Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | March 2006 (4.03) |
| Protection available since | 17 November 2005 04:05:20 (GMT) |
| Last updated | 25 January 2006 14:22:22 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GNP Generic Host Process
<System>\svchost.exe
and delete it if it exists.
Close the registry editor.
More Information
Troj/Zapchas-AA is a backdoor Trojan which allows a remote intruder to gain access and control over the computer via IRC channels.
The backdoor includes functions that allow a remote intruder to upload and download files, run programs and steal CD keys.
When the Trojan is installed the following component files, detected as Troj/Zapchas-AA, are created in the Windows system folder:
script.ini
Troj/Zapchas-AA also creates the following files, which may be safely deleted after the Trojan has been removed:
aliases.ini
control.ini
fullname.txt
ident.txt
mircico
mirc.ini
nicks.txt
popups.txt
remote.ini
servers.ini
sup.bat
sup.reg
users.ini
The following file, which is a copy of the chat program mIRC, may replace a Windows system file of the same name. If it has, the genuine file will need to be restored from the Windows installation CD.
svchost.exe
The following registry entries will be created to run svchost.exe automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GNP Generic Host Process
<System>\svchost.exe
Several registry entries referring to svchost.exe will be created under:
HKCR\ChatFile
Entries referring to svchost.exe and/or mIRC will be created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
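The following PowerShell script is an added example, not part of the Sophos advisory, that checks a host for the indicators listed above without changing anything: the Run value, the dropped files in the system folder, the signature on svchost.exe, and the ChatFile and Uninstall keys. It assumes a modern Windows host with PowerShell and that the genuine svchost.exe carries a valid Microsoft signature, which the mIRC copy described here would not; the file list and registry paths are taken from the advisory, everything else is the example's own.

```powershell
# Added example (not from Sophos): report Troj/Zapchas-AA indicators on this host.
# Read-only: it prints findings and deletes nothing. Run from an elevated prompt.
$system    = Join-Path $env:SystemRoot 'System32'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'GNP Generic Host Process'

# Component and support files named in the advisory, relative to the system folder
$dropped = @('script.ini', 'aliases.ini', 'control.ini', 'fullname.txt', 'ident.txt',
             'mircico', 'mirc.ini', 'nicks.txt', 'popups.txt', 'remote.ini',
             'servers.ini', 'sup.bat', 'sup.reg', 'users.ini')

$findings = @()

# 1. Persistence: the Run value that launches svchost.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
}

# 2. Dropped files in the Windows system folder
foreach ($name in $dropped) {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 3. svchost.exe: heuristic (assumption) that the real file is Microsoft-signed,
#    whereas a renamed mIRC binary would fail this check
$svchost = Join-Path $system 'svchost.exe'
if (Test-Path -LiteralPath $svchost) {
    $sig = Get-AuthenticodeSignature -FilePath $svchost
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "svchost.exe signature check failed (status: $($sig.Status))"
    }
}

# 4. Registry keys the advisory says will carry references to svchost.exe or mIRC.
#    A legitimately installed mIRC would also match here, so treat this as a lead.
$keys = @('Registry::HKEY_CLASSES_ROOT\ChatFile',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
foreach ($key in $keys) {
    $items = @(Get-Item -Path $key -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $props = Get-ItemProperty -Path $item.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ("$($prop.Value)" -match 'svchost\.exe|mirc') {
                $findings += "Registry $($item.Name)\$($prop.Name) = $($prop.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Troj/Zapchas-AA indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reports; removal should follow the steps in the Action section, and a failed signature check on svchost.exe is the cue to restore the genuine file from installation media rather than to delete it outright.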
