
How to remove Trojan.Ransom.Win32.Blocker.ajpo – ifgxpers.exe

Thursday, 24 January 2013

There is a new ransom trojan that is fairly tough to remove. First, it runs full screen, always on top, and closes explorer.exe and Task Manager (see pictures 00 – 04). Ctrl + Alt + Del works and Task Manager opens, but it is closed immediately, so there is not much you can do. Second, it hides under the name [ ifgxpers.exe ], which is easily confused with [ igfxpers.exe ], a pretty common file mainly used by graphics card drivers. Last, when it is running it appears under [ svchost.exe ]. Still, this trojan is not as smart as you might think. It has a flaw: if the system is started without the network cable, the trojan does not activate. So here is the removal procedure, assuming the trojan is already in the system and active:

  • remove the network cable
  • boot or restart the system
  • go to c:\ProgramData\ and delete the [ ifgxpers.exe ] file

In addition, you can test it:

  • copy c:\Windows\System32\taskmgr.exe to the desktop and rename it (e.g. taskmgr1.exe, see picture 01)
  • plug in the network cable and restart the system; the trojan takes some time to fire up, so the first thing to do when you see the desktop is start taskmgr1.exe
  • when the trojan is active in full screen, just Alt-Tab to Task Manager; on the Applications tab there is a Dialog Window (picture 04), right-click it and choose Go To Process (picture 02)
  • there it is, under svchost.exe (picture 03); you can [ End Process ] now
  • an additional free tool that confirms the presence of this trojan is Kaspersky Security Scan (picture 08 / 09); unfortunately ESET NOD32 (picture 06 / 07) and Microsoft Security Essentials (picture 10 / 11) fail badly to detect the trojan, whereas Kaspersky Internet Security 2012 does the job as expected (picture 12)
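
The swapped letters in [ ifgxpers.exe ] are what make the file easy to overlook, and that can be checked mechanically. The following is an added example, not part of the original post: it flags file names that are one edit or one adjacent-letter swap away from a known Windows binary, or that carry a known name in the wrong folder. The allowlist, its expected folders and the sample paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: allowlist of legitimate names and the folder each normally lives in.
KNOWN_GOOD = {
    "igfxpers.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(path):
    """Return (verdict, matched_known_name) for one full Windows path."""
    p = PureWindowsPath(path.lower())
    name, folder = p.name, str(p.parent)
    if name in KNOWN_GOOD:
        ok = folder == KNOWN_GOOD[name]
        return ("ok" if ok else "known-name-wrong-folder", name)
    for good in KNOWN_GOOD:
        if osa_distance(name, good) == 1:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample listing (not captured from a real system).
SAMPLE = [
    r"C:\Windows\System32\igfxpers.exe",
    r"C:\ProgramData\ifgxpers.exe",
    r"C:\ProgramData\svchost.exe",
    r"C:\Users\user\Desktop\taskmgr1.exe",
    r"C:\Program Files\Example\updater.exe",
]

def scan(paths):
    """Keep only entries that deserve a closer look."""
    results = [(p, *classify(p)) for p in paths]
    return [r for r in results if r[1] not in ("ok", "unknown")]

if __name__ == "__main__":
    for path, verdict, match in scan(SAMPLE):
        print(f"{verdict:24} {path}  (resembles {match})")
```

The renamed taskmgr1.exe copy from the test steps is flagged as a lookalike too, which is the expected cost of a name-distance check: each hit still needs a manual look at its location and origin.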

 
