
Thread: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

  1. #1
    tryprotect Guest

    Default ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Hello,

    We have ZA Security Suite version 7.0.483.000 and have virus/spyware definitions updated automatically.

    The subject trojan or virus was detected by ZA during yesterday's regular weekly scan of our laptop. This was not found on our 2 desktop PCs. The actual scan results reported two files, one file ZA indicated it would delete upon reboot and the second file ZA indicated it would rename upon reboot. I only remember that one of the files was named "Packed.Win32.Krap.ai". I agreed to the reboot.

    After rebooting, the laptop Windows boot screen and login screen appeared as usual. However, the desktop was empty (with wallpaper but without icons) for approximately 5 minutes before the icons, clock, shortcuts, Start button, etc. appeared. ZA did not load during bootup and I could not load it manually. The laptop connects to our home network, but it cannot connect to the internet.

    Before allowing ZA to proceed with the file deletions/renaming, I saw on Kaspersky's website that "Packed.Win32.Krap.ai" is on their December 2009 internet malware top twenty list. However, after allowing ZA to proceed, I saw a thread on this ZA forum dated 2/28/10 indicating that a ZA scan reported "Packed.Win32.Krap.ai" as a false positive.

    Any help on how I can get the laptop back to where it should be (normal boot time, ZA loaded and internet accessible) will be greatly appreciated.

    Thank you,

    tryprotect
    Last edited by fax; March 1st, 2010 at 12:10 AM. Reason: title

  2. #2
    benreffell Guest

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Do you mean this thread showed it as a false positive?
    http://forums.zonelabs.com/showthrea...075#post276075

    That thread was referring to a file named vsxml.dll (part of an older ZoneAlarm install) in which it thought it had found the "Packed.Win32.Krap.ai" malicious software. If your ZASS found it in the same file also then it is (probably) just a false alarm.

    If it found Packed.Win32.Krap.ai by itself or in another file that is NOT a false alarm! (probably)

    The behaviour of your PC makes it sound like it IS MALICIOUS and you need to take action.

    The thread (link below) is for ZASS Version 9 and will tell you what to do if you were infected,
    (but I recall seeing instructions for version 7, if you don't want to update first (I would definitely update as soon as you have fixed it though))
    http://forums.zonealarm.com/showthread.php?t=70448

    If in any doubt, upload the file here to check it with multiple AV engines
    http://www.virustotal.com

    http://www.threatexpert.com
    should give you more details of what it did to your PC so you can tell if it really did anything or if ZA stopped it, or how you can fix it.

    PS. Also search for other threads on this forum without the file extension which are for the same basic virus i.e. Packed.Win32.Krap which may give you other information on this type of virus
    Last edited by benreffell; March 2nd, 2010 at 08:59 PM. Reason: clearer

  3. #3
    tryprotect Guest

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    benreffell,

    Thank you for your reply. I do not recall any of the details of the ZA scan results other than there were two lines of malware identified and one referenced "Packed.Win32.Krap.ai". Since there is no ZA icon near the desktop clock and since trying to manually launch ZA does not force the icon to appear, I do not know how to get more details on the ZA malware report. So I am not sure how to get the information that I would need to clearly determine whether the report was a false positive.

    One thing I learned after my first post was that, although the ZA icon does not appear next to the desktop clock, the Control Panel>Security Center indicates that ZA firewall is active. In contrast, Windows Task Manager>Processes does list ZA's vsmon.exe file.

    Based on your reply and the link you provided, unless you disagree, I would like to do the following:

    - Get needed information from the laptop so I can determine whether the ZA report was a false positive (I do not know how to get this needed information)

    - Post data to VirusTotal to determine if report was a false positive

    - If not a false positive, determine that ZA corrected the problem (when I agreed to let ZA delete one file and rename another), or now take steps to fix.

    - If it was a false positive, uninstall ZA7 and install ZA9.1


    Is simply uninstalling ZA7 and installing ZA9.1 and then rescanning the laptop a viable alternate solution? Or would the install of ZA9.1 be corrupted if Packed.Win32.Krap.ai is still active at time of ZA9.1 install?

    Thank you again,

    tryprotect

  4. #4
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,285

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Quote Originally Posted by tryprotect View Post
    Is simply uninstalling ZA7 and installing ZA9.1 and then rescanning the laptop a viable alternate solution? Or would the install of ZA9.1 be corrupted if Packed.Win32.Krap.ai is still active at time of ZA9.1 install? Thank you again, tryprotect
    Yes, this is the best way to proceed. Please remove ZA via the XP control panel --> add/remove a program. If you have difficulties you can use the ZA removal tool. Then install ZASS 9.1, manually update the antivirus, scan the system. Done.

    Next time you should mind updating your security tools. They are the first line of defense and it is essential they are updated. Every new version adds new features against the latest threats.

    You should check you are not running vulnerable software, here. Then set ZA antivirus update frequency to lowest level (30 minutes). Just a few minutes can make the difference between being infected and being protected.

    Do not overlap security tools one over the other. It is likely to cause conflicts behind the scenes with applications fighting for resources and blocking each other. End result: less security and difficulties in case of infections. Remove any other security tool you have installed.

    Hope this helps.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    tryprotect Guest

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Fax,

    Thank you. I will do as you suggest.

    Based on my experience with ZA7, I know that it took a few or several months of updates before a stable version of ZA7 was available, so I decided to stay with what I knew was working on my computer (ZA7). I agree that keeping my security software up-to-date is important. ~~Snip~~

    Then I will be comfortable updating my computer with the current ZA version.

    Thank you again for your help!

    tryprotect
    Last edited by GeorgeV; March 3rd, 2010 at 03:30 PM. Reason: Removed Off topic Comments.

  6. #6
    benreffell Guest

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Quote Originally Posted by tryprotect View Post
    benreffell,

    Thank you for your reply. I do not recall any of the details of the ZA scan results other than there were two lines of malware identified and one referenced "Packed.Win32.Krap.ai". Since there is no ZA icon near the desktop clock and since trying to manually launch ZA does not force the icon to appear, I do not know how to get more details on the ZA malware report. So I am not sure how to get the information that I would need to clearly determine whether the report was a false positive.

    One thing I learned after my first post was that, although the ZA icon does not appear next to the desktop clock, the Control Panel>Security Center indicates that ZA firewall is active. In contrast, Windows Task Manager>Processes does list ZA's vsmon.exe file.

    Based on your reply and the link you provided, unless you disagree, I would like to do the following:

    - Get needed information from the laptop so I can determine whether the ZA report was a false positive (I do not know how to get this needed information)

    - Post data to VirusTotal to determine if report was a false positive

    - If not a false positive, determine that ZA corrected the problem (when I agreed to let ZA delete one file and rename another), or now take steps to fix.

    - If it was a false positive, uninstall ZA7 and install ZA9.1


    Is simply uninstalling ZA7 and installing ZA9.1 and then rescanning the laptop a viable alternate solution? Or would the install of ZA9.1 be corrupted if Packed.Win32.Krap.ai is still active at time of ZA9.1 install?

    Thank you again,

    tryprotect
    I assume you have done as Fax suggested

    But FYI
    As far as I know there is no easy way to get the virus file ZA detected out of quarantine to send to virustotal, other than the restoring steps as laid out in one of the original links (something I don't like to do).

    I believe it does not simply put the virus into another secure folder (like some AV progs) but "writes" it into another file or database of some sort (?). If you set ZA to "ask you what it should do" then you may be able to get to the file before it is put into quarantine (I seem to recall doing this some years ago, but have just let ZA deal with it recently, though I think I may change back now due to a recent false pos')

    (PS. infected emails are quarantined by changing the name, I believe)
    Last edited by benreffell; March 6th, 2010 at 06:47 PM.

  7. #7
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,285

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Quote Originally Posted by benreffell View Post
    As far as I know there is no easy way to get the virus file ZA detected out of quarantine to send to virustotal,
    Set the antivirus to manual and after the detection select "ignore once". This will allow the uploading but not the spreading. Of course, none of these procedures is fully secure when dealing with malware.

    If you have doubts or you do not want to risk it, then just ask the malware experts at spywarehammer or bleepingcomputer. They will guide you safely through the process.

    Thanks,
    Fax
    Last edited by fax; March 6th, 2010 at 10:08 PM.

  8. #8
    tryprotect Guest

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    Fax,

    I have not been able to write until now.

    I removed ZASS7 via add/remove programs. The process appeared to stall (a Windows box opened saying it could not continue or there was a problem, do you want to file a report) but ended up continuing until the end. Using the ZA Removal Tool may also have hiccupped. I installed ZASS 9.1, but it too hiccupped when it got to the found network screen (I answered once, it asked again, I answered again), but the install completed.

    Because the network-found screen came up twice during the ZASS 9.1 install, I uninstalled ZASS 9.1 by the usual method (unchecked load at boot, rebooted, uninstalled via the ZASS Start menu selection, and ran the ZA Removal Tool). Then I reinstalled ZASS 9.1. The reinstall went smoothly. However, every time I boot the laptop, the ZASS 9.1 found-network screen appears, asking me to select internet or trusted zone (I always select trusted) and for the network name. When this window comes up, if I wait several seconds, I can see that the laptop connects to the network even before I make my selection and click OK.

    Since I would rather not have to populate this network-found screen during every boot, I wanted to ask if another uninstall would fix the issue. I am prepared to go through the 20 minute process of manually searching the registry and using CCleaner to remove all fragments of ZASS 7 and ZASS 9.1. I still have previous ZA posts that describe in detail how to do this, and did it myself before my previous upgrading to ZASS7. The reason I am asking if I should do this is because of the hiccups I had while uninstalling ZASS7 and the hiccup experienced when initially installing ZASS9.1.

    I am willing to try this even if it is likely it would not make a difference. But I am thinking that the less-than-smooth removal of ZASS7, might have left something behind. Please let me know your thoughts.

    Thank you again.

  9. #9
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,285

    Default Re: ZASS 7: Packed.Win32.Krap.ai found in ZA Weekly Scan 2/28/10

    I am not sure I follow the issue, it is also difficult to suggest solutions.
    I would recommend you contact ZA technical support and explain your issue in detail. Link in my signature.

    Thanks,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays
