Avira
  • SUPERAntiSpyware

The last thing I tried was following this guide, which didn't help:

removing_tr_crypt_zpack_gen.1241155893.txt.gz · Last modified: 2009/04/30 22:31 by justinhomi