How to Prevent and Remove the Trojan.Win32.VBKrypt.nzf
| No. | Filename | Size |
|---|---|---|
| 1 | %Temp%\jPV4DRV4.exe | 86,016 bytes |
- Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
b. Memory Modifications
There was a new process created in the system:
| Process Name | Process Filename | Allocated Size |
|---|---|---|
| explorer.exe | %Windir%\explorer.exe | 45,056 bytes |
c. Registry Modifications
The following port was open in the system:
| Port | Protocol | Process |
|---|---|---|
| 7054 | TCP | WinNT.exe (%System%\WinNT.exe) |
- The following Registry Key was created:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36A5A0DB-297E-FDE2-0501-060104070800}
- The newly created Registry Values are:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36A5A0DB-297E-FDE2-0501-060104070800}]
    - StubPath = "%Temp%\jPV4DRV4.exe"
    so that jPV4DRV4.exe runs every time Windows starts
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    - Windows = "%Temp%\jPV4DRV4.exe"
    so that jPV4DRV4.exe runs every time Windows starts
d. Other details
There were registered attempts to establish connection with the remote hosts. The connection details are:
| Remote Host | Port Number |
|---|---|
| 174.36.183.108 | 80 |
| 66.240.163.28 | 80 |
- The data identified by the following URLs was then requested from the remote web server:
- http://udp-first.com/index.php?id=XX00CD1A40&co=COMPUTERNAME&us=UserName&os=Windows%20XP&vr=5.1&av=&dt=
- http://66.240.163.28/index.php?id=XX00CD1A40&co=COMPUTERNAME&us=UserName&os=Windows%20XP&vr=5.1&av=&dt=
3. How-to's
a. How to prevent the Trojan.Win32.VBKrypt.nzf?
Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will block it and protect your network and business.
b. How to Remove the Trojan.Win32.VBKrypt.nzf Manually?
Step 1: Remove the following Trojan.Win32.VBKrypt.nzf registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36A5A0DB-297E-FDE2-0501-060104070800}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36A5A0DB-297E-FDE2-0501-060104070800}]
StubPath = "%Temp%\jPV4DRV4.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Windows = "%Temp%\jPV4DRV4.exe"
Step 2: The Trojan.Win32.VBKrypt.nzf programs may also be loaded by hiding in the "run=" and "load=" lines of the system WIN.INI file, so these must be checked carefully. Also check for and remove the following Run value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
WinNT.exe = "%System%\WinNT.exe"
Step 3: Locate and delete the following Trojan.Win32.VBKrypt.nzf files:
%Temp%\jPV4DRV4.exe
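As an added example (not part of the original page or Ax3soft's tooling), the following PowerShell script audits every persistence and indicator location listed in this report without changing anything, so the findings can be confirmed before Steps 1 to 3 are carried out. The CLSID, value names, file names and port come from the report above; the listener check assumes a Windows version that ships Get-NetTCPConnection.

```powershell
# Read-only audit of the indicators listed in this report (added example).
# It only reports findings; removal is left to the manual steps above.
$Clsid    = '{36A5A0DB-297E-FDE2-0501-060104070800}'   # Active Setup component from the report
$DropName = 'jPV4DRV4.exe'                              # dropped file from the report
$Findings = @()

# 1. Active Setup "Installed Components" StubPath (executed for each user account at logon)
$asKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Clsid"
if (Test-Path $asKey) {
    $stub = (Get-ItemProperty -Path $asKey -ErrorAction SilentlyContinue).StubPath
    $Findings += "Active Setup key present: $asKey (StubPath = '$stub')"
}

# 2. HKCU Run values named in the report ("Windows" and "WinNT.exe")
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in 'Windows', 'WinNT.exe') {
        $prop = $run.PSObject.Properties[$name]
        if ($prop) { $Findings += "Run value '$name' = '$($prop.Value)'" }
    }
}

# 3. Dropped files: %Temp%\jPV4DRV4.exe and %System%\WinNT.exe
$paths = @((Join-Path $env:TEMP $DropName),
           (Join-Path $env:SystemRoot 'System32\WinNT.exe'))
foreach ($p in $paths) {
    if (Test-Path $p) { $Findings += "File present: $p ($((Get-Item $p).Length) bytes)" }
}

# 4. Legacy WIN.INI run= / load= lines (Step 2 of the manual removal)
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*(run|load)\s*=\s*\S') { $Findings += "WIN.INI entry: $line" }
    }
}

# 5. Listener on TCP 7054 (Get-NetTCPConnection exists on Windows 8 / Server 2012 and later)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($l in Get-NetTCPConnection -LocalPort 7054 -State Listen -ErrorAction SilentlyContinue) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings += "TCP 7054 listening (PID $($l.OwningProcess), $proc)"
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell prompt in the affected user's session so that both the HKCU and HKLM locations are the ones the report describes.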
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we recommend trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm