OUTLINE
- General information about Trojan.Win32.Pincav.cryr
- Trojan.Win32.Pincav.cryr infection scenario
- Trojan.Win32.Pincav.cryr’s payload
- How Trojan.Win32.Pincav.cryr spreads
- Steps to remove Trojan.Win32.Pincav.cryr
Trojan.Win32.Pincav.cryr Generality
Trojan.Win32.Pincav.cryr is a Trojan horse and another variant of the Trojan.Win32.Pincav family, which has been active for about half a decade. It is a Trojan downloader approximately 35,840 bytes in length, written in Visual C. Trojan.Win32.Pincav.cryr appears as an executable file and mainly targets Windows 2000/Windows XP/Windows 2003/Windows Vista/Windows 7. Because it is packed with a UPX shell, in most cases it cannot be detected until several full scans have been run by reputable anti-virus programs.
What Is It Like to Get Trojan.Win32.Pincav.cryr?
- Abnormal connections – browser hijacking or redirecting may be noticed.
- Unstable security utilities – the installed anti-virus program may exit on its own for no apparent reason.
- Error messages – the affected system pops up messages saying that something is corrupted, missing or disabled.
- Additional processes – unknown processes, or multiple copies of one process, can be seen running in the background and hogging the CPU.
- Information theft – victims find that their online game accounts have somehow been stolen.
- Poor PC performance – the system freezes from time to time, and programs, services and games exit all of a sudden.
- More unknown viruses and items on the local disk – many unfamiliar folders and files accumulate on the local disk, and it is hard to tell them apart from legitimate ones.
Trojan.Win32.Pincav.cryr’s Payload
The Trojan horse is commonly found piggybacking on video players. Once a PC user clicks to download and install the player, the Trojan’s code is downloaded into %Temp% and unpacked as executable files whose names resemble those of normal programs.
When that is done, Trojan.Win32.Pincav.cryr copies itself to %SystemRoot%\system32\system.exe, which then loads and runs .dll files (their names can be random, depending on the targeted operating system).
When these .dll files are loaded and run, driver files with the suffix “.sys” are released under %SystemDrive%. Trojan.Win32.Pincav.cryr then creates services for these drivers and runs them to obtain the SSDT address and restore the SSDT, which allows it to inject code into all currently running processes, especially those belonging to security software. As soon as the security applications have been shut down, Trojan.Win32.Pincav.cryr deletes the driver files and removes or disables the services responsible for security defence.
Some of the generated .dll files then create a mutex to prevent multiple instances from running. In addition, Trojan.Win32.Pincav.cryr adds a value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it starts automatically. Worse, the Trojan horse copies the system file “wininet.dll” to %Temp% to gain access to its Internet functions. Consequently, Trojan.Win32.Pincav.cryr is able to periodically read a list of download URLs from a designated website and use it to download and install plenty of additional viruses and Trojans onto the target machine.
Trojan.Win32.Pincav.cryr Dissemination Routine
- Trojan.Win32.Pincav.cryr is delivered through poorly secured websites or counterfeit promotional sites.
- Trojan.Win32.Pincav.cryr is bundled with third-party programs or files.
- Trojan.Win32.Pincav.cryr is downloaded onto a machine by another Trojan downloader.
Follow steps to remove Trojan.Win32.Pincav.cryr
A
Bring up Task Manager and end the processes whose path points to Trojan.Win32.Pincav.cryr’s files, according to the report from the installed anti-virus program.
(tip: if you are not able to open Task Manager with the key combination, open the Run box from the Start menu, type “CMD” and hit Enter; then enter “taskkill.exe /im msblast.exe”, “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe”)
Open Task Manager > View > Select Columns > tick “PID” and “Path Name” > open System Information > end the process whose path name points to Trojan.Win32.Pincav.cryr’s path (according to the threat alert) or to a path that does not belong to the system.
(tip: if some malicious processes reappear, find the parent process ID (PPID) via the PID column and remove the parent process(es) with the command “taskkill /im system.exe /f” in a command prompt window.)
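The process triage in step A can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from VilmaTech: it lists every process with its PID, parent PID and image path, and flags the cases the post tells you to look for (an image at %SystemRoot%\system32\system.exe, an image running from %Temp%, an image outside the Windows and Program Files trees, or an unsigned image). It assumes Windows PowerShell 5.1 or later; the `-WhatIf` switch on the termination step only previews the action until you remove it.

```powershell
# Added example (not part of the original post): enumerate processes with
# PID, PPID and image path, and flag the ones the removal steps care about.
# Assumption: run from an elevated Windows PowerShell 5.1+ prompt.

function Get-SuspiciousProcess {
    # Directories a legitimate process image is normally loaded from
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    # Path the post names as the Trojan's copy of itself
    $knownBadPath = Join-Path $env:SystemRoot 'system32\system.exe'
    $tempRoot     = $env:TEMP.TrimEnd('\') + '\'

    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }   # protected system processes report no path

        $reasons = @()
        if ($path -ieq $knownBadPath) { $reasons += 'matches %SystemRoot%\system32\system.exe' }
        if ($path.StartsWith($tempRoot, 'OrdinalIgnoreCase')) { $reasons += 'runs from %Temp%' }

        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'image outside Windows/Program Files' }

        # A binary in a system directory that is unsigned or tampered with is also worth a look
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

        if ($reasons.Count -eq 0) { continue }

        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'
        $parentPath = $null
        if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Name       = $p.Name
            Path       = $path
            PPID       = $p.ParentProcessId
            ParentName = $parentName
            ParentPath = $parentPath
            Reasons    = ($reasons -join '; ')
        }
    }
}

$suspects = Get-SuspiciousProcess
$suspects | Format-Table PID, Name, PPID, ParentName, Reasons -AutoSize

# Act only on confirmed findings. The parent is stopped first so it cannot
# respawn the child; remove -WhatIf to actually terminate.
foreach ($s in $suspects | Where-Object { $_.Reasons -like '*system.exe*' }) {
    if ($s.ParentPath -and ($s.ParentPath -ieq (Join-Path $env:SystemRoot 'system32\system.exe'))) {
        Stop-Process -Id $s.PPID -Force -WhatIf -ErrorAction SilentlyContinue
    }
    Stop-Process -Id $s.PID -Force -WhatIf -ErrorAction SilentlyContinue
}
```

The `ParentName` and `ParentPath` columns give you the PPID lookup the tip above describes without leaving the prompt; a child whose parent has the same suspicious path is the reappearing-process case, and that parent is the one to stop first.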
B
Show hidden files and folders so that the ones created by Trojan.Win32.Pincav.cryr can be removed.
Windows 7/XP/Vista - Control Panel > User Accounts and Family Safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > untick ‘Hide protected operating system files (Recommended)’ > OK button.
Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.
- Open the detected path and remove all the items there.
- Open the following folders and remove the items generated on the day Trojan.Win32.Pincav.cryr was first detected:
(tip: on Windows XP it is suggested to turn off System Restore before carrying out the following steps: right-click “My Computer”/“Computer” > Properties > System Restore tab > tick “Turn off System Restore”)
%SystemRoot%\system32\
%Temp%\IXP000.TMP\
%SystemDrive%\
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\
Variable definitions
- %SystemDrive% - the system partition, “C:\” by default.
- %SystemRoot% - the Windows directory, “C:\Windows” by default.
- %Documents and Settings% - the user profile directory, commonly “C:\Documents and Settings”.
- %Temp% - the temporary directory, commonly “C:\Documents and Settings\[current user name]\Local Settings\Temp”.
- %ProgramFiles% - the default installation directory for programs, “C:\Program Files” by default.
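Step B can be carried out from PowerShell instead of clicking through Folder Options and each folder in turn. The script below is an added example, not code from the original post or from VilmaTech. It writes the same three Explorer settings the Folder Options dialog controls, then walks the folders listed above (resolved through the variable definitions) and reports every file, hidden and system files included, created on or after a date you supply, together with whether any .exe/.dll/.sys file carries a valid Authenticode signature. It assumes an elevated Windows PowerShell 5.1+ prompt; the date in the last lines is a constructed placeholder, to be replaced with the day the anti-virus alert first appeared.

```powershell
# Added example (not part of the original post): make hidden/protected files
# visible and list files created on or after the detection date in the
# folders named in step B.
# Assumption: elevated Windows PowerShell 5.1+ on the affected machine.

function Show-HiddenFiles {
    # The same switches as Folder Options > View, written directly to the registry
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name Hidden          -Value 1 -Type DWord  # show hidden files and folders
    Set-ItemProperty -Path $key -Name ShowSuperHidden -Value 1 -Type DWord  # do not hide protected OS files
    Set-ItemProperty -Path $key -Name HideFileExt     -Value 0 -Type DWord  # show file name extensions
}

function Get-RecentlyCreatedFile {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        # The locations from step B, with the page's %variables% resolved
        [string[]]$Folders = @(
            "$env:SystemRoot\system32",
            "$env:TEMP\IXP000.TMP",
            "$env:SystemDrive\",
            "$env:SystemRoot",
            "$env:SystemRoot\winstart.bat",
            "$env:SystemRoot\wininit.ini",
            "$env:SystemRoot\Autoexec.bat",
            "$env:USERPROFILE\Documents",
            "$env:LOCALAPPDATA",
            "$env:ProgramFiles"
        )
    )
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes hidden and system files, which the Trojan relies on to stay out of sight
        Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since } |
            ForEach-Object {
                $sig = 'n/a'
                if ($_.Extension -in '.exe', '.dll', '.sys') {
                    $sig = (Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue).Status
                }
                [pscustomobject]@{
                    Created   = $_.CreationTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    System    = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                    Signature = $sig
                    Path      = $_.FullName
                }
            }
    }
}

Show-HiddenFiles

# Constructed placeholder date; use the day the anti-virus alert first appeared
$since = Get-Date '2013-06-01'
Get-RecentlyCreatedFile -Since $since | Sort-Object Created | Format-Table -AutoSize
```

Only the listing is automated here; deleting is left to you once you have checked each flagged file against the anti-virus report, since files created on the detection day in these folders also include legitimate updates.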
C
Open the Registry Editor to make corrections.
- Press down Win key and R key together.
- Type “regedit” and hit Enter key.
- Navigate to the following key and remove any values under “Run” that you have not seen before (for example one pointing to C:\WINDOWS\system32\system.exe):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Then search the registry for the processes detected in step B and remove their entries.
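The auto-start entry described in the payload section (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and the Policies\Explorer\Run key named in step C can be audited together. The script below is an added example, not code from the original post or from VilmaTech: it reads the Run, RunOnce and Policies\Explorer\Run keys under both HKLM and HKCU, extracts the program path from each value, and flags values that point to %SystemRoot%\system32\system.exe, start from %Temp%, reference a file that no longer exists, or launch an unsigned binary. It assumes an elevated Windows PowerShell 5.1+ prompt; removal is previewed with `-WhatIf` until you drop that switch.

```powershell
# Added example (not part of the original post): audit the Run keys the post
# mentions and flag values that warrant removal.
# Assumption: elevated Windows PowerShell 5.1+ so the HKLM hive is readable.

function Get-ExecutableFromCommand {
    # Pull the program path out of a Run value such as  "C:\x\a.exe" /arg  or  C:\x\a.exe /arg
    param([string]$Command)
    if (-not $Command) { return $null }
    $exe = $null
    if     ($Command -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)')     { $exe = $Matches[1] }
    else                                          { $exe = ($Command -split '\s+', 2)[0] }
    # A bare name such as rundll32.exe is resolved through PATH, as the loader would
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-RunKeyEntry {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    $knownBad = Join-Path $env:SystemRoot 'system32\system.exe'   # path named in the post
    $tempRoot = $env:TEMP.TrimEnd('\') + '\'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw REG_EXPAND_SZ text, then expand %variables% ourselves
            $raw  = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $data = [Environment]::ExpandEnvironmentVariables([string]$raw)
            $exe  = Get-ExecutableFromCommand $data

            $reasons = @()
            if ($exe) {
                if ($exe -ieq $knownBad) { $reasons += 'points to system32\system.exe' }
                if ($exe.StartsWith($tempRoot, 'OrdinalIgnoreCase')) { $reasons += 'starts from %Temp%' }
                if (-not (Test-Path -LiteralPath $exe)) {
                    $reasons += 'target file missing'
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
                    if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
                }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $data
                Target  = $exe
                Flags   = ($reasons -join '; ')
            }
        }
    }
}

$entries = Get-RunKeyEntry
$entries | Format-Table Key, Name, Command, Flags -AutoSize

# Remove only entries you have confirmed; -WhatIf previews the change
$entries | Where-Object { $_.Flags -like '*system.exe*' } | ForEach-Object {
    Remove-ItemProperty -Path $_.Key -Name $_.Name -WhatIf
}
```

A value whose target file is already missing is the trace left when step B deleted the file first; it is harmless on its own but should still be removed so the name does not mask a later re-infection.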
What Trojan.Win32.Pincav.cryr aims at is stealing confidential information for money; all the damage it causes serves this ultimate goal. Be aware that by downloading more infections onto a machine, Trojan.Win32.Pincav.cryr also earns its operators additional income. It is recommended to remove Trojan.Win32.Pincav.cryr before it loads more items that threaten your information security and introduce further viruses. If you encounter difficulties, please feel free to get help tailored to your situation from VilmaTech Online Support.
References:
- SSDT (System Service Descriptor Table) – Wikipedia
- Mutex (mutual exclusion) – Wikipedia