Troj/Zapchas-R

Please follow the instructions for removing Trojans.

Troj/Zapchas-R is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

When Troj/Zapchas-R is installed the following files are created:

<Windows system folder>\aliases.ini
<Windows system folder>\control.ini
<Windows system folder>\mirc.ico
<Windows system folder>\mirc.ini
<Windows system folder>\nicks.txt
<Windows system folder>\remote.ini
<Windows system folder>\script.ini
<Windows system folder>\servers.ini
<Windows system folder>\sup.bat
<Windows system folder>\sup.reg
<Windows system folder>\svchost.exe
<Windows system folder>\users.ini
<Windows system folder>\win.com

The file script.ini is also detected as Troj/Zapchas-R. The file svchost.exe is a version of the mIRC chat application. The other files are not inherently dangerous but may be safely deleted.

Troj/Zapchas-R creates the following registries entry in order to run the mIRC application on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GNP Generic Host Process
<Windows system folder>\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GNP Generic Host Process
<Windows system folder>\svchost.exe

The following registry entries are set or modified, so that svchost.exe is run when files with extensions of CHA and IRC are opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<Windows system folder>\svchost.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<Windows system folder>\svchost.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<Windows system folder>\svchost.exe

HKCR\irc\DefaultIcon
(default)
<Windows system folder>\svchost.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\